On Thursday June 16th, the Federal Government introduced Bill C-27, the Digital Charter Implementation Act, 2022, a revamped version of Bill C-11 which was introduced at the end of 2020 but died on the order paper when the Federal Government called an election in 2021. The long awaited new version of a proposed replacement for PIPEDA would establish three new statutes:
- The Consumer Privacy Protection Act (CPPA);
- The Personal Information and Data Protection Tribunal Act (DPTA); and
- The Artificial Intelligence and Data Act (AIDA).
The DPTA would introduce an administrative tribunal to review certain decisions made by the Office of the Privacy Commissioner of Canada (OPCC) and impose penalties for contraventions of the CPPA. The AIDA (being the most notable divergence from the 2020 reform effort) focuses on mitigating the risks of harm and bias in the use of “high-impact” AI systems. As with the EU’s proposed Artificial Intelligence Act, the AIDA seeks to regulate AI in a balanced manner that protects against individual harm but does not overly restrain technological development.
As in the former reform effort, the new CPPA retains the principles-based approach of PIPEDA but integrates the principles directly into the Act rather than setting them out in a schedule like PIPEDA. Bill C-27 also includes the following key features:
- Requires organizations to implement a privacy management program;
- Introduces a definition of “anonymize” and clarifies that de-identified information is personal information subject to the CPPA (with exceptions) and that anonymized information is not. It also expands the cases where de-identified information may be re-identified;
- Re-establishes consent as the primary authority for organizations to process personal information, and introduces more prescriptive consent requirements (particularly with respect to express consent);
- Includes a number of additional consent exemptions for the collection, use, or disclosure of personal information for certain defined “business activities” or “legitimate interests”;
- Provides that retention periods must consider the sensitivity of personal information and that security measures include reasonable authentication measures;
- Limits the requirement to provide explanations of automated decision-making to cases where it “could have a significant impact on individuals” (businesses must explain how an algorithmic prediction, recommendation or decision is made);
- Requires organizations to dispose of personal information upon an individual’s request under certain circumstances;
- Deems the personal information of minors to be sensitive personal information and thus provides additional protections for the personal information of minors;
Bill C-27 also includes stronger enforcement powers and more severe remedies for non-compliance (as introduced under Bill C-11):
- New Commissioner powers, including audit and order-making powers;
- The ability for the Commissioner to recommend, and for the Tribunal to impose, penalties up to the greater of $10 million or 3% of an organization’s annual global revenues;
- Significantly expanded offences for serious contraventions of the law, with fines up to the greater of $25 million or 5% of annual global revenues; and
- A private right of action to permit recourse to the courts in certain circumstances.
Bill C-27’s privacy framework appears to closely mirror Bill C-11 which former Commissioner Therrien called “a step back overall from our current law and needing significant changes” to restore confidence in the digital economy. We can expect Bill C-27 to received similar criticism.
Domestic and foreign organizations that collect information about Canadians should consider the impact of the newly introduced Act and its evolution as it progresses through Parliament. With the tabling of Bill C-27, be prepared to propose improvements as well as address any unintended consequences when the Federal Government commences a consultation period that will likely commence once the House of Commons is back in session in the Fall.
PRIVATECH’s CIPP/C course being held from Oct. 31-Nov. 2 will contain supplementary material and practical guidance on C-27 compliance. Get certified as a privacy professional in Canada! CLICK HERE for more information. Early bird pricing is on now! This course is expected to fill.
For more information on Bill C-27 and to discuss its impact on your business, contact PRIVATECH.