Introduction of Bill C-27

The federal government introduced Bill C-27, Digital Charter Implementation Act, 2022 on June 16, 2022. It was the subject of debate on the Cabinet floor in November 2022. The Bill aims to amend and introduce different pieces of legislation pertaining to personal information and privacy protection. The federal government had introduced a similar bill, Bill C-11 (Digital Charter Implementation Act 2020), before the October 2019 federal election but failed to pass it before the election was called. Much of Bill C-27 is based on Bill C-11, but with several notable changes (many of which reflect feedback received on Bill C-11).

If it becomes law, Bill C-27 will significantly change the way privacy is regulated in Canada. Namely, it would:

  • repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and replace it with the new Consumer Privacy Protection Act (CPPA);
  • enact the Personal Information and Data Protection Tribunal Act which would create a new administrative tribunal with greater powers to impose penalties for violation of the CPPA and hear appeals of decisions made by the Privacy Commissioner; and
  • enact the Artificial Intelligence & Data Act to regulate international and interprovincial trade and commerce in artificial intelligence systems.

Scope of Legislation

The focus of this article is on material changes to privacy laws in Canada expected to be implemented under the CPPA. Similar to PIPEDA, personal information is defined as 'information about an identifiable individual'. The CPPA applies to every organization that collects, uses or discloses personal information in the course of commercial activities, and to all personal information an organization collects, uses or discloses interprovincially or internationally. It also applies to employee information of federally regulated organizations, although it is not proposed to extend to the personal information of employees and job applicants in the private sector. The CPPA does not apply to personal information that has been anonymized.

New Obligations

The CPPA will have significant impacts on Canadian businesses, some of which are outlined below:

Organizations must implement and maintain a Privacy Management Program: Every organization must have a privacy management program in place that outlines the policies, practices and procedures the organization has implemented to fulfil its obligations under the CPPA. The program must set out how the organization will develop privacy management materials, protect personal information, manage requests for information and complaints, and train and inform staff. This notwithstanding, an organization may elect to establish a 'code of practice' or 'certification program' that provides the same or greater protection to personal information as required under the CPPA. Upon approval by the Privacy Commissioner (in accordance with the yet-to-be-defined regulations), the organization must comply with that code of practice or certification program.

Required updates to existing policies, practices and procedures: Organizations will need to adapt their existing policies, practices and procedures to account for new or amended obligations under the CPPA including:

  • recognition of the volume and sensitivity of personal information in the organization's control and corresponding differences in the collection, use, and disclosure requirements for that information, how consent must be acquired, the measures that the organization will enact to protect the information, and the period of time such information will be retained;
  • higher thresholds for processing personal information of minors;
  • strengthened requirements to obtain and document valid consent;
  • limited exceptions to the requirement to obtain consent for the collection, use and disclosure of personal information and the potential need to prepare a privacy impact assessment;
  • allowances and limitations on the use of de-identified personal information;
  • requirements to implement reasonable measures to authenticate the identity of an individual to whom personal information relates; and
  • increased transparency regarding cross-border transfers of personal information.

Organizations will remain responsible for service providers acting on their behalf: All organizations will be accountable for personal information under their control – even in circumstances where an organization has engaged a service provider to collect, use or disclose personal information on its behalf. This means that organizations must continue to pay close attention to the contract terms used to engage third parties and ensure that those terms include provisions protecting the personal information to a level equivalent to the organization's own obligations under the CPPA.

Non-compliance may result in significant monetary penalties: Non-compliance with Canada's privacy laws can carry significant consequences. Organizations can face the following monetary penalties and quasi-criminal prosecutions for violation of the CPPA:

  • an administrative monetary penalty up to the higher of $10 million or 3% of the organization's gross global revenue in the previous financial year; and
  • quasi-criminal prosecutions that can carry significant monetary penalties. Crown prosecutors have discretion to proceed either by an indictable offence, under which organizations can be liable for fines of up to $25 million and 5% of their global revenue, or by a summary offence with a fine not exceeding the higher of $20 million and 4% of the organization's global revenue.

New individual rights: The CPPA recognises new rights for individuals that will require organizations to:

  • explain to the individual any predictions, recommendations or decisions made about them by automated means that could have a significant impact on them (referred to as algorithmic transparency);
  • facilitate the transfer of the individual's personal information to another organization (i.e., the right of data portability), subject to a 'data mobility framework' and future regulations to be drafted under the CPPA; and
  • act on the individual's request to dispose of their personal information under the organization's control, subject to certain exceptions (i.e., the right to deletion).

Statutory private right of action for privacy breaches: The CPPA will introduce a statutory private right of action where the Privacy Commissioner of Canada or the Data Protection Tribunal finds that an organization contravened its privacy obligations. This means that individuals harmed by a privacy breach would be able to sue the breaching organization for compensation for loss or injury suffered as a result of the privacy violation.

Stay Informed

Bill C-27 remains at the second reading stage in the House of Commons and some of it may change. It will still need to be referred to a parliamentary committee before advancing further in Parliament. Until then, organizations should remain mindful that Bill C-27 is but one of many global efforts that aim to address privacy and data security in a constantly evolving technological landscape. Organizations should therefore proactively assess their current privacy policies and data management systems to ensure they are prepared for the inevitable changes to come. Organizations that are already subject to the stricter requirements of Quebec's Bill 64 and the European Union's General Data Protection Regulation may have a head start, but all organizations will need to ensure that compliance with the CPPA is a top priority.

This article was written with contributions by Haneen Al-Noman, an articling clerk at Cox & Palmer.