Remove AIDA from Bill C-27

Bill C-27, the proposed legislation that will replace the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation, is slowly making its way through the legislative process. This post sets out where it is at, and what businesses need to know.

Bill C-27 includes:

• The Consumer Privacy Protection Act (CPPA) that will replace PIPEDA;
• The Personal Information and Data Protection Tribunal Act that would create a privacy tribunal as an enforcement mechanism in addition to the Privacy Commissioner; and,
• The Artificial Intelligence and Data Act (AIDA) that will regulate some commercial uses of artificial intelligence.

While the CPPA needs some changes before it is passed, it is the second attempt to draft a PIPEDA replacement and is reasonably close to the final form.

The AIDA on the other hand is a hastily put-together high-level shell without substance or detail. It needs a lot of work.

Bill C-27 recent developments

The Ministry just started hearings into Bill C-27 that got off to a bad start. The hearings were set to hear about 30 witnesses over several sessions. The Minister had promised amendments to the bill and was criticized for hearing from witnesses about the draft bill without knowing what the proposed changes were. Professor Michael Geist wrote, “This secretive, non-transparent approach is unfortunately consistent with the privacy and AI reform process.”

A group of 45 organizations and experts sent an open letter to the Industry, Science, and Economic Development (ISED) Minister. The letter sets out a number of concerns and wants the AIDA separated from the CPPA so the AIDA can be properly considered and drafted. They want ministries other than the ISED to be involved in the AIDA drafting process.

A few months ago, the government published The Artificial Intelligence and Data Act (AIDA) — Companion document. It is a high-level primer on the government’s approach to AI regulation.

The government just released a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. It is a non-binding voluntary code that was signed by 14 businesses, including Telus, Open Text, and Blackberry.  The government refers to this code as “… a critical bridge between now and when [AIDA] would be coming into force.”

My take on all this

The government should disclose its proposed amendments to the CPPA so the witness comments are more relevant.

The AIDA should be separated from C-27. The CPPA is in a more mature state and should not be held up by the AIDA drafting and comment process.  It is crucial to get AIDA right and pushing it through with the CPPA is not conducive to that.

What business should do

On the privacy side, be aware that when the CPPA replaces PIPEDA it will require a review of privacy practices to make sure they comply with the new rules. And that it will require internal documentation and policies in addition to current privacy policies.

If a business is providing AI products, it should become familiar with the AIDA companion document, and the voluntary code of conduct. While neither of those is enforceable law, they give an indication of where legislation is headed. Being able to state that you comply with the code may give some comfort to potential customers.

David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn and Twitter.

Image credit: ©Sono Creative – stock.adobe.com