Impact of Bill C-27 on Canada’s Privacy Laws

privacy law

Most organizations need the personal information of employees and often that of customers, in order to conduct their commercial activities. If you’re such an organization, you should be aware of Bill C-27, the Digital charter Implementation Act, 2022. This bill proposes changes to how personal information is collected, used, disclosed and disposed of. Businesses need to ensure that personal data is secure to comply with the changes the new legislation proposes.

Overview of Bill C-27

Bill C-27 has three parts. The first one is to enact the Consumer Privacy Protection Act (CPPA), which aims to protect the personal information of employees and customers while considering an organization’s need to collect specific data for transaction purposes.

Part 2 establishes the Personal Information and Data Protection Tribunal. This is where the Privacy Commissioner of Canada will submit cases for review.  The Tribunal can impose penalties for the breach of certain provisions of the act.

Part 3 enacts the Artificial Intelligence and Data Act to regulate international and inter-provincial trade and commerce in artificial intelligence systems. Organizations must adopt certain cybersecurity measures to mitigate the risks of high-impact artificial intelligence systems.

How Will Bill C-27 Impact Canada’s Privacy Laws?

Since there are no specific provisions in Canadian privacy law to protect children’s personal information, Bill C-27 has certain provisions to protect the privacy of minors by mandating more care and security in collecting and handling children’s data.

The proposed Bill would also impose new obligations on organizations concerning collecting, using, and disclosing personal information. For example, organizations would be required to get express consent from individuals before collecting their data. They would also be required to disclose their privacy policies clearly and concisely and ensure they are easily accessible.

The Implication of the Commissioner’s Power

According to this bill, the Privacy Commissioner will have extensive authority to conduct audits, issue orders, and recommend that the Tribunal impose severe administrative fines on entities breaking the law. The new law would enhance the Commissioner’s authority to investigate and issue compliance orders.

The Tribunal can levy administrative monetary penalties as high as $10 Million CDN, or 3% of the organization’s worldwide gross revenues, whichever is greater.

The most severe violations of the new regulations would be punishable, upon prosecution, by a penalty of up to $25 Million CDN or 5% of the organization’s global gross revenues. Major violations include,

  • Not reporting cybersecurity breaches to the Commissioner.
  • Not keeping records of same.
  • Willfully disregarding a regulatory order issued by the Commissioner.

What Should Organizations Do to Prepare for Bill C-27?

Organizations need to assess their data protection measures and ensure that they have strong cybersecurity protections in place. A third-party security provider can help you identify the gaps in your IT infrastructure, policies and procedures, and implement enhanced security measures where needed.

Training your employees on the importance of cybersecurity and safely collecting and handling data is crucial to stay in compliance with the new bill.

The bill will significantly impact how organizations collect, use, disclose and destroy personal information. If you are looking for a team of cybersecurity experts to assess, report on and provide a strategy to help your organization prepare for Bill C-27, reach out to BSC Solutions Group.