In a move towards strengthening data and privacy protection rules, the Liberal Party of Canada tabled Bill C-27, the Digital Charter Implementation Act 2022, before the country’s Parliament, a month ago, on June 16. The charter includes a collection of three new laws: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
The new Bill is pitched to offer Canadians more significant control over the usage of their personal data by businesses, levy fines on non-compliant companies and establish new guidelines for the use of artificial intelligence (AI).
Bill C-27 is considered to be an update of Bill C-11 (43-2), the digital charter proposed in 2020, which never made it past a first reading at the House of Commons after the announcement of the federal election in late 2020. Notably, a significant portion of Bill C-11 has been carried over to Bill C-27.
The 2022 Digital Charter will need to go to an inquiry committee, just as Bill C-11 went to the Committee on Access to Information, Privacy and Ethics. If C-27 were also to go through the privacy commission, newly minted Privacy Commissioner Philippe Dufresne is expected to push it through, so certain other parties are already campaigning for Parliament to send it to the Standing Committee on Industry and Technology instead.
The new Digital Charter is also empowered to make consequential and related amendments to other pre-existing acts under the 2020 charter. If passed, Bill C-27 is likely to change the legal landscape for privacy and data protection in Canada by replacing the Personal Information Protection and Electronic Documents Act (PIPEDA).
Why does it matter? While the Canadian Constitution recognises privacy as a fundamental right, the current law governing personal data is lax on how Big Tech companies can use someone’s personal information in terms of targeted advertising, among other services. Bill C-27 clearly states that protecting privacy interests is critical to individual autonomy and dignity and is being hailed as one of the “most stringent” legal frameworks surrounding data governance among the G7 countries. Canadian rights groups are considering this Bill to be a step in the right direction.
Consumer Privacy Protection Act (CPPA)
The first law under the 2022 Digital Charter is described as: “An Act to support and promote electronic commerce by protecting the personal information that is collected, used or disclosed in the course of commercial activities.”
The Act seeks to establish rules to govern the protection of personal information in a manner that balances the right of privacy of individuals with the need of organisations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. It applies to every organisation in respect of personal information that the organisation uses in the course of commercial activities. It also forbids companies from using or disclosing the personal data of employees or applicants for employment, although they are allowed to use this data to contact their current or prospective employees.
All the major characteristics of the Consumer Privacy Protection Act are listed below:
- Increasing control and transparency when Canadians’ personal information is handled by organisations
- Giving citizens the freedom to move their information from one organisation to another in a secure manner
- Ensuring that Canadians can request that their information be disposed of when it is no longer needed
- Establishing stronger protections for minors, including limiting organisations’ right to collect or use the information on minors and holding organisations to a higher standard when handling minors’ information
- Providing the Privacy Commissioner of Canada with broad order-making powers, including the ability to order a company to stop collecting data or using personal information
- Establishing significant fines for non-compliant organisations — with fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences.
The CPPA is designed around a requirement that consent is obtained for the collection, use, and disclosure of personal information unless one of the listed exceptions to consent applies:
- Transfers to service providers
- Use of personal information for internal research, analysis and development, provided the information is de-identified
- Defined business activities if a reasonable person would expect the collection or use for such an activity; and the personal information is not collected or used to influence the individual’s behaviour or decisions.
It must be noted that government institutions to which the Privacy Act applies are exempted from this law. Individuals collecting personal information of others for domestic purposes and organisations collecting the same for journalistic or academic purposes are also listed as exceptions from the law.
Artificial Intelligence and Data Act
The proposed Artificial Intelligence and Data Act is set to introduce new rules to strengthen government approval in the development and deployment of AI systems. It is intended to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of these systems. It also prohibits any conduct concerning artificial intelligence systems that may result in serious harm to citizens or their interests.
One of the primary aspects of the AI and Data Act is that the personal data analysed by artificial intelligence programs need to be encrypted and permanently anonymised so that there is no way to connect the findings of the data with the owners. It is also designed to address the risk of bias in analyses by “high-impact” systems, though the term is not defined in the proposed legislation (it is left to regulation).
Some of the prominent features of the AI and Data Act are listed below:
- Protecting Canadians by ensuring high-impact AI systems are developed and deployed in a way that identifies, assesses and mitigates the risks of harm and bias
- Establishing an AI and Data Commissioner to support the Minister of Innovation, Science and Industry in fulfilling ministerial responsibilities under the Act, including monitoring company compliance, ordering third-party audits, and sharing information with other regulators and enforcers as appropriate
- Outlining clear criminal prohibitions and penalties regarding the use of data obtained unlawfully for AI development or where the reckless deployment of AI poses serious harm and where there is fraudulent intent to cause substantial economic loss through its deployment.
- Creating an Artificial Intelligence Data Commissioner housed within a ministry, who would assist with enforcement. The minister may delegate to the Commissioner information-sharing powers and order-making authority, including requesting records, requiring organisations to conduct audits, take action to address issues, and cease operation of certain high-impact systems where there is a “serious risk of imminent harm”.
The AI Act provides for administrative monetary penalties for violations of the regulations and fines for violations of the requirements set out in the Act.
Personal Information and Data Protection Tribunal Act
Bill C-27 also proposes to establish the Personal Information and Data Protection Tribunal, which would play a role in the enforcement of the Consumer Privacy Protection Act. In particular, the tribunal would review recommendations by the Privacy Commissioner of Canada to impose administrative monetary penalties for certain contraventions of the Act. It is supposed to be an “accessible mechanism for organisations and individuals to seek a review of Privacy Commissioner decisions.”
It must be noted that a tribunal to govern personal information on the internet already exists under the current PIPED Act. However, the new act will elevate the powers of the tribunal to be equivalent to those of a superior court of record. Any decision of the Personal Information Tribunal may be made an order of the Federal Court or of any superior court and is enforceable in the same manner as an order of the court.
It may also impose a penalty on a business, if it deems this appropriate following investigation, after providing the organisation and the Office of the Privacy Commissioner with an opportunity to make representations. The PI Tribunal will also handle appeals of certain findings, orders and decisions under the Consumer Privacy Protection Act.
Data privacy measures around the world
The Canada Digital Charter is presented at a time when countries around the world are bringing out their respective personal data privacy measures, with the US, Europe and India being three important players. We have summarised the salient features of these laws (and proposed laws) below.
United States: Canada’s southern neighbour is home to tech companies that amass the most user data worldwide, but the US does not, as of yet, have a law that regulates what data is collected and how it’s used. The American Data Privacy and Protection Act is set to change that status quo by becoming the first comprehensive national data privacy framework that has bipartisan and bicameral support, which makes it closer to becoming law than any other federal privacy legislation introduced in the US in the past.
In summary, the American Data Privacy and Protection Act:
- Requires covered entities to minimise data collection to what is necessary
- Requires covered entities to ensure privacy by design and that users don’t have to pay for privacy
- Requires covered entities to allow consumers to turn off targeted advertisements
- Provides enhanced data protection for children and minors
- Provides consumers rights to access, correct, delete, port their data, and withdraw consent at any time
- Increases transparency on how companies collect and use data
- Provides greater protection to sensitive personal data
- Adds more accountability measures for larger platforms.
Europe: The Data Act proposed by the Commission on February 23 looks to regulate who can use and access data generated in the EU across all economic sectors. It is part of the overall European strategy for data privacy and complements the Data Governance Regulation of November 2020.
The Data Act applies to all of the EU’s market participants including manufacturers, suppliers, data holders, public sector bodies and data processing services. Some of the Act’s features are listed below:
- Enabling consumers to access data generated from the use of products they own or rent
- Obligations of data holders to price data reasonably and be non-discriminatory
- Unfair data sharing contracts, in which a contractual term is unilaterally imposed by one party, are not binding
- Data should be made available to public sector bodies in case of exceptional need
- Data can be transferred on an international scale only if there is a legal basis for it
- Setting up requirements for operators of data spaces to enable interoperability and offer smart contracts for data sharing
India: Currently, India does not have any kind of data protection law, but the Personal Data Protection Bill has remained tabled before Parliament since 2019. If passed, it will impact how businesses collect data about users and the rights that users have over the data that is collected about them.
Some of the key aspects of the Indian Personal Data Protection Bill are listed below:
- The Bill regulates 3 categories of data – Personal Data, Sensitive Personal Data, and Critical Personal Data.
- It dilutes data localisation requirements, as envisaged in the 2018 PDP draft bill, and mandatory mirroring of personal data has also been removed
- The PDP Bill gives a user the right to be forgotten, that is to stop their data from being disclosed if the purpose of data collection has been served
- The Bill is responsible for the implementation and enforcement of the Data Act by setting up state-based competent authorities and empowering them to impose fines on offenders.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.