Canada Introduces Infrastructure and Data Privacy Bills
Bills Address Reporting Timelines, Incident Response, Use of Personal Data
Businesses vital to maintaining daily life in Canada would be obliged to follow cybersecurity directives and report incidents under legislation backed by the government of Prime Minister Justin Trudeau.
The Liberal government also backs new general data protection and privacy legislation that introduces new rules for artificial intelligence.
The back-to-back bills introduced into Parliament underscore how cybersecurity and privacy have graduated from administrative to political issues, with all the attendant procedural hurdles that come bundled into any process led by lawmakers.
To become law, the bills must go through a roughly three-stage process, the first phase of which has been completed with their formal introduction. A date has yet to be set for the second stage, which includes a "second reading" and committee work. The final step includes receiving approval by both the House of Commons and the Senate, after which the bills would receive Royal Assent to come into force.
If passed, the Critical Cyber Systems Protection Act would introduce a new regulatory regime for designated operators in the finance, telecommunications, energy and transportation sectors.
The Digital Charter Implementation Act contains three proposed statutes that together would toughen privacy enforcement in Canada and place safeguards against biased outcomes from AI systems.
Critical Cyber Systems Protection Act
"Cybersecurity is national security," says Minister of Public Safety Marco Mendicino.
The bill, he says, aims to "help both the public and private sectors better protect themselves against cyberattacks."
The bill calls for certain companies within the four priority critical infrastructure sectors of finance, energy, telecommunications and transport to "immediately" report cybersecurity incidents to the national cybersecurity authority. The government could issue binding cybersecurity directives to those companies. Covered companies would be required to submit to regulators their cybersecurity programs, including details of how they manage risk found in the supply chain and associated with the use of third-party products.
The government has in the years since 2018 invested CA$4.8 billion in cybersecurity, and in 2019, it allocated CA$144.9 million to introduce a new critical cyber systems framework to protect critical infrastructure in the finance, telecommunications, energy and transport sectors, Mendicino says in his press statement.
Clear Framework, With Some Misses
The bill sets up a clear legal framework and details expectations for critical infrastructure operators, says Sam Andrey, a director at think tank Cybersecure Policy Exchange at Toronto Metropolitan University.
The act also creates a framework for businesses and government to exchange information on vulnerabilities, risks and incidents, Andrey says, but it does not address some other key aspects of cybersecurity.
The bill should offer "greater clarity" on the transparency and oversight into what he says are "fairly sweeping powers." These powers, he says, could perhaps be monitored by the National Security and Intelligence Review Agency, an independent government watchdog.
It lacks provisions to protect "good faith" researchers. "We would urge the government to consider using this law to require government agencies and critical infrastructure operators to put in place coordinated vulnerability disclosure programs, through which security researchers can disclose vulnerabilities in good faith," Andrey says.
Also, "support, funding and developing new talent" will be critical to the implementation of the measures suggested in the bill, he says. "Further support for small and medium businesses and not-for-profit organizations not captured by this bill are also needed, particularly because cyber incidents' financial, operational and reputational impacts are greater for smaller organizations and those that are in more remote locations," Andrey says.
The Digital Charter Implementation Act 2022
This bill is necessary to ensure Canadians can trust "when and how their information is being used," says Minister of Innovation, Science and Industry François-Philippe Champagne, who introduced the bill along with David Lametti, minister of justice and attorney general of Canada. The bill contains three acts focused on consumer privacy, personal data protection, and the use and protection of data associated with artificial intelligence.
"Today, we introduced a new bill to give people more power over their data. This will protect Canadians' data online, increase protections for children, and will make sure AI is used responsibly. We're ensuring Canada is best in class in the digital world. pic.twitter.com/HcEdmPZpPG"
— François-Philippe Champagne (FPC) (@FP_Champagne), June 16, 2022
The bill aims to "give businesses clear rules to support their efforts to innovate with data and will introduce a new regulatory framework for the responsible development of artificial intelligence systems, while recognizing the need to protect young people and their information," Champagne says.
The Consumer Privacy Protection Act
This section of the Digital Charter grants the Privacy Commissioner of Canada long-sought-after powers to order a company to stop collecting personal data and fine scofflaws up to 5% of gross global revenue or up to CA$25 million, whichever amount is greater. The worst penalties are reserved for corporations that fail to follow an order or commit infractions such as failing to keep records of data breaches. Lesser infractions are subject to less expensive fines that top out at 3% of gross global revenue or CA$10 million.
The private sector would be obligated to implement a privacy management program that includes methods for protecting personal information. Subject to exceptions, companies would need to obtain individual consent before collecting personal data and couldn't condition the provision of a service on the collection of data beyond what's necessary to provide it.
Data collected for one purpose but then used for another would be subject to a requirement to gain new consent from affected individuals.
Data collected for cybersecurity purposes would not be subject to consent requirements, so long as the data collection is reasonable and is not used for the purpose of influencing "behavior or decisions."
The Personal Information and Data Protection Tribunal Act
Given new powers for the Privacy Commissioner of Canada proposed by the bill, this act would establish a tribunal to hear appeals and impose penalties.
The Artificial Intelligence and Data Act
With this legislation, the government responds to concerns that AI systems, for all their seeming objectivity, can produce biased outcomes. Researchers increasingly find examples of automated decision-making, assisted by systems trained on biased data, that produces skewed outcomes against people of color or women.
Under it, organizations with "high impact" systems would need to establish procedures for identifying and mitigating the risks of biased input or harm resulting from their use.
What would constitute a "high impact" system would be the subject of later regulation.
Organizations would have to provide plain-language descriptions of their high-impact systems, including how they're used, the decisions, recommendations or predictions they're used to make as well as what mitigation measures are in place.
The announcement by the Trudeau government of the Digital Charter proposal comes shortly after the retirement of Privacy Commissioner Daniel Therrien, who at a recent privacy-related event characterized the current state of privacy in Canada as "one of uncertainty."
Until Therrien's successor is appointed, Canadian Information Commissioner Caroline Maynard is the interim privacy commissioner, the Office of the Privacy Commissioner of Canada says. Trudeau on June 8 nominated a parliamentary counsel at the House of Commons, Philippe Dufresne, for the position.