Canada’s Bill C-27

Canada’s Bill C-27

Article by Tsaaro

7 min read

Canada’s Bill C-27

The Liberal Party of Canada introduced Bill C-27, the Digital Charter Implementation Act 2022, before the nation’s Parliament on June 16, 2022, in an effort to tighten the laws governing data and privacy protection. Three new laws are included in the charter: the Artificial Intelligence and Data Act, the Personal Information and Data Protection Tribunal Act, and the Consumer Privacy Protection Act. 

The new Bill is intended to give Canadians greater control over how firms use their personal data, impose fines on non-compliant businesses, and create new rules for the application of artificial intelligence (AI). 

Bill C-27 is seen as an update of Bill C-11 (43-2), a digital charter that was introduced in 2020 but was shelved by the House of Commons shortly after the announcement of the federal election in late 2020. Notably, a sizable section of Bill C-11 has been transferred to Bill C-27. 

The new Digital Charter has the authority to change other current statutes under the 2020 charter in ways that are consequential and connected. Bill C-27, if passed, would likely replace the Personal Information Protection and Electronic Documents Act, altering the legal framework for privacy and data protection in Canada (PIPEDA). 

Why is it relevant? 

Although the Canadian Constitution recognizes the right to privacy as a basic one, the existing legislation controlling personal data is weak in terms of how Big Tech corporations can utilize customers’ personal data for services like targeted advertising, among others. One of the “most restrictive” legal frameworks for data governance among the G7 nations, Bill C-27 is praised for explicitly stating that safeguarding privacy rights is essential to preserving individual liberty and dignity. Canadian rights organizations see this Bill as a positive development. 

Consumer Privacy Protection Act (CPPA) 
“An Act to Support and Promote Electronic Commerce by Protecting the Personal Information that is Collected, Used or Disclosed in the Course of Commercial Activities,” is how the first law under the 2022 Digital Charter is described. 
The Act aims to create regulations for the protection of personal information in a way that strikes a balance between the need for organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate under the circumstances and the right of individuals to privacy. Regarding the use of personal data by organizations for commercial purposes, it is applicable to all organizations.  
The following is a list of all the key elements of the Consumer Privacy Protection Act: 
1. Giving organizations more authority and transparency when handling Canadians’ private information. 

  1. Providing citizens with the freedom to securely transfer their information from one organization to another.
  2. Making sure that Canadians can ask for their data to be deleted when it is no longer needed.
  3. Creating tighter safeguards for children, such as restricting organizations’ access to and use of information on children and holding them to a higher standard for handling such data.
  4. Giving the Privacy Commissioner of Canada wide authority to issue orders, such as the power to direct a business to cease collecting data or utilizing personal information.
  5. Setting up severe penalties for non-compliant organizations, with the most egregious offences subject to fines of up to 5% of global revenue or $25 million, whichever is greater.
    Unless one of the aforementioned exceptions to consent applies, the CPPA is built around the necessity that consent be obtained for the collection, use, and disclosure of personal information: 
    – Transfers to providers of services  
    – Utilizing private data for internal research, analysis, and development as long as it is de-identified  
    – Defined commercial activities, if a reasonable person would anticipate the collection or use for such an activity and the personal information isn’t gathered or used to persuade the person to act in a certain way. 
    It must be noted that government institutions to which the Privacy Act applies are exempted from this law. Additionally noted are individuals gathering private information about others for domestic use and businesses gathering the same for journalistic or academic objectives are also listed as exceptions from the law. 


1.Artificial Intelligence and Data Act 
New regulations are expected to be included as part of the planned Artificial Intelligence and Data Act to enhance governmental authorization for the creation and use of AI systems. By setting uniform standards that apply across Canada for the design, development, and use of these systems, it aims to control international and interprovincial trade and commerce in artificial intelligence systems. Additionally, it forbids any behavior involving AI systems that might seriously hurt people or their interests.  
The AI and Data Act’s main requirement is that all personal information used to train artificial intelligence programs must be encrypted and permanently de-identified before it can be used to draw any conclusions about its owners. Although the word “high-impact” systems are not defined in the proposed legislation, it is also intended to address the potential of bias in analyses (it is left to regulation). 
The following is a list of some of the key components of the AI and Data Act:  
1. Defining, assessing, and mitigating the risks of harm and bias in high-impact AI systems during development and deployment to protect Canadians. 
2. Appointing an AI and Data Commissioner to assist the Minister of Innovation, Science, and Industry in carrying out his or her ministerial duties under the Act, such as overseeing corporate compliance, ordering outside audits, and, when necessary, exchanging data with other regulators and enforcers. 
3. Setting forth unambiguous legal restrictions and sanctions surrounding the use of data obtained illegally for AI development, when AI is used carelessly and causes significant harm, or when there is fraudulent intent to significantly harm the economy. 
4. Build a machine with artificial intelligence a ministry with a data commissioner on staff who would help with enforcement. When there is a “severe risk of imminent harm,” the minister may provide the Commissioner access to information and the authority to issue orders, including those that require organizations to undertake audits, correct problems, and halt the functioning of specific high-impact systems. 
The AI Act includes fines for failing to comply with the Act’s obligations as well as administrative financial penalties for breaking the rules. 

2.Personal Information and Data Protection Tribunal Act 
The Consumer Privacy Protection Act would be enforced in part by the Personal Information and Data Protection Tribunal, which would be established by Bill C-27. The tribunal would specifically consider suggestions made by the Canadian Privacy Commissioner to impose administrative fines for specific Act violations. An “accessible mechanism for organizations and people to seek a review of Privacy Commissioner judgements” is what it’s meant to be.  
It should be highlighted that the present PIPED Act already establishes a tribunal to oversee personal information on the internet. The new Act will increase the tribunal’s authority to the level of a superior court of record, nevertheless. Any decision made by the Personal Information Tribunal may be converted into an order of the Federal Court or another superior court, and it has the same legal effect as a court order. 
If an inquiry reveals that it is necessary, it may also punish a company, but only after giving both the organization and the Office of the Privacy Commissioner a chance to respond. Additionally, appeals of any findings, orders, and judgements made under the Consumer Privacy Protection Act. 


If passed, Bill C-27 -27 would bring forth long-overdue changes to Canada’s privacy regulations. With the understanding that data are a source of competitiveness and innovation, this new law tries to strike a balance between an individual’s rights regarding their personal information. This statute establishes Canada as a pioneer in ethical innovation. The enforcement of the law is one of many significant planned reforms. Businesses in Canada and, increasingly, around the world need to be prepared for these legal changes. 

It is just the start of what we may anticipate in terms of future technologies, like artificial intelligence, being used to regulate data. By preparing early, businesses can benefit from more streamlined, compliant, and reliable processes under the new law. 

Stay updated with us. Get a grasp on guidelines for better Privacy management and administration straightforward once you understand them. Once they become ingrained in your behaviour, they will aid in defending you from frequent scam tactics. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Get in touch with us at 

Leave a Reply

Your email address will not be published. Required fields are marked *

Shubham Bansal

INTRODUCTION:  GRC (for governance, risk, and compliance) is an organizational strategy for managing governance, risk management, and compliance with industry …

Shubham Bansal

Introduction A majority of the organizations across the globe use the cloud platforms for various purposes. A large portion of …

Shubham Bansal

INTRODUCTION:  The phrase “data is the new oil” is attributed to British mathematician Clive Humby, who purportedly coined it in …

Shubham Bansal

Today, technology continues to evolve, with companies all over the globe required to adapt to the constant evolution. It is …

Shubham Bansal

INTRODUCTION:  Data governance is an instrument for determining who within an organization is responsible for overseeing data assets and establishing …

Recent Comments


    Would you like to read regular updates from Tsaaro.
    Subscribe to our newsletter

    Our Latest Blogs

    Read what the latest hapennings in the cyber world are and learn what the
    experts have to say about them