Last week, the federal government introduced two pieces of legislation proposing major privacy, cybersecurity and data governance reforms. The first, Bill C-26, would enact the Critical Cyber Systems Protection Act (CCSPA), which aims to protect critical cyber systems in the telecom, financial, energy and infrastructure sectors and grants substantial new order-making and information-gathering powers to federal regulators overseeing them. The second, Bill C-27, would enact the Consumer Privacy Protection Act (CPPA), a previously proposed statute that has been updated since the last Parliament, and the Artificial Intelligence and Data Act (AIDA), which would govern the use of AI and automated decision systems.

What you need to know

  • New obligations for certain sectors. The proposed CCSPA in Bill C-26 would require organizations in designated "vital systems" or providing "vital services" in the financial, telecom, energy and infrastructure sectors to maintain and regularly review a cybersecurity program, mitigate third-party and supply chain risks, and immediately report cybersecurity incidents. Regulators in these sectors would also be given extensive new powers, including the power to:
    • request any information or search any place for the purpose of verifying compliance or preventing non-compliance;
    • order designated operators to conduct internal audits and report the results; and
    • order penalties of up to $15,000,000 for non-compliance with orders and regulations.
  • Enforcement powers. Bill C-26 would also amend the Telecommunications Act to give the Minister of Industry the power to prohibit a telecommunications service provider from using products or services provided by, or from providing certain products or services to, a person specified by the Minister.
  • Privacy reforms. Bill C-27 proposes a version of the CPPA that maintains most of the reforms proposed in the original version, though with some notable updates (see our table for more details).
  • AI governance. The AIDA would govern the use of AI systems, with significant requirements for companies using the yet-to-be-defined category of "high-impact systems" and fines as high as $10,000,000 and 3% of annual gross global revenues for non-compliance.

Cybersecurity reforms under Bill C-26

Scope of the CCSPA

The proposed CCSPA imposes obligations on certain classes of organizations that provide services or operate systems that are "vital" to national security or public safety. Services and systems presently designated as vital include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, banking systems, clearing and settlement systems, and transportation systems that are within the legislative authority of Parliament. Most obligations under the CCSPA would apply to "designated operators" within these sectors that own, control or operate a "critical cyber system". While no classes of designated operators are listed in the current draft, a cyber system qualifies as a "critical cyber system" where "if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system"

Obligations under the CCSPA

Under the CCSPA, a designated operator would be required to:

  • establish a cybersecurity program in respect of its critical cyber systems soon after becoming a designated operator;
  • include in its cyber program reasonable steps to: (i) protect its critical cyber systems from being compromised, (ii) detect cybersecurity threats and incidents, and (iii) minimize the impact of cybersecurity incidents that occur;
  • identify and take reasonable steps to mitigate supply chain and third-party risks;
  • regularly review and improve its cybersecurity program;
  • immediately report any cybersecurity incident in respect of any critical cyber systems to the Communications Security Establishment (CSE), then immediately notify the appropriate regulator of the incident; and
  • maintain records documenting compliance with CCSPA obligations.

Enforcement of CCSPA

Bill C-26 grants extensive powers to designated regulatory authorities to enforce the requirements of the CCSPA. Currently, the designated regulatory authorities include the Office of the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transport. Their powers include the authority to:

  • request any information or search any place for the purpose of verifying compliance or preventing non-compliance;
  • order designated operators to conduct internal audits and report the results;
  • issue compliance orders and enter into compliance agreements; and
  • order penalties of up to $15,000,000 for non-compliance with orders and regulations.

Amendments to Telecommunications Act

Bill C-26 would also amend the Telecommunications Act to give the Minister of Industry the power to prohibit a telecommunications service provider from using products or services provided by a specified person, or from providing certain products or services to specified person. As under the CCSPA, penalties for non-compliance can be as high as $15,000,000.

Takeaways for companies

While Bill C-26 has only just been introduced, companies governed by the Telecommunications Act and that are likely to be subject to the CCSPA should be as proactive as possible with respect to three matters in particular.

First, companies should give significant consideration to how they will protect information subject to solicitor-client, litigation, and other legal privileges. Protecting privilege could be particularly challenging in the event of a cybersecurity incident given the extensive enforcement (including search and seizure) powers afforded to regulators, the record-keeping requirements imposed on designated operators to demonstrate compliance, and the requirement to immediately notify the CSE and appropriate regulator upon discovering a cybersecurity incident.

Second, companies should plan to review and update their incident response plans and cybersecurity policies in accordance with Bill C-26's reforms. Current and upcoming reviews should consider third-party and supply chain risks, including those posed by critical service providers (particularly those providing IT services), key suppliers, and device or product manufacturers. Once more information is provided, companies will also want to explore the extent to which their "critical cyber systems" can be segregated from other systems and whether doing so would assist in streamlining compliance efforts.

Third, companies subject to Bill C-26's reforms should consider how these new requirements could or should be reflected when contracting for services with third parties. Likewise, service providers should expect increasing cybersecurity standards from regulated customers, particularly when services provided relate to critical cyber systems.

Bill C-27: Privacy modernization with a northern touch (Remix)

Bill C-27 proposes to erase the privacy section of the Personal Information Protection and Electronic Documents Act (PIPEDA) and create three new statutes: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA). The CPPA and PIDPTA in most ways remain very similar to the legislation proposed in 2020 in the previous Parliament (referred to as Bill C-11 at the time). We wrote about the main reforms proposed in Privacy modernization with a northern touch: the proposed Digital Charter Implementation Act.

Below we have set out the highlights of which reforms remain from the previous (Bill C-11) iteration of the CPPA and the PIDPTDA, and what is new in Bill C-27:

Ongoing from Bill C-11

New reforms in Bill C-27

Consent

Use of plain language

The CPPA establishes the need for express consent unless the organization can demonstrate that implied consent is appropriate in the circumstances. This largely aligns with regulatory guidance in recent years interpreting the scenarios in which organizations can rely on implied or express consent. To obtain consent, information must be presented in plain language.

The CPPA now clarifies that "plain language" depends on who the information is directed to. Specifically, organizations must use "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand."

Consent exemptions

Legitimate interest exemption

The CPPA maintains and adds to the consent exemptions under PIPEDA, including exemptions for de-identified information, as well as certain business operations for purposes of service delivery, safety, and cybersecurity.

In another step toward the GDPR, Bill C-27 adds a new exemption which permits an organization to collect and use personal information without consent where it is for "the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use". In addition, (i) the collection or use must be within the reasonable expectations of the individual, (ii) the collection or use cannot be for the purpose of influencing behaviour or decisions, (iii) prior to collecting or using the information, the organization must identify and take reasonable steps to mitigate any potentially adverse effects on the individual (and keep a record of this assessment), and (iv) the organization must comply with any additional requirements set out in regulations.

Expanded Commissioner powers and responsibilities

Power to recommend improvements

The CPPA gives the Office of the Privacy Commissioner of Canada (OPC) extensive investigation and order making powers, including the power to require access to the policies, practices and procedures that are included in an organization's privacy management program, and require an organization to modify its practices or to take any public steps to correct its practices.

On request by an organization, the OPC must (in a form and manner at its discretion), provide the organization with guidance on its privacy management program.

The OPC may provide guidance on an organization's privacy policies, practices and procedures, or recommend corrective measures be taken by, an organization after the OPC reviews them.

De-identified information

De-identified and anonymized information

The CPPA governs the handling of de-identified information and prohibits re-identification except under specific circumstances.

The CPPA clarifies that de-identified information is information from which an individual cannot be directly identified, though a risk of identification remains.

The legislation now clarifies that it does not create obligations in relation to anonymized information, which is information from which no individual can be identified, whether directly or indirectly.

Penalties and fines

New grounds for penalties

The new Personal Information and Data Protection Tribunal will have the power to impose administrative monetary penalties for non-compliance of an amount up to the greater of $10,000,000 and 3% of the organization's gross global revenue. Organizations that commit certain offences can be ordered to pay fines of up to the greater of $25,000,000 and 5% of the organization's gross global revenue.

Bill C-27 includes new grounds for penalties, including the failure to: (i) implement and maintain a privacy management program; (ii) ensure service providers provide an equivalent level of protection of personal information; (iii) determine and record the applicable purposes for handling information before beginning to handle it; (iv) properly respond to a withdrawal of consent; (v) as a service provider, notify the organization that controls the personal information as soon as feasible of any breach of security safeguards involving personal information; and (vi) make readily available information that explains the organization's privacy policies and practices.

Data subject rights

Altered rights

The CPPA provides individuals a right to request disposal (deletion or anonymization) of their personal information.

Individuals are also given a right to request an explanation regarding the use of their information in automated decision systems.

The right to disposal has been expanded to apply to all information under the organization's control, but is also subject to a number of new exceptions.

The transparency requirement for automated decision systems now only applies to those that could have a significant impact on the individual.

Data retention

Additional data retention requirements

The CPPA prohibits an organization from retaining personal information for a period longer than necessary to fulfill the purposes for which the information was collected, used or disclosed or to comply with law or the reasonable terms of a contract.

Bill C-27 adds that an organization must take into account sensitivity of information when determining retention period, and must make available information regarding retention periods applicable for sensitive information.

Protection for minors

Expanded protection of minors

The originally proposed version gave some rights to minors, such as the power of a parent or guardian to exercise rights under the CPPA on their behalf.

The CPPA now specifies that any personal information about a minor is considered sensitive information.


Bill C-27 also maintains the CPPA's private right of action in the Federal Court or Superior Court as long as the OPC or the Data Protection Tribunal have issued findings of non-compliance. However, there are no statutory damages-claimants must still prove some loss or injury.

Analysis

Organizations should continue to monitor developments as this legislation progresses through Parliament. Even without a final version of the CPPA, organizations can begin preparing for its requirements by taking stock of their current privacy program, including making an inventory of the types of personal and de-identified information they hold, and the ways they collect, use, disclose and retain this information. Organizations that make these preparations will be well-situated to implement the reforms the CPPA would require.

AI regulation in the Artificial Intelligence and Data Act

The third statute that would be enacted by Bill C-27 is the Artificial Intelligence and Data Act (AIDA).

Scope of application

The AIDA applies primarily to designing, developing, making available or using artificial intelligence systems in the course of international or interprovincial trade and commerce. An "artificial intelligence system" is defined as "a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions." The AIDA also creates a sub-type of an artificial intelligence system called a "high-impact system." However, precisely what constitutes a high-impact system is unknown and set to be determined by regulation.

The AIDA also gives the responsible Minister the power to appoint an Artificial Intelligence and Data Commissioner, and to delegate to them any of the roles referred to below as belonging to the Minister.

Obligations

Developers and operators of artificial intelligence systems covered by the AIDA but do not qualify as high-impact systems have limited obligations. They are required to:

  • assess whether their system qualifies as a high-impact system; and
  • where the system processes or makes available for use anonymized data, they must (in accordance with regulations) establish measures with respect to the manner of anonymization and the use or management of anonymized data.

Developers and operators of high-impact systems, however, have far more onerous obligations. They would be required to:

  • establish measures to identify, assess and mitigate the risks of harm or biased output ("biased output" referring to prohibited grounds of discrimination under the Canadian Human Rights Act);
  • monitor compliance and effectiveness of those measures;
  • publish on a publicly available website a plain-language description of the system that covers how the system is used, the types of content and outputs it is intended to generate, the mitigation measures established, and any other information prescribed by regulation; and
  • notify the Minister as soon as feasible if use of the system results or is likely to result in material harm.

Enforcement

The AIDA gives the Minister substantial investigation and enforcement powers. These include the power to: (i) require the production of records; (ii) require a company to conduct an internal audit or engage the services of an independent auditor to investigate possible contraventions; (iii) order a company to implement any measure to address anything raised in an audit report; and (iv) to order a company to pay an administrative monetary penalty.

The violations that would attract an administrative monetary penalty and the possible amounts of those penalties would be determined by regulation. However, the AIDA does establish that it is an offence to:

  • contravene any of the obligations set out above;
  • obstruct, or provide false or misleading information to the Minister; and
  • possess or use personal information, knowing it was obtained illegally, "for the purpose of designing, developing, using or making available for use an artificial intelligence system".

Analysis

More uncertainty hangs over this proposed statute compared to the other components of Bills C-26 and C-27. First, much of the scope and content of the AIDA is still to be determined by regulation. In addition, the AIDA may be more susceptible to (and perhaps require) more substantive amendments than its contemporaries. As such, companies leveraging AI should continue to monitor developments as Bill C-27 progresses through Parliament.

Despite this uncertainty, companies that leverage AI can take some proactive steps now. In particular, companies should ensure they are documenting their existing AI and automated decision-making systems, with information regarding each system's purposes, inputs, outputs, processes, impacts and safeguards. Doing so will put companies in a good position to respond to and comply with the final version of the AIDA, should it pass. Companies may find there are efficiencies to be gained by combining these steps with preparations in anticipation of the CPPA's and Québec Bill 64's automated decision-making requirements.

Next steps

Bills C-26 and C-27 will proceed through subsequent readings and committee review. It remains to be seen what amendments will be made as the proposed legislation progresses through a minority-controlled House of Commons.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.