Modernizing Canada’s Federal Privacy Law

14.11.2022

This article discusses Bill C-27, the recently introduced Federal legislation to update Canada’s private sector privacy law. The bill revives some aspects of the former bill (C-11), refines others, and introduces several novel provisions.

Introduction

On June 15, 2022, the Government of Canada introduced Bill C-27, titled the Digital Charter Implementation Act, 2022. This legislation is Canada’s latest effort to strengthen its federal privacy regime and align the Canadian landscape with jurisdictions that have modernized their privacy laws.

Bill C-27 succeeds Bill C-11, which the federal government tabled in 2020. Bill C-11 died on the Order Paper at the call of the general election in August 2021. Bill C-27 reintroduces the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). The CPPA would replace Part I of the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s current federal privacy legislation governing private sector organizations in the course of commercial activity. The PIDPTA would establish an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and impose penalties for the contravention of certain provisions of that Act. The Tribunal would also be empowered to allow appeals and substitute its own findings, orders or decisions.

Bill C-27’s most significant novel contribution is its introduction of the Artificial Intelligence and Data Act (AIDA). The AIDA was not present in Bill C-11. It would be the first piece of legislation in Canada to regulate the development and deployment of artificial intelligence (AI) systems in the private sector.

 

Re-introductions and novel provisions

Bill C-27 retains core elements of the CPPA and PIDPTA as introduced in Bill C-11, including:

  • A consent-based CPPA regime
  • Provisions on de-identification and anonymization (although Bill C-27 clarifies some of these concepts compared to Bill C-11)
  • A right to explanation and other provisions focusing on algorithmic transparency
  • A right to disposal upon request
  • Security safeguards (these are expanded under Bill C-27, raising some concerns about harm to commercial/industrial efficiency)
  • The imposition of potentially very high administrative monetary penalties (AMPs)
  • A private right of action for contraventions of the CPPA
  • Office of the Privacy Commissioner of Canada oversight of compliance with the CPPA, along with other expanded authorities
  • The structure of the Tribunal under PIDPTA but with expanded tribunal powers (now equivalent to a superior court of record)

Bill C-27 also introduces a number of significant new provisions:

  • The possible entrenchment of a “right to privacy”, as alluded to in the preamble of the bill (no such preamble was present in Bill C-11)
  • The introduction of legitimate interests as a consent exception in circumstances where a legitimate interest outweighs potential adverse effects on the individual
  • Protections for children’s privacy, including the inclusion of children’s personal information in the definition of “sensitive information”, rights of recourse for parents and guardians, and expanded deletion rights

The AIDA, which is entirely novel, includes a number of provisions that would have significant commercial impact. These include:

  • Regulatory requirements for “high-impact AI systems” (which will be defined by regulation)
  • AMPs for non-compliance with regulations, along with fines for violations of certain requirements in the Act and potential imprisonment for some contraventions
  • Creation of an Artificial Intelligence Data Commissioner, whom the Minister of Innovation, Science and Industry may designate. The Commissioner would have administrative and enforcement authorities
  • Compliance and mitigation measure requirements
  • Requirements for plain language descriptions of systems
  • Material harm notifications to the Minister
  • Order-making powers and audit rights for the Minister.

 

Legislative progress and next steps

Bill C-27 now sits at Second Reading in the House of Commons. Numerous stages of debate lie ahead, both in the House of Commons and, if the bill is passed in the House, the Canadian Senate. With the House of Commons now sitting following its summer recess, debate and discussion about Bill C-27 are likely to intensify in the coming weeks and months.

Deliberation about Bill C-27 follows the recent appointment of a new Privacy Commissioner of Canada, Philippe Dufresne. Commissioner Dufresne has been clear to date that he wishes to see the right to privacy legislatively entrenched in Canada.

Privacy practitioners, academics, and industry stakeholders will be closely following (and in many instances participating in) debate on Bill C-27. If enacted, this bill would mark the most significant change to Canada’s federal privacy regime since the enactment of PIPEDA in 2001.

 

Article provided by INPLP member: Wendy Wagner (Gowling WLG, Canada)

 

 
