Contact

Canada’s Digital Charter Implementation Act 2022 – And What Australia Can Learn From It

Published
12 Aug 2022
Read time
4 min read
Category
Law, Opinion, Privacy

Canada appears to be looking to update and strengthen its digital privacy with the introduction of three pieces of legislation. The Consumer Privacy Protection Act, the Personal Information and Data Protection Act, and the Artificial Intelligence and Data Act (together, the Digital Charter Implementation Act 2022) represent a three-pronged legislative approach to improve Canada’s data privacy framework. We’ll outline what it covers in this blog post. 

Canada’s Consumer Privacy Protection Act: Piece 1 of the Digital Charter Implementation Act 2022 

The Consumer Privacy Protection Act (CPPA) has been designed to repeal and replace Part 1 of Canada’s existing consumer privacy law – the Personal Information Protection and Electronic Document Act (PIPEDA).  

If passed, the CPPA would grant the Privacy Commission of Canada broad powers to make orders, including administrative penalties of up to $10 million CAD or 3% of global revenue in most cases. Serious cases would be liable for higher penalties of up to $25 million CAD or 5% of global revenue.  

The CCPA would also (amongst other things):  

  • Set out the information that must be supplied for consent to be valid.  
  • Require companies to implement a privacy management program.  
  • Increase standards for companies that process children’s data by classifying children’s data as sensitive.  
  • Introduce a privacy right of action for contraventions of the CCPA in circumstances where the Commissioner or Tribunal has made a finding.  

Interestingly, the CCPA also includes a provision covering automated decision systems (which is different to an AI). An automated decision system is defined as “ any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique.” 

The CPPA states:  

Automated decision system 

(3) If the organization has used an automated decision system to make a prediction, recommendation or decision about the individual that could have a significant impact on them, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision.
 

The Personal Information and Data Protection Tribunal Act 

This Act would establish a Tribunal that would hear appeals relating to decisions, penalties, and orders made by the Privacy Commissioner of Canada. The appeals heard by the Tribunal would be final and binding and would be decided on a balance of probabilities. 

Artificial Intelligence and Data Act 

The Digital Charter Implementation Act 2022 also includes a third part that regulates artificial intelligence in the private sector. This was a relatively unexpected addition to Canada’s privacy law.  

The Artificial Intelligence and Data Act (AIDA) sets out requirements for companies to assess the risk associated with their system and to publish information about how high-impact AI systems are used. 

The AIDA also prohibits the use of data obtained unlawfully in the development of an AI. This is an important step in the development of a ‘responsible AI’ ecosystem since AI development relies on the AI system being fed data – and that data must originate somewhere.    

You can read the three acts comprising the Digital Charter Implementation Act 2022 and follow its progress through the Canadian Parliament. 

Lessons for Australia from Canada’s Proposed Digital Charter Implementation Act 2022 

While Canada’s proposed law still has to pass through multiple steps before it becomes law, you can draw several important takeaways for Australian organisations from the proposed law:  

  1. Penalties for non-compliance are increasing globally. From the criminal sanctions available under Thailand’s privacy law to the increased penalties under Canada’s Digital Charter Implementation Act 2022 (and the mammoth fines in Europe), the rest of the world is adopting steep penalties for privacy non-compliance. Australia’s penalties have, thus far, lacked teeth. Australian organisations operating in the global economy should be careful to comply with relevant privacy laws or risk significant penalties, unlike what we experience locally.  
  2. The CPPA contains a section dedicated to “Openness and Transparency”, which requires organisations to provide information about privacy practices in plain language. Again, we’re seeing lawmakers home in on transparency about data collection and usage, which is a trend we expect to continue long into the future.  
  3. Organisations that are adopting automated decision-making technologies should expect to be required to be more transparent about their usage of those technologies in the future. It is an increasing consumer expectation, and lawmakers are paying attention.  

See more on AI use and regulation here: 

https://privacy108.com.au/insights/using-artificial-intelligence-to-support-privacy-management/  

https://privacy108.com.au/insights/australias-ai-ethical-framework/  

https://privacy108.com.au/insights/new-ai-regulation-in-the-eu/  

Or ask us!

 

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.