Canada: Digital Charter Implementation Act 2022 - What you need to know
On 16 June 2022, Bill C-27 for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022'), was introduced in the House of Commons, where it passed first reading. This comes after a similar bill, Bill C-11 for the Digital Charter Implementation Act, 2020, failed to pass in 2021. The DCIA 2022 is divided into three main parts, with the aim of enacting three new Acts, namely the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
In this article, OneTrust DataGuidance Research provides an overview of each part of the DCIA 2022 and its main provisions, focusing on the key developments and considerations for businesses.
The DCIA 2022 aims to establish rules to govern the protection of personal information, and to do so in a manner that recognises individuals' right of privacy with respect to their personal information, and the associated need of organisations to collect, use, or disclose such personal information for purposes that a reasonable person would consider appropriate.
To ensure this, the DCIA 2022 would apply to every organisation in respect of personal information that:
- is collected, used, or disclosed in the course of commercial activities; or
- is about an employee of, or an applicant for employment with, the organisation and which the organisation collects, uses, or discloses, in connection with the operation of a federal work, undertaking, or business.
To clarify its scope of applicability with respect to personal information, the DCIA 2022 also provides that it applies to personal information:
- that is collected, used, or disclosed interprovincially or internationally by an organisation; or
- that is collected, used, or disclosed by an organisation within a province, to the extent that the organisation is not exempt from the application of the DCIA 2022.
Part 1: Consumer Privacy Protection Act
Part 1 of the DCIA 2022, which would enact the Consumer Privacy Protection Act, would make several changes to the current regulatory regime under the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'). Notably, it aims to repeal Part 1 of PIPEDA and rename it as the Electronic Documents Act, thereby changing its nature and instead allowing the DCIA 2022, and specifically the Consumer Privacy Protection Act, to be the main private sector privacy regulatory regime.
In this sense, the Consumer Privacy Protection Act would govern the protection of personal information, and address organisations' collection, use, or disclosure of such information in the course of commercial activities. Specifically, it would set out provisions on:
- consent and provided exceptions;
- organisations' obligations, including:
  - appropriate purpose;
  - collection, use, and disclosure limitation;
  - data retention and disposal requirements;
  - requirements to maintain data accuracy; and
  - security safeguards;
- powers, duties, and functions of the Office of the Privacy Commissioner of Canada ('OPC');
- administrative monetary penalties and enforcement orders; and
- private right of action, among others.
The DCIA 2022 would establish several obligations for organisations in their management and processing of individuals' personal information, some of which already exist within PIPEDA and others of which are expanded on or improved. Among those obligations is the accountability of organisations for their practices, with a requirement to, among other things, designate one or more individuals to be responsible for matters related to the organisation's obligations.
Moreover, organisations would be required to implement and maintain a privacy management program, which includes the policies, practices, and procedures in place for the organisation to fulfil its obligations. Such policies, practices, and procedures should consider the protection of personal information, how requests for information and complaints are received and dealt with, staff training and information regarding policies, practices, and procedures, and the development of materials to explain the policies and procedures.
One key requirement which is also seen across other global privacy laws is the obligation to have an appropriate purpose for the collection, use, and disclosure of individuals' personal information. In this respect, the DCIA 2022 provides that organisations may only collect, use, or disclose personal information in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, and this would be the case regardless of whether or not consent is required. Determining the appropriate purpose(s) also needs to be done at, or before, the time of the collection, and if collected information is to be used or disclosed for a new purpose, there must be a record of this new purpose before any such collection or disclosure.
To facilitate this understanding, the DCIA 2022 provides for factors which should be considered in determining the appropriate purpose for collection, use, and disclosure, namely:
- the sensitivity of the personal information;
- whether the purposes represent legitimate business needs;
- the effectiveness of the collection, use, or disclosure in meeting the organisation's legitimate business needs;
- whether there are less intrusive means of achieving those purposes; and
- whether the loss of privacy is proportionate to the benefits in light of the measures implemented to mitigate any impacts to the loss of privacy.
Generally, however, the DCIA 2022 requires organisations to limit the overall collection, use, and disclosure of individuals' personal information, and to avoid any such actions for further purposes unless individuals' valid consent is obtained.
Consent has been a widely discussed topic within Canada's private sector privacy legislation and how it is regulated under PIPEDA, with the OPC issuing additional guidelines on the matter. Now, the DCIA 2022 would aim to lay out the requirements for consent and exceptions to needing consent.
Generally, the DCIA 2022 requires that consent from an individual be valid, and for consent to qualify as valid, the DCIA 2022 requires the following information to be provided, in plain language and at, or before, the time that consent is sought:
- the purposes for the collection, use, or disclosure;
- the manner in which personal information is to be collected, used, or disclosed;
- any reasonably foreseeable consequences of such collection, use, or disclosure;
- the specific type of personal information to be collected, used, or disclosed; and
- the names of third parties or types of third parties, if any, to which personal information may be disclosed.
Once given, consent can also be withdrawn by the individual, at any time upon reasonable notice.
Nevertheless, the DCIA 2022 also outlines various circumstances in which organisations will not be under a requirement to obtain consent. These include, among others:
- certain business activities which a reasonable person would expect, such as a necessary activity;
- the organisation's legitimate interest, which outweighs any potential adverse effect on the individual;
- transferring personal information to a service provider;
- use and disclosure as part of a prospective business transaction, given that certain additional criteria are met;
- certain noted circumstances within a business relationship;
- disclosure to a lawyer or notary;
- circumstances in the public interest;
- disclosures to government institutions;
- where required by law; and
- if information is publicly available.
As is commonly seen in other national privacy laws, organisations have requirements around maintaining the security of personal information and their systems. In this context, the DCIA 2022 requires organisations to protect personal information through physical, organisational, and technological security safeguards in a manner that is proportionate to the sensitivity of the information, while also considering the quantity, distribution, format, and method of storage of the information.
The DCIA 2022 goes on to briefly address security incidents and breaches, requiring notice of such incidents to individuals and any other bodies. Such notification must be given as soon as feasible after the organisation determines that the breach has occurred, and must contain sufficient information to understand the significance of the breach and the steps taken to reduce the risk of harm. In assessing whether an incident may result in a real risk of significant harm, the DCIA 2022 considers the sensitivity of the personal information involved and the probability that the personal information has been, is being, or will be misused, along with any other prescribed factors.
Transparency and privacy policies
The provision of privacy policies is another common element in privacy-related laws, with the DCIA 2022 being no different. As such, it would require organisations to make readily available, in plain language, information explaining the organisation's policies and practices, where such information includes:
- a description of the type of personal information under the organisation's control;
- a general account of how the organisation uses the personal information;
- an explanation of how the organisation applies the exceptions to its requirement to obtain consent;
- a description of the activities in which the organisation has a legitimate interest;
- a general account of the organisation's use of any automated decision system;
- whether or not the organisation carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
- the retention periods applicable to sensitive personal information;
- how an individual may make a request for disposal or access to their personal information; and
- contact information of the business and individual to whom complaints or requests for information may be made.
OPC powers, duties, and functions
Generally, the DCIA 2022 outlines the key powers of the OPC Commissioner, including, among others:
- various powers with respect to entities that operate an approved certification program;
- initiating a complaint if the Commissioner is satisfied that there are reasonable grounds to investigate a matter;
- entering into a compliance agreement with an organisation that the Commissioner believes on reasonable grounds has committed, is about to commit, or is likely to commit an act or omission that could constitute a contravention;
- auditing the personal information management practices of an organisation under certain circumstances; and
- recommending that a monetary penalty be imposed if the Commissioner finds that an organisation has contravened the DCIA 2022.
In addition to these powers, the OPC has further functions with respect to organisations' activities and compliance efforts. Interestingly, the DCIA 2022 would allow organisations to apply to the OPC for approval of a code of practice that provides substantially the same or greater protection as some or all of the protection under the DCIA 2022, with the OPC having the power to approve or reject any such code of practice.
Administrative monetary penalties
While the Commissioner may recommend that a monetary penalty be imposed for a violation, it is ultimately the Personal Information and Data Protection Tribunal ('the Tribunal'), to be established by the Personal Information and Data Protection Tribunal Act, which would impose any penalty. If a penalty is to be imposed, following the required procedure for the Tribunal to assess whether to do so, the maximum penalty for all the contraventions in a recommendation taken together is the higher of CAD 10 million (approx. €7,330,020) and 3% of the organisation's gross global revenue in its financial year before the one in which the penalty is imposed.
Private right of action
The DCIA 2022 would allow an individual affected by an organisation's act or omission that constitutes a contravention of the DCIA 2022 to bring a cause of action against the organisation for damages for loss or injury suffered. However, the DCIA 2022 provides this as a possibility only if:
- the Commissioner makes a finding that the organisation contravened the DCIA 2022, and that finding is:
  - not appealed and the time limit for making an appeal has expired; or
  - the subject of an appeal that the Tribunal has dismissed; or
- the Tribunal has made a finding that the organisation has contravened the DCIA 2022.
Part 2: Personal Information and Data Protection Tribunal Act
Part 2 of the DCIA 2022, which would enact the Personal Information and Data Protection Tribunal Act, would provide for the establishment of the Tribunal, and contain provisions around:
- the jurisdiction of the Tribunal;
- the Tribunal's composition;
- the nature of the Tribunal's hearings; and
- the Tribunal's powers and enforcement of decisions, among others.
More specifically, and among the various provisions within the Personal Information and Data Protection Tribunal Act, the Tribunal would have jurisdiction over appeals and in respect of the imposition of penalties.
Part 3: Artificial Intelligence and Data Act
Finally, the third part of the bill, which would enact the Artificial Intelligence and Data Act, would aim to regulate international and interprovincial trade and commerce in artificial intelligence systems ('AI'). To do this, it would, among other things:
- require the adoption of measures to mitigate risks of harm and biased output which relate to high-impact AI systems;
- provide for public reporting on AI;
- authorise the Minister of Innovation, Science and Industry ('the Minister') to order the production of records related to AI systems; and
- establish prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using, or making available for use an AI system and making such use available if it causes serious harm to individuals.
Regulation of AI in the private sector
In regulating AI through the Artificial Intelligence and Data Act, the DCIA 2022 outlines various requirements that must be complied with in relation to AI systems. Specifically, the DCIA 2022 would require measures to be in place concerning the manner in which data is anonymised, and the use or management of such data, applicable to persons who carry out a regulated activity and process or make anonymised data available for use in the course of that activity.
Additionally, and with respect to high-impact systems, measures must be established to identify, assess, and mitigate the risks of harm or biased output that could result from the use of the AI system.
The DCIA 2022 would also require the publication, on a publicly available website and in plain language, of descriptions of both the use of a high-impact system and the management of its operation. Regarding the former, the description explaining the use of a high-impact system must address:
- how the system is intended to be used;
- the types of content that it is intended to generate and the decisions, recommendations, or predictions that it is intended to make;
- the mitigation measures; and
- any other information that may be prescribed by regulation.
Similarly, the description explaining the management of the system's operation must address:
- how the system is used;
- the types of content generated and the decisions, recommendations, or predictions made;
- the mitigation measures; and
- any other information that may be prescribed by regulation.
If any material harm occurs, or is likely to occur, as a result of the use of a high-impact system, the Minister must be notified as soon as feasible.
Offences related to AI systems
Among other noted offences and violations of the DCIA 2022, it also addresses specific offences related to AI systems. One such offence relates to the possession or use of personal information. Specifically, a person is deemed to have committed an offence if, for the purpose of designing, developing, using, or making available for use an AI system, they possess or use personal information, knowing or believing that the information is obtained or derived, directly or indirectly, as a result of:
- the commission of an offence in Canada under an Act of Parliament or of a provincial legislature; or
- an act or omission anywhere that, if it had occurred in Canada, would have constituted such an offence.
Additionally, and with respect to making an AI system available for use, the DCIA 2022 provides that a person is also deemed to have committed an offence if they:
- without lawful excuse and knowing that, or being reckless as to whether, the use of an AI system is likely to cause serious physical or psychological harm to an individual or substantial damage to an individual's property, make the AI system available for use and this use causes harm or damage; or
- with intent to defraud the public and to cause substantial economic loss to an individual, make an AI system available for use and its use causes that loss.
The DCIA 2022 is now under consideration in the House of Commons of the Parliament of Canada. It has completed its first reading, but must undergo three readings in the House of Commons before it is sent to the Senate for consideration, where it must also undergo three readings.
As such, there is still some time to see how this bill will progress, and if it will have any further progress compared to its predecessor, Bill C-11, in 2021.
Iana Gaytandjieva, Lead Privacy Analyst