Canada – Digital Charter Implementation Act introduced to strengthen federal data protection laws and regulate AI

The Act, which comprises a number of different Acts, will:

• replace the Personal Information Protection and Electronic Documents Act (PIPEDA) with a the Consumer Privacy Protection Act (CPPA);
  
  
• establish a new administrative tribunal for its enforcement, through the Personal Information and Data Protection Tribunal Act; and
   
• introduce an Artificial Intelligence and Data Act, to regulate responsible development of artificial intelligence (AI).

Under the CPPA, the Privacy Commissioner of Canada will be given increased enforcement powers, including the power to impose fines for violations of the CPPA of up to 5 % of the organisation’s gross global revenue in the preceding financial year or CAD 25 million, whichever is greater. The Privacy Commissioner will also be able to order organisations to comply with the CPPA or stop actions violating its requirements, as well as mandate third-party audits or require organisations to share information with other regulatory and enforcement authorities. The Privacy Commissioner will also be able to approve codes of practice and certification programs that would provide substantially the same or higher protection of personal information.

The CPPA will apply to every organisation processing personal information in the course of commercial activities or processing information about employees or job applicants in connection with the operation of a federal “work, undertaking or business”. It recognises the need of organisations to collect, use or disclose personal information of individuals “for purposes that a reasonable person would consider appropriate in the circumstances”. The CPPA sets out accountability obligations on organisations (e.g. to designate one or more individuals responsible for compliance, similar to a data protection officer under the GDPR, and to implement and maintain a privacy management program that includes the necessary policies, practices and procedures to fulfil obligations under the CPPA) and establishes a requirement to obtain the prior, informed and specific consent of individuals before an organisation collects, uses or discloses an individual’s personal information, unless a specific exception applies. Examples of these exceptions include:

• processing for the purposes of business operations, under condition that a reasonable person would expect the collection or use of data for such an activity and the information is not used for influencing the individual’s behaviour or decisions (including processing which is necessary to provide products or services, based on legitimate interests, the use of service providers and research and development, among other things);
  
  
• processing for public interest purposes (including emergencies, vital interests, preventing or investigating financial abuse against the individual; statistics, research or archival purposes, as well as for socially beneficial purposes related to health, public infrastructure or environmental protection);
  
  
• processing in the context of investigation of a breach of an agreement or contravention of federal or provincial law, as well as breach of security safeguards; and
  
  
• processing of publicly available information.

The CPPA provides new data subject rights, including the right to erasure, in addition to existing access and correction rights, as well as the right to data portability. Further, the CPPA proposes to limit the information that companies may collect from minors and increase the requirements with regards to processing the data of minors (covering children under 18 or 19 years old, depending on the provincial definition of minors).

The Personal Information and Data Protection Tribunal Act establishes the Personal Information and Data Protection Tribunal, consisting of three to six members with experience in information and privacy law, with the power to hear appeals against the decisions of the Privacy Commissioner and impose fines for violations of the CPPA.
  
The Artificial Intelligence and Data Act aims to regulate development and deployment of AI systems. Among other requirements, the Act requires persons responsible for “high-impact” AI systems to identify and mitigate the risks of AI bias and harm and publish key information about the system (including how it is used, the content and decisions it generates, the mitigating measures, etc.) The Act further prohibits certain conduct related to AI systems that may result in serious harm to individuals or to their interests. These provisions are proposed to be enforced by a new AI and Data Commissioner who would have the authority to monitor compliance, order third party audits and collaborate with other regulators in this area.
 
The Act further establishes offenses related to AI systems, including a criminal offence for persons that use unlawfully obtained personal information for designing, using or making available an AI system. Reckless deployment of an AI system that is likely to cause serious physical or psychological harm to an individual or substantial damage to property, as well as developing and deploying an AI system with intent to defraud the public and cause substantial economic loss to an individual are also prohibited. Potential penalties include fines of CAD 25 million or 5% of the organisation’s gross global revenues in the preceding financial year, or a fine and imprisonment of up to five years in case of individuals.

Read Innovation, Science and Economic Development Canada press release, the full text of the Digital Charter Implementation Act 2022 and the legislative file.