Canada's proposed data privacy law an opportunity to re-think data architecture
Updated: Jun 27, 2022
Bill C-27 is the latest national legislation to require organizations to get control of the information they manage or face significant consequences
On June 16, 2022, Canada passed a first reading of Bill C-27 (aka Digital Charter Implementation Act, 2022), which was tabled by Innovation Minister François-Philippe Champagne in the House of Commons.
The bill aims to build on the government’s previous attempts to revamp Canada’s private-sector privacy laws and better align with established laws such as California's CPRA and Europe's GDPR, and with other proposed legislation such as the American Data Privacy and Protection Act.
Summary of Bill C-27
"An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts" - view full text of Bill C-27.
Introduces 3 new acts:
Bill C-27 would create three new acts to regulate businesses’ use of personal data:
Consumer Privacy Protection Act (successor to PIPEDA)
Personal Information and Data Protection Tribunal Act (to enforce CPPA)
Artificial Intelligence and Data Act
Enhances rights for citizens and consumers:
Right to data deletion
Right to data custodianship (for parents)
Special status for children's data, including enhanced rights
Introduces a new AI and data commissioner:
Purpose is to identify, assess, and mitigate the risks of harm and bias related to algorithmic decision-making
Order third-party algorithm audits
Share information with other regulators and enforcers
Enhances powers of Privacy Commissioner:
Compel organizations to stop collecting and/or using personal data
Issue fines up to $25 million or 5% of gross global revenue (whichever is greater) for:
Using de-identified information to identify an individual person
Implementing AI systems that cause harm, possessing
Using data that has been obtained in a way that contravenes the law
Failing to report or record breaches of the Act
Issue fines up to $10 million or 3% of gross global revenue (whichever is greater) for:
Failing to establish measures to manage and report on their use and monitoring of data, including failing to publicly report in plain language how AI systems are intended to be used and the outputs they generate
These are among the strongest fines in the G7; the EU’s GDPR carries a maximum fine of 10 million Euros (roughly $14 million CAD) or up to 2% of revenues.
Future-proofing for Bill C-27
A second reading of the bill is planned for the Fall 2022 session of parliament, which provides a window of opportunity for organizations to evaluate their data management strategy.
The Data Collaboration Alliance advocates that organizations wishing to take a long-term strategic view consider Zero-Copy Integration, an approach to digital solution development that eliminates the use of app-specific databases in favor of a connected, controlled, and collaborative data management ecosystem.