As data privacy evolves and new technologies such as artificial intelligence (AI) and machine learning become more commonplace, new challenges to the protection of personal information arise, confronting data protection authorities (DPAs) with the need to modernize existing privacy laws to keep up with these new technological developments.
In that regard, Canada introduced a new federal data privacy bill, Bill C-27, poised to replace the data privacy law in place in the Great White North, PIPEDA.
This article breaks down Bill C-27 and its requirements so you can prepare accordingly.
What is Canada's Bill C-27?
Bill C-27 is the draft privacy law in Canada. Once signed into law, it will regulate the collection, use, and disclosure of personal information in Canada on the federal level and will apply to private-sector organizations.
Therefore, it is critical for businesses operating in Canada to familiarize themselves with the draft bill’s requirements.
For instance, the new law clarifies the rules and exceptions to obtaining consent from consumers, introduces new privacy rights such as the right to data portability, and requires businesses to implement a privacy management program.
Additionally, the new law introduces new requirements for the use of artificial intelligence (AI) systems and provides the Information Commissioner and the Tribunal with new powers, from auditing businesses to imposing fines for a broader range of non-compliance matters, such as failure to implement a privacy management program.
Bill C-27 consists of three separate Acts:
The Consumer Privacy Protection Act (CPPA)
The Consumer Privacy Protection Act (Part of Bill C-27) will revise and replace the existing privacy law PIPEDA.
The Personal Information and Data Protection Tribunal Act
This Act will establish the Personal Information and Data Protection Tribunal ('the Tribunal') and grant it the power to impose fines on businesses for failing to comply with the CPPA’s requirements.
The Artificial Intelligence and Data Act (AI Act)
This new Act aims to introduce new limitations on the use of AI systems such as machine learning and deep learning-based technologies.
What are the main requirements of Bill C-27, and how do you comply?
In this section, we will help you understand the key compliance requirements you need to satisfy under Bill C-27.
Enhanced consent requirements
Under the Consumer Privacy Protection Act, the general rule is that an organization must obtain explicit consent from individuals before it collects, shares, or discloses their personal information.
However, before you can obtain valid consent from individuals, you first need to inform them about the following:
The list of types of personal information you collect, use or disclose;
The purposes for the collection, use, or disclosure of personal information;
How you will collect, use, and disclose personal data, and the reasonably foreseeable consequences of such processing activities, as the case may be;
The names or categories of third parties to whom you will disclose personal data.
Another key condition for obtaining consent is to provide the above-mentioned information in clear language so it is easy for a reasonable person to understand.
Regarding timing, consent must be obtained at or before the time of the collection of the personal information.
Privacy management program
Section 9 of the Consumer Privacy Protection Act requires organizations to implement and maintain a privacy management program which should include “the policies, practices, and procedures the organization has put in place to fulfill its obligations under this Act.”
The Consumer Privacy Protection Act states that these policies, practices, and procedures could be related to:
The protection of personal information;
How requests for information and complaints are received and dealt with;
The training and information provided to the organization’s staff respecting its policies, practices and procedures;
The development of materials to explain the organization’s policies and procedures.
For instance, a data subject handling policy, an IT security policy, or an organization-wide data transfer policy could help you comply with this requirement.
When putting in place these policies and procedures, you need to consider the level of sensitivity of personal information and the amount of personal information you handle.
Section 62 of the Consumer Privacy Protection Act requires organizations to be transparent about what personal information they collect and use and how they handle such data by making this information readily available. They should also inform individuals about how they disclose personal information to third parties.
As an organization, you should make the following information available for your users:
The type of personal information you have in your control;
How you use that personal information and how you apply the exceptions to consent (legitimate interest, for example);
Your use of any automated decision system to make predictions, recommendations, or decisions about individuals that could have a significant impact on them;
How you carry out any international or interprovincial transfer or disclosure of personal information that may reasonably have privacy implications;
Your retention periods for sensitive personal information;
How users are able to make a request for disposal or access;
The contact information where complaints or requests for information may be made.
Under section 12 of the Consumer Privacy Protection Act, you can legally handle personal data only if the manner and purpose of collecting, sharing, and using personal information would be considered appropriate. This appropriateness is evaluated from a reasonable person’s perspective.
When deciding if the manner and purpose of data collection and use are appropriate, the following will be taken into account:
The sensitivity of the personal information;
Whether the purposes represent legitimate business needs of the organization;
The effectiveness of the collection, use, or disclosure in meeting the organization’s legitimate business needs;
Whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits;
Whether the individual’s loss of privacy is proportionate to the benefits in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
To comply with the Consumer Privacy Protection Act, organizations need to implement appropriate organizational, technical, contractual, and physical measures to ensure the security of personal information.
This includes having a mechanism in place to authenticate the identity of individuals whose data they collect and handle.
Penalties and fines
Bill C-27 grants the Tribunal the power to impose fines on businesses that fail to fulfill their obligations related to personal information protection under the Act.
Under Bill C-27, organizations can face the following categories of fines depending on the violation committed. The maximum penalty is $10,000,000 or 3% of the organization’s gross global revenue in its previous financial year (whichever is higher).
Every organization that knowingly contravenes the law or obstructs the Commissioner in an investigation can be guilty of:
An indictable offense, and be liable to a fine of $25,000,000 or 5% of the organization’s gross global revenue in its previous financial year (whichever is greater);
An offense punishable on summary conviction, and be liable to a fine of $20,000,000 or 4% of the organization’s gross global revenue in its previous financial year (whichever is greater).
Furthermore, section 107 of the CPPA gives individuals the right to claim damages when an organization fails to comply with its requirements.
How Didomi can help you get ready for Bill C-27
Under Bill C-27, consent is the primary basis to collect, use, and share personal information.
Consent in Bill C-27 is subject to narrow exceptions such as legitimate interests (under certain conditions), transfers to a service provider, and defined business activities such as internal research. However, organizations need to present individuals with certain information when collecting their personal information. In addition, they need to show proof of their compliance with personal information protection to the Information Commissioner if requested.
For instance, when your customers sign up for your services on your website or when you display targeted ads on your platform or mobile app, you will have to obtain valid consent for collecting and sharing personal information unless the exceptions apply.
On top of that, obtaining valid consent can also allow you to purchase, sell, and share personal information in compliance with the Bill. Therefore, you must obtain consent that fulfills the criteria set by the new law, something you can do with a Consent Management Platform (CMP).
Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you turn data privacy into a business opportunity and how Didomi focuses on addressing regulations and assisting companies around the world.
Frequently Asked Questions (FAQ)
When will the Bill C-27 become enforceable?
Bill C-27 is still under consideration in the Parliament and has not become law yet.
What are the fines under Bill C-27?
Organizations can face several categories of fines depending on the violation committed, up to $25,000,000 or 5% of the organization’s gross global revenue in its previous financial year, whichever is greater.
Can individuals bring a private action for violations of Bill C-27?
Section 107 of the Consumer Privacy Protection Act gives individuals the right to claim damages when an organization fails to comply with the new law’s requirements for personal information.
What does the Bill C-27 entail?
The draft Law consists of three parts:
The Consumer Privacy Protection Act ('CPPA')
The Personal Information and Data Protection Tribunal Act
The Artificial Intelligence and Data Act ('the AI Act')
Who imposes penalties for violations of Bill C-27?
The new Personal Information and Data Protection Tribunal can levy fines under the Personal Information and Data Protection Tribunal Act (part of Bill C-27).
Is anonymized data outside the scope of Bill C-27?
Yes. Bill C-27 does not apply to anonymized information.
Is there a right to data portability?
Similar to the EU General Data Protection Regulation, there is a right to data portability under the new Act.