July 26, 2022

How Bill C-27 May Impact Canadian Businesses

Mark Rowan

The much-awaited "Digital Charter Implementation Act, 2022," commonly known as Bill C-27, was introduced by the federal government recently. It is a relaunch of Bill C-11, which was initially submitted in 2020 and failed on the order paper as a result of the federal election in 2021, and some may argue that it is an improvement.

There is great potential for this bill to be made into law. So what exactly does this mean for businesses in Canada? What exactly does Bill C-27 entail? We'll break down everything you need to know in this guide.

What is Bill C-27?

The Canadian government introduced Bill C-27 back in June. The Personal Information Protection and Electronic Documents Act (PIPEDA), which is Canada's universal private sector privacy law, would be updated by the Bill, along with a new tribunal and proposed guidelines for AI systems.

Bill C-11, the Digital Charter Implementation Act, which was introduced in November 2020 but died on the order paper when it was announced that there would be a federal election, was reworked into Bill C-27. It is noteworthy that a sizable chunk of Bill C-11 has been transferred to Bill C-27.

The administrative monetary penalties now cover violations relating to the creation and implementation of a privacy management program, failure to ensure an equivalent level of protection for personal information transferred to a service provider, inadequately defining the purpose, consent, service provider breach notification obligations, and transparency.

The following is an overview of Bill C-27's main points, including the salient differences between its new provisions and those in C-11.

Consumer Privacy Protection Act

Part One of the Personal Information Protection and Electronic Documents Act would be repealed and replaced by the Consumer Privacy Protection Act (CPPA). The Electronic Documents Act would replace Part Two of PIPEDA.

The CPPA gives the Privacy Commissioner of Canada considerable authority to issue orders and imposes severe administrative fines of up to $10 million CAD or three percent of worldwide sales. Fines are higher for serious violations that amount to offences, which can carry a maximum fine of $25 million CAD or 5% of worldwide revenue. Any person who suffers loss or injury as a result of a CPPA violation is also granted a new private right of action.

Even though consent remains a crucial gatekeeper, the CPPA lessens the burden on the individual to understand and provide consent by emphasizing the organization's accountability and openness. For instance, organizations must now implement a privacy management program. When creating such a program, the organization must take into account the volume and sensitivity of the personal information it controls. The Commissioner may request access to the privacy management program's policies, practices, and processes and, after reviewing them, may offer guidance or recommend corrective measures for the program.

To give firms flexibility, the CPPA provides the following list of exceptions to the consent requirement, grouped under the heading of business operations:

  • Information generated via work, commerce, or vocation
  • Employment relationships, such as a federal job, project, or enterprise
  • Legal or notary disclosure
  • Statement of a witness
  • Fraud reduction, detection, or prevention
  • Debt collection
  • Commercial activity
  • Personal information deidentification
  • Development, analysis, and research
  • Prospective business transactions

To every rule there are exceptions. If a person's electronic address is collected using computer software designed or marketed for generating, searching for, and collecting electronic addresses, some of the above exceptions may not apply. Likewise, the exceptions do not apply when a computer system is used, directly or indirectly, to acquire personal data. In these circumstances, express consent is required.

Personal Information and Data Protection Tribunal Act

An administrative tribunal would be created under the Personal Information and Data Protection Tribunal Act to examine specific decisions made by the Privacy Commissioner of Canada and issue judgments for CPPA violations.

The Consumer Privacy Protection Act would be amended to enact the Personal Information and Data Protection Tribunal Act, which would establish a Tribunal to review appeals of orders made by the Privacy Commissioner and implement a new administrative monetary penalty scheme. Under the new name of the Electronic Documents Act, the provisions of the Personal Information Protection and Electronic Documents Act controlling electronic substitutes for paper documents will remain in effect.

While the Personal Information and Data Protection Tribunal Act requires that the Tribunal's adjudicative activities be open to the public by default, there are several exceptions that permit the protection of sensitive data and private hearings. In addition, the Tribunal would be prohibited from disclosing the complainant's name or other identifying information without the complainant's permission, and it would have discretion over whether to name specific organizations in its rulings.

Artificial Intelligence and Data Act

The Artificial Intelligence and Data Act, which was recently passed and may have gone unnoticed by many, will regulate interprovincial and international trade and commerce in artificial intelligence systems by establishing uniform standards that will apply to all of Canada for the creation, development, and use of these systems.

Although "artificial intelligence systems" as defined by the AIDA fall within the CPPA's definition of "automated decision systems," the two statutes approach the topic differently. The CPPA safeguards individual rights and covers large-scale automated decision-making processes that do not necessarily forecast outcomes "autonomously." Advanced computing systems that use deterministic algorithms are also covered by the CPPA. An individual has the right to an explanation of the reasoning behind any prediction, recommendation, or decision that could have a "significant impact" on them.

The AIDA, on the other hand, focuses on "actual" AI systems whose outputs may be hard to trace or understand in relation to their inputs. This challenge is sometimes referred to as the "black box" of AI systems. Since it is difficult to build explainable AI, and it is debatable whether "explainable" implies greater accuracy, managing "actual" AI systems will depend on the organization's code of ethics.

The AIDA is founded on principles, and companies are expected to voluntarily comply with it and use "responsible AI" in their operations. There are two goals for AIDA. First and foremost, it serves to protect Canadian consumers by ensuring that "high-impact" AI technology is developed and implemented in a way that recognizes, evaluates, and reduces the risks of biases and damage. The second is to forbid actions involving AI systems that might seriously hurt people or their interests.

According to the AIDA, an entity must set up policies for the anonymization of data and the use or management of anonymized data. To back up those actions, there are additional documentation needs.

The definition of "high-impact" for any "high-impact" AI system still has to be established by legislation. The usage of the system, the kinds of material it produces, the conclusions, suggestions, or forecasts it offers, the mitigation actions, and any other information that may be required by legislation must all be described by the organization in clear language.

It is unclear what steps must be taken to recognize and address dangers to human health and safety, as well as how to lessen biases in AI systems. Regulation could bring more clarity.

How Could Bill C-27 Impact Businesses in the Context of Data Privacy?

The introduction of radical new provisions into Canada's privacy law by Bill C-27 will have a big impact on Canadian companies. Businesses in Canada will have to make investments to safeguard customer information or risk severe financial and administrative fines.

Additionally, these changes bring Canadian privacy legislation closer in line with Quebec's privacy laws introduced by the recently passed Bill 64 and with the European Union's General Data Protection Regulation (GDPR). By preserving its adequacy status under the GDPR and being recognized as a substantially similar jurisdiction under Bill 64, Canada will benefit from closer alignment with both of these laws. This allows Canadian firms to move personal data from the EU and Quebec to Canada and other provinces without additional data protection safeguards.

Data Governance is Key to the New Bill C-27 Regulations for Canadian Businesses

The CPPA also adds new offences with significantly harsher monetary penalties. An organization commits an offence in the following situations:

  • It fails to report to the Commissioner a breach of security safeguards involving personal information under its control that creates a real risk of significant harm to an individual
  • It fails to keep a record of every breach of security safeguards involving personal information
  • It attempts to re-identify individuals using de-identified data without relying on one of the established exceptions
  • It deletes personal data after an individual has requested access to it and before the individual has exhausted their rights of recourse under the CPPA

An organization found guilty of any of the above offences may be subject to a fine of up to the greater of $25,000,000 and 5% of its gross global revenue in the fiscal year preceding the one in which it is sentenced, or, on summary conviction, the greater of $20,000,000 and 4% of that revenue.

When it comes to compliance, businesses should pay particular attention to the private right of action. The CPPA creates a new private right of action for individuals harmed by an organization's act or omission that violates the CPPA. These individuals may sue the organization to recover damages for any loss or injury they have suffered as a result of the violation. To bring this action, the Office of the Privacy Commissioner and the Tribunal must have found that the organization violated the CPPA, and either the finding has not been appealed to the Tribunal or the Tribunal has dismissed the appeal.

The Bill also specifically mentions an organization's privacy responsibilities with regard to automated decision systems, which are any tools that supplement or take the place of human decision-makers' judgment through the use of regression analysis, predictive analytics, virtual machine learning, neural networks, or other methodologies. A broad overview of the organization's use of any automated decision system to make forecasts, suggestions, or choices about persons that potentially have substantial effects on them must be provided by companies that use personal or sensitive information to inform their automated decision systems. Businesses must also keep the personal data involved in the choices around for long enough to allow the person to seek access.

Under Bill C-27, the scope of security safeguards is expanded to cover reasonable steps to verify the identity of the individual to whom the personal information relates. The Bill also affirms that businesses must use technical, organizational, and physical security measures to protect personal data, and the level of protection those measures provide must be proportionate to the sensitivity of the information. In designing its safeguards, the organization must consider not only the sensitivity of the information but also its quantity, distribution, format, and method of storage. The safeguards must protect personal information against, among other things, loss, theft, and unauthorized access, disclosure, copying, use, and modification.

Businesses that act as service providers or use service providers should also pay close attention to this proposed legislation. Under the CPPA, organizations remain accountable for personal data even when a service provider collects, uses, or discloses it on their behalf. Bill C-27 requires businesses to ensure that the service provider offers an equivalent level of protection, as opposed to the substantially similar level of protection required under Bill C-11. The intent of Bill C-27 is to impose a stricter requirement on businesses that work with service providers.
