Bill C-27 and the protection of children’s privacy

November 23, 2022 | Nadya Tymochenko, Kayla Cockburn

In June 2022, the Minister of Innovation, Science and Industry introduced in the House of Commons Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.

Bill 27 represents the Canadian government’s second attempt to reform federal privacy laws applicable to commercial activities. If passed, it will create three new pieces of federal legislation: the Consumer Privacy Protection Act (CPPA), the Personal Information Protection Tribunal Act (Tribunal Act) and the Artificial Intelligence and Data Act (AI Act). It will also repeal Part 1 of the Personal Information Protection and Electronic Documents Act to remove its privacy protection authority, and change the short title to Electronic Documents Act.

At a recent symposium, Philippe Dufresne, the Privacy Commissioner of Canada, spoke about how Bill C-27 is an important step forward to modernizing Canadian privacy law.[1] He emphasized the fundamental and quasi-constitutional nature of privacy, and reminded his audience that this means we should treat the right to privacy as a priority, as we do other human rights.

The Tribunal Act will establish a Tribunal to hear matters subject to the authority of the CPPA, and the AI Act will regulate international and interprovincial trade and commerce in artificial intelligence systems.

Among its provisions, the CPPA maintains informed consent as the primary authority for organizations to collect personal information.[2] It includes the right to request disposal at an individual’s request[3], and also specifies “exceptions to consent” for the collection, use, or disclosure of personal information for certain business activities and for socially beneficial purposes.[4] The CPPA imposes administrative monetary penalties if an organization is found to have violated provisions under the Act.[5]

Of interest to the education sector is the treatment of personal information belonging to minors as “sensitive information”.[6] This designation of “sensitive” will attract a higher degree of protection of the personal information of minors transferred by a school board to an organization regulated by the CPPA.[7] When entering into an agreement that includes a transfer of personal information belonging to minors, provincially funded school boards will need to ensure by contract and otherwise that the organization receiving the personal information of minors maintains the required level of protection of the sensitive information.[8]

Under section 4(a) of the CPPA, a parent, guardian, or tutor is authorized to provide consent on behalf of a child. Notably, the CPPA does not dictate an age requirement for when a child is capable of consent; rather, the draft legislation provides that a child can exercise control if they want to and when they are “capable of doing so.”[9]

If passed, the CPPA will also mandate that commercial organizations providing services to school boards that involve the personal information of minors undertake physical, organizational and technological security safeguards proportionate to the sensitivity of the information.[10] Since minors’ personal information is explicitly deemed “sensitive information”, this will require compliance with higher standards. The CPPA will impose an obligation on service providers to notify the organization that controls the personal information, such as a school board, in the event of a breach of security safeguards involving personal information.[11]

Should Bill C-27 become law, school boards and other education sector organizations will have to work closely with service providers to ensure that existing agreements are consistent with the CPPA expectations.  To the extent that school boards are entering into such agreements in the near future, they should consider whether to negotiate these protections in advance of Bill 27 becoming law.

We will endeavor to update our readers as to the progress of this legislation. Should you have any questions or concerns, please do not hesitate to contact a member of  Miller Thomson’s Education group.

[1] Philippe Dufresne, Privacy Commissioner of Canada, “A vision for privacy: Rights, trust and public interest”, virtual, (November 4 2022).

[2] Section 15.

[3] Section 55.

[4] Section 18 to 52.

[5] Section 94(1).

[6] Section 2(2).

[7] Office of Privacy Commissioner of Canada, “Announcement – OPC updates guidance regarding sensitive information”, (August 13 2021).

[8] Section 11(2) and 11(2)

[9] Section 4(a).

[10] Section 57(1).

[11] Section 61.

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.

Miller Thomson LLP uses your contact information to send you information electronically on legal topics, seminars, and firm events that may be of interest to you. If you have any questions about our information practices or obligations under Canada’s anti-spam laws, please contact us at [email protected].

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested by contacting [email protected].