Bill C-27: Upcoming amendments to privacy and AI legislation

After the second reading of Bill C-27 was completed last April, the Standing Committee on Industry and Technology (INDU) finally began its review of the highly anticipated bill on Sept. 26, 2023. The very first witness to appear was Minister of Innovation, Science and Industry, François-Philippe Champagne, who took the opportunity to announce significant amendments to the bill that was originally introduced in June 2022. Here is what you should keep an eye on.

Privacy

With respect to the first part of the bill, the Consumer Privacy Protection Act (CPPA), the proposed amendments are threefold:

1. Privacy as a fundamental right

The Government proposes to amend Bill C-27’s preamble and the purpose clause of the CPPA (section 5) to expressly recognize the right to privacy as fundamental. This change would ensure that Canadians’ privacy rights receive proper recognition in the interpretation of the Act. While courts have already recognized that privacy has a quasi-constitutional status in Canadian law, this proposed amendment would go a step further in affirming the importance of privacy.

The Personal Information Protection and Electronic Documents Act (PIPEDA) – the current federal privacy law – called for a balancing of the individuals’ right of privacy with the needs of organizations to collect, use and disclose personal information. If the CPPA comes into force, this new status conferred upon the right to privacy may tilt the interpretation of the act in favour of the individuals for interpretation issues that fall into grey zones.

2. Protection of children’s privacy [1]

To ensure proper protection of children’s privacy, the Government proposes recognizing and reinforcing the protections afforded to children by requiring organizations to consider the special interests of minors when determining whether personal information is being collected, used or disclosed for an appropriate purpose.

We do not yet know exactly how “special interests of minors” will be defined, but it is fair to assume that at the inception of projects, organizations will have to consider the fact that minors are generally more vulnerable than adults, especially online, when assessing whether a given purpose is appropriate.

3. A new enforcement tool for the regulator

Under the current version of Bill C-27, only the proposed Personal Information and Data Protection Tribunal would have the authority to impose a monetary penalty. However, to address concerns that the Office of the Privacy Commissioner (OPC) cannot levy a financial penalty on non-compliant organizations, the Government proposes amending the CPPA to allow the OPC to enter into compliance agreements that include financial considerations. Such agreements, which would be binding and not subject to appeal, would allow the OPC to resolve issues without resorting to the Tribunal or courts.

Artificial intelligence

With respect to the Artificial Intelligence and Data Act (AIDA), the proposed amendments are fivefold:

1. High impact AI systems

The Government proposes amending the Act to include an initial list of key classes of “high impact AI systems” that would be subject to AIDA at the outset. These classes encompass the use of AI systems in matters relating to:

  1. Employment-related determinations including recruitment, remuneration and termination;
  2. Determination regarding the type, cost or prioritization of services to be provided to individuals;
  3. Processing biometric information for identification purposes to influence behaviour or state of mind;
  4. Content moderation of online platforms;
  5. Healthcare or emergency services;
  6. Decision-making by courts or administrative bodies; and
  7. Law enforcement.

Should the amendments listing high-impact systems be adopted, the current Section 7, which specifies that the person in charge of an AI system must evaluate whether it is a high-impact system in compliance with regulations, would be subject to removal.

As many observers have noted, one irritant with the current version of AIDA is that it left to unseen regulations most, if not all, of its obligatory content. By trying to define classes of high impact AI systems, to which are attached many obligations under the Act, the Government is at least taking a step towards greater clarity. However, some of these categories are so broad (e.g., services) that it remains a challenge for businesses to ascertain if and how AIDA will apply to them.

2. Interoperability and clearer obligations across the AI value chain

To ensure that Canada’s framework is interoperable and consistent with international best practices, the Government proposes amendments to broaden the scope of AI systems covered in AIDA and align with evolving international frameworks. In this vein, the Government proposes amending the definition of AI system to align with the OECD definition.

Furthermore, the Government proposes amendments to clarify the responsibilities and obligations of different actors in the AI value chain along the lines of the AIDA Companion Document.

Specifically, the amendments would impose specific obligations on developers of machine learning models for high-impact use and of high-impact systems, and on persons making available a high-impact system or managing its operations. These obligations are further detailed in the table below:

| Actors | Responsibilities |
| --- | --- |
| Developers of machine learning models for high-impact use | Data governance measures; Impact assessments |
| Developers of high-impact AI systems | Impact assessments; Risk mitigation measures; Human oversight; Testing for reliability and robustness; Documentation for end-users; Comply with regulations |
| Persons making available a high-impact system | Publish documentation for end-users; Comply with regulations |
| Persons managing the operations of a high-impact system | Impact assessments and risk mitigation measures; Testing for effectiveness; Human oversight; Publish a description of the system; Report serious incidents to the developer and the Commissioner; Comply with regulations |

3. Obligations for general purpose AI systems

The Government proposes to create specific requirements for general purpose AI systems, like ChatGPT, that are designed to be used in many different contexts. For illustration, the European Union’s Artificial Intelligence Act defines general purpose AI as “an AI system that can be used in and adapted to a wide range of applications for which it was not intentionally and specifically designed”.

Responsibilities would vary depending on the actor (i.e., developers of general-purpose systems; persons making them available or managing their operations) and could include impact assessments, testing, mitigation measures to reduce biased output and plain-language documentation.

4. AI and Data Commissioner

The Government wishes to clarify more specifically the functions and roles of the AI and Data Commissioner to build confidence in their ability to carry out their mandate independently and to ensure coherence and avoid duplication.

The Government’s proposed amendments offer important improvements and clarification to Bill C-27 to move towards greater transparency. Unfortunately, without a consolidated, clear, and concise written version of these amendments, it is difficult to establish with certainty what they entail for businesses. It also remains to be seen how the proposed amendments will impact the legislative agenda, as we still don’t know with any certainty when the bill could be adopted.

The authors would like to thank student-at-law Cléa Jullien for her help in drafting this article.


1 Note: The CPPA already contains strong protections for the collection, use and disclosure of children’s personal information. Notably, the Bill deems all personal information belonging to a minor as “sensitive.” This means that: (1) organizations will generally need to use express consent when collecting, using, or disclosing the information; (2) organizations will need to consider carefully whether their reason for collecting, (3) stronger security safeguards must be employed to protect the information; and (4) retention periods for this information should generally be shorter than for information of adults.
