This afternoon the Trudeau government begins its campaign to convince businesses that there’s nothing to fear in its second attempt to update the federal privacy law covering the private sector.
Innovation Minister François-Philippe Champagne will address the Canadian Marketing Association’s online privacy conference on the new private-sector privacy law package, called the Digital Charter Implementation Act 2022 (Bill C-27).
The last time the government made an effort, then-federal privacy commissioner Daniel Therien led pointed criticism, which didn’t make much difference because the October, 2021 election was called and the proposed legislation died.
After making some changes and adding a crucial new piece, the legislation was re-introduced in June.
It’s composed of three parts:
— the Consumer Privacy Protection Act 2022 (CPPA), which replaces the Personal Information Protection and Privacy Act (PIPEDA) but adds order-making powers for the Privacy Commissioner. Changes from the original version of the CPPA include making a distinction between de-identified and anonymized personal data, situations where businesses don’t have to get explicit consent for the collection of personal data, and added obligatory protection for the data of children.
— the Personal Information and Data Protection Tribunal Act, which, as in the original legislation, creates a body appointed by the government to hear recommendations by the Privacy Commissioner for financial penalties for ignoring orders or not complying with the act;
— and the new Artificial Intelligence and Data Act, which will require “high-impact” AI applications to follow as yet unwritten regulations to ensure risks of harm or bias are identified and mitigated.
While a new AI and Data Commissioner will be appointed to oversee this act, the Innovation Minister will have powers to order anyone responsible for a high-impact system causing harm or bias to hand over any records governing the system — possibly including software code — and/or to have the system audited.
The legislation hasn’t yet been sent to a House of Commons committee for detailed examination. That is expected before the end of the year.
The CPPA may face opposition from witnesses who feel it unnecessarily creates a time-wasting tribunal instead of letting the Privacy Commissioner levy fines. The government apparently doesn’t want to make the commissioner a judge and jury.
So far, current Privacy Commissioner Philippe Dufresne has yet to make his analysis of the proposed bill public, and possibly won’t until he testifies before the committee.
There will also likely be witnesses who will complain the new proposed CPPA allows exemptions in certain circumstances for the requirement of businesses to get explicit consent from individuals for the collection and use of personal data.
The new proposed AI bill will also come under close scrutiny for what it includes, and what it doesn’t.
A preview of what parliamentary witnesses (and perhaps opposition MPs) may say on that bill came last month during sessions at a data and AI conference in Toronto.
Jill Briggs, head of policy and regulatory affairs at the Interactive Advertising Bureau of Canada, said “there is a lot of discomfort” among online advertisers at the lack of detail in the AI bill. “It’s very blank,” she said. “There’s no [proposed] regulations. It just basically says if you have a high-risk system you’re in a lot of trouble and you’re going to get fined.’ We don’t even know what high-risk means. So I think there’s a lot of work to be done.”
Chetan Phull, senior associate lawyer in the cybersecurity, technology and data management practice at Deloitte Legal, noted that while the proposed AI law clearly allows an individual to sue for an AI system’s alleged bias, that right may not cover groups who allege bias.
Mark Schaan, the Innovation department’s senior assistant deputy minister for strategy and innovation policy, admitted he’s heard complaints. Some have told him, “‘This looks like a massive criminal liability coming our way, is it going to put a chill on the industry, how can we make sure you’re going to get it right?’,” Schaan said.
But he believes the department has set a reasonable test for interfering in AI systems. Only “the most egregious” systems showing evidence of causing significant and considerable harm, and with intent from the application operator, could possibly draw sanction, he said.
And the promised regulations would be written after “extensive consultation” with businesses, he added. They will “fill in the colour” to find a balance between encouraging innovation and giving Canadians trust in AI systems, he said.
Briefly, AI systems would have to meet accepted data management standards. Compliance measurement will be done through a “robust and competitive private sector assurance ecosystem which could include accredited conformance assessment bodies, certification programs, and other assurance tools and service providers,” Schaan said.
As for the CPPA, watch for critics at parliamentary hearings like Teresa Scassa, Canada Research Chair in Information Law and University of Ottawa law professor, who wrote in the Toronto Star last month that the government “has clearly listened more to the concerns of industry” in C-27. “Human rights still take a back seat to commercial interests.”
“Privacy by design and by default are absent from the bill,” she complained, “which still does not cover the growing exploitation of personal data by political parties. The exception for use of personal information without knowledge or consent for ‘socially beneficially purposes’ still has major holes and scant attention is paid to the flows of personal data across Canada’s borders.”‘
Scassa and others have called for CPPA to clearly make privacy a right.
The conference starts at 3 p.m. Eastern, with a panel discussion on C-27. Champagne speaks at 4:15. Registration is free for members of the Canadian Marketing Association, non-members pay $49.