This article is part of our Bill C-27 Business Insights Series: Navigating Canada’s Evolving Privacy Regime, written by McCarthy Tétrault’s multidisciplinary Cyber/Data team. This series brings you practical and integrative perspectives on Canada’s Bill C-27: Digital Charter Implementation Act, 2022 and how your organization can stay ahead of the curve.

Introduced on June 16, 2022, Bill C-27: Digital Charter Implementation Act, 2022 (“Bill C-27”) is the second attempt by Parliament at a modernized Canadian privacy regime, through both the Consumer Privacy Protection Act (“CPPA”) and the Artificial Intelligence and Data Act (“AIDA”).

In this blog post, we will consider Bill C-27’s new policies as they relate to data governance, including how its proposed requirements impact data use, data management, and record keeping.

A high-level overview of Bill C-27 can be found in our previous blog post here.

1. What is Data Governance?

Broadly, data governance can be understood as a framework of policies and practices relating to how organizations collect, use, disclose, retain, and dispose of data, including personal information.

2. How did Bill C-11 address Data Governance?

A previous iteration of the CPPA was introduced in November 2020 by way of Bill C-11: Digital Charter Implementation Act, 2020 (“Bill C-11”).

Under Bill C-11, among other things, organizations were to:

  • Maintain a privacy management program with policies, practices and procedures directly related to the protection of personal information, requests for information and complaints, staff training, and the development of privacy management materials;
  • Determine and record the purposes for which information would be collected, used, and disclosed; and
  • Only collect personal information necessary for its determined purposes unless it obtained the individual’s consent or the collection was otherwise subject to an exception under the Act.

Our previous blog post further detailing Bill C-11’s impact on data management can be found here.

3. How does Bill C-27 address Data Governance?

Bill C-27 contains several noteworthy updates for data governance. While consent still informs the collection, use and retention of data, Bill C-27 imports an important exception from the EU’s General Data Protection Regulation (“GDPR”) for identified business activities and “legitimate interest”. Further, while automated decision making was a minor focus of the previous Bill C-11, automated decision and AI systems have now made their way into the spotlight, informing many of the new proposed developments, including the introduction of a new act, AIDA.

These and other highlights from Bill C-27 are discussed in further detail below.

(a) Privacy Management Programs

The obligation for an organization to implement a privacy management program has remained largely consistent from Bill C-11 to Bill C-27, with an organization’s accountability for personal information under its control continuing as a prominent theme (ss. 7(1) and 9(1)).

A privacy management program should address an organization’s policies, practices, and procedures as they relate to protecting personal information, requests for information or complaints, staff training, and the development of relevant materials (s. 9(1)). In developing a program, organizations must give consideration to the volume and sensitivity of the information in their control (s. 9(2)). This suggests that programs must be individually tailored to each organization; standards will be more rigorous where organizations deal with more sensitive forms of information.

Under Bill C-27, the CPPA has been updated to include the following further additions:

  • The Privacy Commissioner may request access to a privacy management plan and recommend “corrective measures” upon review (s. 10(2));
  • Organizations must have readily available, in plain language, a general account of how they use personal information, including where such use involves automated decision systems that could have a “significant impact” on individuals (s. 62(2)(c)); and
  • Notably, under Bill C-27, contraventions in relation to the establishment and implementation of a privacy management program are now linked to administrative monetary penalties (“AMPs”) (s. 94(1)(a)). The maximum amount of AMPs is the higher of $10,000,000 or 3% of the organization’s gross global revenue (s. 95(4)).

(b) Appropriate Purposes

Subsection 12(1) of the CPPA now includes the following bolded language:

An organization may collect, use or disclose personal information only in a manner and for the purpose that a reasonable person would consider appropriate in the circumstances, whether or not consent is required under this Act.

These changes raise the standard that must be met in order for an organization to collect, use or disclose personal information. This test must be met regardless of whether consent is otherwise required under the CPPA.

Our previous post further detailing the constraints on processing personal information under Bill C-27 can be found here.

When it comes to documenting purposes, Bill C-11 has remained largely consistent with current obligations under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (PIPEDA, s. 5(3)). Specifically, under the new CPPA, an organization continues to be obliged to determine and record the purposes for which information is to be collected, used, or disclosed (s. 12(3)). If the organization determines at any point that there are new purposes for which the personal information will be used or disclosed, then those new purposes must also be recorded (s. 12(4)).

The CPPA prohibits an organization from using or disclosing personal information for a purpose other than those determined and recorded, unless the individual has consented prior to the use or disclosure (s. 14(1)). However, exceptions are provided at subsection 14(2), including that an organization may use an individual’s personal information without their knowledge or consent if it is for the purpose of a business activity, or if it was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced.

(c) Plain Language Consent

In Bill C-11, subsection 15(3) stipulated that for consent to be valid, an organization needed to provide certain information (including, among other things, the purpose for the collection, use or disclosure, reasonably foreseeable consequences, and the names of any third parties to which the information may be disclosed) in plain language at or before the point of consent. Bill C-27 further details the concept of “plain language” with the addition of subsection 15(4):

The organization must provide the information referred to in section (3) in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.

This addition is noteworthy, as it will require organizations to assess at what person or persons their activities are directed and to tailor their plain language descriptions based on that assessment. In other words, general or boilerplate disclosures will not be sufficient.

A future blog in this series will address in more detail the concept of consent and exceptions to consent under Bill C-27.

(d) Collecting and Using Personal Information for a Legitimate Interest

Bill C-27 has followed the lead of the EU’s GDPR by introducing the concept of “legitimate interest” as a lawful basis for the collection or use of personal information to the Canadian privacy landscape.

Specifically, the addition of subsections 18(3) to 18(5) expands an organization’s ability to collect or use an individual’s personal information without their consent, so long as the organization has a legitimate interest that outweighs any potential adverse effects, fulfills certain conditions precedent relating to the identification and mitigation of potential adverse effects of collection (s. 18(4)), and records its assessment of how it meets the conditions set out (s. 18(5)).

(e) Record Keeping, Record Retention and Breach Documentation

The CPPA prohibits an organization from retaining personal information for longer than necessary. Bill C-27 requires an organization to take into account the sensitivity of personal information when determining the appropriate retention period (s. 53(2)). Details of such retention periods are required to be readily available (s. 62(2)(c)).

Bill C-27 retains section 60 of the previous version of the CPPA which requires an organization to keep records of all security breaches involving any personal information under its control. Subsection 60(2) also requires an organization to provide the Commissioner with the record upon request.

Bill C-27 also retains section 61, requiring a service provider to notify an organization that controls the personal information as soon as feasible if it determines that a breach of security safeguards has occurred.

(f) Data Amendment and Disposal

Under Bill C-11, the CPPA mandated that if an organization received a written request from an individual to dispose of their personal information, the organization would have to do so, with limited exceptions. Bill C-27 has introduced subsection 55(2) to expand on those exceptions. Now, if an organization receives a written request to dispose of an individual’s personal information because the individual has withdrawn their consent, or the information is no longer necessary, the organization may refuse such a request in certain circumstances, namely if:

  • disposing of the information would result in the disposal of personal information about another individual and the information is not severable;
  • there are other requirements of the CPPA, of federal or provincial law or of the reasonable terms of a contract that prevent it from disposing of the information;
  • the information is necessary for the establishment of a legal defense or in the exercise of other legal remedies by the organization;
  • the information is not in relation to a minor and the disposal of the information would have an undue adverse impact on the accuracy or integrity of information that is necessary to the ongoing provision of a product or service to the individual in question;
  • the request is vexatious or made in bad faith; or
  • the information is not in relation to a minor and it is scheduled to be disposed of in accordance with the organization’s information retention policy, and the organization informs the individual of the remaining period of time for which the information will be retained.

(g) De-Identification obligations

Bill C-27 retains section 20 of the previous version of the CPPA, which allows an organization to use an individual’s personal information without their knowledge or consent in order to de-identify it. Section 75 of the previous version of the CPPA, which provided that an organization may use de-identified information to identify an individual only when it is testing the effectiveness of the security safeguards that protect the information, has also been retained. However, Bill C-27 expands section 75 of the CPPA to provide further exceptions under which organizations can use de-identified information to identify an individual, including:

  • To comply with any requirements under the CPPA or under federal or provincial law;
  • To conduct testing of the fairness and accuracy of models, processes and systems that were developed using information that has been de-identified;
  • To conduct testing of the effectiveness of its de-identification processes; and
  • For a purpose or situation authorized by the Commissioner under section 116 of the CPPA.

(h) AI and Data Governance

The introduction of AIDA represents one of Bill C-27’s most significant changes. Under this new proposed act, anyone responsible for an AI system must assess whether it is a “high impact system” (AIDA, s. 7). Where such a system is in place, measures must be established to identify, assess, and mitigate the risks of harm or biased output that could result from the use of the system (AIDA, s. 8). Compliance with such measures must be monitored and recorded (AIDA, s. 9).

Further, anyone carrying out a regulated activity and who processes or makes available for use anonymized data in the course of that activity, must establish measures with respect to the manner in which the data is anonymized and the use or management of anonymized data (AIDA, s. 6).

See our blog post further exploring AIDA and the predicted impact it will have on the development and use of AI in Canada here.

4. Potential Data Governance Challenges

While Bill C-27 has introduced some further clarity in respect of the “legitimate interest” concept, ambiguities nonetheless remain. Organizations will still need to undertake the weighing of potential adverse effects against their perceived legitimate interest. While European privacy regulators have recently commented on what may not qualify as a “legitimate interest” (including, for example, certain direct marketing efforts), for the time being, organizations collecting, using or disclosing personal information in Canada will be left with a difficult assessment and quantification when it comes to “adverse effects”.

Similarly, Bill C-27 also lacks guidance on what constitutes a “significant impact” on an individual under subsections 62(2)(c) and 63(3) of the CPPA. Though Bill C-27 narrows the occasions on which an organization will be required to provide an explanation of a decision made about an individual, in the absence of further guidance, organizations will nonetheless be required to make judgments on what will constitute a “significant impact”.

5. Data Governance Under Bill C-27 vs Quebec’s Loi 25

Bill C-27 shares many similarities with the data governance-related amendments introduced to Quebec’s public and private sector privacy laws through Loi 25 (commonly referred to as Bill 64 prior to its enactment). Most notably, both Bill C-27 and Loi 25 require organizations to implement privacy management programs to ensure the protection of personal information (and to document policies and training efforts in respect of same). However, there are some significant differences when it comes to other data governance principles. See our blog post comparing Bill C-27 and Loi 25 here.

6. Looking Ahead

Bill C-27’s second reading is currently in progress. In anticipation of Bill C-27 receiving royal assent, organizations must prepare to ensure compliance with the new requirements. Specifically, organizations should review their privacy and data governance practices to ensure that:

  • If they do not already have one in place, they establish a privacy management program. Where one already exists, organizations should engage in a review to ensure its alignment with CPPA’s requirements. Where an organization uses AI systems, consideration should also be given to AIDA’s assessment and documentation requirements;
  • They have a plain language plan available to individuals who provide consent for collecting and using personal information;
  • If they plan to collect personal information on the basis of a “legitimate interest”, that they have satisfied the conditions set out in subsection 18(4); and
  • They have created a policy that is readily available which determines the retention periods for sensitive personal information.

Being able to identify and locate personal information, and automating this process, will be the key to ensuring compliance with these new laws.