Blog

Minister of Innovation, Science and Industry of Canada Releases Proposed Amendments to the Digital Charter Implementation Act

October 11, 2023

Close

Written By Stephen Burns, Ruth Promislow, Caroline Poirier, Matthew Flynn, Sebastien Gittens, Emmanuelle Demers, David Wainer and Michael Iankilevitch

On September 26, 2023, the House of Common's Standing Committee on Industry and Technology (the Standing Committee) embarked on a comprehensive examination of Bill C-27, the Digital Charter Implementation Act. If passed, this legislation would repeal part 1 of the Personal Information Protection and Electronic Documents Act and enact three separate Acts designed to revamp privacy laws and govern the burgeoning field of artificial intelligence in Canada. These three Acts include the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, collectively heralding a modernized legal landscape.

Against the backdrop of the ongoing evaluation of Canada's adequacy status by the European Commission,1 the commencement of the study on Bill C-27 takes on heightened importance. Article 45 of the European Union's General Data Protection Regulation grants the European Commission the authority to conduct periodic reviews, usually occurring every four years, in order to evaluate the adequacy of data protection measures in non-E.U. countries.2 In light of this, the passage of Bill C-27 takes on a critical significance, highlighting the urgent need for the swift enactment up-to-date privacy laws.

The Honourable François-Philippe Champagne, the bill's sponsor and Minister of Innovation, Science, and Industry, made his appearance as the inaugural witness before the Standing Committee, offering a series of proposed amendments to Bill C-27. While the precise wording of these amendments was not disclosed during the session, Minster Champagne followed-up his appearance with a letter addressed to the committee in the ensuing week, setting out the proposed amendments in greater detail. Despite the increased clarity in the subsequent letter, the comprehensive legislative language outlining the implementation of these amendments will only be unveiled during the clause-by-clause review of the bill, emphasizing the importance of the procedural aspect.

The Minister's letter sets out proposed amendments to the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act for the Standing Committee to consider as they advance their study of Bill C-27. Notable proposed amendments include:

The Consumer Privacy Protection Act

The Minister proposes an amendment to the preamble and purpose of the Consumer Privacy Protection Act (CPPA) such that the CPPA will expressly qualify the right to privacy as a fundamental right to all Canadians. The CPPA will also give special consideration to the protection of children's personal information and ensure organizations give adequate consideration to the interests of minors when determining whether their personal information is collected, used or disclosed appropriately.

The Minister's letter also notes that the CPPA already contained strong protection for minors and that the proposed amendments further reinforces such protections. If personal information belonging to a minor is "sensitive," organizations will generally need: (1) express consent to collect, use or disclose that information; (2) to carefully consider their reason for collecting such information; (3) employ stronger safeguards to protect the information; and (4) implement shorter retention periods for such information.

A further proposed amendment to the CPPA seeks to amend compliance agreements. These agreements contemplate an agreement between the Office of the Privacy Commissioner of Canada (OPC) and any organization found to be non-compliant with the CPPA. The amendment seeks to include financial consideration as part of a compliance agreement, such that the OPC would be able to levy a financial penalty on non-compliant organizations. Compliance agreements would be final, reached without the need of a tribunal or court, and would not be subject to appeals.

The Artificial Intelligence and Data Act

Previous language of the Artificial Intelligence and Data Act (AIDA) included "high impact" artificial intelligence (AI) systems. The proposed amendments helpfully clarify the meaning of "high impact" systems as "those of which at least one intended use may reasonably be concluded to fall within a list of classes to be set out in a schedule in the Act." The proposed amendments also set forth a list of initial classes, including:

  1. the use of an AI system used in matters relating to employment;
  2. the use of  an AI system in matters relating to the determination of services being provided to an individual, including the type or cost of such services or the prioritization of how such services are provided;
  3. the use of an AI system to process biometric information;
  4. the use of an AI system relating to the moderation of content on an online communications platform;
  5. the use of an AI system in matters related to healthcare or emergency systems;
  6. the use of an AI system by a court or administrative body; and
  7. the use of an AI system to assist a peace officer.

The amendments note that the list of classes could evolve and suggests a further amendment granting the Governor in Council the authority to modify the list in the future.

The proposed amendments also seek to align AIDA's definition of AI with the Organization for Economic Co-operation and Development, wherein AI would be defined as a "technological system that, using a model, makes inferences in order to generate output, including predictions, recommendations or decisions."

In seeking to align with international best practices, such as the European Union Artificial Intelligence Act, the letter states that the government would propose amendments relating to the responsibilities of persons developing a machine learning model for high impact use, persons putting into service a high impact system, and persons managing the operations of a high impact system.

Finally, the amendments propose that all actors conducting regulated activities would be required to prepare an accountability framework, consisting of: (1) reporting structure; (2) policies and procedures relating to risks; (3) policies and procedures when advising an individual subject to a serious incident; (4) policies and procedures respecting the data used by the system; (5) the training that individuals must go through; and (6) any other future regulatory requirement.

Other noteworthy proposed amendments to AIDA include clearer obligations to each actor across the AI value chain as well as implementing future obligations for general purpose AI systems such as ChatGPT. The letter notes that while these systems could be regulated as high-impact systems, stakeholder input proposes that these systems are distinct in their own right and should have unique regulations. Finally, the amendments seek to clarify the role of the AI and Data Commissioner, a role that would be created pursuant to Bill C-27 should it receive royal assent.

The Minister's letter may foretell the future of personal information and artificial intelligence regulation in Canada. Accordingly, organizations should consider their own practices to ensure they are ready for the implementation of the CPPA and AIDA should Bill C-27 receive royal assent. The Bennett Jones Privacy & Data Protection group is available to discuss how your organization can responsibly and effectively manage the use of information and artificial intelligence in its operations.


1 Office of the Privacy Commissioner of Canada, "OPC updates guidance regarding sensitive information" (13 August 2021), online: <www.priv.gc.ca/en/opc-news/news-and-announcements/2021/an_210813/>.

2 GDPR, Regulation (EU) 2016/679, 2016 OJ (L 119) 1 (EU), at 45.

Authors

Related Links



View Full Mobile Experience