Privacy, Penalties and AI Regulation – The New Digital Charter Implementation Act


By Jeff Holowaychuk and Lauren Zeleschuk

Almost two years since it was first introduced as Bill C-11, Parliament is once again considering the Digital Charter Implementation Act, which, if enacted, will modernize Canada’s federal privacy law. On June 16, 2022, Bill C-27 was introduced in Parliament for its first reading. Bill C-27 revives and refines the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, which were initially introduced in Bill C-11. Bill C-27 also introduces new legislation targeting artificial intelligence systems, the Artificial Intelligence and Data Act.

Consumer Privacy Protection Act

The first part of the Digital Charter Implementation Act, 2022 enacts the Consumer Privacy Protection Act (“CPPA”), which repeals and replaces Part 1 of the Personal Information and Electronic Documents Act (“PIPEDA”), Canada’s current private-sector privacy legislation. The CPPA brings modern privacy protection, similar to that afforded under the EU’s General Data Protection Regulation (widely known as GDPR), to Canadians and provides more clarity for organizations compared to the version introduced under Bill C-11.

The CPPA generally balances an individual’s right to privacy with the need of organizations to collect, use or disclose personal information in the course of business. However, the revised CPPA now includes a lengthy preamble which recognizes that protection of privacy is “essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada”. This addition was likely made in response to some critiques of the former Bill that called for a shift towards a rights-based framework; the CPPA recognizes the importance of privacy but stops short of creating a rights-based framework or referencing privacy as a human right.

Many of the new privacy protections afforded to individuals are carried into the CPPA from its earlier iteration in 2020, including the following:

  • Plain language. Organizations are required to use plain language when seeking the consent to collect, use or disclose an individual’s personal information.
  • Misleading Practices. Organizations are prohibited from using misleading practices to obtain consent.
  • Limited Right to be Forgotten. Individuals are entitled to request an organization dispose of their personal information, which is a limited right to be forgotten.
  • Automated Decision Making. Organizations are required to describe in their privacy policy the use of any automated decision-making systems to make predictions, recommendations or decisions about individuals that could have a significant impact on them and, on request, to provide an explanation of the prediction, recommendation or decision, including the reasons or principal factors that led to it.
  • Data Portability. Certain organizations are required to provide information in a format that allows individuals to move their data to other organizations.
  • Private Right of Action. Individuals that are affected by an organization’s contravention of the CPPA are entitled to bring a direct action for damages against that organization.

Similarly, the revised CPPA carries forward and builds on the strengthened enforcement regime first introduced under Bill C-11. Like its predecessor, Bill C-27 proposes significant fines for privacy violations:

  • organizations guilty of an indictable offence under the CPPA could be fined up to 5% of gross global revenue in the year preceding the penalty or $25,000,000, whichever is greater; and
  • organizations that violate select provisions of the CPPA could face administrative monetary penalties of up to 3% of gross global revenue in the year preceding the penalty or $10,000,000, whichever is greater.

The current iteration of the CPPA expands the list of privacy law contraventions that could result in significant fines. For example, organizations that have not implemented privacy management programs, have not ensured service providers are providing equivalent protection, or do not obtain consent before collecting, using or disclosing personal information are all at risk of an administrative monetary penalty being levied against them.

The enforcement regime is two-layered. At the first layer, the Office of the Privacy Commissioner of Canada oversees compliance with the Act, and has authority to make orders and recommend penalties. However, the imposition of penalties is left to the newly created Personal Information and Data Protection Tribunal, which can make decisions that are enforceable in the same manner as an order of the Federal Court.

Artificial Intelligence and Data Act

Finally, Bill C-27 introduces the new Artificial Intelligence and Data Act (“AIDA”), which:

  • regulates international and interprovincial trade and commerce in artificial intelligence systems;
  • establishes common requirements for the design, development and use of artificial intelligence systems; and
  • prohibits certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or their interests.

The AIDA further establishes an Artificial Intelligence and Data Commissioner to assist the Minister in the administration and enforcement of the AIDA, and introduces an enforcement regime that includes fines and administrative monetary penalties similar to those under the CPPA.

Privacy professionals have been pushing for Canada to update its privacy legislation, and organizations should be alert to the potential changes to Canada’s privacy landscape brought about by Bill C-27. While the Bill itself remains subject to amendment before becoming law, it emphasizes the importance of creating and maintaining robust privacy policies, procedures, and practices, as compliance gaps could soon result in substantial financial impacts for organizations.

If you have any questions about the changes proposed by Bill C-27, or would like to discuss your organization’s privacy management practices, please reach out to a member of our Privacy Team.