
Regulating privacy and artificial intelligence: what’s changing

Written by
Mathews Dinsdale, Canada’s only national labour and employment law firm.
Regulation of data privacy may be changing in Canada, with the proposed creation of a new enforcement body with the power to impose very significant fines. The proposed reform also includes new regulation of the use of artificial intelligence.


On 16 June 2022, the Canadian government introduced a proposal for three-pronged legislation to strengthen Canada’s data privacy framework and create new regulations for the responsible development of artificial intelligence (AI), while continuing to implement Canada’s Digital Charter. The Digital Charter establishes ten key principles for the digital landscape, such as universal access, safety, and control and consent in relation to personal data. The proposal (Bill C-27, the Digital Charter Implementation Act, 2022) would also introduce significant changes to enforcement.

It features three pieces of legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA) and the Artificial Intelligence and Data Act (AIDA).

1. The Consumer Privacy Protection Act

The CPPA would govern the protection of individuals’ personal information while taking into account the need of organisations to collect, use or disclose personal information in the course of commercial activities.

The CPPA would, in part, increase Canadians’ ability to control personal information held about them by organisations, provide more freedom to move that information from one organisation to another securely, and hold organisations that process children’s data to a higher standard.

(The CPPA would replace Part 1 of the current Personal Information Protection and Electronic Documents Act, PIPEDA.)

2. The Personal Information and Data Protection Tribunal Act

PIDPTA would create a new administrative tribunal with the power to impose penalties on organisations that violate the CPPA. Under the proposed regime, the Office of the Privacy Commissioner (Commissioner) would continue to oversee compliance, and would also be granted authority to issue orders against organisations and make recommendations for penalties. The Tribunal, however, would be tasked with reviewing the Commissioner’s orders and may substitute its own decision.

The Tribunal’s decisions would be final and binding, although subject to judicial review in the Federal Courts.

The Act would also establish significant fines for non-compliant organisations, with fines of up to the greater of 5% of global revenue or CAD 25 million for the most serious offences. Factors that the Commissioner must take into account when recommending a penalty would be updated to include evidence that the organisation exercised due diligence to avoid the contravention and reasonable efforts to mitigate or reverse its effects. This would provide organisations with additional avenues to attempt to limit penalties, heightening the importance of a robust privacy compliance programme.

3. The Artificial Intelligence and Data Act

AIDA would regulate international and interprovincial trade and commerce in artificial intelligence systems.

It would require organisations building high-impact AI systems to identify, assess and mitigate the risk of harm and bias, a concern often raised in the context of AI use in recruitment. It would establish an AI and Data Commissioner, which would be charged with monitoring compliance and ordering third-party audits of AI systems.

Potential impact for federal employers

This bill follows an earlier proposed Consumer Privacy Protection Act, which did not proceed because of the most recent Canadian federal election.

Like PIPEDA currently, the Act would directly regulate personal information collected, used and disclosed by federal employers in the course of administering the employment relationship. Notably, it would continue the consent exemption that is currently set out in PIPEDA for employee personal information. This states that the collection or use of personal information must be reasonable, regardless of whether or not employees consent.

For federal employers, the most significant reform proposed relates to enforcement. Currently, the Commissioner has no authority to make or enforce orders under PIPEDA (the Commissioner’s findings constitute recommendations only, and a party must take court action to secure an enforceable order). PIDPTA will enhance the Commissioner’s authority, introduce the Tribunal with significant powers to make rulings and impose penalties, and limit the role of the Federal Courts to judicial review.

The full text of the bill is available here.

For more information about employee data privacy

John D. R. Craig
Partner - Canada
Mathews Dinsdale