The Canadian privacy landscape in 2023 is evolving. In this article, we provide you with an overview of the latest developments in the Canadian data protection landscape. In doing so, we cover the upcoming privacy requirements in Quebec, the new AI regulations, particularly under the Consumer Privacy Act (Bill C-27), and further privacy updates from other Canadian provinces regarding the regulation of AI.
If you are a Canadian resident or do business within Canada, you may need to ensure your business is compliant with forthcoming changes in Canadian legislation.
Below is an overview of the details and the potential impact on your business.
New Phase of Quebec Privacy Requirements Effective September 22, 2023
Quebec’s Private Sector Personal Information Protection Act (“PPIPS” ) is being updated in a second round by Bill 64 , now Law 25 , and is scheduled to take effect on September 22, 2023. By then, companies doing business in Québec must meet the following key requirements, among others:
- Conducting a Privacy Impact Assessment (PIA) is now mandatory: Organizations must now conduct a PIA for every privacy-sensitive activity. That is, if your company engages in privacy-sensitive activities involving, among other things, the collection, processing, or storage of personal data, the processing of biometric data, or the sharing and disclosure of information.
- Policies need to be updated: companies must now give users the option to keep or delete their personal data. The updated policy must now explain the roles and responsibilities of employees who handle personal information throughout its lifecycle, and also how the company handles complaints.
- Other rights for individuals : Law 25 establishes rights for individuals, including the right to data portability, automated decision-making, data profiling and to be forgotten. Individuals have additional rights to withdraw further processing and disclosure of their personal data.
- Data processing agreements with service providers that contain specific provisions: Legislative 64 requires organizations that have not yet done so to enter into written data processing agreements with service providers with whom they share personal data.
- Penalties: Similar to European data protection laws, such as the GDPR, Canada’s new data protection laws provide for penalties of up to $50,000 per person and up to $10,000,000 or 2% of a company’s prior-year worldwide revenue, whichever is greater.
New AI regulations under the Consumer Privacy Act (Bill C-27):
Canada’s Bill C-27, the Consumer Privacy Protection Act, enters its second reading since its inception in June 2022. This legislation, which has not yet come into force, would replace the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”) privacy legislation and together the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act (“PIDPTA”) and the Artificial Intelligence and Data Act (“AIDA”).
Likewise, the Office of the Privacy Commissioner of Canada (OPC) has made 15 important recommendations on Bill C-27. These include recognizing privacy as a fundamental right, the right to access personal data, creating a privacy culture in organizations to develop products and services based on the principle of “privacy by design”, and obliging organizations to monitor their decisions and creation of profiles by automated decision-making systems to explain on request.
AIDA , a new regulation responding to the changing and rapidly evolving artificial intelligence (AI) landscape, will impose new laws on the use of AI systems. Therefore, if you do business in Canada, it is important that you start thinking now about how your company uses AI and what measures you are taking to protect the privacy and personal information of your users. Similar to previous privacy laws, AIDA requires you to explain what data you collect, how you collect it, and that individuals can request access to that data. They must explain how the algorithm works and be willing to disclose information in a transparent manner. This also applies to third-party providers who use AI systems.
The C-27 bill is currently in its second reading and will likely go through several changes before it officially becomes law.
Other Canadian states are following suit in regulating AI systems:
Since May, Canadian privacy commissioners and, at the federal level, privacy commissioners from Quebec, British Columbia and Alberta have jointly launched an investigation into OpenA I, the company behind the artificial intelligence-powered chatbot ChatGPT.
Among other things, it examines whether OpenAI has obtained valid and appropriate consent for ChatGPT’s collection and use of personal data from Canadian residents, whether it has met its transparency and accountability obligations, and whether the personal data collected is based on the for the specified and intended purposes are limited to the extent necessary.
A statement by Philippe Dufresne, Canada’s Privacy Commissioner, signals Canada’s willingness to stay ahead of the curve on evolving technologies like artificial intelligence, while putting privacy at the forefront.
“Artificial intelligence and its impact on privacy are global issues that are of key concern to privacy regulators in Canada and around the world. As regulators, we must keep pace with and stay ahead of rapid technological advances to protect Canadians’ fundamental privacy rights.”
Companies based in Canada can already embark on the path to comprehensive compliance with consentmanager . Just click here to see our dedicated Canadian compliance page.