Bill C-27: Canada reintroduces sweeping changes to federal privacy law, proposes new AI legislation

In November 2020, the federal government tabled substantial changes to the Canadian privacy landscape with the introduction of Bill C-11, which proposed to repeal the personal information-related provisions of the current federal private sector privacy law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and replace them with a new privacy and data legal framework.

Bill C-11 never made it into law, in part because a federal election was called in 2021.

However, on June 16, 2022 — following last year's elections and a period of suspense — the federal government resurrected Bill C-11 with the introduction of Bill C-27 in the House of Commons. Titled the Digital Charter Implementation Act, 2022, Bill C-27 retains the core elements of Bill C-11, including its proposals to:

1. enact the Consumer Privacy Protection Act ("CPPA") , which would replace Part 1 of PIPEDA entitled "Protection of Personal Information in the Private Sector,"[1] and
2. enact the Personal Information and Data Protection Tribunal Act ("PIDPTA"), which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and impose penalties for the contravention of certain provisions of the CPPA, or conversely, allow the appeal, and in doing so, substitute its own finding, order or decision for that of the Commissioner.

Despite these similarities, there are notable differences between bills C-11 and C-27. A key new aspect of Bill C-27 is how it deals with artificial intelligence ("AI"); while Bill C-11 addressed certain issues related to the use of AI via its proposed provisions on automated decision-making, Bill C-27 would vastly expand on this framework through its proposal to enact the Artificial Intelligence and Data Act ("AIDA") to regulate AI systems.

Bill C-27 is part of a global push to strengthen privacy regulations around the world — a trend that commenced with the European Union's General Data Protection Regulation ("GDPR"), which came into effect on May 25, 2018, and that also includes Bill 64, Quebec's new privacy legislation. For more information about Bill 64, please refer to our prior articles published on April 27, 2022 and June 19, 2020.

This article focuses on the key distinctions between Bill C-27 and Bill C-11. For an in-depth review of the changes first proposed under Bill C-11, please refer to our prior article.

The Consumer Privacy Protection Act

The CCPA retains the expanded powers of Privacy Commissioner of Canada, as well as the severe penalties in case of contravention. These include:

• administrative monetary penalties of up to the higher of 3 per cent of gross global revenue or $10 million;
• increased fines for certain serious contraventions of the law, up to a maximum fine of the higher of 5 per cent of gross global revenue or $25 million;
• auditing and ordering-making powers for the Privacy Commissioner of Canada; and
• a private right of action against an organization for damages for loss due to a contravention of the CPPA.

Bill C-27 proposes the following additional key changes:

• personal information of minors is expressly considered to be sensitive personal information, thereby potentially imposing more rigorous requirements with respect to appropriate purposes for its use, the nature of the consent required (i.e. express vs implied), the duration of the retention period, the security safeguards undertaken, breach notification and de-identification;
• the "business activity" exemption to consent includes an additional exception: an organization may collect or use an individual's personal information without the individual's knowledge or consent for the purpose of an activity in which the organization has a  "legitimate interest" that outweighs the potential adverse effect on the individual, subject to certain conditions;
• the term "anonymize" is defined, and it is clarified that anonymized information is not subject to the CPPA;
• it clarifies that "de-identified" information is personal information, subject to a few exceptions, but expands the cases where de-identified information may be used to re-identify an individual;
• organizations are required to consider the sensitivity of personal information when determining retention periods, and make readily available information regarding those retention periods;
• security safeguards must include reasonable measures to authenticate the identity of the individual to whom the personal information relates;
• organizations are required to dispose of personal information (which can include anonymization) upon the request of an individual, but only in certain circumstances and where the request does not otherwise fall within an enhanced list of exceptions; and
• while an organization using an automated decision system must, like in the prior Bill C-11, provide an explanation of the system's prediction, recommendation or decision regarding an individual, the circumstances in which such an explanation must be provided are limited to those where there could be a significant impact on the individual. Where applicable, the factors that must be addressed in the explanation have been expanded to include the type of personal information that was used, its source, and the reasons or principal factors that led to the prediction, recommendation or decision.

The Artificial Intelligence and Data Act

A new feature of Bill C-27 is a proposal to enact the Artificial Intelligence and Data Act ("AIDA"). The AIDA is the first federal law in Canada regulating the creation and use of AI systems and would create penalties for non-compliance. The stated purposes of the AIDA are to:

1. regulate international and interprovincial trade and commerce in AI systems by establishing common requirements applicable across Canada for the design, development and use of those systems, and
2. prohibit certain conduct in relation to AI systems that may result in serious harm to individuals or harm to their interests. The AIDA defines "harm" as (a) physical or psychological harm to an individual, (b) damage to an individual's property, or (c) economic loss to an individual.

The AIDA defines an "artificial intelligence system" as a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.

Regulation of AI under the AIDA is focused on organizations carrying out a "regulated activity," which means (a) processing or making available for use any data relating to human activities for the purpose of designing, developing or using an AI system, or (b) designing, developing or making available for use an AI system or managing its operations.

Organizations that carry out any regulated activity and process or make available for use anonymized data must establish measures with respect to the manner in which data is anonymized, and the use or management of anonymized data.

The AIDA imposes regulatory requirements for both AI systems generally and those AI systems specifically referred to as "high-impact systems." The existing definition of a "high-impact system" is vague and will be addressed by criteria to be established by regulation. These regulations remain to be drafted as of the publication of this article.

All organizations responsible for an AI system will be required to assess whether the AI system is a high-impact system. Where an AI system meets the definition of a high-impact system, the person responsible must:

• establish measures to identify, assess and mitigate the risks of harm or biased output that could result from the use of the system;
• establish measures to monitor compliance with the mitigation measures and the effectiveness of those mitigation measures;
• where the system is made available for use or an organization is managing the operation of the system, publish on a public website a plain-language description of the system that includes prescribed content; and
• notify the Minister of Industry (or other designated Minister) if use of the system results or is likely to result in material harm.

Further, the AIDA provides the Minister with broad order-making powers and audit rights. In addition, the AIDA provides authority for the Minister to designate an Artificial Intelligence and Data Commissioner, whose role would be to assist in the administration and enforcement of the AIDA.

In addition to administrative penalties, the AIDA would also introduce offences that include significant fines and potential imprisonment for non-compliance. Generally, an organization that contravenes the AIDA is liable on indictment to a maximum fine of the greater of $10 million and 3 per cent of gross global revenues. Further, the AIDA establishes an even higher class of prohibited activities where the contravention involves:

• processing or use of unlawfully obtained personal information in AI system;
• an AI system resulting in serious physical or psychological harm or substantial damage to property; or
• an AI system defrauding the public and causing substantial economic loss.

Such serious offences would result in fines on indictment of up to the greater of $25 million and 5 per cent of gross global revenues.

Next steps

As Bill C-27 is only at the second reading stage, there will likely be much more debate and potential amendments as the bill makes its way through Parliament. The reintroduction of privacy reform legislation in the current parliamentary session is a clear signal that the federal government is committed to implementing sweeping changes to Canadian privacy law, following changes enacted by the province of Québec with Bill 64.

If enacted, Bill C-27 will come into force on a date to be fixed by order of the Governor in Council, though each part of Bill C-27 also contains specific coming into force provisions.

Contributors: Wendy Wagner, Chris Oates and Naïm Alexandre Antaki.