This afternoon, the Trudeau government is launching its campaign to convince businesses that there is nothing to fear in its second attempt to update federal privacy law that covers the private sector.
Innovation Minister François-Philippe Champagne will speak at the Canadian Marketing Association’s online privacy conference on a new package of private sector privacy legislation called the Digital Charter Implementation Act 2022 (Bill C-27).
The last time the government made an effort, then-federal privacy commissioner Daniel Therrien issued a stinging criticism that didn’t count for much as an October 2021 election was called and the proposed law died.
After making some changes and adding an important new part, the legislation was re-introduced in June.
It consists of three parts:
— the Consumer Privacy Protection Act of 2022 (CPPA), which replaces the Personal Information Protection and Privacy Act (PIPEDA), but adds powers for a privacy commissioner. Changes compared to the original version of the CPPA include a distinction between de-identified and anonymous personal data, situations where companies do not need to obtain express consent to collect personal data, and added mandatory protection of children’s data.
— the Personal Information and Data Protection Tribunal Act, which, as in the original legislation, creates a government-appointed body to hear the Privacy Commissioner’s recommendations on financial penalties for ignoring orders or failing to comply with the law;
— and the new Artificial Intelligence and Data Act, which will require “highly effective” AI programs to comply with yet-to-be-written rules to ensure risks of harm or bias are identified and mitigated.
While a new AI and data commissioner will be appointed to oversee the act, the innovation minister will have the power to order anyone responsible for a serious system that causes harm or bias to hand over any records governing the system – possibly including software code – and/or conduct a system audit.
The law has not yet been sent to a committee of the House of Commons for detailed study. This is expected by the end of the year.
The CPPA may face opposition from witnesses who believe it unnecessarily creates a court that wastes time, rather than allowing the Privacy Commissioner to levy fines. The government apparently does not want to make the commissioner judge and jury.
So far, the current privacy commissioner, Philippe Dufresne, has not yet released his analysis of the proposed bill, and may not until he testifies before the committee.
There are also likely to be witnesses complaining that the new proposed CPPA allows exceptions, in certain circumstances, to the requirement that companies obtain express consent from individuals to collect and use personal data.
The new proposed AI bill will also be scrutinized for what it does and doesn’t include.
A preview of what parliamentary witnesses (and possibly opposition MPs) might say about the bill was presented last month during sessions at the Data and AI Conference in Toronto.
Jill Briggs, head of policy and regulation at the Canadian Interactive Advertising Bureau, said “there’s a lot of discomfort” among online advertisers about the lack of detail in the AI bill. “It’s very empty,” she said. “There are no [proposed] normative acts. It just says if you have a high-risk system, you’re in a lot of trouble and you’re going to get fined. We don’t even know what high risk means. So I think there’s still a lot of work to do.”
Chetan Full, senior associate in the cybersecurity, technology and data management practice at Deloitte Legal, noted that while the proposed AI law clearly allows an individual to sue for alleged bias by an AI system, that right may not extend to groups alleging bias.
Mark Schaan, senior assistant to the deputy minister for strategy and innovation policy in the innovation division, admitted he had heard the complaints. Some told him, “It looks like we’re going to have a huge criminal liability, isn’t this going to chill the industry, how can we make sure you get it right,” Schaan said.
But he believes the department has established a reasonable test for interfering with AI systems. Only the “most egregious” systems that show evidence of causing significant and significant harm, and with the intent of the app’s operator, could attract sanctions, he said.
And the promised rules will be written after “extensive consultation” with business, he added. They will “fill in the color,” he said, to strike a balance between encouraging innovation and Canadians’ trust in AI systems.
In short, AI systems must meet accepted data management standards. Compliance measurement will be done through “a robust and competitive private sector enforcement ecosystem, which may include accredited compliance assessment bodies, certification programs and other enforcement tools and service providers,” Schaan said.
As for the CPPA, watch for critics at parliamentary hearings like Teresa Scassa, a Canada Research Chair in Information Law and a law professor at the University of Ottawa, who wrote in the Toronto Star last month that the government has “clearly listened more to industry concerns” in C-27. “Human rights still take a backseat to commercial interests.”
“Privacy by design and by default is absent from the bill,” she complained, “which still does not address the growing exploitation of personal data by political parties. The exception for using personal information without knowledge or consent for ‘socially beneficial purposes’ still has wide gaps, and little attention is paid to the flow of personal data across Canadian borders.”
Scassa and others called for the CPPA to clearly make privacy a right.
The conference will begin at 3:00 PM ET with a panel discussion on C-27. Champagne speaks at 4:15. Registration is free for Canadian Marketing Association members; non-members pay $49.