Privacy Law for the Digital Economy: The new Digital Charter Implementation Act

The Canadian government has introduced a new bill that proposes major reform to Canada’s privacy law and introduces initial regulation of Artificial Intelligence (“AI”).

Executive Summary

If you have less than one minute to read about Canada’s new privacy bill, this summary tells you what you need to know by answering two questions: (1) what are the major changes proposed under this new Bill? (2) what does this mean for your business?

What are the major changes proposed under this new Bill?

The DCIA was tabled in the House of Commons on Tuesday, November 17, 2020 as Bill C-11. This Bill, if passed, would further balance privacy interests with the recognition that data are fuel for Canadian competitiveness and innovation. The Bill’s significant provisions are as follows:

  1. Part I of Canada’s current Personal Information and Protection of Electronic Documents Act (“PIPEDA”) would be replaced by the new Consumer Privacy Protection Act (“CPPA”).
  1. The CPPA is being introduced under Part 1 of the DCIA. Part II of the DCIA introduces the Personal Information and Data Protection Tribunal (“Tribunal”), a new administrative tribunal empowered to levy significant fines for non-compliance with the CPPA.
  1. The CPPA introduces some significant changes to Canadian private sector privacy laws, including:
    • right to explainability and algorithmic transparency for all automated decision systems that assist or render decisions about an individual (see section 1 below);
    • new exceptions to consent that would permit the collection, use and disclosure of personal information without consent for various purposes including new business operations (see section 2 below);
    • stronger accountability requires including the codification of a privacy management program for all applicable businesses (see section 3 below);
    • right to data mobility, which allows individuals to move their data from one platform to another (see section 4 below);
    • right to data deletion, in which an individual can both request that their data be deleted and, in some cases, withdraw consent for use of their personal information (see section 5 below);
    • new codes of practice and certification scheme on how the business will comply with the CPPA that can be pre-approved by the Privacy Commissioner (see section 6 below);
    • new private right of action for violation of the Act. This private right of action after the Privacy Commissioner refers the matter to the new Tribunal and either there is no further administrative recourse under the DCIA (see section 7 below);
    • stricter enforcement powers for the Office of the Privacy Commissioner as well as a new Tribunal capable of levying fines up to 5% of global revenue or C$25 million, whichever is greater (see section 7).

The DCIA aligns more closely with Europe’s General Data Protection Regulations (“GDPR”) while distinguishing Canada in important respects, namely regarding requirements for algorithmic accountability and by maintaining a principle-based approach to data protection.

The implications of this new law are far-reaching including the reconsideration of what it means for all provincial privacy laws such as the Personal Health Information Protection Act (“PHIPA”) in Ontario to maintain its status as substantially similar to existing federal law.

What does this mean for your business?

Bill C-11 established in law the importance of good data governance practices. The Bill, if passed, would require a clear and well-documented privacy management program for all applicable organizations. This privacy management program should not be construed too narrowly. This Bill is starting to regulate technologies like artificial intelligence. More is yet to come.

Good data governance means documenting policies and procedures that follow the flow of data from collection to use and documents the various intentions and practices. Simply, this means your program should not focus narrowly on personal information but should start conceptualizing its program more broadly to include uses of data (both personal and non-personal information) within the organization. It is important to document:

  • intentions; e. why your business seeks to use data for particular business objectives and applications (data/AI strategy);
  • uses; e. where your data comes from and how it is being / will be used (both in terms of the business objective and application); and
  • controls; e. what your business is doing to ensure data are being used as intended and that the uses (through AI or otherwise) are not causing harm or that potential harms are reasonably identified and mitigated.

Background: How we got here

May 2019 saw the release of Canada’s first Digital Charter. The Digital Charter is a statement of ten principles that rearticulates Canadian values in the digital economy. The Digital Charter balances principles of control over one’s personal information (principles 2-4) with promoting data as a fuel for competitiveness (principle 6) with enabling Canada to be a modern, ethical and accountable country for data use (principles 1, 5, 7-10).

At the time of its release, the Digital Charter was accompanied by a White Paper on reform of Canada’s privacy law, “Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information Protection and Electronic Documents Act”. In recent years, PIPEDA has been widely criticized for being outdated and unfit for a digital-first Canada. The new Digital Charter Implementation Act (Bill C-11) proposes to address many of the issues that have plagued PIPEDA for the several years, mainly as described in the White Paper.

Bill C-11: The Digital Charter Implementation Act (DCIA)

On November 17, 2020, the federal government tabled a long-awaited Bill in the House of Commons (Bill C-11) proposing major reform to PIPEDA that would more closely align Canadian private sector privacy laws with Europe’s GDPR.

DCIA is an omnibus data protection Bill that not only regulates the collection, use and disclosure of personal information, but also regulates aspects of AI and establishes a new adjudication body, the Personal Information and Data Protection Tribunal, that can levy significant fines. Major developments under Bill C-11 are discussed in the following seven sections.

Click to read the full article: Bill C-11 Implications of Canada's New Privacy Law_INQ Data Law_No 2020

This post was originally published here. Reposted with permission from the authors.

Carole Piovesan is a partner at INQ Data Law. In 2018, Carole served as a digital leader at the request of the Minister of Innovation in the national consultations that led to the Digital Charter.

Noel Corriveau is senior counsel at INQ Data Law. Noel was the principle architect of Canada’s Algorithmic Impact Assessment and senior advisor to the Chief Information Officer of Canada.

Many thanks to Ellen Xu for her contributions to this article.