The Canadian federal government is getting close to passing updated privacy legislation that will impact how you govern the personal information you are storing as well as address the impacts of artificial intelligence (AI).

These changes began more than a year ago and are expected to pass this year or in early 2025, including new privacy legislation that will make significant changes to the Personal Information Protection and Electronic Documents Act (PIPEDA).

Three Key Acts

Bill C-27 lays out a new statutory framework governing personal information practices in the private sector, and includes three new statutes:

Consumer Privacy Protection Act (CPPA): If Bill C-27 passes, this act would repeal and replace the private sector personal information protection framework in PIPEDA. This new privacy legislation would essentially replace PIPEDA with new requirements governing the protection of personal information.
Personal Information and Data Protection Tribunal Act: Under this act, an administrative tribunal would be established to review certain decisions made by the Privacy Commissioner of Canada and impose penalties for contraventions of the CPPA, which is a substantially enhanced enforcement regime when compared with that of PIPEDA.
Artificial Intelligence and Data Act (AIDA): This act would create a risk-based approach to regulating trade and commerce in AI systems.

CPPA would require that organizations implement a privacy management program that includes policies, practices, and procedures to ensure compliance. The act reinforces express consent for the organization to process personal information, although it does outline exceptions under certain circumstances.

Severe Penalties for Non-Compliance

The fines for not complying with CPPA are hefty – as much as $25 million and the amount corresponding to 5% of gross global revenue for the preceding fiscal year. Law firm Osler advises that organizations could also be subjected to administrative monetary penalties of up to the greater of $10 million and the amount corresponding to 3% of gross global revenue for the preceding fiscal year.

Regional Legislation is Also a Factor

If you’re doing business in Quebec, you must also comply with the Quebec Privacy Act, recently reformed by Bill 64, that includes an enforcement regime with potentially severe financial penalties for contraventions that are similar to CPPA.

Quebec’s legislation also requires organizations to create an internal policy suite to address the lifecycle of personal information they store and process.

Navigating data privacy legislation has become another cost of doing business – organizations are responsible for understanding which rules apply to them when operating across Canada and globally.

The many compliance obligations required by government privacy legislation can seem overwhelming, but a managed services provider can help you maintain the necessary IT infrastructure and best practices to secure and protect customer data.