Bill C-27, the Digital Charter Implementation Act, 2022 (DICA) was introduced on June 16, proposing to enact three pieces of legislation aimed at strengthening the private sector privacy framework in Canada. If passed in its current form, DICA will enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA), as well as the Artificial Intelligence and Data Act (AIDA) to regulate the development and deployment of AI.
CPPA
Like its failed 2020 predecessor the 2022 version of the CPPA is consistent with PIPEDA's 10 fair information principles and if passed proposes a number of changes, including:
- increasing control and transparency when Canadians’ personal information is handled by organizations;
- giving Canadians the freedom to move their information from one organization to another in a secure manner;
- ensuring that Canadians can request that their information be disposed of when it is no longer needed;
- establishing stronger protections for minors, including by limiting organizations’ right to collect or use information on minors and holding organizations to a higher standard when handling minors’ information;
- providing the Privacy Commissioner of Canada with broad order-making powers, including the ability to order a company to stop collecting data or using personal information; and
- establishing significant fines for non-compliant organizations—with fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences.
PIDPTA
The DICA also establishes a new tribunal responsible for imposing administrative monetary penalties against organizations that contravene the CPPA. The Tribunal will also provide an accessible mechanism for organizations and individuals to appeal findings or decisions of Privacy Commissioner made under the CPPA.
AIDA
One novel aspect of the DICA is the introduction of the AIDA which establishes new rules based on responsible development and deployment of AI systems and the imposition of penalties for those who contravene the AIDA, including:
- protecting Canadians by ensuring high-impact AI systems are developed and deployed in a way that identifies, assesses and mitigates the risks of harm and bias;
- establishing an Artificial Intelligence and Data Commissioner to support the Minister of Innovation, Science and Industry in fulfilling ministerial responsibilities under the Act, including by monitoring company compliance, ordering third-party audits, and sharing information with other regulators and enforcers as appropriate; and
- outlining clear criminal prohibitions and penalties regarding the use of data obtained unlawfully for AI development or where the reckless deployment of AI poses serious harm and where there is fraudulent intent to cause substantial economic loss through its deployment.
Conclusion
The Digital Charter Implementation Act seeks to align Canada’s privacy framework with international standards and secure Canada as a global competitor in AI. Organizations should therefore begin considering the impact DCIA will have their current privacy practices, policies and use of AI if enacted.
