On 15 Jan., the European Commission announced it was renewing data adequacy decisions for 11 nations, including Canada, which is now four years into its efforts to modernize its data privacy legal regime with Bill C-27, the Digital Charter Implementation Act, and preceded by the introduction of Bill C-11 in 2020.
However, with federal elections looming, some stakeholders in the legislative process are expressing doubt the omnibus C-27 proposal will pass before the election is held prior to October 2025.
In its decision to renew Canada's adequacy, the European Commission recommended "enshrining some of the protections that have been developed at sub-legislative level in legislation to enhance legal certainty and consolidate" data protection requirements, such as processing sensitive data, into federal law. The Commission ruling alludes to Canada's modernization efforts of the Personal Information Protection and Electronic Documents Act, which includes passing C-27, as significant developments for renewing its adequacy.
"The ongoing legislative reform of PIPEDA could notably offer an opportunity to codify such developments, and thereby further strengthen the Canadian privacy framework," the European Commission's decision reads. "The Commission will closely monitor future developments in this area."
Impact of adequacy renewal
Privacy Commissioner of Canada Philippe Dufresne said the European Commission's decision to renew Canada's adequacy underscores the significance of his country's efforts to make meaningful reforms to the country's federal privacy regime.
"(The adequacy renewal) was a positive recognition of the importance the reform efforts carry, the legal amendments that have been added and the progressive efforts to extend privacy rights to non-Canadians outside of Canada," Dufresne said in a recent interview with the IAPP. He added how pleased he was regarding the implementation of some proposed amendments he submitted to members of the House of Commons' Standing Committee on Industry and Technology.
"The European Commission specifically talks about C-27 in its decision, and I think that momentum will continue," Dufresne continued. "It's certainly my hope that the bill passes (before the election). As Parliament continues its study of the legislation, we’ll see what the future holds."
Speaking during a breakout session at the IAPP Canada Privacy Symposium, nNovation Counsel Constantine Karbaliotis, AIGP, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP, said he thought the European Commission renewing Canada's adequacy was a "fundamental mistake." He also indicated little confidence C-27 will pass prior to the next federal election, noting diminished urgency on the part Parliamentarians to given the Commission's adequacy decision.
"It surprised many of us in Canada that we got adequacy again, because our law has not kept pace with the (EU) GDPR," Karbaliotis told the IAPP after his breakout session. "It's unfortunate (the EU Commission) renewed our adequacy, or didn't qualify it more heavily, because I think that if they had said, 'Canada, you're not adequate,' this would have lit a fire under the butts of our Parliamentarians to get the legislation done because no party wants to be responsible for Canada losing its adequacy."
The whole C-27 proposal containing the proposed Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and Artificial Intelligence and Data Act, is currently undergoing clause-by-clause review in-committee. If C-27 passes the full House of Commons this session, the bill then goes to the Senate for deliberation.
Karbaliotis said once the Senate completes its three readings of the legislation, C-27 would go to Royal Assent. Once Royal Assent is completed, Minister of Innovation, Science and Industry François-Philippe Champagne would set the effective date for the bill, which he previously indicated would be 18-24 months following final passage, according to Karbaliotis.
In emailed comments to the IAPP, Champagne said C-27 represents Canada's recognition of "the urgent need to update our privacy laws and establish a regulatory framework for responsible AI development."
"With Canadians increasingly reliant on the digital economy, it's crucial that our legislation evolves alongside technology," Champagne said. "The proposed Consumer Privacy Protection Act within C-27 offers clear rules to protect Canadians and guide businesses in a rapidly changing technological landscape. Aligning with key aspects of the EU's framework, we are taking action to strengthen privacy protections and bolster trust in the digital ecosystem, for both Canadians and all our partners."
AIDA's impact on legislative work
Among other stakeholders following C-27's progress in Parliament, there is a lingering sense that the best road for expedited passage may be to remove the AIDA from the broader C-27 package and pursue passing the proposed CPPA and tribunal act.
Parliamentarians previously discussed separating AIDA from the rest of C-27 during its first reading in-committee but opted to keep the legislation intact. Champagne told the IAPP that AIDA "will ensure responsible AI development, to keep businesses accountable and promote transparency."
McMaster University Education Public Policy in Digital Society Executive Director Brenda McPhail believes concerns expressed toward the AIDA may ultimately prove to be the reason why C-27 stalls before the next election. For instance, McPhail said one major perceived flaw with AIDA is how it purported to regulate high-impact AI systems, however, the bill does not adequately define the term "high-impact." Critics have also pointed to the fact that much of the proposed AIDA rulemaking will be left to the Minister of Innovation, Science and Industry after it passes.
"A couple of weeks ago I would have said there was no doubt C-27 would pass because there is substantial political will," McPhail said in an interview. "Now I think there may be less of a chance because there is gaining momentum in the idea that AIDA needs to be severed because of some of the serious flaws that have been identified with it."
On balance, Big Tech firms have been receptive to the objectives of Canada’s privacy law modernization efforts through C-27. During a Standing Committee on Industry and Technology hearing 7 Feb., representatives from companies including Amazon, Google and Microsoft testified on the legislation and offered recommendations for improvements.
Amazon Web Services Global AI and Machine Learning and Canada Public Policy Director Michelle Foster said the AIDA's revised definition of "high-impact" AI systems is "still too ambiguous, capturing a number of use cases that would be unnecessarily subject to costly and burdensome compliance requirements."
With much of the standing committee's C-27 work this year primarily revolving around AIDA, University of Toronto Professor Emeritus Andrew Clement said the bill is largely viewed by industry and civil society as not being as comprehensive as the proposed CPPA and tribunal act, telling the IAPP, the "AIDA definitely needs more work than parts one and two."
Clement is a proponent for severing the AIDA from the rest of C-27 and replacing its proposed "high-impact" approach with a tiered risk-based approach, similar to the EU AI Act, and ground the law in a "principles-based framework explicitly in the protection of fundamental human rights and compliance with international humanitarian law."
Ernst and Young Canada Private Cybersecurity and Privacy Leader Carlos Chalico, CIPP/C, CIPM, FIP, also expressed doubt C-27 will pass in Parliament prior to the next federal election.
"Unfortunately, it appears there is little chance anything gets done before the election,” Chalico said at CPS 2024. "AI has really pushed the legislative activity with this bill. We thought privacy was the purpose of introducing C-27 but it appears Canada will keep kicking the can down the road in terms of privacy law reform."
Planning contingencies
nNovation's Karbaliotis said with Quebec's Law 25 fully entering into force in September of last year, pan-Canadian businesses outside of the province are updating their company data collection practices in order to meet the Quebec requirements. He said as most privacy professionals are familiar with the "Brussels effect," even without C-27 passing, Canada could still stand to see a "Quebec effect."
"When Law 25 came out, I immediately wondered who's going to set the tone for Canada, because as is typical for our country, it's a contest between the federal government and Quebec," Karbaliotis said. "Large companies in Canada, whether they're governed directly by Law 25 or not, are going to have already heard that they're following Quebec's lead in terms of what to comply with because it's the most onerous and similar to many kinds of companies who had to deal with the GDPR in a multinational compliance context."
Alex LaCasse is a staff writer for the IAPP.