Canadian privacy laws: new rules for a new era

What is Bill C-27?

Bill C-27, the Digital Charter Implementation Act, proposes to significantly modernize Canadian privacy law. It will accomplish this by repealing parts of the Personal Information Protection and Electronic Documents Act ("PIPEDA") and replacing them with a privacy and data legal framework rooted in three new acts:

Consumer Privacy Protection Act ("CPPA")
Personal Information and Data Protection Tribunal Act ("PIDPTA")
Artificial Intelligence and Data Act ("AIDA")

The CPPA is intended to replace PIPEDA's "Protection of Personal Information in the Private Sector" section, while the PIDPTA would establish an administrative tribunal for appeals of certain Privacy Commissioner of Canada decisions made under the CPPA. The CPPA would also impose penalties on organizations that contravene the CPPA.

The AIDA, on the other hand, contains a distinct new regime regulating the use of, and trade in, artificial intelligence systems.

Read on for more information about each piece of proposed legislation.

Consumer Privacy Protection Act

Of the three acts proposed under Bill C-27, the CPPA is expected to introduce the most sweeping changes to the regulatory requirements applicable to private sector organizations.

Who does it impact?

Like PIPEDA, the CPPA would apply to private sector organizations in Canada that collect, use or disclose personal information in the course of commercial activities, and transfer information across provincial and national borders.

The CPPA's requirements would also apply to the activities of federally regulated works, undertakings and businesses. With respect to the latter, the law also applies to the personal information of their employees.

Individuals may also wish to take note of the new rights afforded to them under the CPPA, including in relation to data portability and the disposal of one's personal information.

What is the impact?

Below are some of the most significant changes to Canada's federal privacy framework expected under the CPPA:

Privacy management programs

The CPPA would require every organization to implement and maintain a privacy management program. Such programs must detail the policies, practices and procedures the organization uses to satisfy its privacy-related compliance obligations.

Organizations that adopt a strategic approach to their privacy management programs will be better equipped to anticipate risk and mitigate potential liability.
"Purpose" requirements

Like PIPEDA, the CPPA would require that organizations collect, use, or disclose personal information only for appropriate purposes. Unlike PIPEDA, however, it would prescribe an array of criteria used to determine whether a purpose is appropriate.

It will be necessary for organizations to carefully consider these criteria as they determine what is "appropriate" in their unique context.
Consent requirements and exceptions

The CPPA builds on PIPEDA by imposing various new consent requirements. It would also include exceptions to the consent requirements for specific business activities.

Organizations must continually consider the requirements for obtaining valid consent. They must also decide when the new exceptions may be used.
Children's privacy

While implied under PIPEDA, the CPPA would explicitly designate the information of minors as sensitive. Accordingly, it would impose additional considerations and requirements for processing such information. It would also impose certain unique disposal obligations on organizations that process children's personal information.
Individual privacy rights

The CPPA would provide individuals with additional control over their personal information. Under PIPEDA, individuals have the right to access and rectify their personal information held by organizations. Individuals also have the right to withdraw their consent at any time. The CPPA would extend these rights and provide new rights to seek the disposal of and transfer of personal information between organizations.

It would further set out a private cause of action against organizations that contravene the Act. Organizations should anticipate these changes and consider how they will enable individuals to exercise their rights.
De-identification/anonymization

The CPPA would give individuals the right to have their personal information not only deleted, but "anonymized" – a term carefully defined in the CPPA itself. The CPPA requirements do not apply to anonymized information. Organizations must evaluate their anonymization strategy based on the CPPA definition. They should also consider the implications of the CPPA for using anonymized data.
Stricter penalties

The CPPA provides the Privacy Commissioner of Canada with expanded powers, and increases penalties for contravention of the law. These powers and penalties include:

Administrative monetary penalties of up to the higher of three per cent of gross global revenue or $10 million
Increased fines for certain serious contraventions of the law, up to a maximum fine of the higher of five per cent of gross global revenue or $25 million
Auditing and ordering-making powers for the Privacy Commissioner of Canada
A private right of action against an organization for damages for loss due to a contravention of the CPPA

Consumer Privacy Protection Act

Of the three acts proposed under Bill C-27, the CPPA is expected to introduce the most sweeping changes to the regulatory requirements applicable to private sector organizations.

Who does it impact?

Individuals may also wish to take note of the new rights afforded to them under the CPPA, including in relation to data portability and the disposal of one's personal information.

What is the impact?

Below are some of the most significant changes to Canada's federal privacy framework expected under the CPPA:

Privacy management programs

The CPPA would require every organization to implement and maintain a privacy management program. Such programs must detail the policies, practices and procedures the organization uses to satisfy its privacy-related compliance obligations.

Organizations that adopt a strategic approach to their privacy management programs will be better equipped to anticipate risk and mitigate potential liability.
"Purpose" requirements

Like PIPEDA, the CPPA would require that organizations collect, use, or disclose personal information only for appropriate purposes. Unlike PIPEDA, however, it would prescribe an array of criteria used to determine whether a purpose is appropriate.

It will be necessary for organizations to carefully consider these criteria as they determine what is "appropriate" in their unique context.
Consent requirements and exceptions

The CPPA builds on PIPEDA by imposing various new consent requirements. It would also include exceptions to the consent requirements for specific business activities.

Organizations must continually consider the requirements for obtaining valid consent. They must also decide when the new exceptions may be used.
Children's privacy

While implied under PIPEDA, the CPPA would explicitly designate the information of minors as sensitive. Accordingly, it would impose additional considerations and requirements for processing such information. It would also impose certain unique disposal obligations on organizations that process children's personal information.
Individual privacy rights

The CPPA would provide individuals with additional control over their personal information. Under PIPEDA, individuals have the right to access and rectify their personal information held by organizations. Individuals also have the right to withdraw their consent at any time. The CPPA would extend these rights and provide new rights to seek the disposal of and transfer of personal information between organizations.

It would further set out a private cause of action against organizations that contravene the Act. Organizations should anticipate these changes and consider how they will enable individuals to exercise their rights.
De-identification/anonymization

The CPPA would give individuals the right to have their personal information not only deleted, but "anonymized" – a term carefully defined in the CPPA itself. The CPPA requirements do not apply to anonymized information. Organizations must evaluate their anonymization strategy based on the CPPA definition. They should also consider the implications of the CPPA for using anonymized data.
Stricter penalties

The CPPA provides the Privacy Commissioner of Canada with expanded powers, and increases penalties for contravention of the law. These powers and penalties include:

Administrative monetary penalties of up to the higher of three per cent of gross global revenue or $10 million
Increased fines for certain serious contraventions of the law, up to a maximum fine of the higher of five per cent of gross global revenue or $25 million
Auditing and ordering-making powers for the Privacy Commissioner of Canada
A private right of action against an organization for damages for loss due to a contravention of the CPPA

Personal Information and Data Protection Tribunal Act

Artificial Intelligence and Data Act

The AIDA would be the first piece of legislation in Canada to regulate the development and deployment of artificial intelligence (AI) systems in the private sector.

The purpose of the AIDA is twofold:

To regulate international and interprovincial trade and commerce in AI systems by establishing common requirements applicable across Canada for the design, development and use of those systems; and
To prohibit certain conduct in relation to AI systems that may result in serious harm to individuals or harm to their interests.

Who does it impact?

Generally, the AIDA will apply to persons carrying out a "regulated activity." A "person" is defined to include a trust, a joint venture, a partnership, an unincorporated association and any other legal entity." A regulated activity includes, in the course of international or interprovincial trade and commerce:

Processing or making available for use any data relating to human activities for the purpose of designing, developing or using an AI system; or
Designing, developing or making available for use an AI system or managing its operations.

Specific compliance requirements under the AIDA apply to five categories of persons. Persons may have responsibilities under more than one of these categories:

Persons who carry on regulated activities
Persons responsible for AI systems
Persons responsible for high-impact AI systems
Persons who make available for use a high-impact system
Persons who manage the operation of a high-impact system

The AIDA, as drafted, does not define "high-impact system." Although this term, and many other key concepts, remain to be defined in regulations to come, in a companion document, the Government of Canada identified the following as examples of systems that are of interest in terms of their potential impacts:

Screening systems impacting access to services or employment
Biometric systems used for identification and inference
Systems that can influence human behaviour at scale, such as AI-powered online content recommendation systems
Systems critical to health and safety, such as autonomous driving systems and systems making triage decisions in the health sector

What is the impact?

The AIDA sets out different requirements for a variety of persons responsible for AI systems at various stages of their lifecycle:

Anonymization of data

Regulated activities under the AIDA include processing or making available for use data relating to human activities; designing, developing or making available for use an AI system; or managing an artificial intelligence system's operations.

Persons who carry out these regulated activities would be required to establish measures with respect to the manner in which data is anonymized, as well as the use and management of anonymized data. They would also be required to keep records with respect to the measures adopted.

Harm and bias from high-impact AI systems

Persons responsible for designing, developing or making available for use an AI system would be required to conduct an impact assessment to determine whether that system is high impact.

Where a system is determined to be high impact, persons responsible for the high-impact AI system would be required to establish (and monitor compliance with) measures to identify, assess and mitigate risks of harm and bias.

Publication of descriptions

Persons who make available for use a high-impact system would be required to publish on a publicly available website a plain-language description of that system. These descriptions must include explanations of how the system is intended to be used, the types of content that it is intended to generate; the decisions, recommendations or predictions that it is intended to make; and the measures established to mitigate the risks of harm or biased output that could result from the use of the high-impact system.

Persons who manage the operation of a high-impact system have a similar obligation, though the description only need include an explanation of the actual use of the system; the types of content it generates; and the decisions, recommendations or predictions the system makes.

Penalties

Contraventions of the AIDA may generally result in administrative monetary penalties (AMPs) of as much as three per cent of global revenue or $10 million for non-compliance.

Commission of offences under sections 38 or 39 of the AIDA may result in AMPs of as much as five per cent of global revenue or $25 million or imprisonment of individuals.

Resources to learn more or get prepared

Read Bill 27

Innovation, Science and Economic Development Canada, The Artificial Intelligence and Data Act (AIDA) – Companion document
Innovation, Science and Economic Development Canada, Consumer Privacy Protection Act

Our insights:

Canadian privacy laws: new rules for a new era

What is Bill C-27?

Read on for more information about each piece of proposed legislation.

Consumer Privacy Protection Act

Who does it impact?

What is the impact?

Consumer Privacy Protection Act

Who does it impact?

What is the impact?

Personal Information and Data Protection Tribunal Act

Personal Information and Data Protection Tribunal Act

Who does it impact?

What is the impact?

Artificial Intelligence and Data Act

Artificial Intelligence and Data Act

Who does it impact?

What is the impact?

Resources to learn more or get prepared

Sign up to our newsletter

Stay connected