By Dan Daniele
Bill C-27, the Digital Charter Implementation Act, 2022 seeks to bring “safety and trust” to the forefront of Canada’s evolving digital sphere, according to the Minister of Innovation, Science and Technology, Francois-Philippe Champagne, who introduced this bill on June 16, 2022. Bill C-27 promises to update and strengthen Canadian privacy law, govern the responsible development and use of artificial intelligence (“AI”), and continue implementing the principles of Canada’s Digital Charter. As social media companies deal with large volumes of personal data and are increasingly relying on AI systems, these companies and their consumers will surely experience the impacts of this bill if it becomes law. In Europe, where privacy laws are stringent, social media companies have already faced significant fines for data misuse.
Bill C-27 would repeal Part 1 of the Personal Information Protection and Electronic Documents Act, which has been Canada’s main source of law governing how businesses handle personal information. Bill C-27 would also enact three new statutes that will introduce notable changes to Canadian privacy law, some examples of which are summarized in the following chart:
|Statutes to be enacted by Bill C-27
|Consumer Privacy Protection Act
|· Organizations will be required to get consent from individuals and inform them, in plain language, of how the organization will collect, use, and disclose their information.
· Organizations will be held to a higher standard when dealing with minors’ personal information.
· Canada’s privacy commissioner will have broader powers, including the ability to stop a business from collecting data.
· Non-compliant organizations could face significant fines of up to 5% of global revenue or $25 million for the most serious offences.
|Personal Information and Data Protection Tribunal Act
|· A new tribunal will hear appeals of the privacy commissioner’s decisions.
· The tribunal will be able to impose penalties for contraventions of privacy law.
|Artificial Intelligence and Data Act
|· Those using high-impact AI systems will be required to identify, assess, and mitigate risks of harm and bias.
· Non-compliant persons could face criminal sanctions for unlawfully using/obtaining data for AI development, recklessly using AI in a way that seriously harms others, or fraudulently using AI in a way that causes economic loss to others.
· A new AI and Data Commissioner for Canada will be able to monitor company compliance and share information with enforcers.
Impact of Bill C-27
Reports have shown that Canadians ranks 5th in the world for experiencing aggressive data misuse and that Canadians are in the dark about how organizations deal with their personal information, including about how AI algorithms gather and use their information. This lack of information demonstrates the need for greater protections, according to the sponsor. Bill C-27 aims to benefit both consumers and companies: first, by providing transparency and control to consumers regarding how their personal information is used by businesses and second, by providing clarity to businesses regarding how to comply with privacy law. Moreover, by bringing Canada’s privacy and data protection laws closer to international trade partners (such as Europe’s General Data Protection Regulation), compliance becomes easier for businesses operating internationally. However, the bill would mean more stringent requirements for businesses and therefore, a increased potential for liability.
A similar bill (Bill C-11, the Digital Charter Implementation Act, 2020) was introduced in 2020, but did not make it past its first reading in the House of Commons. While the former bill was criticized for lacking teeth, Bill C-27 imposes the world’s largest fines for personal data misuse. Despite this, Bill C-27 has been criticized for being drafted in a way that makes its apparent protections meaningless.
For instance, critics have pointed out that there are significant exceptions in the Consumer Privacy Protection Act to the requirement that users consent to organizations collecting and using their personal information. One exception allows organizations to collect and use personal information without an individual’s knowledge or consent if the organization’s legitimate interest in doing so outweighs any potential adverse effect on the individual. In addition, while the Artificial Intelligence and Data Act requires those using high-impact AI systems to mitigate risks of harm, some have criticized that the definition of “harm” in the act is too narrow and does not account for the ways that AI algorithms can disproportionately impact minority communities.
Bill C-27 responds to some of the criticisms of the former Bill C-11, but it remains to be seen how the changes will impact its success. While Bill C-27 is sure to change and develop as it progresses through the House of Commons, Canadians and Canadian companies should be aware of these potential changes and the giant push for privacy protection symbolized by this bill.