Bill C-27: Canada’s New Proposed Private-Sector Privacy Legislation
Introduction to Bill C-27
Canada’s private-sector privacy legislation has not been updated in recent years, unlike Europe's privacy legislation, the GDPR, and Quebec's privacy legislation. Reform of Canada’s privacy legislation will clarify organizations’ obligations, and allow individuals to better understand what information is being collected and how information is being used and disclosed.
On June 16, 2022, the Federal government introduced Bill C-27, the Digital Charter Implementation Act. The Bill is in very early stages. The first reading of the Bill was completed on June 16, 2022, and the second reading is not yet completed. This is not the first time Canadian legislators have attempted to reform Canada’s private-sector privacy legislation. In 2020, the legislators introduced Bill C-11, which was intended to modernize Canada’s private-sector privacy law; however, this Bill died on the order paper when the Canadian federal election was called.
Proposed Reform under Bill C-27
Bill C-27 attempts to align Canada’s privacy regime with our predominantly digital age and technological advances, as well as establish rights and obligations to better align with the European GDPR.
The Bill proposes to enact the Consumer Privacy Protection Act (“CPPA”), which is intended to replace Canada’s current private-sector legislation (Part 1 of Personal Information and Protection of Electronic Documents Act [“PIPEDA”]). The CPPA governs how organizations can collect, use, disclose and retain personal information, and sets out the powers, duties and functions of the Privacy Commissioner.
We outline below some of the new rights and requirements proposed by the Bill:
New Powers and Penalties
- The Privacy Commissioner can issue compliance orders, which, if not appealed, have the same force as an order of the Federal Court. The Commissioner can also recommend penalties be ordered, which would be imposed by the new Personal Information and Data Protection Tribunal.
- Organizations may be subject to monetary penalties, and for certain contraventions the maximum of such penalties is the higher of: (i) $10,000,000 and (ii) 3% of the organization’s gross global revenues in its financial year prior to the year the penalty is imposed.
New Rights for Individuals
- After the Privacy Commissioner or Tribunal renders a decision that a breach has occurred, an individual can bring a private right of action for loss or injury against an organization for breaches of the CPPA.
- An individual can request that their personal information be deleted once it is no longer needed by the organization or after the individual has withdrawn consent. Upon receipt of such request, the organization must dispose of or anonymize the information, subject to certain limited exceptions.
- An individual can request the organization provide an explanation of the decision of an automated decision system, where an automated decision system is used to make a prediction, recommendation or decision about the individual that could have a significant impact on that individual. The organization must explain the type of information that was used, the source of the information and the reasons or principal factors that led to that decision.
New Clarifications and Obligations for Organizations
- The Bill clarifies that organizations may transfer an individual's personal information to a service provider without their knowledge or consent.
- An organization can de-identify personal information without consent or knowledge of the individual. "De-identify" means to "modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains". An organization must not use de-identified information, alone or in combination with other information, to identify an individual, subject to limited exceptions.
- When entering into a prospective business transaction, the organization may use and disclose an individual's personal information without their knowledge or consent, only if the information is first de-identified (subject to certain limitations and exceptions). Under the current regime, the personal information need not be de-identified.
- The Bill introduces the definition of "anonymize": to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure an individual cannot be directly or indirectly identified from the information. The Bill confirms that privacy legislation shall not apply to anonymized information.
- The Bill introduces a new exception to the consent requirement for businesses. Where the organization has a 'legitimate interest' that outweighs any potential adverse effect on the individual, subject to certain restrictions and conditions, the organization can proceed with such activity without the consent or knowledge of the individual. We await the regulations to learn more about this exception.
- New requirements are proposed for the information of minors. The personal information of minors is considered to be 'sensitive information'. Sensitive information carries additional considerations for obtaining consent, using the information, determining the retention period, and ensuring proportionate security safeguards are in place.
The Proposed Artificial Intelligence and Data Act
Bill C-27 also enacts the Artificial Intelligence and Data Act [“AIDA”], which is novel legislation in Canada that aims to regulate the international and interprovincial development of artificial intelligence systems (commonly known as 'AI') in the private sector.
An “artificial intelligence system” means:
“technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.”
AIDA applies to organizations that carry out the following activities in the course of international or interprovincial trade and commerce:
- Process or make available for use any data relating to human activities for the purpose of designing, developing or using an artificial intelligence system, and
- Design, develop or make available for use an artificial intelligence system or manage its operations.
AIDA will prohibit certain conduct that may result in serious harm to individuals or their interests. Harm includes physical or psychological harm, damage to an individual's property or economic loss to an individual.
AIDA will also require certain AI systems to undergo measures to identify, assess and mitigate the risks of harm or 'biased output'. "Biased output" means content or a decision, recommendation or prediction made by an AI system that adversely differentiates, directly or indirectly and without justification, in relation to an individual and one or more of the prohibited grounds of discrimination under the Canadian Human Rights Act.
The regulations have not yet been released, so there is little specific detail on how these organizations will be regulated. Generally, it appears there will be obligations to ensure data is anonymized, to measure and mitigate risk, to publish certain notice requirements to the public, and to keep certain records. Enforcement of the legislation includes administrative monetary penalties and fines for criminal offences.
Sasha A. Lallouz, Associate and Amanda E. Coleman, Student-At-Law