On June 16th, 2022, a new privacy regime was proposed in Bill C-27, the Digital Charter Implementation Act. This Act, which is still at first reading, would protect individuals’ personal information and regulate organizations’ privacy practices. It is intended to modernize Canada’s private sector privacy laws.
New Acts Created by Bill C-27
This ambitious bill aims to implement numerous privacy changes. If enacted, Bill C-27 would:
- Create the Consumer Privacy Protection Act (CPPA)
The CPPA would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s current private sector privacy law. It proposes modern privacy protection similar to the EU’s General Data Protection Regulation (GDPR) and provides more clarity for organizations than our current privacy regime.
- Create the Personal Information and Data Protection Tribunal Act (PIDPTA)
The PIDPTA would establish a tribunal that would hear the Office of the Privacy Commissioner of Canada’s (OPC) recommendations on administrative monetary penalties and appeals from certain inquiry findings and specific orders of the OPC.
- Enact the Artificial Intelligence and Data Act (AIDA)
The AIDA would regulate “international and interprovincial trade and commerce in AI systems” and prohibit certain conduct that could seriously harm individuals and their interests.
Bill C-27’s Impact on Canadian Charities
If Bill C-27 is passed, it will set out legal requirements for those subject to its jurisdiction, and it will set expectations for best practices. Canadian charities should consider how Bill C-27 would impact the way they handle personal information. Given increased liability and penalties under the proposed CPPA, charities should vigorously review their existing data policies and management to protect themselves from legal liabilities and to protect the privacy of their stakeholders.
Definition of Commercial Activities
Bill C-27 uses PIPEDA’s definition of “commercial activities” which includes selling, bartering, leasing donor, membership, or other fundraising lists. Therefore, federal privacy laws will still apply to Canadian charities engaged in such activities.
Bill C-27’s failed predecessor, Bill C-11, proposed a restricted definition of “commercial activities,” that could have led many charities and non-profits to believe they no longer had to comply with federal private sector privacy laws. By returning to PIPEDA’s definition of “commercial activities”, Bill C-27 will still capture elements of what charities may do, such as selling, bartering, leasing donor, membership, or other fundraising lists.
Other Important Proposals
This is only a partial list, and since the bill has only just begun its journey through Parliament it could see significant changes along the way. This partial list highlights notable changes that may interest Canadian charities.
Organizations must use plain language when seeking permission to collect, use or disclose an individual’s personal information.
Organizations must not use misleading practices to obtain consent.
Organizations can sometimes collect and use data without consent:
- If its reasonable for security purposes
- If its reasonable for safety reasons
- In other prescribed situations
- When there are “legitimate interests.’
People can withdraw consent subject to similar limitations that currently exist in PIPEDA. However, unlike PIPEDA, under the CPPA, an individual can also require that an organization dispose of their information. Disposal includes deletion and rendering the data anonymous.
Minors’ data means any “sensitive personal information.” Accordingly, privacy practices may require changes to ensure this information is adequately protected.
Individuals can bring a direct action for damages if they are affected by an organization’s infringement of the CPPA. The Act will also allow aggrieved individuals to file such actions in the superior court of a province.
Strengthened Enforcement Regime
Bill C-27 implements significant penalties for non-compliance with the CPPA.
Organizations with operations in Quebec, British Columbia and Alberta will have to comply with both (the substantially similar) provincial privacy laws and with the CPPA when moving data from one province to another.
Individuals will have the right to require an organization to explain how an automated decision-making system could significantly impact them.
For more on privacy…
Members can check out CCCC privacy resources in our Knowledge Base.
Noteworthy is provided for general information purposes and does not constitute legal or professional advice. Every organization’s circumstances are unique. Before acting on the basis of information contained in this blog, readers should consult with a qualified lawyer for advice specific to their situation.