October 6, 2022
Bill C-27 has the potential to impact how all private sector organizations in Canada approach data protection. Here’s what businesses need to know.
The federal government introduced the Digital Charter Implementation Act (Bill C-27) in June 2022 as a rework of the previously introduced Bill C-11, which did not pass. This new bill will be replacing PIPEDA (the Personal Information Protection and Electronic Documents Act) which was first introduced in 2001. Its purpose is to equip Canadian organizations to handle the current privacy and data protection landscape by providing a more rigorous and modern legal framework in line with international developments. Bill C-27 will apply to all private sector organizations within Canada.
Some of the changes vary significantly from Canada’s current federal privacy legislation. As such, it’s important to be proactive in understanding these changes and their potential impact on your organization. Your people, processes, and technology all have a role to play in mitigating privacy risks.
If passed, Bill C-27 would:
Here are some of the key changes introduced by Bill C-27 that could have the most notable impact on organizations doing business in Canada:
The Acts introduced by Bill C-27, and how they differ from other legislation, are explained below in greater detail.
One of the most significant changes in Bill C-27 is the introduction of more severe penalties for organizations that do not comply with the CPPA.
The Privacy Commissioner of Canada will enforce the CPPA. They may recommend to the newly created Data Protection Tribunal that penalties be imposed on organizations for non-compliance. Keep in mind that the Data Protection Tribunal will have the final say when it comes to imposing penalties; the Commissioner will not have powers to directly impose these penalties (which is very unusual for privacy laws).
The CPPA will also allow a “private right of action” for individuals who are impacted by an organization’s non-compliance with the Act, as seen in Quebec’s Bill 64. The monetary penalties include:
These penalties are among the harshest fines for non-compliance to date, as both Bill 64 and the European General Data Protection Regulation (GDPR) have a two percent global gross revenue cap for non-compliance and a four percent cap for criminal penalties.
To “anonymize” means to irreversibly and permanently modify personal information according to generally accepted best practices, to ensure no individual can be identified from the information, whether directly or indirectly, by any means.
The CPPA’s definitions of de-identified and anonymized data relate to efforts to clarify what is, and what is not, PII. De-identified data still presents the risk of identifying an individual, which means that regulations will still apply. With anonymized data, there is said to be no risk of identification of an individual, which means anonymized data is not PII and, in turn, is not subject to the CPPA.
Here are the consent exceptions introduced by the CPPA:
Another important addition in the CPPA is the frequent emphasis on sensitive information and the organizations’ responsibility to be cautious of the sensitivity of the information they possess.
Under the CPPA, the sensitivity of personal information must be factored in as organizations consider:
There are also new exceptions for the right to disposal in the CPPA that were not introduced in Bill C-11, including the right for organizations to refuse:
Bill C-27 would enact the Personal Information and Data Protection Tribunal Act (PIDPTA) to establish a tribunal that would hear appeals of certain decisions made by the Commissioner under the CPPA.
This tribunal structure was originally introduced in Bill C-11, but under Bill C-27 the powers of the Tribunal would be elevated to be equivalent to those of a superior court of record. All decisions made by this Tribunal will be final, binding, and enforceable in the same manner as an order of the court. Other than a judicial review under the Federal Courts Act, these decisions would not be subject to appeal or review by any court.
The unprecedented Artificial Intelligence and Data Act would create a new framework and provide guidance on privacy protections for the development of AI systems.
The Minister is provided with new powers to request the following from organizations under the scope of the AIDA:
Monetary penalties for contraventions of the Act will be set out in the regulations. They are significant and equivalent to those in the CPPA outlined above.
The changes introduced by Bill C-27 will have a significant impact on your organization’s privacy policies and procedures. It’s important that you work towards a managed privacy risk management program, which should be monitored over time. Understanding these legislative changes will help ensure your customers are confident that your organization can provide the secure and appropriate handling of their personal information.