On June 16, 2022, the federal government introduced Bill C-27, "An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts."
As we wrote in a previous article on this topic, Bill C-27 is an update to Bill C-11, the Digital Charter Implementation Act, which was introduced in 2020, but expired as a result of the last federal election. Bill C-27 is designed to update Canada's federal private sector privacy law and, in particular, the Personal Information Protection and Electronic Documents Act ("PIPEDA").
This article provides an overview of the key changes that Bill C-27 proposes to bring to the federal government's current privacy framework.
1. Personal Information and Data Protection Tribunal
One of the most significant changes is the proposal to introduce a new Personal Information and Data Protection Tribunal ("Tribunal") to replace the current role of the Federal Court under PIPEDA. The Tribunal will have the power to review decisions of the Office of the Privacy Commissioner of Canada ("Commissioner") and impose administrative penalties. A decision of the Tribunal will be final and binding and, except for judicial review under the Federal Courts Act, will not be subject to appeal or review by any court.
2. Powers of the Commissioner
Bill C-27 proposes to grant the Commissioner broad audit and order-making powers, and enable the Commissioner to make recommendations to the Tribunal for the imposition of significant administrative monetary penalties on organizations for violating the key provisions. The Commissioner would also be granted greater powers with regard to conducting inquiries and making compliance orders.
3. Significant Penalties
Among the most significant changes, the Tribunal would be authorized to impose administrative monetary penalties of up to $10,000,000 CDN or 3 per cent of the organization's global gross revenues, whichever is higher.
The most egregious violations of the new legislation – such as failing to report breaches to the Commissioner or to maintain records of them, knowingly using de-identified information to identify an individual, or knowingly contravening a compliance order issued by the Commissioner – would constitute offences punishable, upon prosecution, with a fine of up to $25,000,000 CDN or 5 per cent of the organization's global gross revenues.
4. Private Right of Action
The proposed legislation will introduce a new private right of action by which an individual affected by a contravention may bring a claim against the organization for damages for loss or injury suffered as a result of the contravention. The individual would be able to sue for a privacy violation following a finding by the Commissioner or the Tribunal that an organization has contravened the new Consumer Privacy Protection Act ("CPPA").
5. Consent and Exceptions
If passed, Bill C-27 will expand the requirements for obtaining consent and the applicable exceptions to consent.
To obtain valid consent, organizations will need to notify individuals, in plain language, of the type of personal information they collect, use and disclose, and the purposes, manner, and consequences of such collection, use and disclosure, before or at the time of collection. Organizations must also identify any third parties to whom personal information will be disclosed.
Bill C-27 proposes to introduce a new consent exception for the collection or use of personal information for identified business activities and legitimate interests.
In addition, Bill C-27 contains an express exemption to consent requirements for information that has been de-identified.
6. Individual Rights
Similar to PIPEDA, the CPPA would grant individuals the right to access and amend (correct) their personal information.
The proposed amendments also import the "right to be forgotten" – a new right to allow individuals to request the disposal of their personal information in writing (with limited exceptions). Disposal under the CPPA includes deletion and rendering the data anonymous. This right would apply to any personal information "under the organization's control." If the organization refuses to dispose of the individual's personal information, it must inform the individual of the reason for refusal in writing.
7. Safeguards and Incident Response
The CPPA would include a security-safeguarding obligation that is very similar to that now in effect under PIPEDA – an obligation to protect personal information through "proportionate" physical, organizational and technological security safeguards (s. 57(1)). The sensitivity of the information will be a primary factor for consideration.
Breach notification and reporting requirements are proposed to be substantially similar to the current requirements under PIPEDA.
8. Artificial Intelligence
Bill C-27 also proposes to introduce a new act (the Artificial Intelligence and Data Act) specifically intended to address artificial intelligence systems and data. The Act will require organizations or individuals responsible for AI to, among other obligations, assess whether these systems are "high-impact," develop mitigation plans to reduce or eliminate the associated risks, publicly disclose when high-impact systems are being used, and notify the Minister of Innovation, Science and Industry when use of the system results, or is likely to result, in "material harm."
9. Coming into Force
Bill C-27 is currently at second reading in the House of Commons, and debates and committee will follow. Bill C-27 shows substantial changes from Bill C-11 and may be subject to further significant amendments. The full text of Bill C-27 can be viewed at: https://www.parl.ca/DocumentViewer/en/44-1/bill/C-27/first-reading.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.