On June 20th, 2022, BILL C-27 was introduced which is the continuation of BILL C-11 that died on the order table as a result of the announced federal election. The Digital Charter Implementation Act is comprised of three proposed acts, namely: The Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.1
The proposed Consumer Privacy Protection Act will address the needs of Canadians who rely on digital technology and respond to feedback received on previous proposed legislation. This law will ensure that the privacy of Canadians will be protected and that innovative businesses can benefit from clear rules as technology continues to evolve.
What is new? The administrative monetary penalties (AMPs) apply to a greater number of provisions, which now include contraventions related to: establishment and implementation of a privacy management program, failure to ensure equivalent protection for personal information transferred to a service provider, failure to adequately specify purpose, consent, breach notification obligations on a service provider, and transparency.
The proposed Personal Information and Data Protection Tribunal Act will enable the creation of a new tribunal to facilitate the enforcement of the Consumer Privacy Protection Act.
The proposed Artificial Intelligence and Data Act will introduce new rules to strengthen Canadians’ trust in the development and deployment of AI systems, including:
- protecting Canadians by ensuring high-impact AI systems are developed and deployed in a way that identifies, assesses and mitigates the risks of harm and bias;
- establishing an AI and Data Commissioner to support the Minister of Innovation, Science and Industry in fulfilling ministerial responsibilities under the Act, including by monitoring company compliance, ordering third-party audits, and sharing information with other regulators and enforcers as appropriate; and
- outlining clear criminal prohibitions and penalties regarding the use of data obtained unlawfully for AI development or where the reckless deployment of AI poses serious harm and where there is fraudulent intent to cause substantial economic loss through its deployment.
The next three monthly newsletters will address some specific changes worth noting.
The United States has made significant progress of late with the proposed American Data Privacy and Protection Act (ADPPA) that is before Congress.2 The House Committee on Energy and Commerce approved ADPPA on July 20th, 2022 and H.R. 8152 will be sent to the full U.S. House of Representatives for a vote. However, due to the mid term elections, the vote could be delayed.
With a growing number of states enacting their own privacy laws, such as California, Virginia, Colorado, Connecticut and Utah, ADPPA would largely preempt state privacy laws. Enforcement of the ADPPA would be by federal and state regulators, such as the Federal Trade Commission (FTC) and state attorneys general (AGs).
ADPPA applies to data controllers and data processors. The legislative intent is to reign in abuses of “Big Tech” companies and restrict their consumer data collection, and the use and transfer of that consumer data. The new law effectively becomes a consumer “Bill of Rights,” providing greater transparency in the collection, use and sale of consumer data. The law would provide minimum safeguards for data protection and require management oversight of data privacy and security.
The entities subject to compliance with the ADPPA
Though ADPPA would define a covered entity broadly, there are three specific groups of entities subject to compliance with ADPPA:
- Data controllers, which are covered entities that decide the purpose and means of collecting, processing and/or transferring personal information of U.S. residents
- Service providers, such as data processors that collect, process and transfer personal information at the direction of a covered entity
- Large data holders that have an annual gross revenue of $250 million or more and collect or process data for five million persons (or devices) and the sensitive personal information is greater than 200,000 persons or devices.
Furthermore, government agencies are exempt and are not subject to compliance with ADPPA.
It is Important as to how to DEFINE COVERED DATA
ADPPA would define covered data as personal information, which is generally any information linked to an identifiable individual. Exemptions to this definition are de-identifiable data, employee data and publicly available information.
Though ADPPA will define covered data broadly, one of its primary impacts is to protect sensitive personal information. Sensitive personal information includes government-issued identification (including social security number, driver’s license number and passport number); health condition, treatment, diagnosis; financial account information, debit or credit card number, income level, bank balance; biometric or genetic information; precise geolocation information; account logins, passwords, access codes; sexual orientation; and minors’ data.
Entities are required to disclose to individuals that personal information is being collected and their use of the individuals’ personal information. Entities must disclose the collection and use of personal information in a clear and conspicuous privacy notice that includes:
- Categories of personal information collected and processed
- Purpose for which personal information is collected and processed
- Categories and names of third parties to whom personal information is transferred
- Purpose for which personal information is transferred to the third parties
- Retention time for sorting personal information
- How individuals can exercise their rights over their personal information
- General description of the organization’s data security practices
- Whether personal information is accessible to China, Russia, Iran or North Korea.
The entities also will be required to have a clear and conspicuous link on their internet homepage similar to: “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.” ADPPA also provides limitations on the use of personal information and provides consumers the right to opt out of the sale or sharing of their personal information. In addition, consumers who are minors will require consent by a parent or guardian to opt in.
How will the Regulatory Enforcement regime work?
ADPPA will be enforced primarily by the FTC, allowing the FTC to institute a civil action for violation of the ADPPA. Additionally, no state AG may file its own suit on behalf of a nationwide class of consumers; however, an AG of any implicated state may choose to interview in the FTC action. The ADPPA also will require the FTC to create a new Bureau of Privacy and a separate fund in the U.S. Treasury called the Privacy and Security Victims’ Relief Fund. Moreover, violations of the ADPPA constitute “deceptive practices” under the FTC Act and will require recovery of damages, civil penalties, restitution, attorneys’ fees and costs.
It is clear from the above new proposed law that any business based in Canada that will have customers who are US citizens, they will definitely have to keep in mind the strict new provisions that will be becoming law very soon in the USA.
David H. Davis of Davis Cyber Law specializes in strategic risk management, incident response, privacy & data protection, and advocacy. He can be reached by email at david@daviscyberlaw.com or by telephone at 204-956-2336. We are also on the web at www.daviscyberlaw.com