Cybersecurity and Privacy in Canada: What You Need to Know About Bill C-27

The protection of privacy, cybersecurity, and the management of artificial intelligence are issues of growing importance to citizens. In response, the federal government tabled Bills C-26 and C-27 on June 14 and 16, 2022.

In our last article, we provided an overview of the new obligations specific to Bill C-26, An Act respecting cybersecurity, to amend the Telecommunications Act and to make consequential amendments to other acts.As a follow up, we discuss below Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Digital Charter Implementation Act, 2022) (the “Bill”)

This new Bill may seem familiar to some since it introduces, like its predecessor Bill C-11 (which died on the order paper in 2019 due to the federal election) two long-awaited bills: the Consumer Privacy Protection Act (the “CPPA”) and the Personal Information and Data Protection Tribunal Act. A third statute is also introduced by Bill C-27: the Artificial Intelligence and Data Act.

Consumer Privacy Protection Act: A Bill with Teeth

The CPPA repeals, modifies, and replaces the first part of the Personal Information Protection and Electronic Documents Act (Electronic Documents Act) currently in force. 

The Commissioner’s New Investigative Power

In the CPPA, the Commissioner is given new powers. In addition to being able to examine complaints, enter into a compliance agreement with organizations in contravention of the CPPA, and proceed to verify the compliance of organizations, the commissioner now has a power of investigation.

He will thus be able to examine complaints and non-compliance with respect to any agreement concluded between the commissioner and an organization. At the end of his investigation, the Commissioner will render a decision and may also issue a compliance order to ensure that the organization complies.

A Heavy Fine

The Commissioner may recommend to the Personal Information and Data Protection Tribunal (the "Tribunal") that a penalty be imposed on the organization found to be in violation of the CPPA following an investigation. The nature and scope of the violation are considered to determine the amount of the penalty, The penalty cannot exceed the greater of $10 million or 3% of the organization’s gross aggregate revenue in its preceding fiscal year.

An organization that knowingly contravenes various sections of the statute also exposes itself to criminal prosecution and, upon conviction, can incur hefty fines.

The Private Right of Action

A claim for damages for loss or injury suffered by an individual because of an organization's violation of the law is also available under the CPPA. Note that this right of action is prescribed by two years.

Consent to the Collection of Personal Information

Collecting, using, or disclosing personal information requires obtaining the prior and valid consent of the individual. To do so, the organization will have to provide the individual with several pieces of information such as the purposes, manner, and reasonably foreseeable consequences of the collection, use, or communication of personal information.

Disclosure of Cross-Border Data Transfers

The CPPA, which applies to the collection, use and disclosure of personal information interprovincially or internationally, requires the organization to state whether it transfers personal information.

Personal Information of Minors, Automated Decision-Making System, and Anonymized Information:

Other significant changes would also come into effect with this new statute, including:

• The personal information of minors would henceforth be considered to be of a sensitive nature;
• The organization that uses an automated decision-making system could be asked for an explanation if the decision, recommendation, or prediction made about an individual could have a significant impact on him or her;
• Anonymized personal information would be distinguished from de-identified personal information. The law would not apply to anonymized personal information that is permanently and irreversibly altered and by which individuals cannot be directly or indirectly identified.

The Creation of a Personal Information and Data Protection Tribunal

The Personal Information and Data Protection Tribunal Act creates the Personal Information and Data Protection Tribunal (the “Tribunal”). This brand-new Tribunal, which has all the powers of a superior court, can render a decision based on the Commissioner’s penalty recommendations and hear the appeal of the complainant or the organization affected by a decision or order of the Commissioner.

The decisions of the Tribunal are rendered in writing and are public. They are also final and binding and may be deemed to be orders of the Federal Court or any superior court.  

Circumscribing Artificial Intelligence in Canada 

The purpose of the Artificial Intelligence and Data Act (hereinafter the “AIDA”) is, on the one hand, to regulate international and interprovincial trade and commerce in artificial intelligence systems and, on the other, to prohibit certain behaviours in relation to these systems when they can cause serious harm to individuals.

The AIDA applies to regulated activities carried on in the context of international or interprovincial trade or commerce. The regulated activities are:

• processing or making available data related to human activity in order to design, develop or use an artificial intelligence system;
• designing, developing, or making available an artificial intelligence system or managing its operation.

According to the AIDA, an artificial intelligence system is defined as a “technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions”. The persons who design, develop, make available, or manage the operation of particularly high impact systems in the context of international or interprovincial trade or commerce are responsible for these systems and their compliance with the AIDA.

To comply with the AIDA, several requirements must be met, particularly in terms of anonymized data, measures to be taken with respect to risks, and record keeping. The AIDA will be supplemented by a regulation which has not yet been proposed to establish the criteria for compliance with the obligations created by the statute.

Non-compliance with the requirements established by the AIDA may give rise to administrative monetary penalties which will be stipulated in the regulations. At this point, we know that breaching the AIDA’s obligations can also lead to criminal prosecutions involving significant financial issues. For example, if a person who is not an individual is prosecuted by indictment, the fine may be the greater of $10 million or an amount equal to 3% the person's gross aggregate receipts in fiscal year preceding the one in which they were convicted.

At present, the regulations that could affect these three statutes have not yet been enacted, but the BCF team remains on the lookout for developments regarding this Bill. We will keep you informed of any noteworthy changes, clarifications, or regulations.

If you have any questions about the impacts the Bill could have on your business, do not hesitate to contact our team, who will be happy to advise you.