Add a bookmark to get started

25 April 20233 minute read

Privacy update: Bill C-27 onto the committee stage

As previously discussed, Bill C-27, the Digital Charter Implementation Act, 2022 (“DCIA”) is Canada’s second attempt to reform privacy law, and its first update of federal private-sector privacy laws in more than two decades. Bill C-27 will replace the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) by splitting its contents into several Acts.

As a refresher, the DCIA enacts the Consumer Privacy Protection Act, which will provide fresh updates to reflect changing realities in the private sector; the Personal Information and Data Protection Tribunal Act, which will establish a new Personal Information and Data Protection Tribunal (the “Tribunal”); and a new Artificial Intelligence and Data Act (“AIDA”), which creates rules around AI technologies. The “electronic documents” part will stay in the existing legislation and be renamed to the Electronic Documents Act.

After its first reading on June 16, 2022, the House of Commons has had six sittings for second reading over the span of more than five months. On April 24, 2023, the House finally agreed to the entirety of the Bill and the Bill was successfully moved to the Standing Committee on Industry and Technology.

Many concerns regarding the Bill were raised during second reading. One of the primary concerns involved the “legitimate interest” exception to the requirements to obtain consent for the collection, use, and disclosure of personal information. For example, Mr. Ryan Williams (CPC - Bay of Quinte) argues that the exception is overly broad because “legitimate interest” is not defined in the Bill and is instead determined by businesses themselves. It remains to be seen whether the committee will take up the concerns of the opposition and heed their calls for a “massive rewrite.”

Other concerns were raised as to whether the Tribunal was necessary when the Privacy Commission is available, whether the Bill would create too much of a burden on small businesses and start-ups, and whether the Bill adequately addresses data collection and privacy concerns around AI. For more details on AIDA, please see our recent article on the topic.

As the Bill enters the Committee stage, it will be interesting to see whether and how the Committee will address these and other concerns and subsequently make changes to the Bill. Please stay tuned for more updates from DLA Piper’s Data Protection, Privacy and Cybersecurity Team as new information about Bill C-27 becomes available.

Print