Legislative Update: Respective Standing Committees Commence Review of Proposed Bills Related to Artificial Intelligence, Privacy and Cybersecurity

Over the last 30 days, federal privacy reform and new cybersecurity legislation for federally regulated entities reached significant milestones in the legislative process. On March 27, 2023, Parliament of Canada (“Parliament”) read Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, (“Bill C-26”) for a second time and referred it to the Standing Committee on Public Safety and National Security. Meanwhile, on April 24, 2023, Parliament read Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (“Bill C-27”) for a second time and referred it to the Standing Committee on Industry and Technology.

As summarized in our article, “Legislative Update: Bill C-26 Introduces New Requirements for Federally Regulated Industries”, Bill C-26 would establish measures to protect the critical cyber systems of specific federally regulated entities and Canada’s telecommunication infrastructure. Bill C-26 introduces measures, including:

• Obligations on designated operators of critical cyber systems related to vital services and systems in Canada (“Designated Operators”) to (i) establish, implement, maintain and share cybersecurity programs with their regulators, (ii) report cybersecurity incidents to such regulators, and (iii) keep records of such incidents;
• New order-making powers to the Governor in Council to prohibit Canadian telecommunication companies (“Telcos”) with respect to the use of products, including the suspension and removal of such products provided by specified persons;
• Broad order-making powers to the Minister of Industry (“Minister”) to direct Canadian Telcos to anything or refrain from doing anything that is in the Minister’s opinion necessary to secure the Canadian telecommunications system;
• New enforcement powers for the regulators of Designated Operators and the Minister, such as the imposition of administrative monetary penalties on Designated Operators and Telcos; and
• Requirements on Designated Operators and Telcos to share confidential information with their regulators, the Governor in Council and the Minister, who may then share such information with domestic and foreign organizations.

With respect to reforming federal privacy law, Bill C-27 would introduce many significant changes to Canadian privacy law that would better align it with international privacy laws, including:

• The establishment of a Personal Information and Data Protection Tribunal (“PIDPT”) that can hear appeals of decisions of Office of the Privacy Commissioner of Canada (“OPCC”) and impose administrative monetary penalties of up to the greater of CA$10 million or 3% of an organization’s gross global revenue;
• New enforcement powers for the OPCC, such as order-making powers and the recommendation for the PIDPT to impose administrative monetary penalties;
• A private right of action for individuals harmed by such contraventions of the Consumer Privacy Protection Act;
• New rights for individuals, such as rights related to data mobility, disposal of personal information, and transparency and explanationwith respect to automated decision systems;
• New obligations for service providers to maintain adequate security safeguards to protect personal information it holds on behalf of organizations and report any breaches of such safeguards to organizations, and penalties for violations of the foregoing;
• New requirements with respect to the use of de-identified information and the personal information of minors; and
• New obligations for organizations to describe their use of automated decision systems.

Please refer to our article, Proposed Privacy Bill Introduces Fines and New Requirements for Private Organizations, for more details with respect to Bill C-27.

Finally, as we discussed in our article, Canada’s First AI Act Proposed, Part 3 of Bill C-27 would introduce a legislative framework, Artificial Intelligence and Data Act (“AIDA”), to regulate certain types of AI systems and ensure that developers and operators of such systems adopt measures to mitigate various risks of harm and avoid biased output. AIDA introduces:

• Requirements for persons responsible for high impact systems in accordance with future regulations;
• Remedies for the Minister to mitigate harms, including the imposition of administrative monetary penalties of up to the greater of CA$10 million or 3% of an organization’s gross global revenue; and
• Offences with financial penalties, the highest of which is up to the greater of CA$25 million or 5% of the person’s gross global revenues in the person’s financial year before sentencing.

As we continue to monitor the progress of Bill C-26 and Bill C-27 through the legislative process, we will keep you apprised of any developments. In the meantime, if you have any questions regarding these Bills and how they may affect you, please do not hesitate to contact one of the members of Torkin Manes’ Technology, Privacy and Data Management Group.