What’s the State of Canada’s Data Privacy Bill C-27?
In today’s constantly evolving digital landscape, individuals' personally identifiable information (PII) has become a significant target for cyber thieves.
Since the EU’s General Data Protection Regulation (GDPR) became law in 2018, many organizations have worried about what the future would hold for companies as more and more governments passed different data privacy laws.
Companies now face an increasingly complex data privacy regulatory landscape, including hundreds of data privacy laws that differ in structure, definitions, exemptions, fines, notification requirements, timeframes, expectations, and legal risk. Data privacy laws have been passed in countries around the world, as well as several U.S. state legislatures. Now, Canada has a new data privacy bill that will modernize the country's data privacy protections.
Canadian data privacy
Canada has been a leader in data privacy legislation over the years. However, with the dramatic uptick in malware and ransomware, Canadian citizens are demanding changes to their country’s data privacy protections.
- Approximately 9 in 10 Canadians (91%) are at least somewhat concerned about people using information available about them online to attempt to steal their identity
- 53% of Canadians have been impacted by a data breach
- The average data breach cost in Canada is $7.1 million and rising
Canada has two current federal data privacy laws that are enforced by the Office of the Privacy Commissioner of Canada, namely:
1. The Privacy Act, which covers how the Canadian federal government handles personal information. The Privacy Act regulates how national government institutions collect, use, and disclose citizens’ personal information. It also gives individuals a right to access information held about them by the federal government and a right to request correction of any erroneous information.
2. The Personal Information Protection and Electronic Documents Act (PIPEDA) covers how businesses handle personal information they collect, use, and disclose during commercial activities. PIPEDA also applies to all federally regulated industries, such as banks, airlines, and telecommunications companies. PIPEDA sets out rules for obtaining consent and collecting, using, and disclosing personal information while providing individual citizens on-demand access to their personal information held by covered organizations.
In addition to the two federal privacy laws, there are several provincial privacy laws in Canada that also relate to end-user privacy rights. Several factors determine which laws apply and who oversees them, including:
- The nature of the organization collecting/handling the personal information
- Whether it is a federal government institution, a provincial or territorial government institution, a private sector company, or a federally regulated business
- Where the organization is based
- The type of PII involved
- Whether the information crosses provincial or national borders
Like many other nations, Canada has recently taken additional steps to address the growing data privacy concerns by introducing new comprehensive data privacy legislation – Bill C-27.
Formally known as the Digital Charter Implementation Act, Bill C-27 is a significant piece of legislation that aims to modernize Canada's privacy laws and provide individuals with greater control over their personal information. Bill C-27 was introduced in 2022 and is the successor to Bill C-11, which died in August 2021.
So far, there is bipartisan support for Bill C-27 in Parliament. However, there are concerns about its scope, complexity, and cost.
The origins of Bill C-27
Bill C-27's origins can be traced back to PIPEDA, which was enacted in 2000. Over the ensuing years, PIPEDA has been criticized for its lack of adaptability to the rapidly evolving digital landscape, including the rise of ransomware and extortionware.
The rise of social media, e-commerce, collaboration applications such as Microsoft Teams and Zoom, new e-communications channels, and other data-driven technologies has rendered PIPEDA's provisions outdated and somewhat impotent.
To address PIPEDA’s shortcomings, the Canadian Government began a review of the act that focused on emerging technologies and attack vectors. That 2019 review concluded that a comprehensive overhaul of Canada's privacy laws was necessary to protect Canadian citizens from PII theft and misuse. The review conclusions paved the way for the creation of Bill C-27, introduced in the Canadian Parliament in June 2022.
Key provisions of Bill C-27
Bill C-27 encompasses a wide range of provisions to enhance individual privacy protections. Key aspects that subject matter experts point out include:
- Expanded consent requirements: Individuals will have greater control over how their personal information is collected, used, and disclosed. Organizations must obtain explicit and meaningful consent from individuals before collecting or using their personal information.
- Increased transparency: Organizations will be required to provide individuals with transparent and easily accessible information about their personal information practices. This includes providing individuals with clear explanations of how their data is collected, used, and disclosed.
- Right to access and rectification: Individuals will have the right to access their personal information held by organizations and to request corrections if the information is inaccurate or incomplete.
- Right to erasure (disposal): Individuals will have the right to request that their personal information be erased in certain circumstances.
- Prohibition of unauthorized collection and use: Organizations will be prohibited from collecting or using personal information without authorization.
- New enforcement mechanisms: The Privacy Commissioner of Canada will be granted new powers to enforce the legislation, including imposing significant penalties for non-compliance.
Two additional points that I believe are also important:
PII disposal is defined in the current Bill C-27 as permanently and irreversibly deleting personal information or anonymizing it when requested by the data subject. This might seem trivial, but as far as I know, unrecoverable PII deletion is not addressed in any of the major international or U.S. State data privacy laws.
Most general counsels and Chief Privacy Officers assume that deleting or disposing of PII from within a computer application implies an unrecoverable deletion. However, a standard Windows delete sends the file to the Recycle Bin. On Apple computers, deleted files are sent to the Trash but not immediately erased.
In most operating systems, deleted files are only marked as deleted; the data still exists on the drive until other data overwrites it. This is what makes data recovery possible. So when a data subject requests the deletion of their PII from a company’s systems, the “deleted” files can be quickly recovered until they are overwritten. Yet all data privacy laws presumably intend that deleted PII be unrecoverable.
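To illustrate the difference between an ordinary unlink and a disposal that leaves nothing to recover, here is an added example (not code from the original post or from Smarsh) that overwrites a file's bytes, forces them to disk, verifies the content changed, and only then removes the file, returning a report the organization can keep as evidence of disposal. The function names, the report fields and the sample record are all constructed for this example.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def dispose_file(path: str, passes: int = 1) -> dict:
    """Overwrite a file in place, flush it to disk, verify, then unlink it.

    os.remove() alone only drops the name; the bytes stay on the drive until
    something else overwrites them, which is the gap the text describes.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        before = hashlib.sha256(fh.read()).hexdigest()
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite past the OS page cache
        fh.seek(0)
        after = hashlib.sha256(fh.read()).hexdigest()
    os.remove(path)
    # Caveat: SSD wear-levelling, copy-on-write or journaling filesystems,
    # snapshots and backups can keep old blocks an in-place overwrite never
    # reaches; destroying the key that encrypted the record is more dependable.
    return {
        "path": path,
        "bytes_overwritten": size,
        "passes": passes,
        "verified": size == 0 or before != after,
        "removed": not os.path.exists(path),
    }


def demo(sample: bytes, passes: int = 2) -> dict:
    """Write a constructed PII record to a temp file and dispose of it."""
    fd, path = tempfile.mkstemp(prefix="pii-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    return dispose_file(path, passes=passes)


if __name__ == "__main__":
    print(demo(b"name=Jane Doe;sin=000-000-000\n" * 100))  # constructed sample
```

The report is what a privacy officer would log against the data subject's request; the "removed" flag alone is what a plain delete gives you, the "verified" flag is the part that a plain delete cannot.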
Another key provision in Bill C-27 is the private right of action. The bill grants individuals affected by a violation of the Consumer Privacy Protection Act (CPPA) the ability to bring an individual legal claim against a company when an individual suffers losses or injuries due to the organization’s violation of the CPPA. Many data privacy laws leave it up to an Attorney General or Privacy Commissioner to address a violation.
The CPPA provides Canada's Privacy Commissioner with broad order-making powers and the authority to impose significant monetary penalties on organizations. These penalties can go up to $10 million (CAD) or 3% of global revenue. The maximum penalty increases to $25 million or 5% of global revenue for serious non-compliance.
The private right of action is important for individuals to seek remediation when their privacy rights have been violated. It allows them to hold organizations directly accountable and seek compensation for any harm they’ve suffered due to privacy breaches. It also adds additional complexity and liability for non-compliant organizations.
The private right of action provision in Bill C-27 empowers individuals to take legal action against organizations that fail to protect their privacy rights, ensuring more vigorous enforcement and accountability in the digital age.
An interesting side note is that the U.S. federal ADPPA data privacy bill (not passed into law yet) also includes a private right of action.
The impact of Bill C-27
Bill C-27 is expected to impact both individuals and organizations in Canada significantly. For individuals, the bill will provide greater control over their personal information and enhance their ability to protect their privacy online.
For organizations, the bill will introduce new compliance obligations and require them to adopt more transparent and privacy-protective practices including greater levels of PII handling and data security. They will need to adapt their data collection, data management and data handling practices to comply with the new (and eventually changing) requirements — which will likely involve significant investments in technology and training.
While many privacy advocates have welcomed Bill C-27, some stakeholders have raised concerns about its potential impact on their businesses. They argue that the new requirements could stifle innovation and make it more difficult for Canadian companies to compete in the global marketplace.
What the future holds
Bill C-27 has completed its first and second reading in the Canadian Parliament and is currently undergoing consideration in committee. It is expected to face significant scrutiny and debate before it’s passed (if it is) into law. The final form of the legislation could very well be different from the current draft, as the government is likely to make changes in response to stakeholder feedback.
With that said, many expect it to be passed into law in the coming months. Once enacted, the bill will come into force over a phased timeframe, giving organizations time to adjust to the new requirements.
The introduction of Bill C-27 is seen as a significant step forward in Canada’s efforts to protect citizens’ privacy in the digital age. The bill’s comprehensive approach to data privacy and focus on empowering individuals continues Canada’s emphasis on PII protection, and it is expected to have a sizable impact on the data privacy landscape for U.S. businesses that must also comply with its provisions if they are collecting Canadian citizen PII.
Several factors could influence the outcome of Bill C-27:
- The Canadian government has stated that it is committed to passing Bill C-27, but it is possible that this commitment could waver if the bill faces significant opposition from stakeholders
- Public opinion favors stronger privacy protections, but there is some concern that Bill C-27 could be too burdensome for businesses, which can sway public opinion
- The Liberal-controlled government is currently considering the bill, but it is possible for a Conservative government to come to power, which might make significant changes or scrap Bill C-27 altogether
It is too early to say what the future holds for Bill C-27. However, it is clear that the bill will face significant scrutiny before it is passed into law.
Regardless of its final form, Bill C-27 represents a significant step forward in Canada's efforts to protect Canadian citizens’ data privacy. The new law will profoundly affect how Canadian personal information is collected, used and disclosed worldwide.
Information management and data privacy
With the coming information management and data privacy inflection point, organizations must understand how information management will play a crucial role in safeguarding data privacy by ensuring that personal information is collected, used, stored, and disposed of responsibly and securely. Effective archiving and information management practices will help organizations minimize the risk of data breaches, protect individuals' privacy rights, and fully comply with a more complex data privacy landscape.
Organizations should regularly review their information management practices, ensuring they can effectively recognize and protect personal information. This could include conducting privacy audits, regularly updating privacy policies, and providing annual training to employees.
Organizations can minimize the risk of data breaches and loss, comply with data privacy regulations, and build trust with individuals by adopting newer information management and archiving technologies and implementing appropriate information management practices.