Part #4: Proposed Technology-Related Laws in Canada
Canada's Responsible Technology Landscape
Introduction
GoodBot’s Canadian Responsible Tech Landscape: Part 3 documents technology-related legislative proposals in Canada that have not yet come into force (as of August 2023), at federal, provincial, and territorial levels. Unlike Part 3 which focuses on the landscape of existing laws, the proposals covered in this document are necessarily a work-in-progress, as some of these proposals will be signed into law or will fail to advance, and new proposals will emerge.
At the federal level, the proposed legislation discussed below includes the following:
Digital Charter Implementation Act (Bill C-27), which features the Consumer Privacy Protection Act, Artificial Intelligence and Data Act, and Personal Information and Data Protection Tribunal Act;
Online Safety Bill (Bill C-36) which aims to amend the Criminal Code and the Human Rights Act to address online harassment, extremism, child sexual abuse material, and the sharing of intimate images;
Amendments to the Telecommunications Act including Bill C-26 which aims to strengthen technology infrastructure in response to cyber security threats, and Bill C-288 requiring transparency on fixed broadband services offered by carriers.
Amendments to the Copyright Act include Bills C-244 legalizing consumer rights to maintain, diagnose, and repair consumer products, and C-294 which aims to make technology interoperable with other programs, devices, or components.
Amendments to the Income Tax Act (Bill C-47) require gig economy platforms to report both their own financial activities and the activities of sellers operating through their platforms who are based in Canada.
Additionally, a number of provincial bills from Alberta, British Columbia, Manitoba, Newfoundland and Labrador, Nova Scotia, Ontario, and Prince Edward Island are listed.
If trends in the United States (US) and the European Union (EU) hold true, Canada can expect in the coming months and years to see even more legislation and implementation mechanisms aimed at both protecting consumers and citizens from potential harm caused by technology companies.
Federal Bills
Digital Charter Implementation Act (Bill C-27)
An Act to Enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA); a.k.a. Digital Charter Implementation Act (Bill C-27, CPPA, 2022)
Bill C-27 The Digital Charter Implementation Act (DCIA), attempts to bring together consumer privacy protection and AI regulation into one bill. In its current form, Bill C-27 focuses primarily on regulating the private sector while largely excluding the public sector. This bill focuses on three key expansions of Canada’s privacy law:
The Consumer Privacy Protection Act (CPPA) aspect of Bill C-27 proposes major changes to Canada’s current privacy legislation Personal Information Protection and Electronic Documents Act (PIPEDA) — which was first enacted in 2000 — by expanding the definition of personal information to “information about an identifiable person.” This definition materially lowers the threshold for what counts as personal information. Some of the criticisms of the Act involve the lack of transparency in how the bill was drafted, the absence of feedback from people in the technology sector, inconsistent definitions of AI within the bill, lack of attention to the human rights implications of algorithms, and the exclusion of many public-sector organizations from the scope of the law. Some commentators note that its provisions are weaker than the European Union’s GDPR. For example, GDPR’s clauses on pseudonymization classify data into various levels of identifiability and assign differing protections based on risk levels, emphasizing privacy as a fundamental human right. Bill C-27’s CPPA lacks these differentiating and balancing measures because of its narrow approach to the pseudonymization of data which raises concerns about the potential misuse of sensitive data collected, bought, and sold in Canada.
The Artificial Intelligence and Data Act (AIDA) part of the bill aims to introduce new obligations and responsibilities for entities accountable for AI systems, especially high-impact ones. It also covers those handling anonymized data for AI use. AIDA addresses emerging challenges in AI and data processing, promoting responsible use and privacy protection. Effective oversight and enforcement are prioritized to uphold AIDA’s integrity and ensure accountability among stakeholders.
Bill C-27 also introduces the Personal Information and Data Protection Tribunal Act (PIDPTA), which would establish a specialized tribunal composed of three to six privacy experts to hear cases of companies that the Privacy Commission has found guilty of breaching data privacy laws. Currently, under PIPEDA, the Privacy Commissioner has the authority to investigate companies for data privacy violations but lacks the power to impose fines or issue orders. Instead, the Commissioner can only issue findings, express opinions on complaints, and make recommendations. To apply fines and other non-monetary orders under PIPEDA, the Commissioner or the complainant must initiate a legal process by submitting an application to the Federal Court.
Under PIDPTA, however, the Commissioner not only examines privacy breaches but can also take legal action against violators and issue decisions and rulings on breaches. The Tribunal will then have the authority to handle appeals related to decisions made by the Privacy Commissioner following an inquiry, issuance of a compliance order, or recommendation of administrative penalties for violating the CPPA. Once the Tribunal makes a decision, the outcome will be considered final and binding, though companies will retain the right to seek judicial review under the Federal Courts Act. To enforce the Tribunal’s decision, it can be made an official order of the Federal Court or a provincial/territorial superior court.
Status of the Bill: The second reading was completed on April 24, 2023, at the House of Commons.
Cybersecure Policy Exchange’s analysis of AIDA part of Bill C-27 of 2022 — Link
John Beardwood’s analysis of Bill C-27 of 2022 — Link and Link
Magali Feys’s analysis of CPPA part of Bill C-27 of 2022 — Link
Michael Geist’s podcast AIDA part of Bill C-27 of 2022 — Link
Shaun Brown’s (IAPP) analysis of CPPA part of Bill C-27 of 2022 — Link
Justin Hendrix (Tech Policy Press) response to AIDA — Link
Tsaaro’s analysis of PIDPTA part of Bill C-27 — Link
Bill C- 27 Summary (ISED) — Link
Kirsten Thompson’s general analysis of Bill C-27 — Link
Teresa Scassa’s analysis of AIDA part of Bill C- 27 — Link
Online Safety Bill (formerly Online Harms Bill)
An Act to amend the Criminal Code and the Canadian Human Rights Act to address hate propaganda, hate crimes, and hate speech (Bill C-36, 2021 — Link)
Bill C-36 — a failed Bill known as the Online Harms Bill — was introduced in June 2021, but this failed due to a lack of consultations and an election call that resulted in the dissolution of parliament. The substance of the bill proved to be controversial among civil society organizations because some approaches being considered in the bill would be inconsistent with freedom of expression and privacy. Read responses from OpenMedia.
A subsequent Bill now known as the Online Safety Bill is expected to be re-introduced before the House of Commons for debate in the fall of, 2023. A joint statement issued by civil society organizations urges the government to prioritize the protection of privacy and freedom of expression in the proposed legislation.
Status of the Bill: The first reading was completed on June 23, 2021, at the House of Commons.
Telecommunication Act
Bill C-26, 2022, An Act respecting cyber security, amending the Telecommunications Act, and making consequential amendments to other Acts.
Bill C-26 aims to provide the government with the authority to compel telecommunications companies operating in Canada to address vulnerabilities within their communications infrastructure, particularly as it relates to matters of national security. While critics of this bill do not disagree with the need for cybersecurity legislation, they do object to overly vague terms, a lack of transparency, and a risk that requirements will not be proportional to the risk.
Status of the Bill: The second reading was Completed on March 27, 2023, at the House of Commons.
Bill C-26, 2022 — Link
Response from Citizen Lab — Link
Bill C-288. An Act to amend the Telecommunications Act (transparent and accurate broadband services information).
The aim of Bill C-288 is to amend the Telecommunications Act, requiring Canadian Internet Service Providers to publicly report on the performance of the broadband network services that they offer. It also requires the Canadian Radio-Television and Telecommunications Commission to hold public hearings to inform decisions on how Canadian carriers should fulfill this obligation.
Status of the Bill: At second reading in the Senate.
Online Article on Bill C-288 — Link
Open Media on Bill C-288 — Link
Copyright Act
Bill C-244, An Act to amend the Copyright Act (diagnose, maintain, and repair).
Bill C-244 aims to modify section 41 of the Copyright Act, granting permission for the diagnosis, maintenance, and repair of products protected by TPM (Technological Protection Measures). Under the current provisions of the Copyright Act in Canada, consumers are prohibited from repairing their own devices without authorization from manufacturers. This restriction allows manufacturers to employ various digital software locks and other restrictive measures that prevent consumers from accessing essential components for diagnosing and repairing their devices or seeking assistance from third-party repair services. The proposed changes outlined in Bill C-244 aim to guarantee that all Canadians have complete ownership rights over their devices, including the ability to independently repair them at an affordable cost. These changes would not only reduce electronic waste but also promote consumer rights and empowerment.
Status of the Bill: At third reading in the House of Commons.
Bill C-244 — Link
Open Media” Comment about Bill C-244- Link
Western News article about Bill C-244- Link
Bill C-294, An Act to amend the Copyright Act (interoperability)
Bill C-294 aims to amend the Copyright Act to allow a person, in certain circumstances, to circumvent a technological protection measure to make a computer program or a device in which it is embedded interoperable with any other computer program, device, or component. While Bill C-294 has a different focus from Bill C-244, both share a common objective of enabling consumers to have more control and choice related to the technology they purchase.
Status of the Bill: At second reading in the Senate.
Steinbach Article on Bill C-294- Link
Western Article on Bill C-294 — Link
Income Tax Act
Bill C- 47 Reporting Platform Operators Part XX of the Income Tax Act (the ITA)
Under the new Reporting Platform Operators Part XX of Section 282, Subsection 1 of the Income Tax Act, also known as the “ITA”, Bill C- 47 aims to address concerns among tax authorities that digital platforms and sellers on those platforms who work in the gig economy are miscalculating tax obligations. Specifically, they seek information from certain platform operators for the purpose of determining the jurisdiction of residence of sellers on their platforms and to report information related to these sellers and their activities. Amendments apply to platform operators that contract with sellers to provide services, such as property rentals, personal services, transportation, and goods include platforms, and are either: 1) based in Canada; 2) based in a partner jurisdiction while facilitating activities by sellers in Canada, or; 3) not based in Canada or a partner jurisdiction while facilitating activities by sellers in Canada.
Status of the Bill: This bill received royal assent on June 22, 2023, and most provisions are expected to come into force in December 2023 and January 2024.
Provincial Bills
Legislative Assembly of Alberta
Bill 203 (2022) — Technology Innovation and Alberta Venture Fund Act
Bill 203’s objective is to invest in the expansion of Alberta’s tech and AI sectors, specifically focusing on supporting early-stage companies and start-ups. By investing in this fund, Albertans would have the opportunity to generate returns while contributing to economic growth, diversification, job creation, and the long-term economic prosperity of the province.
Legislative Assembly of British Columbia
Bill 12 (2023) — Intimate Images Protection Act
The purpose of Bill 12 is to address privacy concerns and to safeguard individuals from the non-consensual sharing of intimate images. The bill addresses the distribution of intimate images without consent or threats of distribution, by defining them as unlawful acts.
Bill M 204 (2023) — Freedom Of Information And Protection Of Privacy Amendment Act
Bill M 204 removes the discretion that the head of a public body has to demand a prescribed application fee from an applicant during the processing of formal Freedom of Information (FOI) requests. Instead, it offers clear guidance on evaluating and potentially waiving such fees.
Legislative Assembly of Manitoba
Bill 234 (2021) — The Consumer Protection Amendment Act (Right To Repair)
Bill 234 seeks to mandate manufacturers to provide consumers and repair businesses with affordable access to necessary maintenance and repair items for electronic products, and if they fail to do so, they must offer free replacements or refunds upon request by the purchaser.
Legislative Assembly of Newfoundland and Labrador
Bill 22 (2023) — An Act To Amend The Management Of Information Act And The House Of Assembly Accountability, Integrity, and Administration Act
Bill 22 requires that record and information management systems developed under the Act follow the Chief Information Officer’s (CIO) directive for creating records of decisions, with public bodies reporting annually to the CIO and the CIO submitting a report on these records to the Minister.
Legislative Assembly of Nova Scotia
Bill 146 (2022) — Freedom of Information and Protection of Privacy Act
Bill 146 aims to limit the fees under the Act to a $5.00 application fee. Section 11(1) of the previous provisions of the Act states that “An applicant who makes a request pursuant to Section 6 shall pay to the public body the application fee prescribed by the regulations” which puts a sort of discretion on the authority to prescribe the fee required. However, the new provisions were enacted to put a cap and a specific amount of $5.00 on the application fee required to obtain access to a record.
Bill 139 (2022) — An Act to Enhance Privacy and Access to Information
Bill 139 aims to allow public bodies and municipalities to share personal information to verify accuracy in the event of a privacy breach, conduct privacy impact assessments for new projects, notify individuals about privacy breaches, and empower a review officer to compel witnesses and access records for reviews.
Legislative Assembly of Ontario
Bill 126 (2023) — Ban iGaming Advertising Act
Bill 126 aims to make it illegal to advertise online gambling sites. People and organizations breaking this law can be charged and could face fines ranging from $25,000 to $1,000,000.
Bill 88 (2022) — Digital Platform Workers’ Rights Act
Bill 88 aims to protect the rights of gig workers for such services as ride-sharing, delivery, and courier services, through digital platforms such as Uber, Amazon, and Doordash. This Act comes in response to efforts by digital platforms to limit workers’ rights. In Uber vs. Heller, the Supreme Court of Canada ruled that it was unconscionable for Uber to force gig workers to resolve disputes and complaints through arbitration via courts in the Netherlands. The Act also addresses issues regarding the platforms’ withholding of tips from drivers, such as with Uber Eats and Doordash. Additionally, the bill seeks to address concerns about the extent to which employees can be monitored.
Legislative Assembly of Prince Edward Island
Bill 78 (2022) — An Act to Amend the Health Information Act
Bill 78, among other things, aims to refine the definition of “custodian” under the Act, by distinguishing between health care providers as custodians and as agents or employees of a custodian, while removing information managers from the custodian category as they act on behalf of a custodian under the Act. Additionally, the amendment eliminates the need for notifying an individual when a custodian collects personal information about them from a third party, as authorized in section 18.
National Assembly of Quebec
Bill 195 (2023) — An Act to amend the Consumer Protection Act to fight planned obsolescence and assert the right to repair goods
Bill 195 mandates that replacement components, tools, and repair services necessary for maintaining or fixing a product covered by a contract must be reasonably priced and made available under reasonable terms for the entire duration the product remains on the market. Alternatively, this availability should persist for a practical period following the contract’s initiation, depending on which option better serves the interests of the consumer.
Bill 29 (2023) — An Act to protect consumers from planned obsolescence and to promote the durability, repairability, and maintenance of goods
Bill 29 aims to stop the ‘planned obsolescence’ of consumer products such as mobile phones and computers which occurs when a product is subject to “techniques aimed at reducing its normal operating life”. This Bill would require that companies that make and sell technology products create durable products that can be fixed. Companies and leaders who fail to follow these rules, including by intentionally shortening product lifespans could be subject to fines.
Analysis & Conclusion
Part 4 documents proposed technology legislation at the federal and provincial levels in Canada. Major federal bills, like Bill C-27, have sparked debates about the goals and tools of technology legislation in Parliament and beyond. What remains beyond any doubt is that the technology regulation landscape will look very different in a couple of years.
Canada’s slew of bills has not appeared in a vacuum; rather, the proposals should be seen as responses to the state of technology regulation in the United States and the European Union. The US, where a large portion of the innovation related to the Internet, technology, and digital platforms has taken place for the past thirty years, is known for its permissive laws that do not constrain technology companies in meaningful ways. As harms and risks associated with emerging technologies have become increasingly apparent, this permissive approach has drawn criticism from researchers, journalists, civil society, parents, and concerned politicians in the US, Canada, and far beyond. The US context has the potential to change, as federal legislators scramble to direct the development of AI and curb anti-competitive behavior by tech giants. Yet, as of August 2023, very few legislative bills at the federal level in the US, aimed at reining in the excesses of technology have advanced. Instead, non-binding and unmonitored promises of self-constraint by businesses have remained the primary form of regulation. More progress can be seen at the state level in certain parts of the country.
Meanwhile, the EU has presented an altogether different model of technology regulation. The General Data Protection Regulation (GDPR), which has been in effect since 2018, was the first major piece of legislation aimed at protecting the safety and privacy of EU citizens. Since then, the EU has passed the Digital Services Act (DSA) and the Digital Markets Act (DMA) and is on the way to voting on the AI Act. EU legislation intentionally generates impacts above and beyond its borders because non-EU companies doing business in the EU and/ or with EU citizens have to abide by the same set of rules as European ones. In fact, the implementation of the GDPR means that American companies have already and are very likely to continue to face hefty penalties for violations of European law.
In several ways, legislation in Canada has followed global trends. PIPEDA was modified in response to GDPR, and Canada’s Online News Act follows similar Australian legislation. Canadian legal philosophy guiding responses to issues like privacy violations or hate speech is more aligned with the EU than the United States. In many other ways, however, Canada occupies a unique place. It is economically more integrated with the United States, even though the Canadian market is smaller than its European counterpart. Canadian lawmakers largely do not share the same permissive ethos of American technology legislation; thus, in Canada, the willingness to regulate technology through legislation is comparatively stronger. Yet Canadian lawmakers have also been slower to propose legislation than their European colleagues. Furthermore, the federal system enables legislative change at multiple levels; therefore, novel laws at the federal and provincial levels have been passed.
In this context, key questions remain for Canada related to developing processes for modifying, voting on, and implementing bills that will affect legislative impact and outcomes:
What approach will Canada take to uphold new and existing technology legislation? Will legislation follow the EU’s path focused on US technology giants (the fallout from the Online News Act suggests this may be unavoidable), or will it instead focus on regulating Canadian technology businesses? What impact will these choices have on Canadian consumers and businesses?
Can and should Canadian law and policy be shaped in a way to influence other countries in advancing responsible tech policy, including the US?
Can current and prospective legislative proposals address the asymmetry of power between US technology giants on one hand and Canada’s technology sector and consumers on the other?
How will proposed bills affect small and medium-sized companies in comparison to large ones? Will bills take differentiated approaches to the obligations and burdens based on size, risk, and other relevant factors?
How can Canada build governance frameworks and mechanisms that are nimble enough to respond to evolving technology innovation, responsive to emerging harms and human rights matters, and robust enough to prevent politicization?
How will political shifts related to election cycles affect technology law and policy in the coming years?
And finally, how will Canada work to effectively implement and enforce new laws to protect Canadians and hold companies to account for violations?
Version 1.0 - August 2023
Legal Contributors: Barakat Abdulmumini, Femi Gbolahan & Onur Bakiner Editors: Onur Bakiner and Renee Black