Bill C-27: Landmark Privacy and AI Bill Undergoes Committee Review after Yearlong Wait

After more than a year since Bill C-27 was first introduced, the Standing Committee on Industry Science and Technology (INDU) finally began its study of the bill. Bill C-27, the Digital Charter Implementation Act, 2022, is the Government’s latest attempt to modernize Canada’s private-sector privacy laws, which are nearly 20 years old.

At the first committee meeting, the Minister of Innovation, Science and Industry, the Hon. Francois-Phillippe Champagne, stressed the urgency of passing updated privacy and artificial intelligence (AI) legislation to keep up with modern developments in technology. Canada’s current privacy laws not only pre-dates technologies such as smart phones and cloud computing, but rapid developments in technology, such as ChatGPT have necessitated a renewed urgency to introduce a regulatory framework for artificial intelligence (AI). Minister Champagne noted privacy, AI and data go hand in hand and that Canada’s approach aims to establish robust guardrails for the development and use of AI such that Canada’s legislation can be considered synonymous with safe AI.

About Bill C-27

Introduced last June, Bill C-27 is divided into three parts:

  • the Consumer Privacy Protection Act (CPPA)
  • the Personal Information and Data Protection Tribunal Act (PIDPTA)
  • the Artificial Intelligence and Data Act (AIDA).

The CPPA would replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the protection of personal information in the private sector. For more information about Bill C-27, please refer to our article: Proposed Changes to Canada’s Privacy Laws: What Organizations Need to Know.

Proposed Amendments

Minister Champagne proposed new amendments to Bill C-27. These include:

  • Explicitly recognizing a fundamental right to privacy. This was one of the key recommendations made by the Privacy Commissioner in its submission on Bill C-27. The intent here is to include language recognizing a fundamental right to privacy in the preamble to the Bill as well as the purpose clause (Section 5). By recognizing privacy as a fundamental right, the Government’s objective is to ensure that privacy rights are given due importance in the interpretation of the legislation. For example, in cases of conflict between the privacy rights and private or public interests, privacy rights would take precedence;
  • Providing the Privacy Commissioner more flexibility to reach compliance agreements with organizations that are non-compliant, allowing for faster resolution of matters without implicating the courts or the tribunal; and
  • Recognizing and strengthening the protection of children’s privacy by amending the preamble of the bill to include a specific reference to the interests of children with respect to their personal information and by amending Section 12 so that organizations consider the special interests of minor when determining whether personal information being collected, used or disclosed is for an appropriate purpose.

The Minister also proposed five amendments to AIDA, the AI part of the bill. These include:

(1) providing more clarity to the definition of “high-impact systems”, which are the focus of the AI part of the bill, but the definition was undefined in the draft bill.  The proposed amendment defines classes of systems that would be considered high impact. This includes the use of AI systems in matters relating to employment, healthcare or emergency systems, among others;

(2) introducing specific and distinct obligations for general purpose AI systems, like ChatGPT;

(3) developing clear obligations for companies that develop AI by differentiating between a person who develops AI and one who manages and deploys AI systems in their business;

(4) clarifying the role of the proposed AI and Data Commissioner and enable better information sharing with other regulators; and

(5) introducing targeted amendments to key definitions to ensure interoperability of the legislation with other jurisdictions.

Next Steps

As the review progresses, the Committee aims to deal first with the privacy parts of the bill and then shift its attention to the AIDA part of the bill.  Thirteen meetings are planned. The Committee will hear from various witnesses over the course of the review. We can expect to see an updated version of the bill that reflects the proposed amendments when the Committee proceeds to a clause-by-clause review of the bill, if not sooner.

Of likely importance in the Committee review moving forward will be issues related to the inclusion of privacy as a fundamental right, clarity regarding the scope and application of AIDA, privacy rights of minors, oversight and enforcement powers as well as the need for clear definitions to help avoid ambiguity.

Our Privacy & Access to Information team remains available to answer questions as the Committee review unfolds.

The information and comments herein are for the general information of the reader and are not intended as advice or opinion to be relied upon in relation to any particular circumstances. For particular application of the law to specific situations, the reader should seek professional advice.


Related Categories
Core Areas