
The federal government of Canada is taking significant strides to bolster its privacy legislation, recognizing the critical importance of these fields in today’s digital age. With cyber threats on the rise and artificial intelligence (“AI”) technologies evolving rapidly, the need to strengthen Canada’s legal framework as it relates to these technologies and managing personal data is paramount. These updates aim to enhance cybersecurity measures, protect personal data, and ensure ethical and responsible AI development and deployment.

This blog will provide an overview of ongoing updates to cybersecurity and AI legislation in Canada and their implications for businesses, consumers, and the broader digital landscape.

Current Cybersecurity Legislation

The primary legislation governing Canada’s privacy laws is the Personal Information Protection and Electronic Documents Act (also referred to as “PIPEDA”). In essence, PIPEDA governs how private sector organizations collect, use, and disclose personal information during commercial activities by setting out rules for obtaining consent, limiting the collection of personal information, and mandating safeguards for businesses collecting such information.

As mentioned above, a fundamental principle of PIPEDA requires organizations to obtain meaningful consent from individuals before collecting, using, or disclosing their personal information. This means that organizations must clearly explain the purposes for which they are collecting personal information and obtain consent that is informed, voluntary, and appropriate for the sensitivity of the information. PIPEDA also requires organizations to protect personal information by implementing appropriate security safeguards and to be transparent about their privacy practices. Businesses and organizations that fail to comply with the Personal Information Protection and Electronic Documents Act can face significant fines.

However, despite its principles and frameworks, PIPEDA has its weaknesses. From 2018 to 2022, the Commissioner and the House of Commons Standing Committee on Access to Information, Privacy and Ethics have called for its reform in the rapidly changing digital environment, especially concerning the collection of mobility data and the regulation of AI. In response, the Minister of Innovation, Science and Industry tabled Bill C-27 to address these concerns.

Bill C-27: New Privacy Protection and AI Regulation

Bill C-27 creates three new Acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. Together, these Acts reform PIPEDA and would create a new privacy regime in Canada.

The Bill has completed the second reading in the House of Commons and is currently undergoing committee discussions by the Standing Committee on Industry and Technology. The Bill still needs to be approved by the Senate, so subject to the changes that may occur during that stage, the proposed Acts currently include the following provisions:

Consumer Privacy Protection Act

The Consumer Privacy Protection Act replaces Schedule 1 of PIPEDA but would maintain its consent provisions. It also includes exceptions to the requirement for consent, such as disclosing personal information for socially beneficial purposes. Crucially, it also includes consumers’ key rights regarding their data. For example, it includes the right to erasure of data and the right to an explanation concerning decisions made by an automated decision system.

If an organization were to fail to comply, the Consumer Privacy Protection Act grants the Privacy Commissioner powers to make decisions and recommendations for penalties, which cannot exceed $10,000,000 and 3% of an organization’s gross global revenue, and for fines of the higher of $25,000,000 and 5% of an organization’s gross global revenue.

Personal Information and Data Protection Tribunal Act

This Act establishes the Personal Information and Data Protection Tribunal and its principles of operation. This Tribunal would be the body that would deal with appeals of decisions and penalties made under the Consumer Privacy Protection Act.

Artificial Intelligence and Data Act

In general, the Artificial Intelligence and Data Act provides the first extensive regulatory framework for AI systems. It requires individuals and businesses to identify, assess and mitigate the risks of harm or biased output of AI systems. It also allows a minister broad power to require an organization subject to the Act to cease making available an AI system if there are reasonable grounds to believe that this system gives rise to a serious risk of imminent harm.

Contact Bader Law to Learn More About Impending Privacy Regulations and Proactive Policy Compliance

At Bader Law, our business law team successfully advises tech start-ups and business owners on privacy issues, including cloud computing, blockchain, other crypto-currency, and FinTech. We are familiar with the various challenges that organizations face, particularly in the technology sector, and work closely with entrepreneurs and employers to ensure that their legal needs are met.

With offices in Mississauga and Oakville, the corporate lawyers at Bader Law have decades of experience helping businesses grow and expand, and helping corporations negotiate licensing agreements and prepare companies for exit events. We are thorough, efficient, and focused on delivering the best possible outcome for every client. Contact us online or at (289) 652-9092 to discuss your matter with a member of our team.