Consumer Privacy Protection Act (Canada’s Bill C-27): Feedback from industry participants

Bill C-27 – the second iteration of Bill C-11 (2020), which died on the order paper in 2021 – is currently at second reading in the House of Commons. Canada’s Consumer Privacy Protection Act introduces two new statutes that would make substantial changes to the federal data protection legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). First, the Consumer Privacy Protection Act (CPPA) would replace Part 1 of PIPEDA, which relates to the protection of personal information. Second, the Personal Information and Data Protection Tribunal Act (PIDPT) would create a new Data Protection Tribunal.

Bill C-27 also introduces the Artificial Intelligence and Data Act (AIDA), which would create a new legal and general framework for the regulation of artificial intelligence (AI). During the second reading of Bill C-27, it was suggested that AIDA be voted on separately from the privacy aspects of the Bill, namely CPPA and PIDPT. The proposal aims to operationalize the Canadian government’s Digital Charter as well as past proposals to strengthen privacy in the digital age in order to address the challenges posed by the digital economy and new technologies.

The most serious violations of the CPPA could result, upon prosecution, in fines that have been described as the strongest among G7 privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). While clearly inspired by similar initiatives in other countries, namely the GDPR and the CCPA, the Canadian proposal is unique in its approach in that, in many instances, it affords businesses greater flexibility and clarity relative to the present privacy regime’s requirements. Most notably, it borrows directly from past guidance and decisions issued by the federal privacy commissioner, the Office of the Privacy Commissioner of Canada (Commissioner), and provides individuals with new rights that are more narrowly framed than those currently found under the GDPR.

It should also be noted that Québec’s private-sector data protection regime, the Québec Act respecting the protection of personal information in the private sector (Québec Private Sector Act), as modified by Bill 64 (Bill 64), is in many respects more onerous than the CPPA, raising a number of challenges from an interoperability standpoint for businesses operating at a national level. For a summary of the key differences between the rights and obligations under C-27 and Bill 64, see Schedule “A” at the end of this article. For a detailed analysis of the changes introduced by Bill 64, please review our Bill 64 Compliance Guide.

Parliament has invited input from industry participants regarding Bill C-27. Various organizations and industry stakeholders have recently raised legal and operational concerns with some of the proposed provisions of this bill, especially regarding those that could have unintended or inimical effects.

In that context, we have prepared an article which provides an overview of some of these concerns, with a focus on the CPPA, and summarizes certain salient points that industry participants may consider raising in their commentary on Bill C-27. Our article does not cover all submissions presented by various industry-specific organizations nor does it provide a complete overview of all such concerns.

You can read our article available on BLG’s website.

This content has been updated on January 30, 2023 at 17 h 26 min.