Alycia Riley
Associate
Article
13
In November 2020, the federal government tabled substantial changes to the Canadian privacy landscape with the introduction of Bill C-11, which proposed to repeal the personal information-related provisions of the current federal private sector privacy law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and replace them with a new privacy and data legal framework.
Bill C-11 never made it into law, in part because a federal election was called in 2021.
However, on June 16, 2022 — following last year's elections and a period of suspense — the federal government resurrected Bill C-11 with the introduction of Bill C-27 in the House of Commons. Titled the Digital Charter Implementation Act, 2022, Bill C-27 retains the core elements of Bill C-11, including its proposals to:
Despite these similarities, there are notable differences between bills C-11 and C-27. A key new aspect of Bill C-27 is how it deals with artificial intelligence ("AI"); while Bill C-11 addressed certain issues related to the use of AI via its proposed provisions on automated decision-making, Bill C-27 would vastly expand on this framework through its proposal to enact the Artificial Intelligence and Data Act ("AIDA") to regulate AI systems.
Bill C-27 is part of a global push to strengthen privacy regulations around the world — a trend that commenced with the European Union's General Data Protection Regulation ("GDPR"), which came into effect on May 25, 2018, and that also includes Bill 64, Quebec's new privacy legislation. For more information about Bill 64, please refer to our prior articles published on April 27, 2022 and June 19, 2020.
This article focuses on the key distinctions between Bill C-27 and Bill C-11. For an in-depth review of the changes first proposed under Bill C-11, please refer to our prior article.
The CCPA retains the expanded powers of Privacy Commissioner of Canada, as well as the severe penalties in case of contravention. These include:
Bill C-27 proposes the following additional key changes:
A new feature of Bill C-27 is a proposal to enact the Artificial Intelligence and Data Act ("AIDA"). The AIDA is the first federal law in Canada regulating the creation and use of AI systems and would create penalties for non-compliance. The stated purposes of the AIDA are to:
The AIDA defines an "artificial intelligence system" as a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.
Regulation of AI under the AIDA is focused on organizations carrying out a "regulated activity," which means (a) processing or making available for use any data relating to human activities for the purpose of designing, developing or using an AI system, or (b) designing, developing or making available for use an AI system or managing its operations.
Organizations that carry out any regulated activity and process or make available for use anonymized data must establish measures with respect to the manner in which data is anonymized, and the use or management of anonymized data.
The AIDA imposes regulatory requirements for both AI systems generally and those AI systems specifically referred to as "high-impact systems." The existing definition of a "high-impact system" is vague and will be addressed by criteria to be established by regulation. These regulations remain to be drafted as of the publication of this article.
All organizations responsible for an AI system will be required to assess whether the AI system is a high-impact system. Where an AI system meets the definition of a high-impact system, the person responsible must:
Further, the AIDA provides the Minister with broad order-making powers and audit rights. In addition, the AIDA provides authority for the Minister to designate an Artificial Intelligence and Data Commissioner, whose role would be to assist in the administration and enforcement of the AIDA.
In addition to administrative penalties, the AIDA would also introduce offences that include significant fines and potential imprisonment for non-compliance. Generally, an organization that contravenes the AIDA is liable on indictment to a maximum fine of the greater of $10 million and 3 per cent of gross global revenues. Further, the AIDA establishes an even higher class of prohibited activities where the contravention involves:
Such serious offences would result in fines on indictment of up to the greater of $25 million and 5 per cent of gross global revenues.
As Bill C-27 is only at the second reading stage, there will likely be much more debate and potential amendments as the bill makes its way through Parliament. The reintroduction of privacy reform legislation in the current parliamentary session is a clear signal that the federal government is committed to implementing sweeping changes to Canadian privacy law, following changes enacted by the province of Québec with Bill 64.
If enacted, Bill C-27 will come into force on a date to be fixed by order of the Governor in Council, though each part of Bill C-27 also contains specific coming into force provisions.
Contributors: Wendy Wagner, Chris Oates and Naïm Alexandre Antaki.
[1] For context, the other Parts of PIPEDA principally deal with electronic documents and consequential amendments.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.