Bill C-27: Modernizing Canada’s Privacy Laws and its Impact on Employers

/in /by

On June 16, 2022, the federal government tabled Bill C-27, Digital Charter Implementation Act, 2022. If passed, Bill C-27 would provide stronger legal frameworks in the areas of privacy and data protection throughout the country. Bill C-27 aims to accomplish this through the introduction of three acts: The Consumer Privacy Protection Act (the “CPPA”)The Personal Information and Data Protection Tribunal Act (the “PIPDTA”), and The Artificial Intelligence and Data Act (“AIDA”).

Overview:

The Bill aims to modernize the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which is Canada’s current federal private sector privacy law that came into effect more than 20 years ago.

The purpose of the CPPA remains essentially the same as PIPEDA; to establish rules governing the protection of personal information in a manner that recognizes individuals’ right of privacy and organizations’ need to collect, use or disclosure personal information for reasonable purposes. However, while the purpose remains essentially the same, the Bill acknowledges the modern context of digital information where personal information is constantly flowing across international borders and that commercial activity relies on the “analysis, circulation and exchange of personal information.”

The scope of the CPPA will be the same as PIPEDA, applying to every organization that collects, uses or discloses personal information in the course of a “commercial activity” or is about an employee of a federal work, undertaking or business. Provinces without private-sector privacy legislation, such as Ontario, remain unregulated in areas concerning personal employee information, but to the extent the personal information is being shared internationally or being used for any commercial purposes, the CPPA will still apply to provincial employers in Ontario.

The CPPA aims to strengthen the rights of individuals in respect of their personal information. However, this will place a heavier burden on employer organizations and create serious consequences if an employer violates the legislation. The latent implications of this modernized structure mean employer organizations will unavoidably have to take a more controlled, proactive approach to how they administer personal information management and all its related uses

The Bill proposes significant penalties for non-compliance. Organizations that are guilty of an indictable offence are liable to a fine of up to 5% of global revenue, or $25 million dollars, whichever is greater. There are also significant administrative monetary penalties of up to 3% of global revenue or $10 million dollars for an increased number of provisions under CPPA. For example, the CPPA imposes numerous obligations on organizations to which it applies, including the development of a privacy management program, including policies, practices and procedures, and failure to do so could result in significant administrative penalties.

The key elements of each proposed Act are outlined below.

The CPPA will implement the following:

  • repeal and replace part one of the Personal Information Protection and Electronic Documents Act, which pertains to the protection of personal information in the private sector;
  • increase control and transparency when Canadians’ personal information is handled by organizations;
  • the right to access and amend personal information;
  • the right to disposal of personal information (up to and including permanent and irreversible deletion);
  • the right to data portability and mobility;
  • establish stronger protections for the collection, use, and disclosure of minors’ personal information;
  • rights related to the transfer of information to service providers;
  • requirements to obtain valid consent;
  • using plain language notifications that speak to purpose, manner of processing; personal information to be processed, and the names of any third parties to whom the personal information may be disclosed to;
  • specified business activity exception, allowing employers to collect or use personal information without an individual’s consent if the purpose of a specified business activity falls within an individual’s reasonable expectation;
  • requirements for organizations related to the implementation and maintenance of a formal privacy management program comprised of procedures, policies, and practices;
  • give the Privacy Commissioner of Canada greater oversight; and
  • create larger fines for non-compliant organizations.

The PIPDTA will implement the following:

  • permit the creation of a new tribunal to facilitate the enforcement of the CPPA;
  • recommend administrative monetary penalties, reaching a maximum of $10,000,000.00 or 3% of the organization’s global gross revenues for the previous year, whichever is higher;
  • egregious violations can lead to penalties at the greater range of $25,000,000.00 or 5% of the gross global revenues in the preceding year, whichever is greater; and
  • if violation directly leads to an injury for an affected individual, a private right of action will allow individuals to bring a claim for damages against the wrongdoer organization.

The AIDA will implement the following:

  • direct organizations using high-impact AI systems to adopt measures to identify, assess and mitigate the risk of harm and bias;
  • create an AI and Data Commissioner to support the Minister of Innovation, Science and Industry with enforcement of the Act; and
  • outline criminal prohibitions and penalties regarding the use of illegal data for AI development, regarding reckless deployment of AI causing serious harm, and regarding AI development involving fraudulent intent to cause economic loss.

Potential Implications for Employers  

Federally regulated employers should initiate action on the assessment of their data policies and personal data management procedures. Although it is not anticipated that the Bill will come into force until 2023, employers should begin the process of developing enhanced privacy management systems and updating privacy policies recognizing the prevalence of digital information and the importance of protecting personal information.