Privacy Reforms Now Back Along with New AI RegulationOn June 16, 2022, the Digital Charter Implementation Act, 2022 (DCIA) was introduced as Bill C-27. The DCIA will enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), the Artificial Intelligence and Data Act (AIDA), and make amendments to other related acts. The CPPA will effectively replace the current federal legislative scheme governing the collection, use and disclosure of personal information by private sector organizations under the Personal Information Protection and Electronic Documents Act (PIPEDA). The PIDPTA will establish the new Personal Information and Data Protection Tribunal. It will have jurisdiction in respect of all appeals relating to various findings, orders or decisions made under the CPPA and in respect of the imposition of certain penalties under that Act. The AIDA, on the other hand, will seek to regulate international and interprovincial trade and commerce in artificial intelligence systems by: establishing common requirements for the design, development and use of those systems; and prohibiting certain conduct in relation to such systems. CPPA and PIDPTADespite the former federal Privacy Commissioner's concerns regarding the previous draft of the CPPA, the new draft of the CPPA is substantially similar to the previous draft. Just like the previous draft, the new version is built on the foundation of PIPEDA's 10 fair information principles, and proposes a number of material changes to PIPEDA, including the following: Application: The CPPA will continue to apply in respect of personal information that:
There are provinces with private sector privacy or health legislation that have been deemed substantially similar to PIPEDA and, as a result, PIPEDA does not apply in respect of such privacy or health information activities within such provinces. Given the changes in CPPA, the question continues: will such substantial similarity orders continue to apply in respect of such provincial legislation? As a result, should the existing substantial similarity orders not continue to apply, then organizations in British Columbia, Alberta and Quebec for personal information, and Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia for health information, may need to comply with both the provincial and federal legislation in respect of those activities. Appropriate Purpose: Consistent with PIPEDA's 10 fair information principles, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. In the draft, the CPPA also includes specific factors an organization must consider in determining whether such purposes are appropriate, including, for example, the sensitivity of the personal information, and whether the purposes represent legitimate business needs of the organization. Accountability: Consistent with PIPEDA's 10 fair information principles, an organization is accountable for personal information under its control. In the draft, the CCPA also includes specific guidance on when an organization "controls" personal information: namely, control arises when an organization decides to collect personal information and determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization. Obligation to Implement Privacy Management Program: Expanding on the obligation to have policies and practices to give effect to PIPEDA, organizations will now be required to implement and maintain a "privacy management program" that includes the organization's policies, practices and procedures put in place to fulfil its obligations under the CPPA. Record Purpose for Collection: Consistent with PIPEDA's 10 fair information principles, an organization must determine at or before the time of collection each of the purposes for which the personal information is to be collected, used or disclosed. Under the CPPA, it must also record those purposes. Record New Purpose: Consistent with PIPEDA's 10 fair information principles, an organization must not use or disclose personal information for a new purpose unless the organization obtains valid consent before any use or disclosure for that new purpose. Under the CPPA, it must also record those purposes. Consent: Consistent with PIPEDA's 10 fair information principles, the individual's consent (express, deemed or implied) must be obtained at or before the time of collection. In the draft, the CCPA also includes specific guidance on the requirements for consent to be valid. Specifically, an organization must provide the following information in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand:
Exception for Business Activities: Consistent with PIPEDA's 10 fair information principles, there are exceptions under the draft CPPA that permit collection, use or disclosure of personal information without the knowledge or consent of the individual. In the draft, the CCPA also includes an exemption for 'business activity', where a reasonable person would expect such a collection or use of personal information for that activity, which is defined to include:
In addition, an organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use and:
To do so, the organization must:
Right to Disposal: Consistent with PIPEDA's 10 fair information principles, personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. In the draft, the CCPA also provides that organizations must, subject to certain limitations, also dispose of personal information upon request by the individual if:
It should be noted, however, that an organization may, in certain circumstances, refuse a request to dispose of personal information if:
Safeguards: Consistent with PIPEDA's 10 fair information principles, an organization must protect personal information through physical, organizational and technological security safeguards that are proportionate to the sensitivity of the information. In the draft, the CCPA also provides that in addition to considering the sensitivity of the personal information, an organization must also take into account the quantity, distribution, format and method of storage of the information, in establishing its security safeguards. Of note: the security safeguards must now include reasonable measures to authenticate the identity of the individual to whom the personal information relates. Transfers to Service Providers: In the draft, the CCPA clarifies that an organization may transfer personal information to a service provider without the knowledge or consent of the individual, providing that the organization ensures, by contract or otherwise, that the service provider provides a level of protection of the personal information equivalent to that which the organization is required to provide under the CPPA. Service Provider Obligations: Consistent with PIPEDA's 10 fair information principles, if an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection for the personal information as that which the organization is required to provide under the CPPA. In the draft, the CCPA also clarifies that: (i) service providers are directly responsible under the CPPA to protect personal information through physical, organization and technological safeguards; and (ii) if a service provider determines that a breach of security safeguards has occurred that involves personal information, it must notify the organization that controls the personal information as soon as feasible. Prospective Business Transactions: Consistent with PIPEDA's business transactions exemption, the CPPA includes an exemption for certain business transactions. Unlike PIPEDA, the CPPA also provides that, absent valid consent, an organization can only provide de-identified information to a potential counterparty in connection with a prospective business transaction—unless doing so would undermine the objectives for carrying out the transaction and the organization has taken into account the risk of harm to the individual that could result from using or disclosing the information. This marks a material shift from the existing legislation that permits personal information to be disclosed to a prospective purchaser without knowledge or consent of the individuals. Automated Decision System: New to the federal private sector privacy regime, the draft CPPA provides that if the organization has used an automated decision system to make a prediction, recommendation or decision about the individual that could have a significant impact on them, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision that indicates the type of personal information that was used to make the prediction, recommendation or decision, the source of the information and the reasons or principal factors that led to the prediction, recommendation or decision. De-Identified and Anonymized Information: New to the federal private sector privacy regime, the draft CPPA addresses the collection, use and disclosure of "de-identified information" in certain circumstances:
It should be noted, however, that for the purposes of various sections under the draft CPPA, personal information that has been de-identified is considered to be personal information. "De-identify" is defined as the process of ensuring that information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual. The current drafting of the Act is unclear regarding the extent to which the Act will be relied on to regulate the use and disclosure of de-identified information. The draft CPPA also makes clear that it does not apply in respect of personal information that has been anonymized (i.e., personal information that has been irreversibly and permanently modified, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means). Access by Privacy Commissioner: Expanding on the powers of the Privacy Commissioner under PIPEDA, under the draft CPPA, on request of the Privacy Commissioner, an organization must provide the Commissioner with access to the policies, practices and procedures that are in included in the organization's privacy management program. While the draft CPPA provides that the Privacy Commissioner may not use the information obtained by way of this access right as a basis to initiate a complaint or audit, it is difficult to see how the Privacy Commissioner can separate what he learns from this access from what he considers to be "reasonable grounds" for initiating a complaint or audit. Commissioner's Powers: While the Privacy Commissioner has only limited enforcement powers under PIPEDA, under the draft CPPA, this will no longer be the case:
The Tribunal: The new Personal Information and Data Protection Tribunal will be established under the draft PIDPTA. The Tribunal will have jurisdiction in respect of all appeals relating to various findings, orders or decisions made under the CPPA and in respect of the imposition of certain penalties under that Act. Any decision of the Tribunal may, for the purposes of its enforcement, be made an order of the Federal Court or of any superior court and is enforceable in the same manner as an order of the court. Penalties for Non-Compliance: While the penalty provisions are limited under PIPEDA, under the draft CPPA, the Privacy Commissioner may recommend to the Tribunal that a penalty for contravention of the various obligations in the CPPA be imposed on the organization. The maximum penalty is the higher of $10 million or 3 percent of gross global revenue.
Penalties for Knowing Contravention: While the penalty provisions are limited under PIPEDA, under the draft CPPA, every organization that knowingly contravenes one of the following obligations is guilty of an indictable offense and is liable to a fine not exceeding the higher of $25 million or 5 percent of gross global revenue:
Private Right of Action: Building upon the private right of action under PIPEDA, the draft CPPA also establishes a cause of action for loss or injury arising from an organization's contravention of its obligations under the legislation. The CPPA extends the limitation period to two years after the day on which the individual (who is affected by an act or omission by an organization that constitutes a contravention of the CPPA) becomes aware of:
The private right of action may extend to service providers to the extent there is a finding that they failed to comply with their obligations under the CPPA. AIDAIntended to regulate international and interprovincial trade and commerce in artificial intelligence system, the draft AIDA introduces various obligations on organizations using artificial intelligence. The following is a summary of some of the material obligations in this proposed legislation. Establishing Measures: The draft AIDA requires that anyone who carries out a "regulated activity" and who processes or makes available for use anonymized data in the course of that activity must establish measures with respect to:
In this context, a "regulated activity" means any of the following activities carried out in the course of international or interprovincial trade and commerce:
High-Impact Systems: A person who is responsible for an artificial intelligence system must assess whether it is a "high-impact system" (i.e., an artificial intelligence system that meets the applicable criteria set out in the regulations), and if so:
Publication of Description: Organizations that make available for use a high-impact system must publish on a publicly available website a plain-language description of the system that includes an explanation of:
On the other hand, organizations who manage the operation of a high-impact system must on a publicly available website a plain-language description of the system that includes an explanation of:
Record Keeping: The draft AIDA establishes various record keeping obligations with respect organizations that carry out any regulated activities. Penalties for Non-Compliance: A contravention of the AIDA may result in significant consequences: a fine of not more than the greater of $10,000,000 and 3 percent of gross global revenues. Artificial Intelligence and Data Commissioner: A senior official may be appointed as the Artificial Intelligence and Data Commissioner, whose role will be to assist the Minister in the administration and enforcement of the AIDA.
If enacted as currently drafted, we anticipate that the CPPA and AIDA will have a substantial impact on the extent of regulatory scrutiny of organizations with respect to their privacy practices, and use of artificial intelligence. As a result, organizations will likely need to undertake a comprehensive review of how they conduct business and manage their privacy practices, policies and procedures across Canada, and AI systems. The Bennett Jones Privacy & Data Protection group is available to discuss how the changes may affect an organization's privacy obligations. Authors
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs. For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com. |