Harrison Pensa LLP
23 June, 2022

What privacy Bill C-27 means for business

The federal government has tabled a new privacy bill, Bill C-27, to replace the Personal Information Protection and Electronic Documents Act (PIPEDA), the legislation that governs the commercial use of personal information in most provinces, including Ontario.

The official title of Bill C-27 is “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.”

It will take a while to fully digest the lengthy bill. Here are my initial observations.

  • Bill C-27 would enact three separate statutes.
  • The Consumer Privacy Protection Act (CPPA) replaces PIPEDA. The Personal Information and Data Protection Tribunal Act would create a tribunal to review Privacy Commissioner decisions and impose penalties. Those parts are similar to the former Bill C-11 (not to be confused with the current Bill C-11, the controversial Online Streaming Act) that was proposed but not passed before the last Federal election.
  • The Artificial Intelligence and Data Act (AIDA) would regulate the commercial use of Artificial Intelligence. This is completely new.
  • The outgoing Privacy Commissioner didn’t feel that the former Bill C-11 went far enough. We now have an interim Commissioner and a proposed new Commissioner who will take over in the near future. It will be interesting to see the perspective of the new Commissioners.
  • The CPPA will include new order-making powers for the Commissioner.
  • It will include more offences and potentially large administrative monetary penalties (aka fines) of millions of dollars.
  • It introduces the need for businesses to have a privacy management program (in addition to the normal public-facing privacy policy) that sets out how the business will comply with the Act, including processes to deal with complaints and staff training. The Commissioner has the right to review that.
  • The CPPA addresses issues of de-identified and anonymized data.
  • It addresses issues relating to information about children.
  • PIPEDA obligations extend only to the entity individuals deal with directly, and not to service providers to that entity. (The European Union’s General Data Protection Regulation — GDPR — calls them Data Controller and Data Processor.) It is up to that entity to impose privacy obligations on the service provider contractually. But the CPPA has language that imposes direct obligations on service providers under the Act for some things, such as security safeguards.
  • AIDA would regulate “high impact” AI systems. The definition of “high impact” will be included in regulations that have yet to be drafted.
  • The AIDA would require the publication of plain language explanations of how AI is used and what it does. Regulations that have yet to be drafted will contain much of the detail.
  • The AIDA contemplates a new senior official called the “Artificial Intelligence and Data Commissioner.”
  • Offences under AIDA carry significant eight-figure penalties. 

It will take some time before this becomes law, and we may see changes before it’s passed. The regulations that have yet to be drafted will be a crucial part.

There will no doubt be criticism from those who feel it does not go far enough, and from those who think parts are impractical.

No matter how it shakes out, all businesses subject to the Act will have to review their privacy policies and procedures to make sure they are compliant. Most will have to revise or replace the written policies and procedures they now have, especially in light of the new privacy management program obligations. They may also need to change processes and systems to comply with new obligations and rights of individuals.

David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn and Twitter.
