What You Need to Know About Canada Bill C-27

Bill C-27: The Digital Carter Implementation Act, 2022

A part of its digital charter, the Canadian government has tabled Bill C-27, the Digital Charter Implementation Act, 2022. The Act aims to strengthen privacy laws in the country. It also introduces rules that support responsible development of artificial intelligence (AI).

Bill C-27 will introduce three new acts when it is passed:

• The Consumer Privacy Protection Act (CPPA)
• The Artificial Intelligence and Data Act
• The Personal Information and Data Protection Tribunal Act

In this post, we’ll explore the acts proposed by Bill C-27 and what you can do to prepare for the new legislation.

The Consumer Privacy Protection Act (CPPA)

The CPPA aims to protect Canadians’ privacy and provide data rights to individuals. If Bill C-27 is passed, the CPPA will replace the current Personal Information Protection and Electronic Documents Act (PIPEDA).

Organizations will need to explain why they need to collect individuals’ data and what it will be used for. Individuals will be able to move their information securely between organizations and request that their information is deleted when it’s no longer needed.

The act also requires stronger protection for minors and establishes penalties for noncompliance. Business could receive fines of up to 5% of global revenue or CA$25 million, whichever is greater.

The Privacy Commissioner of Canada will be given greater powers ultimately allowing them to stop noncompliant companies collecting or using personal information.

The Artificial Intelligence and Data Act

The Artificial Intelligence and Data Act aims to protect Canadians from the risks of harm and potential biases in some AI systems. AI systems are increasingly used in decision-making processes by businesses. If they are not trained using bias-free data, this can influence the outcomes they produce, with life-affecting consequences.

The act establishes an AI and Data Commissioner. The Commissioner will be responsible for monitoring compliance and overseeing enforcement action. Unlawful use of data for AI development or irresponsible deployment could result in criminal prosecution and penalties.

The Personal Information and Data Protection Tribunal Act

This act provides the enforcement authority for the CPPA. The Tribunal will be responsible for reviewing penalties and other enforcement action proposed by the Privacy Commissioner. They will also provide an appeals mechanism for organizations and individuals.

How You Can Prepare

For organizations looking to prepare themselves for these new acts, understanding their data is the best place to start. Businesses that are subject to Quebec’s Bill 64 and the European GDPR may have an advantage, but they will need to review the new legislation and update their processes to comply where there are gaps.

Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to Canadian individuals.

Ground Labs’ Enterprise Recon simplifies this process by automating the discovery process and focusing on specific targets based on over 300 pre-packaged data types from over 50 countries including Canada and the US.

To understand how data discovery can support compliance with Canada’s Bill C-27 and the new acts it introduces, download your free copy of our white paper, Data Discovery: The Foundation of Any Compliance or Regulatory Obligation