There was some movement at the federal level this week with the introduction of a couple of pieces of legislation privacy pros in Canada need to know about.

Earlier in the week, Bill C-26 was introduced and would require certain organizations to build cyber resilience programs and, in certain circumstances, report cyberattacks to the federal government. Time to dust off that infosecurity training and start working with your chief information security officer to get ready for the new law.

Then on Thursday, Bill C-27 was tabled. It is essentially the new C-11 from the last Parliament. Once passed, this law will replace the Personal Information Protection and Electronic Documents Act with the Consumer Privacy Protection Act. It will also create the Personal Information and Data Protection Tribunal, which will have a role in reviewing orders made by the privacy commissioner. Lastly — and this part is new — the bill also will enact a law called the Artificial Intelligence and Data Act.

Next week, the IAPP will publish a more in-depth analysis of Bill C-27, but here are a few quick takeaways:

  • The privacy commissioner’s office will operate more like an administrative tribunal. They seem to have modeled it on the human rights commission and tribunal system. The Office of the Privacy Commissioner of Canada will investigate and be able to order compliance, but there will be a tribunal that will hear appeals and levy fines (if recommended by the OPC).
  • The fines are potentially steep: CA$10 million or 3% of annual revenue and even higher if an organization commits a criminal offense under the law.
  • They are introducing the EU General Data Protection Regulation concept of legitimate interests as a basis to process personal information without consent.
  • Speaking of consent, it is still important and plays a role, but the new law is markedly different than PIPEDA’s reliance on consent, instead focusing more on accountability and transparency.

The Artificial Intelligence and Data Act, meanwhile, introduces new rules, including:

  • Protecting Canadians by ensuring high-impact AI systems are developed and deployed in a way that identifies, assesses and mitigates the risks of harm and bias. 
  • Establishing an AI and Data Commissioner to support the Minister of Innovation, Science and Industry in fulfilling ministerial responsibilities under the Act, including by monitoring company compliance, ordering third-party audits, and sharing information with other regulators and enforcers as appropriate. 
  • Outlining criminal prohibitions and penalties regarding the use of data obtained unlawfully for AI development or where the reckless deployment of AI poses serious harm and where there is fraudulent intent to cause substantial economic loss through its deployment.

Like I said, we will work over the weekend to get a more comprehensive analysis out as soon as possible. If you can’t wait, here’s a link to the LegisInfo website where they should be posting the text of the bill. Happy reading!