
Is your Business Prepared for Bill C-27?

The federal government introduced the Digital Charter Implementation Act (Bill C-27) in June 2022 to modernize the protection of personal data, reviving the earlier Bill C-11, which did not pass. Bill C-27 passed second reading in April 2023. It would enact three new acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). The CPPA would replace the privacy provisions of PIPEDA (the Personal Information Protection and Electronic Documents Act).  

Several notable changes affect how Canadian businesses manage and govern their IT, including a mandatory Privacy Management Program, stronger safeguards for the processing of personal information by service providers, new security, AI and data obligations, and higher monetary consequences for non-compliance. 

Organizations must have and maintain a Privacy Management Program 

Under the CPPA, businesses must implement a Privacy Management Program that clearly sets out the policies, practices and procedures for processing personal information. If your business already has a Privacy Management Program, review it against the new requirements to confirm it is compliant. 

Service Providers 

The CPPA also requires businesses to ensure that all service providers engaged to process personal information on the business’ behalf provide an equivalent level of protection as required of the business itself. It is recommended that businesses review existing service provider agreements and have agreements in place addressing privacy and security.  

Security Safeguards 

The CPPA introduces a new requirement: a business's security safeguards must include reasonable measures to authenticate the identity of the individual to whom personal information relates. In reviewing the sensitivity of the personal information they hold, businesses should also consider:

  • the quantity, format and storage of personal information  
  • the means used to authenticate individuals 
  • the existing data breach response plan and related processes 
  • whether service providers are contractually required to provide proper breach notifications 

AI and Data Governance 

AIDA is principles-based, with detailed obligations left to future regulations, and businesses are expected to demonstrate that they deploy "responsible AI." Its purpose is to protect Canadians by requiring anyone responsible for an AI system to assess whether it is a "high-impact system" and to establish measures to identify, assess and mitigate the risks of harm or biased output that could result from its use. In addition, businesses that process or make available anonymized data must establish measures governing the manner in which the data is anonymized and the use or management of that anonymized data. 

Non-Compliance = Significant Monetary Penalties 

Organizations that commit an offence or contravene the CPPA face higher monetary consequences under Bill C-27. The penalties are as follows: 

  • For offences: a fine of up to 5% of global revenue or CA$25 million, whichever is greater 
  • For other select violations of the CPPA: administrative monetary penalties of up to 3% of global revenue or CA$10 million, whichever is greater 

The changes introduced by the Digital Charter Implementation Act will have a significant impact on businesses’ privacy policies and procedures. Nucleus' Client Success Managers can help business leaders understand these changes and assist in the assessment of data practices to ensure compliance with all applicable aspects of the Act.  
