Authors
Grace Mangusso
Last week, the federal government introduced two pieces of legislation proposing major privacy, cybersecurity and data governance reforms. The first, Bill C-26, would enact the Critical Cyber Systems Protection Act (CCSPA), which aims to protect critical cyber systems in the telecom, financial, energy and infrastructure sectors and grants substantial new order-making and information-gathering powers to federal regulators overseeing them. The second, Bill C-27, would enact the Consumer Privacy Protection Act (CPPA), a previously proposed statute that has been updated since the last Parliament, and the Artificial Intelligence and Data Act (AIDA), which would govern the use of AI and automated decision systems.
The proposed CCSPA imposes obligations on certain classes of organizations that provide services or operate systems that are “vital” to national security or public safety. Services and systems presently designated as vital include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, banking systems, clearing and settlement systems, and transportation systems that are within the legislative authority of Parliament. Most obligations under the CCSPA would apply to “designated operators” within these sectors that own, control or operate a “critical cyber system”. While no classes of designated operators are listed in the current draft, a cyber system qualifies as a “critical cyber system” where, in the words of the bill, “if its confidentiality, integrity or availability were compromised, [it] could affect the continuity or security of a vital service or vital system”.
Under the CCSPA, a designated operator would be required to:
Bill C-26 grants extensive powers to designated regulatory authorities to enforce the requirements of the CCSPA. Currently, the designated regulatory authorities include the Office of the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transport. Their powers include the authority to:
Bill C-26 would also amend the Telecommunications Act to give the Minister of Industry the power to prohibit a telecommunications service provider from using products or services provided by a specified person, or from providing certain products or services to a specified person. As under the CCSPA, penalties for non-compliance can be as high as $15,000,000.
While Bill C-26 has only just been introduced, companies governed by the Telecommunications Act and that are likely to be subject to the CCSPA should be as proactive as possible with respect to three matters in particular.
First, companies should give significant consideration to how they will protect information subject to solicitor-client, litigation, and other legal privileges. Protecting privilege could be particularly challenging in the event of a cybersecurity incident given the extensive enforcement (including search and seizure) powers afforded to regulators, the record-keeping requirements imposed on designated operators to demonstrate compliance, and the requirement to immediately notify the CSE and appropriate regulator upon discovering a cybersecurity incident.
Second, companies should plan to review and update their incident response plans and cybersecurity policies in accordance with Bill C-26’s reforms. Current and upcoming reviews should consider third-party and supply chain risks, including those posed by critical service providers (particularly those providing IT services), key suppliers, and device or product manufacturers. Once more information is provided, companies will also want to explore the extent to which their “critical cyber systems” can be segregated from other systems and whether doing so would assist in streamlining compliance efforts.
Third, companies subject to Bill C-26’s reforms should consider how these new requirements could or should be reflected when contracting for services with third parties. Likewise, service providers should expect increasing cybersecurity standards from regulated customers, particularly when services provided relate to critical cyber systems.
Bill C-27 proposes to erase the privacy section of the Personal Information Protection and Electronic Documents Act (PIPEDA) and create three new statutes: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA). The CPPA and PIDPTA in most ways remain very similar to the legislation proposed in 2020 in the previous Parliament (referred to as Bill C-11 at the time). We wrote about the main reforms proposed in Privacy modernization with a northern touch: the proposed Digital Charter Implementation Act.
Below we have set out the highlights of which reforms remain from the previous (Bill C-11) iteration of the CPPA and the PIDPTA, and what is new in Bill C-27:
| Ongoing from Bill C-11 | New reforms in Bill C-27 |
| --- | --- |
| Consent: The CPPA establishes the need for express consent unless the organization can demonstrate that implied consent is appropriate in the circumstances. This largely aligns with regulatory guidance in recent years interpreting the scenarios in which organizations can rely on implied or express consent. To obtain consent, information must be presented in plain language. | Use of plain language: The CPPA now clarifies that “plain language” depends on who the information is directed to. Specifically, organizations must use “plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.” |
| Consent exemptions: The CPPA maintains and adds to the consent exemptions under PIPEDA, including exemptions for de-identified information, as well as certain business operations for purposes of service delivery, safety, and cybersecurity. | Legitimate interest exemption: In another step toward the GDPR, Bill C-27 adds a new exemption which permits an organization to collect and use personal information without consent where it is for “the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use”. In addition, (i) the collection or use must be within the reasonable expectations of the individual, (ii) the collection or use cannot be for the purpose of influencing behaviour or decisions, (iii) prior to collecting or using the information, the organization must identify and take reasonable steps to mitigate any potentially adverse effects on the individual (and keep a record of this assessment), and (iv) the organization must comply with any additional requirements set out in regulations. |
| Expanded Commissioner powers and responsibilities: The CPPA gives the Office of the Privacy Commissioner of Canada (OPC) extensive investigation and order-making powers, including the power to require access to the policies, practices and procedures that are included in an organization’s privacy management program, and to require an organization to modify its practices or to take any public steps to correct its practices. | Power to recommend improvements: After reviewing an organization’s privacy policies, practices and procedures, the OPC may provide guidance on them or recommend corrective measures to be taken by the organization. |
| De-identified information: The CPPA governs the handling of de-identified information and prohibits re-identification except under specific circumstances. | De-identified and anonymized information: The CPPA clarifies that de-identified information is information from which an individual cannot be directly identified, though a risk of identification remains. |
| Penalties and fines: The new Personal Information and Data Protection Tribunal will have the power to impose administrative monetary penalties for non-compliance in an amount up to the greater of $10,000,000 and 3% of the organization’s gross global revenue. Organizations that commit certain offences can be ordered to pay fines of up to the greater of $25,000,000 and 5% of the organization’s gross global revenue. | New grounds for penalties: Bill C-27 includes new grounds for penalties, including the failure to: (i) implement and maintain a privacy management program; (ii) ensure service providers provide an equivalent level of protection of personal information; (iii) determine and record the applicable purposes for handling information before beginning to handle it; (iv) properly respond to a withdrawal of consent; (v) as a service provider, notify the organization that controls the personal information as soon as feasible of any breach of security safeguards involving personal information; and (vi) make readily available information that explains the organization’s privacy policies and practices. |
| Data subject rights: The CPPA provides individuals a right to request disposal (deletion or anonymization) of their personal information. | Altered rights: The right to disposal has been expanded to apply to all information under the organization’s control, but is also subject to a number of new exceptions. |
| Data retention: The CPPA prohibits an organization from retaining personal information for a period longer than necessary to fulfill the purposes for which the information was collected, used or disclosed, or to comply with law or the reasonable terms of a contract. | Additional data retention requirements: Bill C-27 adds that an organization must take into account the sensitivity of information when determining a retention period, and must make available information regarding the retention periods applicable to sensitive information. |
| Protection for minors: The originally proposed version gave some rights to minors, such as the power of a parent or guardian to exercise rights under the CPPA on their behalf. | Expanded protection of minors: The CPPA now specifies that any personal information about a minor is considered sensitive information. |
Bill C-27 also maintains the CPPA’s private right of action in the Federal Court or a provincial Superior Court, as long as the OPC or the Data Protection Tribunal has issued findings of non-compliance. However, there are no statutory damages—claimants must still prove some loss or injury.
Organizations should continue to monitor developments as this legislation progresses through Parliament. Even without a final version of the CPPA, organizations can begin preparing for its requirements by taking stock of their current privacy program, including making an inventory of the types of personal and de-identified information they hold, and the ways they collect, use, disclose and retain this information. Organizations that make these preparations will be well-situated to implement the reforms the CPPA would require.
The third statute that would be enacted by Bill C-27 is the Artificial Intelligence and Data Act (AIDA).
The AIDA applies primarily to designing, developing, making available or using artificial intelligence systems in the course of international or interprovincial trade and commerce. An “artificial intelligence system” is defined as “a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.” The AIDA also creates a sub-type of an artificial intelligence system called a “high-impact system.” However, precisely what constitutes a high-impact system is unknown and set to be determined by regulation.
The AIDA also gives the responsible Minister the power to appoint an Artificial Intelligence and Data Commissioner, and to delegate to them any of the roles referred to below as belonging to the Minister.
Developers and operators of artificial intelligence systems that are covered by the AIDA but do not qualify as high-impact systems have limited obligations. They are required to:
Developers and operators of high-impact systems, however, have far more onerous obligations. They would be required to:
The AIDA gives the Minister substantial investigation and enforcement powers. These include the power to: (i) require the production of records; (ii) require a company to conduct an internal audit or engage the services of an independent auditor to investigate possible contraventions; (iii) order a company to implement any measure to address anything raised in an audit report; and (iv) order a company to pay an administrative monetary penalty.
The violations that would attract an administrative monetary penalty and the possible amounts of those penalties would be determined by regulation. However, the AIDA does establish that it is an offence to:
More uncertainty hangs over this proposed statute compared to the other components of Bills C-26 and C-27. First, much of the scope and content of the AIDA is still to be determined by regulation. In addition, the AIDA may be more susceptible to (and perhaps require) more substantive amendments than its contemporaries. As such, companies leveraging AI should continue to monitor developments as Bill C-27 progresses through Parliament.
Despite this uncertainty, companies that leverage AI can take some proactive steps now. In particular, companies should ensure they are documenting their existing AI and automated decision-making systems, with information regarding each system’s purposes, inputs, outputs, processes, impacts and safeguards. Doing so will put companies in a good position to respond to and comply with the final version of the AIDA, should it pass. Companies may find there are efficiencies to be gained by combining these steps with preparations in anticipation of the CPPA’s and Québec Bill 64’s automated decision-making requirements.
Bills C-26 and C-27 will proceed through subsequent readings and committee review. It remains to be seen what amendments will be made as the proposed legislation progresses through a minority-controlled House of Commons.
© 2024 by Torys LLP.
All rights reserved.