I remember this headline well, and you may too: Back in 2017, the Economist published “The world’s most valuable resource is no longer oil, but data. While that article focused on antitrust issues surrounding internet giants like Meta, Amazon, and Alphabet, many believed that the gist of the piece was right: Data was increasingly becoming the key resource for the digital world. But gathering and managing data is getting more challenging. Consumers are pushing back, worried about privacy and demanding more control about how their personal information is collected and used. And governments around the world are responding, including a significant new piece of legislation in Canada: Bill C-27.
Canada has had a federal privacy law for more than two decades – the Personal Information Protection and Electronic Documents Act (PIPEDA) dates back to 2000 – but it is attempting to considerably up the stakes for a second time with Bill C-27 which currently includes three main pillars:
The Consumer Privacy Protection Act (CPPA), designed to ensure consumers have a greater degree of privacy and control over their personal information.
The Data Protection Tribunal Act, which creates a new enforcement organization for the CPPA – and will have the authority to levy large penalties for noncompliance.
The Artificial Intelligence Act creates new requirements for algorithmic transparency and automated decision-making in response to these emerging, AI-based uses of personal information.
The new legislation was introduced in 2022 and is currently under debate and tentatively expected to be enacted this year, pending further review in committee. This comes on the heels of changes to the private sector privacy act in Quebec, and reviews of the private sector privacy laws in Alberta and British Columbia.
Canada is part of a worldwide shift to strengthening privacy and trust
The new law would effectively replace PIPEDA and demand a new level of compliance rigor by Canadian companies and companies doing business in Canada. Bill C-27 also puts Canada squarely in the mainstream in terms of contemporary data privacy, which began in 2016 with the landmark General Data Protection Regulation (GDPR) in the European Union - considered by some to be the most rigorous privacy and security law in the world. Other statutes have followed, including regulations like the California Privacy Rights Act (CPRA), which added new privacy protections to the California Consumer Privacy Act (CCPA).
Where PIPEIDA was based on principles and guidance, Canada’s new legislation is based on more explicit and much more stringent requirements for the collection, use, and disclosure of personal information. Under Bill C-27, companies that collect personal information from Canadian consumers must be aware of several key provisions:
Collection, use, and disclosure of personal information generally requires explicit consent. You must tell consumers why you want the data and how it will be used, and the language used to generate consent must be clear and unambiguous.
Automated collection of email addresses and other information is much more restricted.
Data minimization will be the law of the land. Companies will be required to limit the data they collect to the absolute minimum amount required to do what they need to do.
Consumers will have new rights to ensure their ability to correct their personal information, to withdraw their consent to using it, and to ensure their data is deleted.
Consumers also have the right to data portability – to transfer information to a new organization (for example, when switching to a new service provider).
Perhaps even more significantly, Bill C-27 would substantially amend the existing enforcement framework through the Data Protection Tribunal Act. The Tribunal would be empowered to issue substantial fines for administrative noncompliance: up to 3% of your worldwide annual revenue or CAN$10 million. Furthermore, failures to report a data breach and other more serious infractions you could lead to fines of up to 5% of global revenues or CAN$25 million. Plus, affected individuals can sue for damages privately.
The third pillar of the Bill C-27, the Artificial Intelligence and Data Act, mandates “increased transparency” for algorithms and AI systems. In other words, you must be prepared to justify how your AI system delivered a recommendation or decision based on a user’s personal data.
What to do now
Consumers and governments are right to be concerned about privacy and data protection, and their expectations and legal frameworks about these issues will continue to evolve. I believe that Economist headline about data as “the new oil” was essentially right, but today, building trust with the suppliers of data – consumers – has become more important than ever.
Of course, it’s possible – perhaps even likely – that the CPPA and related components of Bill C-27 will evolve as the Canadian Parliament continues to debate the legislation. Nonetheless, now is an excellent time for companies doing business in Canada to look at the implications of this more stringent approach to privacy and the collection, use and disclosure of personal information – and not just because it would be expensive not do so. A key part of your motivation should be the desire to win the long-term trust of your consumers, and we believe that a strong focus and respect for privacy and privacy protection is the way to win that trust.
How OneTrust can help
Companies doing business in Canada can leverage OneTrust to comply with Bill C-27. Our Consent & Preference Management, Privacy Rights Automation, and Digital Policy Management solutions, along with our DataGuidance Research, help companies worldwide to manage the collection, protection, and transferability of personal information.
To see how OneTrust can help you navigate Bill C-27, request a free trial today.
