Outline

  • Background to and summary of Bill C-27
  • Accountability and privacy management programs
  • New conditions for valid consent
  • Certain "business activities" and "legitimate interest" exceptions to consent
  • Obligations of service providers
  • Cross-border transfers of personal information
  • Codes of practice and certification programs
  • De-identification and anonymization
  • Individual rights to data mobility, disposal, explanation in automated decision systems
  • Increased risks for non-compliance – new model, powers, tools, administrative monetary penalties, fines, private right of action
  • Oversight of high-impact AI systems – the new Artificial Intelligence and Data Act
  • Comparisons to privacy laws in Europe
  • Key differences from old Bill C-11
  • Key takeaways for Canadian business
  • How to submit concerns about Bill C-27
  • Road ahead – preparing for CPPA and AIDA


Background to Bill C-27

  • On June 16th, ISED Minister Champagne introduced Bill C-27, the Digital Charter Implementation Act, 2022.
  • Bill C-27 will likely go to either the ETHI Committee or the INDU Committee in the Fall.
  • If passed, Bill C-27 will:
    • replace and modernize the current federal private sector privacy law under PIPEDA with the Consumer Privacy Protection Act (CPPA);
    • create a new Personal Information and Data Protection Tribunal (Tribunal) with responsibility to impose administrative monetary penalties (AMPs) and fines; and
    • enact the Artificial Intelligence and Data Act (AIDA).
  • On June 23rd, Philippe Dufresne was appointed Canada's new Privacy Commissioner, effective June 27th.

Summary of Bill C-27

  • Like PIPEDA, the CPPA:
    • provides principles-based rules that are technology-neutral, apply across sectors, and are grounded in a primacy-of-consent framework;
    • balances the interests of individuals and organizations;
    • does not expressly recognize privacy as a fundamental human right; and
    • does not expressly apply to federal political parties and politicians.
  • See: New Privacy Bill: CPPA 2.0 - plus oversight of artificial intelligence, DYL Compliance Bulletin, June 2022.
  • Unlike PIPEDA, the CPPA includes:
    • reinforced valid consent requirements with important new exceptions (that include an organization collecting and/or using an individual's personal information (PI), without their knowledge or consent, for certain "business activities" and "legitimate interests" of the organization, or an organization disclosing PI to certain public institutions for defined "socially beneficial purposes");
    • increased flexibility and clarity for businesses (that include providing for codes of practice and certification programs, defining "de-identified" information and allowing for limited uses of it, and stipulating that the law does not apply to "anonymized" information);
    • clearer accountability requirements (for privacy management programs and service providers);
    • new individual rights (of data mobility, data disposal, and explanation of automated decision systems); and
    • new enforcement powers and tools (including new order-making powers for the Privacy Commissioner, potentially onerous AMPs and fines, and a limited private right of action (PRA) for affected individuals).

Accountability

An organization:

  • is accountable for PI under its control (s. 7(1));
    • PI is "under the control" of the organization that decides to collect it and that determines the purposes of its collection, use or disclosure (s. 7(2));
    • even if the organization transfers PI to a service provider, control remains with the organization; and
  • must designate an individual to be responsible for its compliance under the CPPA (e.g., a privacy officer) (s. 8) and must provide that designated individual's business contact information to anyone who requests it.

Privacy management programs

  • Organizations must implement and maintain a privacy management program (PMP) that includes the organization's policies, practices and procedures (PPPs) to fulfill its CPPA obligations respecting (s. 9(1)):
    • protecting PI;
    • receiving and dealing with requests for information and complaints;
    • providing training and information to staff; and
    • developing materials to explain its policies and procedures.
  • Unlike PIPEDA, the CPPA requires organizations to
    • take into account the volume and sensitivity of the PI under its control when developing its PMP (s. 9(2)); and
    • on the Privacy Commissioner's request, give the Commissioner access to the organization's PPPs (s. 10(1)).
  • After reviewing the PPPs, the Commissioner may provide guidance on, or recommend corrective measures be taken in relation to, the organization's PMP. The Commissioner cannot, however, use PPPs accessed in this way to initiate a complaint or carry out an audit unless the organization willfully disregards the Commissioner's recommendations (s. 111).

New conditions for valid consent

  • The following elements must be provided in plain language at or before the time an individual's consent to collection, use or disclosure of their PI is sought (ss. 15(1), (2), (3) and (4)):
    • the purposes for which PI is collected, used or disclosed;
    • the manner in which PI is collected, used or disclosed;
    • any reasonably foreseeable consequences of the collection, use or disclosure of the PI;
    • the specific type of PI that is to be collected, used or disclosed; and
    • the names of any third parties or types of third parties to which the PI may be disclosed.
  • Consent must be expressly obtained unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the PI (s. 15(5)).


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.