The Canadian federal government is seeking to strengthen their privacy legislation with the introduction of new laws to the House of Commons. The developments to privacy law were introduced in the form of Bill C-27, a renovation of the previously proposed Bill C-11. The objective of Bill C-11 was to repeal the Personal Information Protection and Electronic Documents Act (PIPEDA), the current federal private sector privacy law and replace them with a new legislative framework for data and privacy. However, Bill C-11 was unsuccessful and never made it into law.
Bill C-27 is another attempt to introduce more stringent privacy laws.The new Bill maintains several core aspects of Bill C-11, including its proposals to replace Part 1 of the PIPEDA with the Consumer Privacy Protection Act (CPPA) and to create an administrative tribunal which oversees appeals of decisions made by the Privacy Commissioner and impose punishment for violations of certain provisions of the CPPA.
However, Bill C-27 contains several additions to Bill C-11. Significantly, its focus on artificial intelligence (AI). Despite Bill C-11 addressing some issues concerning the use of AI, Bill C-27 seeks to substantially expand its regulation of AI systems through the Artificial Intelligence and Data Act (AIDA). Under this act, the Canadian government will establish a standardized collection of requirements regulating trade and commerce in AI systems and will outlaw certain conducts regarding AI systems that result in serious harm to individuals or their interests. All organizations responsible for an AI system must determine whether the system is a high-impact system. When a high-impact system is identified, organizations must implement measures which recognize, examine and rescue the risks of harm that could result from the use of the system. In addition, the organization must ensure compliance to the mitigation measures and notify the Minister of Industry if the use of the systems will result in harm. In addition to administrative penalties, AIDA would also establish substantial fines and custodial sentencing for non-compliance. Serious offenses could result in penalties of up to $25 million.
Bill C-27 also seeks to introduce several key changes to the CCPA. The new Bill requires organizations to dispose of personal information upon the request of the subject individual under certain circumstances. The Bill also categorizes all personal information related to minors as sensitive information. As a result, more stringent requirements will be established further protecting minors. Additionally, Bill C-27 will require organizations to implement security safeguards that validate the identity of the individual subject to the information.
However, as Bill C-27 passes through Parliament, it will be subject to much debate and will potentially undergo several changes. But, the reintroduction of legislation regarding privacy laws sends a strong message that the Canadian government is dedicated to enacting significant improvements to Canadian Privacy Law and to public health and safety.