Introduced on June 16, the Digital Charter Implementation Act, 2022 (“Bill C-27”), if passed, will significantly amend the requirements pertaining to privacy and data protection.
Bill C-27 will enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA) and the Artificial Intelligence and Data Act (AIDA).
Highlights of the key proposed provisions of CPPA
Firms will be required to implement and maintain a privacy management program that takes into account (i) the protection of personal data, (ii) the process for handling information requests and complaints, (iii) staff training, as well as (iv) material explaining their privacy program.
The collection, use and disclosure of personal data will be subject to an appropriate purpose test requiring consideration of specified factors: the sensitivity of the personal data, legitimate business needs, the effectiveness of the collection, use or disclosure in meeting those legitimate business needs, whether there are less intrusive means, and whether the loss of privacy would be proportionate to the benefits.
Valid consent will have to be obtained by complying with certain conditions, including the new plain language requirement. Consent obtained by deception through the provision of false or misleading information or the use of deceptive or misleading practices will be considered invalid.
Exceptions to the consent requirements will apply in certain circumstances, including when the personal data is collected or used for business operations and certain activities (e.g. provision of a service or product, network security…).
Security safeguards must be proportionate to the sensitivity of the information and consider the quantity, distribution, format and method of storage of the information. Breaches of security safeguards will still need to be reported to the Commissioner, the affected individuals and any other firm affected by the breach.
De-identification and anonymization will have to meet certain conditions, and firms will be prohibited from using information that has been de-identified to identify an individual. Some exceptions apply (e.g. testing the effectiveness of security safeguards or de-identification processes…).
The Office of the Privacy Commissioner of Canada (OPC) would oversee compliance with the CPPA. Firms guilty of an indictable offence are liable to a fine of up to 5% of global revenue or CA$25 million, whichever is greater. There are also administrative monetary penalties that may apply.
Highlights of the key proposed provisions of AIDA
AIDA will regulate international and interprovincial trade and commerce in artificial intelligence systems (‘AI Systems’) by establishing common requirements applicable across Canada and prohibiting certain conduct in relation to AI Systems that may result in serious harm to individuals or their interests.
Firms that carry out any regulated activity and that process or make available for use anonymized data in the course of that activity will have to implement policies, procedures and processes explaining the manner in which data is anonymized as well as how it is used or managed.
Firms will have to conduct an assessment to determine whether an AI system is a high-impact system (a term not defined in the Act).
Other requirements include the implementation of measures related to risk monitoring, record keeping, notification of material harm, disclosure and penalties for non-compliance.
Bill C-27 is a recast of Bill C-11, the Digital Charter Implementation Act, 2020 (see our earlier article), which was abandoned when the federal election was announced.