Posted at 7:00 a.m.
In summary
The mere 46-word title of Bill C-27, which is 147 pages, is dizzying. The “An Act to enact the Consumer Privacy Act”, in summary, takes up the essentials of a first bill, C-11, tabled in November 2020. As at the time, we threaten fines of up to 25 million or 5% of revenue, whichever is greater. We still find the notion of “valid consent”, with clear confidentiality policies, the possibility of transferring one’s data from one organization to another, the destruction of these when they are no longer necessary and the placing on foot of a special tribunal.
nice listening
But the new law goes further than November 2020, rejoices Chantal Bernier, who was assistant and then interim commissioner at the Privacy Commission of Canada from 2008 to 2014. She is now a legal counsel for Cybersecurity and Privacy at Dentons.
“I am immediately struck by the government’s willingness to reconcile competing interests, to protect, on the one hand, personal information and, on the other hand, to promote the digital economy which is dependent on this information. »
Right from the preamble, she notes, the law establishes that protecting citizens’ right to privacy is “essential to their autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada.” “It gives it quasi-constitutional importance. »
The other part, she apologizes, “may seem technical, but it is critical”. In summary, the law distinguishes between data that has been “depersonalized”, protected, and that which is “anonymised”, which cannot be linked to a person, but which can be used.
“For companies, it makes all the difference in their ability to do research,” she says.
finally some teeth
“Recess is over. “Just like M.e Bernier, Éloïse Gratton, a lawyer specializing in privacy protection at BLG, uses this expression to describe an important measure that has not made the headlines. Essentially, companies that process personal data have an obligation to designate a controller and develop, for example, “codes of practice” and “certification programs” to protect it. The difference is that the Privacy Commissioner will now have the power to investigate, recommend and sanction.
Many small organizations had not yet complied with such requirements, underlines Me Gratton. “I think it will motivate companies to invest in information security and the protection of personal information. »
Taming the AI
The other important aspect of the new law is its desire to prevent the “reckless” use of artificial intelligence (AI) by ensuring, for example, that it was not designed with discriminatory biases. An artificial intelligence and data commissioner will have the power to conduct audits in companies on this subject.
“I see it with a very good eye, summarizes Me Bernard. We already have examples, particularly in the recruitment of employees with biased methods. However, many elements remain to be defined in this area, in particular to define what a bias is and how to establish the seriousness of a prejudice.
Powers and Responsibilities
The fact is undeniable, these new requirements result in an increased administrative burden for businesses. Me Gratton believes it is unavoidable, however. “It is a burden that corresponds to the power of organizations in the handling of personal information, including the risks of intrusion into privacy. “She paraphrases for the occasion, laughing, the motto of Spider-Man:” This power being increased, it generates increased responsibilities. »
Éloïse Gratton, she recalls that this federal bill comes after three other provincial laws, adopted in Alberta, British Columbia and, especially, in Quebec. “With the federal government, it’s just continuity. […] Already, it is clear that there is an evolution among companies in the way of writing confidentiality policies: we will prepare them in layers, with summaries, and if the person wants more information, there is access. »