In June 2022, the Minister of Innovation, Science and Industry introduced in the House of Commons Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.
Bill 27 represents the Canadian government’s second attempt to reform federal privacy laws applicable to commercial activities. If passed, it will create three new pieces of federal legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information Protection Tribunal Act (Tribunal Act) and the Artificial Intelligence and Data Act (AI Act). It will also repeal Part 1 of the Personal Information Protection and Electronic Documents Act to remove its privacy protection authority, and change the short title to Electronic Documents Act.
At a recent symposium, Philippe Dufresne, the Privacy Commissioner of Canada, spoke about how Bill C-27 is an important step forward to modernizing Canadian privacy law. He emphasized the fundamental and quasi-constitutional nature of privacy, and reminded his audience that this means we should treat the right to privacy as a priority, as we do other human rights.
The Tribunal Act will establish a Tribunal to hear matters subject to the authority of the CPPA, and the AI Act will regulate international and interprovincial trade and commerce in artificial intelligence systems.
Among its provisions, the CPPA maintains informed consent as the primary authority for organizations to collect personal information. It includes the right to request disposal at an individual’s request, and also specifies “exceptions to consent” for the collection, use, or disclosure of personal information for certain business activities and for socially beneficial purposes. The CPPA imposes administrative monetary penalties if an organization is found to have violated provisions under the Act.
Of interest to the education sector is the treatment of personal information belonging to minors as “sensitive information”. This designation of “sensitive” will attract a higher degree of protection of the personal information of minors transferred by a school board to an organization regulated by the CPPA. When entering into an agreement that includes a transfer of personal information belonging to minors, provincially funded school boards will need to ensure by contract and otherwise that the organization receiving the personal information of minors maintains the required level of protection of the sensitive information.
Under section 4(a) of the CPPA, a parent, guardian, or tutor is authorized to provide consent on behalf of a child. Notably, the CPPA does not dictate an age requirement for when a child is capable of consent; rather, the draft legislation provides that a child can exercise control if they want to and when they are “capable of doing so.”
If passed, the CPPA will also mandate that commercial organizations providing services to school boards that involve the personal information of minors undertake physical, organizational and technological security safeguards proportionate to the sensitivity of the information. Since minors’ personal information is explicitly deemed “sensitive information”, this will require compliance with higher standards. The CPPA will impose an obligation on service providers to notify the organization that controls the personal information, such as a school board, in the event of a breach of security safeguards involving personal information.
Should Bill C-27 become law, school boards and other education sector organizations will have to work closely with service providers to ensure that existing agreements are consistent with the CPPA expectations. To the extent that school boards are entering into such agreements in the near future, they should consider whether to negotiate these protections in advance of Bill 27 becoming law.