Today, the Government of Canada tabled a Bill to create a new statutory framework governing personal information practices in the private sector. If passed, Bill C-27, the Digital Charter Implementation Act, 2022, will establish three new statutes:
-
The Consumer Privacy Protection Act (CPPA), a private sector law that will repeal and replace the personal information protection framework in PIPEDA;
-
The Personal Information and Data Protection Tribunal Act, which will establish an administrative tribunal to review certain decisions made by the Privacy Commissioner of Canada and impose penalties for contraventions of the CPPA; and
-
The Artificial Intelligence and Data Act, which will create a risk-based approach to regulating trade and commerce in AI systems.
The proposed privacy framework within Bill C-27 is substantially similar to the former Bill C-11, which died on the order paper in 2021 prior to the recent federal election. Key features of the privacy framework proposed by Bill C-27 include:
-
Administrative monetary penalties of up to 3% of global revenue or $10 million CAD for non-compliant organizations.
-
Expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million CAD.
-
Provisions granting the Privacy Commissioner of Canada broad order-making powers.
-
The creation of a private right of action for losses or injuries arising from contraventions of the CPPA.
-
The establishment of a Personal Information and Data Protection Tribunal, to which decisions, orders and recommendations of the Privacy Commissioner of Canada could be appealed.
-
A requirement for organizations to implement a privacy management program.
-
A re-enforcement of consent (especially express consent) as the primary authority for organizations to process personal information, and more prescriptive consent requirements.
-
Clarifications and additional "exceptions to consent" authorities for the collection, use, or disclosure of personal information, for certain defined standard "business activities". Bill C-27 also includes an authority for collection or use without consent for "legitimate interests", subject to an organization conducting a prior assessment and fulfilling certain other conditions.
-
Provisions relating to "de-identified" data and "anonymized" data. Bill C-27 also clarifies that the CPPA would not apply to anonymized information.
-
Provisions requiring organizations, under certain circumstances, to dispose of personal information upon an individual's request.
-
Algorithmic transparency provisions that would provide individuals the right to request that businesses explain how a prediction, recommendation or decision — which could have a "significant impact" on the individual — was made by an automated decision-making system and explain how the information was obtained.
-
Provisions granting individuals data mobility rights by allowing them to direct the transfer of their personal information from one organization to another.
-
A provision enabling organizations to request that the Privacy Commissioner of Canada approve codes of practice and certification systems setting out rules for how the CPPA could apply to certain activities, sectors or business models, and assist with demonstrating compliance.
The proposed CPPA also creates a special status for personal information of minors.
AccessPrivacy will be sending another e-news blast with a high-level description of the key features of the new Artificial Intelligence and Data Act shortly, which recipients of this email will receive automatically.
Special Monthly Call:
-
Join us for a special 1-hour AccessPrivacy Webinar next Wednesday, June 22 at 11:30 a.m. EST for an initial commentary on key features of the proposed new federal privacy rules. Please register for free on the event page.
-
Additionally, the AccessPrivacy team is working to provide our Knowledge Portal subscribers with a suite of resources considering the impact of the new legislation. In our Legislative Reform Portal, you can access detailed analyses of the 2020 iteration of the Bill (C-11), as well as all provincial privacy legislative reform activity.