Modernizing Canada’s Privacy Laws: What Employers Need to Know About Bill C-27
Date: June 21, 2022
On June 16, 2022, the federal government introduced Bill C-27, Digital Charter Implementation Act, 2022. If passed, Bill C-27 would repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and replace it with the new Consumer Privacy Protection Act (CPPA). It would enact the Personal Information and Data Protection Tribunal Act (PIDPTA) which creates a new administrative tribunal to hear appeals of decisions made by the Privacy Commissioner (Commissioner) under the CPPA. The Electronic Documents Act would remain as a separate act. The Bill would also enact the Artificial Intelligence and Data Act (AIDA) to regulate international and interprovincial trade and commerce in artificial intelligence (AI) systems. The Bill is similar to the former Bill C-11, Digital Charter Implementation Act, 2020, which was introduced but not passed prior to the last federal election.
In this FTR Now, we highlight some of the major changes governing the regulation of personal data in each of the proposed new acts. It should be noted these changes may or may not be reflected in the final version of Bill C-27, and we will continue to monitor the Bill as it moves through the legislative process.
Consumer Privacy Protection Act
Anonymous and De-Identified Information
The CPPA creates two classes of non-personal information. Anonymous information is personal information which has been modified to ensure individuals cannot be identified. Such information may be freely used and disclosed. De-identified information is personal information with identifiers removed which continues to pose some risk of allowing identification. Handling of such information remains subject to some regulation.
Automated Decision Systems
Organizations that use automated decision systems to predict, recommend or make decisions about an individual which could have a significant impact on them must provide this information upon request.
Right to Delete
Individuals may request the deletion of their personal data subject to certain exceptions, including where the information cannot be severed from another person’s personal data or where legal retention obligations exist. Organizations must ensure their service providers also delete such data.
In certain instances, individuals will be able to request that their personal data be disclosed to other organizations. The details of the data mobility scheme will be set out by regulation.
Much of the existing consent framework found in PIPEDA remains in place, including the circumstances in which express and implicit consent may apply.
Exemptions from Consent
The CPPA contains a number of modifications to the consent exemption provisions, including:
- A detailed “business activities” exemption which encodes when personal data can be collected or used without knowledge or consent including where necessary to: provide a product or service requested by an individual; for information, system or network security; and, for the safety of a product or service. The exemption also provides that consent is unnecessary where a reasonable person would expect the collection or use. However, marketing purposes are carved out of the exemption.
- An explicit exemption permitting transfers of personal data to an organization’s service providers without consent. However, the Bill provides that organizations remain responsible for compliance under the CPPA for personal data held on their behalf by service providers.
- A new “legitimate interest” exemption not contained in Bill C-11 which permits collection, use and disclosure of personal information without consent permissible in certain cases where the legitimate interests of the organization outweigh the adverse interests to the individual.
- Rules enhancing the information to be provided to individuals as a condition for informed consent.
Like PIPEDA, the CPPA contains a provision permitting the use and disclosure of personal information for business transactions such as purchases and mergers without consent, but it adds a requirement to de-identify the information which would need to be implemented when undertaking such transactions, subject to limited exceptions.
Computerized Data Extraction
The CPPA explicitly provides that many of the consent exemptions, including the “business activities” exemption, cannot be relied upon to collect or use an individual’s electronic addresses via a computer program or to collect personal data stored on a computer by any means of telecommunication.
Policies and Privacy Management Program
Organizations subject to CPPA must prepare publicly available information including the types of information they handle and how the information is used. This specifically includes the aforementioned use of automated decision systems as well as express reference to interprovincial or international transfers of personal information having “reasonably foreseeable privacy implications.” Organizations must also have a separate privacy management program to address protection of personal data, responding to access requests and staff training.
Protection of Minors
The CPPA deems the personal information of minors to be “sensitive information” which results in greater protection for minors under that legislation.
Enforcement and Remedies
Bill C-27 enhances the powers of the federal Office of the Privacy Commissioner (OPC). Among the most significant changes, the Bill authorizes the OPC to:
- order organizations to change practices and publicize such changes,
- approve an organization’s Codes of Practice or Certification Program to meet compliance obligations, and
- recommend penalties to the new Data Protection Tribunal (Tribunal).
The Tribunal would be empowered to impose significant penalties to a maximum of $10,000,000 or 3% of gross global revenue. They apply to a variety of breaches of the CPPA including failures to limit collection or obtain consent, as well as failures to dispose of personal data or maintain it in a secure manner in compliance with the CPPA.
In addition, the CPPA contains provisions with fines of up to $25,000,000 or 5% of gross global revenue for offences such as failing to report breaches to the Commissioner or maintaining records of same, destroying records which are the subject of an access appeal, using anonymous information to identify an individual except in permitted circumstances, engaging in reprisals or obstructing an inquiry by the OPC.
Finally, the proposed legislation would create a private right of action for individuals who are impacted by an organization’s contravention of the CPPA. Individuals would be able to sue for a privacy violation following a finding by the OPC or the Tribunal that an organization had contravened the CPPA.
Personal Information and Data Protection Tribunal Act
The PIDPTA would create the Data Protection Tribunal to hear appeals of certain decisions made by the Commissioner under the CPPA. The Tribunal would have the power to hear all appeals brought in response to orders made and penalties recommended under the CPPA.
Artificial Intelligence and Data Act
The AIDA would regulate international and interprovincial trade and commerce in AI systems by requiring that persons responsible for “high-impact” AI systems adopt measures to mitigate risks of harm and biased output. High-impact systems are subject to further definition by regulations not currently available.
Requirements and Ministerial Orders
This proposed legislation includes a number of requirements, including establishing measures to identify, assess and mitigate harm of biased output. The legislation also requires measures to monitor compliance and record-keeping on measures and assessments of high-impact systems. Those who make available or who manage the operation of a high-impact system must publish and make publicly available a “plain-language description” of the system including:
- how the system is intended to be used,
- the types of content that it is intended to generate and the decisions, recommendations or predictions that it is intended to make,
- mitigation measures, and
- any other information that may be prescribed by regulation.
The AIDA would also allow the Minister to make orders such as requiring disclosure of records, conducting audits and implementing measures to address issues found in an audit. The Minister would have the power to make any person responsible for a high-impact system to cease using it or making it available for use where the Minister “has reasonable grounds” to believe the system gives rise to “a serious risk of imminent harm.”
Administrative Monetary Penalties and Offences
The AIDA would provide for regulations respecting administrative monetary penalties for violation of the act. No such regulations are currently available. In addition, the AIDA contains offence provisions which carry penalties for various offences under it.
In addition to outlining the general powers of the Minister, the AIDA outlines that the Minister may designate an Artificial Intelligence and Data Commissioner to assist in the administration and enforcement of the AIDA.
Given the new requirements set out by Bill C-27 and the growing efforts to address data security internationally, employers should begin to take action by assessing their data policies and personal data management procedures and addressing any existing or potential gaps.
We will continue to monitor the progress of Bill C-27. Should you have any questions or require further information about the Bill, please contact any member of our Information, Data Security & Privacy Group.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©