Canada’s Digital Charter Implementation Act 2022 – And What Australia Can Learn From It
Canada appears to be looking to update and strengthen its digital privacy with the introduction of three pieces of legislation. The Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (together, the Digital Charter Implementation Act 2022) represent a three-pronged legislative approach to improve Canada’s data privacy framework. We’ll outline what it covers in this blog post.
Canada’s Consumer Privacy Protection Act: Piece 1 of the Digital Charter Implementation Act 2022
The Consumer Privacy Protection Act (CPPA) has been designed to repeal and replace Part 1 of Canada’s existing consumer privacy law – the Personal Information Protection and Electronic Document Act (PIPEDA).
If passed, the CPPA would grant the Privacy Commissioner of Canada broad powers to make orders, including administrative penalties of up to $10 million CAD or 3% of global revenue in most cases. Serious cases would be liable for higher penalties of up to $25 million CAD or 5% of global revenue.
The CPPA would also (amongst other things):
- Set out the information that must be supplied for consent to be valid.
- Require companies to implement a privacy management program.
- Increase standards for companies that process children’s data by classifying children’s data as sensitive.
- Introduce a privacy right of action for contraventions of the CPPA in circumstances where the Commissioner or Tribunal has made a finding.
Interestingly, the CPPA also includes a provision covering automated decision systems (which is different to an AI). An automated decision system is defined as “any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique.”
The CPPA states:
Automated decision system
(3) If the organization has used an automated decision system to make a prediction, recommendation or decision about the individual that could have a significant impact on them, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision.
The Personal Information and Data Protection Tribunal Act
This Act would establish a Tribunal that would hear appeals relating to decisions, penalties, and orders made by the Privacy Commissioner of Canada. The appeals heard by the Tribunal would be final and binding and would be decided on a balance of probabilities.
Artificial Intelligence and Data Act
The Digital Charter Implementation Act 2022 also includes a third part that regulates artificial intelligence in the private sector. This was a relatively unexpected addition to Canada’s privacy law.
The Artificial Intelligence and Data Act (AIDA) sets out requirements for companies to assess the risk associated with their system and to publish information about how high-impact AI systems are used.
The AIDA also prohibits the use of data obtained unlawfully in the development of an AI. This is an important step in the development of a ‘responsible AI’ ecosystem since AI development relies on the AI system being fed data – and that data must originate somewhere.
You can read the three acts comprising the Digital Charter Implementation Act 2022 and follow its progress through the Canadian Parliament.
Lessons for Australia from Canada’s Proposed Digital Charter Implementation Act 2022
While Canada’s proposed law still has to pass through multiple steps before it becomes law, you can draw several important takeaways for Australian organisations from the proposed law:
- Penalties for non-compliance are increasing globally. From the criminal sanctions available under Thailand’s privacy law to the increased penalties under Canada’s Digital Charter Implementation Act 2022 (and the mammoth fines in Europe), the rest of the world is adopting steep penalties for privacy non-compliance. Australia’s penalties have, thus far, lacked teeth. Australian organisations operating in the global economy should be careful to comply with relevant privacy laws or risk significant penalties, unlike those we experience locally.
- The CPPA contains a section dedicated to “Openness and Transparency”, which requires organisations to provide information about privacy practices in plain language. Again, we’re seeing lawmakers home in on transparency about data collection and usage, which is a trend we expect to continue long into the future.
- Organisations that are adopting automated decision-making technologies should expect to be required to be more transparent about their usage of those technologies in the future. It is an increasing consumer expectation, and lawmakers are paying attention.