Five things to know about Bill C-27
In June 2022, the Canadian federal government introduced Bill C-27, the Digital Charter Implementation Act, which contains newly-proposed legislation relating to consumer privacy, data protection, and the first comprehensive laws governing artificial intelligence (AI) systems in Canada. In the first of a series of articles covering the bill’s potential impacts, SRI Policy Researcher Maggie Arai explores its key takeaways. Image: Connie Schneider/Unsplash.
As technology continues to advance and permeate almost all aspects of modern life, it has become necessary for regulators to grapple with how to best regulate it. New ways of collecting and processing personal information necessitate new regulations to protect those whose information is being collected, analyzed, and sold—often whenever they visit a new website or sign up to a new app like Facebook or TikTok. Advances in artificial intelligence (AI) are also top of mind for many regulators, posing unique risks and challenges that must be addressed. The recently tabled Bill C-27 represents Canadian regulators’ efforts on both fronts.
On June 16, 2022, the Canadian federal government introduced Bill C-27, the Digital Charter Implementation Act 2022, in the House of Commons. Bill C-27 is not entirely new, following in the footsteps of Bill C-11 (the Digital Charter Implementation Act 2020). Bill C-11 failed to pass, dying on the Order Paper when the Governor General dissolved Parliament to hold the 2021 federal election. While some aspects of C-27 will likely be familiar to those who followed the progress of Bill C-11, there are several key differences.
In the following article, we set out five key things you need to know about Bill C-27 and how this new legislation will impact the rights of Canadians when it comes to privacy, data protection, and AI systems.
Bill C-27 contains three proposed Acts, which relate to consumer privacy, data protection, and AI systems. The proposed Acts are The Consumer Privacy Protection Act (CPPA), The Personal Information and Data Protection Tribunal Act (PIDPTA), and The Artificial Intelligence and Data Act (AIDA). Of the three proposed Acts, both the CPPA and PIDPTA previously appeared in Bill C-11 (though both show some evolution in C-27), while AIDA is an entirely new draft legislation.
1. The Artificial Intelligence and Data Act represents Canada’s first comprehensive attempt at AI regulation.
The Artificial Intelligence and Data Act (AIDA) is the federal government’s first attempt to comprehensively regulate artificial intelligence. Canada is not alone in this: AIDA comes in the wake of similar initial attempts at AI regulation by other governments around the world, such as the European Union’s 2021 AI Act and the United States’ 2022 Algorithmic Accountability Act. AIDA, like the EU’s AI Act, takes a risk-based approach to regulating AI. However, it is worth noting that Canada proposes categorizing AI based on whether it is “high-impact,” while the EU uses the language of “high-risk.” AIDA is also far less prescriptive than the EU AI Act. The draft Act is quite short, with much room left for the enactment of provincial AI laws as well as further federal regulation, including future regulation to be made by the Governor in Council and the Minister pursuant to sections 36 and 37 of AIDA, respectively.
2. AIDA sets out new responsibility requirements for AI systems—including the potential for audits.
AIDA provides a definition of “person” that includes trusts, partnerships, unincorporated associations and any other legal entity, and further clarifies when a such a “person” will be considered responsible for an AI system. A person becomes a “person responsible” for an AI system if they design, develop, make available for use, or manage the operation of an AI system in the course of international or interprovincial trade and commerce.
The major requirements contained in AIDA for “persons responsible” for AI systems include ensuring the anonymization of data, conducting assessments to determine whether an AI system is “high-impact,” establishing measures related to risks, monitoring and keeping records on risk mitigation, and requirements for organizations to publish a plain-language description of all high-impact AI systems on a public website. If at any time the Minister has reasonable grounds to believe that a person may be in contravention of these requirements, the Minister may order that person to conduct an audit into the possible contravention, or engage an independent auditor to conduct the audit. This mention of an independent auditor leaves open the possibility for Canada to consider regulatory markets in its approach to regulating AI.
3. Many aspects of how Canada will regulate AI under AIDA remain to be seen.
As Canada’s first attempt to regulate AI, AIDA frequently makes reference to regulations that have yet to be developed. AIDA’s definition of a high-impact system, for example, is an AI system that “meets the criteria for a high-impact system that are established in regulations.” The requirements section of the Act similarly references fulfilling each requirement “in accordance with the regulations,” none of which yet exist. Sections 36 and 37 of the Act set out the respective abilities of the Governor in Council and the Minister to make these regulations. Additionally, it remains to be seen whether the Act will create a new Minister; AIDA allows the Governor in Council to designate any member of the Queen’s Privy Council of Canada to be the Minister for the purposes of the Act, but if the Governor in Council does not designate a member, then the position will fall to the Minister of Industry (currently Minister François-Philippe Champagne).
4. If passed, Bill C-27 would repeal and replace existing privacy provisions in Canada.
The Consumer Privacy Protection Act would set out the new Canadian privacy law regime, repealing and replacing the privacy provisions in the now 20-year-old Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA would become the Electronic Documents Act, losing its provisions on privacy but retaining those regarding electronic documents. The CPPA differs from PIPEDA in several key ways, such as the inclusion of significant consequences for non-compliance—with markedly higher fines than those set out in PIPEDA—quasi-criminal prosecutions; new opportunities for legal claims in response to breaches of privacy, with broader allowances for who can seek compensation and where they can file claims; and explanation requirements. Under the CPPA, organizations must, on request from an individual, provide explanations for how an automated decision-making system made a decision that could have a significant impact on that individual.
5. The Personal Information and Data Protection Tribunal Act would create a new data protection tribunal.
The newly-created Personal Information and Data Protection Tribunal would hear appeals of findings, interim or final orders made by the Privacy Commissioner, and determine whether penalties recommended by the Commissioner are appropriate. This Tribunal was also proposed in Bill C-11, but C-27 introduces some key differences, including the requirement that at least three members of the Tribunal have experience in the field of information and privacy law. Further, the Tribunal will review appeals under a stricter standard of review than the standard used in Federal Court appeals under PIPEDA. This means that the Tribunal has less leeway to overturn a finding or final order made by the Commissioner.
What comes next?
The tabling of Bill C-27 represents an exciting step forward for Canada as it attempts to forge a path towards regulating AI that will promote innovation of this advanced technology, while simultaneously offering consumers assurance and protection from the unique risks this new technology it poses. This second attempt towards the CPPA and PIDPTA is similarly positive, and addresses the need for updated and increased consumer protection, privacy, and data legislation.
However, as the saying goes, the devil is in the details. As we have outlined, several aspects of how Bill C-27 will be implemented are yet to be defined, and how the legislation will interact with existing social, economic, and legal dynamics also remains to be seen.
There are also sections of C-27 that could be improved, including areas where policymakers could benefit from the insights of researchers with domain expertise in areas such as data privacy, trusted computing, platform governance, and the social impacts of new technologies. In the coming weeks, the Schwartz Reisman Institute will present additional commentaries from our community that explore the implications of C-27 for Canadians when it comes to privacy, protection against harms, and technological governance.
To ensure that the powerful new technologies that shape our world today benefit everyone, it’s essential that our policies are well-informed—especially when it comes to how technical systems work, how they interact with our legal infrastructure, and how they impact society. As we approach the implementation of this landmark regulation, it’s critical that Canadians are engaged and informed on these topics and ready to make their voices heard.
Read the other commentaries in our C-27 series:
About the author
Maggie Arai is a policy researcher at the Schwartz Reisman Institute for Technology and Society, and holds a Juris Doctor degree from the University of Toronto's Faculty of Law. She conducts research and policy work on emerging policy issues and trends related to AI and other advanced technologies. Her current focus is on AI standards, certification, and regulation.
