The federal government introduced the Digital Charter Implementation Act (Bill C-27) in June 2022 as a rework of the previously introduced Bill C-11, which did not pass. This new bill will be replacing PIPEDA (the Personal Information Protection and Electronic Documents Act) which was first introduced in 2001. Its purpose is to equip Canadian organizations to handle the current privacy and data protection landscape by providing a more rigorous and modern legal framework in line with international developments. Bill C-27 will apply to all private sector organizations within Canada.

Some of the changes vary significantly from Canada’s current federal privacy legislation. As such, it’s important to be proactive in understanding these changes and their potential impact on your organization. Your people, processes, and technology all have a role to play in mitigating privacy risks.

If passed, Bill C-27 would:

• Repeal Part 1 of the current privacy legislation, known as the Personal Information and Electronic Documents Act (PIPEDA), and replace it with the new Consumer Privacy Protection Act (CPPA),
• Maintain Part 2 of PIPEDA, the Electronic Documents Act, as a separate Act,
• Enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which creates a new administrative tribunal to hear appeals of decisions made by the Privacy Commissioner, under the CPPA, and
• Enact the Artificial Intelligence and Data Act (AIDA) to regulate trade and commerce in artificial intelligence (AI) systems between provinces and countries.

Here are some of the key changes introduced by Bill C-27 that could have the most notable impact on organizations doing business in Canada:

The Acts introduced by Bill C-27, and how they differ from other legislation, are explained below in greater detail.

One of the most significant changes in Bill C-27 is the introduction of more severe penalties for organizations that do not comply with the CPPA.

The Privacy Commissioner of Canada will enforce the CPPA. They may recommend to the newly created Data Protection Tribunal that penalties be imposed on organizations for non-compliance. Keep in mind that the Data Protection Tribunal will have the final say when it comes to imposing penalties; the Commissioner will not have powers to directly impose these penalties (which is very unusual for privacy laws).

The CPPA will also allow a “private right of action” for individuals who are impacted by an organization’s non-compliance with the Act, as seen in Quebec’s Bill 64. The monetary penalties include:

• $10 million, or three percent of global gross revenues, for private organizations that fail to comply with CPPA regulations
• $25 million, or five percent of global gross revenues, for private organizations facing criminal penalties

These penalties are among the harshest fines for non-compliance to date, as both Bill 64 and the European General Data Protection Regulation (GDPR) have a two percent global gross revenue cap for non-compliance and a four percent cap for criminal penalties.

• New Powers to the Commissioner — The Privacy Commissioner of Canada can provide guidance or recommend changes and corrections to organizations’ privacy management programs. If the Commissioner finds an organization has violated the CPPA, he may issue a compliance order to correct the problems that led to the violation. This is significantly different from Bill C-11 and affords the Commissioner with much broader powers to intervene in contraventions of the CPPA.
• Notion of ‘control’ — As with PIPEDA, the CPPA states that an organization is responsible for personal information under its control. However, the CPPA clarifies the notion of “control” — it states that organizations have control of personal information when it is transferred to or collected by a service provider on the organization’s behalf. Furthermore, it is the organization’s responsibility to ensure the service providers they transfer information to provide a level of protection that is equal to their own, under the CPPA.
• Privacy management program — Organizations must implement and maintain a privacy management program that includes the policies, practices, and procedures the organization has put into place to fulfill its obligations under the CPPA. Organizations will also be required to consider the implications of the volume and sensitivity of personal information under their control.

• Clarity on what is and what is not Personally Identifiable Information (PII) — To “de-identify” in the CPPA means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified may remain.

To “anonymize” means to irreversibly and permanently modify personal information according to generally accepted best practices, to ensure no individual can be identified from the information, whether directly or indirectly, by any means.

The CPPA’s definitions of de-identified and anonymized data relate to efforts to clarify what is, and what is not, PII. De-identified data still presents the risk of identifying an individual, which means that regulations will still apply. With anonymized data, there is said to be no risk of identification of an individual, which means anonymized data is not PII and, in turn, is not subject to the CPPA.

• Identifying purposes at or before the time of collection — An organization may only collect, use, or disclose personal information in a manner and for purposes that a reasonable person would consider appropriate under the circumstances, whether or not the CPPA requires consent. This stipulation is very important — it means that an organization must decide at or before the time of collection each of the purposes for which they will collect, use, or disclose personal information, and then record those purposes.
• Consent and consent exceptions — The consent requirements and exceptions introduced in the CPPA demonstrate a stronger focus on transparency regarding how organizations will be permitted to use the data they collect. The Act is clearer on the definition of consent than Bill C-11; it specifies that the request for consent must be in plain language that the individual would reasonably be expected to understand. The CPPA better defines what meaningful and informed consent entails, and what processes and procedures an organization must follow if it uses the exceptions to consent.

Here are the consent exceptions introduced by the CPPA:

• Business activities: An organization may collect or use an individual’s personal information without their knowledge or consent if it is for:
  • the purpose of a business activity that is necessary to provide a product or service that the individual has requested from the organization,
  • information or network security,
  • the safety of a product or service that the organization provides, or
  • any other prescribed activity.
• Legitimate interest: Organizations must have a process in place to assess if there is a legitimate interest in collecting or using an individual’s personal information if they intend to conduct an activity without that individual’s knowledge or consent.
• Exceptions to de-identified information:
  • For research and development purposes
  • For prospective business transactions
  • For “socially beneficial” purposes
  • To test security safeguards, fairness and accuracy of models, processes, and systems, and the effectiveness of the de-identification processes

Another important addition in the CPPA is the frequent emphasis on sensitive information and the organizations’ responsibility to be cautious of the sensitivity of the information they possess.

Under the CPPA, the sensitivity of personal information must be factored in as organizations consider:

• whether the purposes of the collection, use, and disclosure are appropriate,
• the form of consent,
• security safeguards, and
• retention periods, including transparency regarding the established retention policies.

• Minors — Under the CPPA, a minor’s personal information is classified as sensitive by default and organizations must provide minors with more robust protections. Parents or guardians can exercise the rights and recourse under the CPPA on behalf of their child (including consent). However, the minor will be able to object to their parent’s authorization if they can do so.

• Automated decision-making — Organizations must inform individuals of automated decision-making systems for any prediction, recommendation, or decision that could have a significant impact on the individual. In fact, the right to be informed of automated decision-making is the only individual right in the CPPA that directly applies to de-identified information.
• Right to disposal — In the following circumstances, an individual may request that an organization dispose of their personal information under the organization’s control:
  • If the organization collected, used, or disclosed their personal information in contravention of the CPPA,
  • If the individual has withdrawn their consent, or
  • If the personal information is no longer necessary for the continued provision of a product or service to the individual.

There are also new exceptions for the right to disposal in the CPPA that were not introduced in Bill C-11, including the right for organizations to refuse:

• If disposal would result in another individual’s personal information being disposed of,
• If a contractual or legal requirement prohibits the disposal,
• If the disposal would negatively impact the ongoing provision of a product or service to the individual,
• If the individual’s request was made in bad faith,
• If the information is already scheduled to be disposed of per the organization’s retention policy, and the organization informs the individual of the time remaining before disposal.

• Right to data portability — Data portability frees up the flow of personal data between companies and gives the data subject (i.e., the individual whose data an organization holds) control over the data. This means that individuals may request their data to be disclosed to another organization, designated by the individual, if both organizations are subject to a data mobility framework.

Bill C-27 would enact the Personal Information and Data Protection Tribunal Act (PIDPTA) to establish a tribunal that would hear appeals of certain decisions made by the Commissioner under the CPPA.

This tribunal structure was originally introduced in Bill C-11, but under BillC-27 the powers of the Tribunal would be elevated to be equivalent to those of a superior court of record. All decisions made by this Tribunal will be final, binding, and enforceable in the same manner as an order of the court. Other than a judicial review under the Federal Courts Act, these decisions would not be subject to appeal or review by any court.

The unprecedented Artificial Intelligence and Data Act would create a new framework and provide guidance on privacy protections for the development of AI systems.

• Regulate the international and interprovincial trade and commerce of AI systems by establishing common requirements for the design, development, and use of those systems,
• Prohibit certain conduct related to AI systems that may result in serious harm to individuals or their interests

• Establish ways of identifying, assessing, and mitigating the harm of biased output,
• Set up a means to monitor compliance with the risk mitigation measures,
• Comply with prescribed record-keeping mandates
• Notify the Minister if the use of the system results or is likely to result in material harm,
• Establish measures for the way that data is anonymized and the use of anonymized data if applicable,
• Make a “plain language description” of the system available to the public, including:
  • How the system is, or is intended to be, used
  • The types of content that it generates and the decisions, recommendations, or predictions that it makes,
  • The measures that are established to reduce the risk of harm, or the biased output that could result from the use of the system, and
  • Any other information prescribed by regulation

The Minister is provided with new powers to request the following from organizations under the scope of the AIDA: 

• Production of records,
• The organization or an independent auditor to conduct an audit,
• An organization to implement measures specified in the audit,
• An organization to cease using a high-impact AI system, or making it available for use, if there are reasonable grounds to believe the use of the system may give rise to a serious risk of imminent harm.

Monetary penalties for contraventions of the Act will be set out in the regulations. They are significant and equivalent to those in the CPPA outlined above.

The changes introduced by Bill C-27 will have a significant impact on your organization’s privacy policies and procedures. It’s important that you work towards a managed privacy risk management program, which should be monitored over time. Understanding these legislative changes will help ensure your customers are confident that your organization can provide the secure and appropriate handling of their personal information.