Connect. Support. Resources.
Be prepared for the Digital Charter Implementation Act.
On June 16, 2022, the federal government introduced Bill C-27, Digital Charter Implementation Act, 2022.
If passed, Bill C-27 would repeal Part 1 of the Personal Information and Electronic Documents Act (PIPEDA) and replace it with the new Consumer Privacy Protection Act (CPPA).
It would enact the Personal Information and Data Protection Tribunal Act (PIDPTA) which creates a new administrative tribunal to hear appeals of decisions made by the Privacy Commissioner (Commissioner) under the CPPA.
The Electronic Documents Act would remain as a separate act.
The Bill would also enact the Artificial Intelligence and Data Act (AIDA) to regulate international and interprovincial trade and commerce in artificial intelligence (AI) systems.
The Bill is similar to the former Bill C-11, Digital Charter Implementation Act, 2020, which was introduced but not passed prior to the last federal election.
The Canadian government recently introduced the Digital Charter Implementation Act, 2022 (C-27) (the Act), a bill designed to bolster Canada's privacy and data protection legal framework and regulate artificial intelligence (AI) systems. The Act expands upon its predecessor draft bill introduced in 2020 (C-11) and is comprised of three proposed statutes:
the Consumer Privacy Protection Act (CPPA), which would repeal and replace sections of the Personal Information Protection and Electronic Documents Act (PIPEDA);
the Personal Information Data Protection Tribunal Act (Tribunal Act), which would create an administrative tribunal that, among other things, can review decisions made by the Privacy Commissioner (the Commissioner) regarding violations of the CPPA; and
the Artificial Intelligence and Data Act (AIDA), which would regulate the design, development, sale, and operation of "AI systems" and related data processing.
The CPPA and Tribunal Act would tighten restraints on how organizations process personal information and give individuals greater insight into and choices regarding such processing. Those changes would in some ways bring Canadian privacy law more in line with stringent data protection regimes in other jurisdictions, such as the General Data Protection Regulation of the European Union (EU) and the United Kingdom. And the legislation would grant individuals a new private right of action for certain CPPA violations.
The AIDA would establish risk-based, Canada-wide requirements for AI systems and permit the federal government to prohibit the sale or operation of an AI system if there are "reasonable grounds to believe that the use of the system gives rise to a serious risk of imminent harm." At first blush, the legislation appears to be far less prescriptive than the proposed Artificial Intelligence Act (AIA) under consideration by the EU's co-legislators. However, the AIDA leaves many of the details of the requirements to the federal government to specify in future regulations, which might lead to a more burdensome regime.
Because the Act would have some extraterritorial effect, US and other non-Canadian businesses should watch the bill's evolution through the legislative process and consider the steps they would need to take to comply.
