How Canada's Proposed Private Sector Modernized Privacy Law And New AI Systems Law Will Impact Canadian Businesses

Fogler, Rubinoff LLP


For more than 40 years, we have invested in the success of each of our clients, leading them toward the achievement of their business and legal goals. The team focused nature of our firm means that clients benefit from our collective experience and the tailored approach we bring to each matter. At Fogler, Rubinoff LLP we pride ourselves on our exceptional client service, resourcefulness, and our entrepreneurial spirit. With expertise in over twenty areas of practice and across numerous industries, we see ourselves as a centralized resource for our clients. Our clients include financial institutions, publicly traded corporations, securities dealers, emerging companies, construction companies, real estate developers and lenders, franchisors, First Nations, and family-owned enterprises and individuals. To learn more about how we can assist with your business and legal needs visit: foglers.com.

Outline

  • Background to and summary of Bill C-27
  • Accountability and privacy management programs
  • New conditions for valid consent
  • Certain "business activities" and "legitimate interest" exceptions to consent
  • Obligations of service providers
  • Cross-border transfers of personal information
  • Codes of practice and certification programs
  • De-identification and anonymization
  • Individual rights to data mobility, disposal, explanation in automated decision systems
  • Increased risks for non-compliance – new model, powers, tools, administrative monetary penalties, fines, private right of action
  • Oversight of high-impact AI systems – the new Artificial Intelligence and Data Act
  • Comparisons to privacy laws in Europe
  • Key differences from old Bill C-11
  • Key takeaways for Canadian business
  • How to submit concerns about Bill C-27
  • Road ahead – preparing for CPPA and AIDA


Background to Bill C-27

  • On June 16th, ISED Minister Champagne introduced Bill C-27, the Digital Charter Implementation Act, 2022.
  • Bill C-27 will likely go to either the ETHI Committee or the INDU Committee in the Fall.
  • If passed, Bill C-27 will:
    • replace and modernize the current federal private sector privacy law under PIPEDA with the Consumer Privacy Protection Act (CPPA);
    • create a new Personal Information and Data Protection Tribunal (Tribunal) with responsibility to impose administrative monetary penalties (AMPs) and fines; and
    • enact the Artificial Intelligence and Data Act (AIDA).
  • On June 23rd, Philippe Dufresne was appointed Canada's new Privacy Commissioner, effective June 27th.

Summary of Bill C-27

  • Like PIPEDA, the CPPA:
    • provides principles-based rules that are technology-neutral, apply across sectors, and are grounded in a primacy-of-consent framework;
    • balances the interests of individuals and organizations;
    • does not expressly recognize privacy as a fundamental human right; and
    • does not expressly apply to federal political parties and politicians.
  • See: New Privacy Bill: CPPA 2.0 - plus oversight of artificial intelligence, DYL Compliance Bulletin, June 2022.
  • Unlike PIPEDA, the CPPA includes:
    • reinforced valid consent requirements with important new exceptions (which include an organization collecting and/or using an individual's personal information (PI), without their knowledge or consent, for certain "business activities" and "legitimate interests" of the organization, or an organization disclosing PI to certain public institutions for defined "socially beneficial purposes");
    • increased flexibility and clarity for businesses (that include providing for codes of practice and certification programs, defining "de-identified" information and allowing for limited uses of it, and stipulating that the law does not apply to "anonymized" information);
    • clearer accountability requirements (for privacy management programs and service providers);
    • new individual rights (of data mobility, data disposal, and explanation of automated decision systems); and
    • new enforcement powers and tools (including new order-making powers for the Privacy Commissioner, potentially onerous AMPs and fines, and a limited private right of action (PRA) for affected individuals).

Accountability

An organization:

  • is accountable for PI under its control (s. 7(1));
    • PI is "under the control" of the organization that decides to collect it and that determines the purposes of its collection, use or disclosure (s. 7(2));
    • even if the organization transfers PI to a service provider, control remains with the organization; and
  • must designate an individual to be responsible for its compliance under the CPPA (e.g., a privacy officer) (s. 8) and must provide that designated individual's business contact information to anyone who requests it.

Privacy management programs

  • Organizations must implement and maintain a privacy management program (PMP) that includes the organization's policies, practices and procedures (PPPs) to fulfill its CPPA obligations respecting (s. 9(1)):
    • protecting PI;
    • receiving and dealing with requests for information and complaints;
    • providing training and information to staff; and
    • developing materials to explain its policies and procedures.
  • Unlike PIPEDA, the CPPA requires organizations to:
    • take into account the volume and sensitivity of the PI under its control when developing its PMP (s. 9(2)); and
    • on the Privacy Commissioner's request, give the Commissioner access to the organization's PPPs (s. 10(1)).
  • After reviewing the PPPs, the Commissioner may provide guidance on, or recommend corrective measures be taken in relation to, the organization's PMP. However, the Commissioner cannot use PPPs accessed in this way to initiate a complaint or carry out an audit unless the organization willfully disregards the Commissioner's recommendations (s. 111).

New conditions for valid consent

  • The following elements must be provided in plain language at or before the time an individual's consent to collection, use or disclosure of their PI is sought (ss. 15(1), (2), (3) and (4)):
    • the purposes for which PI is collected, used or disclosed;
    • the manner in which PI is collected, used or disclosed;
    • any reasonably foreseeable consequences of the collection, use or disclosure of the PI;
    • the specific type of PI that is to be collected, used or disclosed; and
    • the names of any third parties or types of third parties to which the PI may be disclosed.
  • Consent must be expressly obtained unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the PI (s. 15(5)).
