Canadian privacy laws: new rules for a new era

What is Bill C-27?

Bill C-27, the Digital Charter Implementation Act, proposes to significantly modernize Canadian privacy law. It will accomplish this by repealing parts of the Personal Information Protection and Electronic Documents Act ("PIPEDA") and replacing them with a privacy and data legal framework rooted in three new acts:

  • Consumer Privacy Protection Act ("CPPA")
  • Personal Information and Data Protection Tribunal Act ("PIDPTA")
  • Artificial Intelligence and Data Act ("AIDA")

The CPPA is intended to replace PIPEDA's "Protection of Personal Information in the Private Sector" section, while the PIDPTA would establish an administrative tribunal for appeals of certain Privacy Commissioner of Canada decisions made under the CPPA. The CPPA would also impose penalties on organizations that contravene the CPPA.

The AIDA, on the other hand, contains a distinct new regime regulating the use of, and trade in, artificial intelligence systems.

Cyber security - Client work - Tech companies

Primer on AI Regulation in Canada: Decoding AIDA

To help you prepare for the proposed changes, this guide outlines the scope, requirements, compliance measures and enforcement mechanisms proposed in AIDA, as well as the next steps before the bill is passed into law.

Learn more
241014-ai-primer-guide-cta

Read on for more information about each piece of proposed legislation.

Consumer Privacy Protection Act

Of the three acts proposed under Bill C-27, the CPPA is expected to introduce the most sweeping changes to the regulatory requirements applicable to private sector organizations.


Who does it impact?


Like PIPEDA, the CPPA would apply to private sector organizations in Canada that collect, use or disclose personal information in the course of commercial activities, and transfer information across provincial and national borders.

The CPPA's requirements would also apply to the activities of federally regulated works, undertakings and businesses. With respect to the latter, the law also applies to the personal information of their employees.

Individuals may also wish to take note of the new rights afforded to them under the CPPA, including in relation to data portability and the disposal of one's personal information.


What is the impact?


Below are some of the most significant changes to Canada's federal privacy framework expected under the CPPA:

  • Privacy management programs

    The CPPA would require every organization to implement and maintain a privacy management program. Such programs must detail the policies, practices and procedures the organization uses to satisfy its privacy-related compliance obligations.

    Organizations that adopt a strategic approach to their privacy management programs will be better equipped to anticipate risk and mitigate potential liability.
     
  • "Purpose" requirements

    Like PIPEDA, the CPPA would require that organizations collect, use, or disclose personal information only for appropriate purposes. Unlike PIPEDA, however, it would prescribe an array of criteria used to determine whether a purpose is appropriate.

    It will be necessary for organizations to carefully consider these criteria as they determine what is "appropriate" in their unique context.
     
  • Consent requirements and exceptions

    The CPPA builds on PIPEDA by imposing various new consent requirements. It would also include exceptions to the consent requirements for specific business activities.

    Organizations must continually consider the requirements for obtaining valid consent. They must also decide when the new exceptions may be used.
     
  • Children's privacy

    While implied under PIPEDA, the CPPA would explicitly designate the information of minors as sensitive. Accordingly, it would impose additional considerations and requirements for processing such information. It would also impose certain unique disposal obligations on organizations that process children's personal information.
  • Individual privacy rights

    The CPPA would provide individuals with additional control over their personal information. Under PIPEDA, individuals have the right to access and rectify their personal information held by organizations. Individuals also have the right to withdraw their consent at any time. The CPPA would extend these rights and provide new rights to seek the disposal of and transfer of personal information between organizations.

    It would further set out a private cause of action against organizations that contravene the Act. Organizations should anticipate these changes and consider how they will enable individuals to exercise their rights.
     
  • De-identification/anonymization

    The CPPA would give individuals the right to have their personal information not only deleted, but "anonymized" – a term carefully defined in the CPPA itself. The CPPA requirements do not apply to anonymized information. Organizations must evaluate their anonymization strategy based on the CPPA definition. They should also consider the implications of the CPPA for using anonymized data.
     
  • Stricter penalties

The CPPA provides the Privacy Commissioner of Canada with expanded powers, and increases penalties for contravention of the law. These powers and penalties include:

  • Administrative monetary penalties of up to the higher of three per cent of gross global revenue or $10 million
  • Increased fines for certain serious contraventions of the law, up to a maximum fine of the higher of five per cent of gross global revenue or $25 million
  • Auditing and ordering-making powers for the Privacy Commissioner of Canada
  • A private right of action against an organization for damages for loss due to a contravention of the CPPA

Personal Information and Data Protection Tribunal Act

Artificial Intelligence and Data Act


Resources to learn more or get prepared