menu-open menu-close
Header Logo
24 HOUR
SUPPORT OHS
Header Logo
Home / Insights
In A Flash

Federal Government Introduces New Federal Privacy and AI Legislation

By

On June 16, 2022, the Canadian government tabled Bill C-27, the Digital Charter Implementation Act, 2022. The three-pronged legislation aims to strengthen Canada’s data privacy framework and create new regulations for the responsible development of Artificial Intelligence (AI), while continuing to implement Canada’s Digital Charter. The proposal would also introduce significant changes in respect of enforcement.

Bill C-27 features three pieces of legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA) and the Artificial Intelligence and Data Act (AIDA).

Consumer Privacy Protection Act (CPPA)

The CPPA is intended to replace Part 1 of the Personal Information and Electronic Documents Act (PIPEDA). It would govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities. The CPPA would, in part, increase Canadians’ ability to control personal information held about them by organizations, provide more freedom to move that information from one company to another securely, and hold companies that process children’s data to a higher standard.

Personal Information and Data Protection Tribunal Act (PIDPTA)

The second component of Bill C-27 would create a new administrative tribunal charged with levying monetary penalties against organizations that violate the CPPA. Under the proposed regime, the Office of the Privacy Commissioner (Commissioner) would continue to oversee compliance, and would also be granted authority to issue orders against companies and make recommendations for penalties. The Tribunal, however, would be tasked with reviewing the Commissioner’s orders and may substitute its own decision. 

Bill C-27 elevates the power of the Tribunal, making it equivalent to those of a superior court of record. A decision of the Tribunal is final and binding, although it will be subject to judicial review in the Federal Courts.

The Act also would establish significant fines for non-compliant organizations—with fines of up to 5% of global revenue or $25 million, depending on which monetary fine is greater, for the most serious offences. Factors that the Commissioner must take into account when recommending a penalty would be updated under Bill C-27 to include evidence that the organization exercised due diligence to avoid the contravention and reasonable efforts to mitigate or reverse the contravention’s effects, providing organizations with additional avenues to attempt to limit penalties, and heightening the importance of a robust privacy compliance program.

Artificial Intelligence and Data Act (AIDA)

The final component of Bill C-27 would regulate international and interprovincial trade and commerce in artificial intelligence systems. It would require companies building high-impact AI systems to identify, assess and mitigate the risk of harm and bias. It would establish an AI and Data Commissioner which would be charged with monitoring compliance and ordering third-party audits of a given system.

Potential Impact for Federal Employers

This proposed bill comes after Bill C-11, the Consumer Privacy Protection Act, did not proceed due to the most recent federal election.

Like PIPEDA currently, Bill C-27 would directly regulate personal information collected, used and disclosed by federal employers in the course of administering the employment relationship.  Notably, Bill C-27 would continue the consent exemption in PIPEDA for employee personal information.

From the federal employer perspective, the most significant reform in Bill C-27 relates to enforcement.   Currently, the Commissioner has no authority to make or enforce orders under PIPEDA.   Findings of the Commissioner constitute recommendations only, and a party must proceed in the Federal Courts to secure an enforceable order.  PIDPTA will enhance the authority of the Commissioner, introduce the Tribunal with significant adjudicative and enforcement powers, and limit the role of the Federal Courts to judicial review.

The full text of the bill is available here.

If you have any questions about this topic or any other questions relating to workplace law, please do not hesitate to contact a Mathews Dinsdale lawyer.

The Firm gratefully acknowledges the assistance of Amanda Finelli, a Summer Student in the firm’s Toronto office.

Expertise: Employment law, Federal Sector

Tags: Federal Sector, Artificial Intelligence, Bill C-27, Digital Charter Implementation Act 2022

Print article

More insights

In A Flash

Remote Worker Dismissed Over Vaccination Status Denied EI by Federal Court

In Spears v. Canada (Attorney General), 2024 FC 329, the employee, a public servant, was dismissed for misconduct after failing to comply with her employer’s Covid-19 Vaccination Policy, despite her status as a remote worker. Her subsequent application for employment insurance (“EI”) benefits was denied. After two failed appeals, the employee brought the matter before the Federal Court on judicial review. On February 28, 2024, the Federal Court dismissed her application, thereby affirming the original decision to deny her EI benefits.

Read more

Webinars

Our complimentary webinars address the practical and legal issues for Canadian employers.

View our Webinars