Nos services sont également offerts en français.


In its specialized disciplines, Aquilina Law publishes articles, research, reviews and more


Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2022 (the “Act“), was introduced on June 16, 2022.  The Act has passed through the second reading of the House of Commons and is currently under consideration by the Standing Committee on Industry and Technology. As its name suggests, the Act seeks to amend and introduce new pieces of legislation pertaining to personal information and privacy protection, as follows:

The Consumer Privacy Protection Act (the “CPPA”)

The CPPA, once enacted, will replace part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA will introduce various changes, including new individual rights inspired by European Law, namely the right to the informed of automated decision-making and the right to disposal and to mobility of personal information. Furthermore, the CPPA will reinforce accountability rules by adding to the definition of the notion of “control”. Under section 7(1) of PIPEDA, an organization is accountable for personal information that is under its control. The CPPA will further define the notion of control as personal information that is “under the control of the organization that decides to collect it and that determines the purposes for its collection, use or disclosure” (section 7(2)).  Also, the CPPA will enforce a new obligation to establish, implement and make available a privacy management program, as well as provide clarity concerning the role and responsibilities of service providers.

The Personal Information and Data Protection Tribunal Act

The Tribunal would review recommendations by the Privacy Commissioner of Canada to impose administrative monetary penalties for certain contraventions of the Act. The Tribunal would provide an accessible mechanism for organizations and individuals to seek a review of the Privacy Commissioner’s decisions.

The Artificial Intelligence & Data Act (“AIDA”)

Following attempts at artificial intelligence regulation by the European Union in 2021 and the United States in 2022, AIDA  will be Canada’s first attempt to regulate artificial intelligence. AIDA, once enacted, will establish common requirements across Canada for the design, development and use of AI systems, and will prohibit certain conduct that may result in serious harm to individuals or to their interests. AIDA will apply to persons in one or more of the following categories:

  1. Persons who carry on regulated activities;
  2. Persons responsible for AI systems and high-impact AI systems;
  3. Persons who make available for use a high-impact system; and/or
  4. Persons who manage the operation of a high-impact system.

“Persons” under AIDA includes trusts, partnerships, unincorporated associations, and any other legal entity. Although AIDA applies to all AI systems (defined as a technological system that, using a model, makes inferences in order to generate output, including predictions, recommendations or decisions) more stringent requirements are applied to “high impact systems.” However, since AIDA regulations are yet to be drafted, a definition of a “high-impact” AI system is not yet available. In the interim, those responsible for an AI system may wish to conduct a preliminary assessment of whether the system falls under one of the high-impact areas, such as employment-related decisions and biometric information processing, or involves any of the high-impact considerations identified by Innovation, Science, and Economic Development Canada, such as:

  • evidence of risks of harm to health and safety, or a risk of adverse impact on human rights, based on both the intended purpose and potential unintended consequences;
  • the severity of potential harms;
  • the scale of use;
  • the nature of harms or adverse impacts that have already taken place;
  • the extent to which for practical or legal reasons it is not reasonably possible to opt-out from that system;
  • imbalances of economic or social circumstances, or age of impacted persons; and
  • the degree to which the risks are adequately regulated under another law.

The legislation provides that where the Minister responsible for administering AIDA has reasonable grounds to believe that a person may be in contravention of its requirements, the Minister may order that person to conduct an audit into the possible contravention, or alternatively, engage an independent auditor to conduct an audit. Contraventions of AIDA may result in administrative monetary penalties as high as 3% or 5% of global revenue or may even result in the imprisonment of individuals. 

Write a comment
Your email address will not be published. Required fields are marked *