By Esther Shainblum and Martin U. Wissmath

Federal Government Tables 2 Bills to Enhance Cyber-security and Reform Privacy laws

In recent weeks, the federal government introduced two new pieces of legislation that deal with privacy and cyber security issues.

1. On June 14, 2022, the federal government introduced Bill C-26, An Act Respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, which passed first reading in the House of Commons on the same date. Bill C-26 would enact the Critical Cyber Systems Protection Act (CCSPA), which would require designated operators that operate “vital systems” or “vital services” to establish, maintain and regularly review a cyber security program in respect of their critical cyber systems, identify and manage cyber security risks, protect their critical cyber systems from being compromised and detect and minimize the impact of any cyber security incidents affecting their critical cyber systems (section 9).  Bill C-26 does not pertain directly to the charitable sector, however, as it relates to cyber-security issues of national concern, it is of interest to all Canadians and organizations in Canada.

A “critical cyber system” is defined under section 2 of the CCSPA as a “cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.” Schedule 1 of the CCSPA lists the following six “vital services and vital systems”:

1. Telecommunications services
2. Interprovincial or international pipeline and power line systems
3. Nuclear energy systems
4. Transportation systems that are within the legislative authority of Parliament
5. Banking systems
6. Clearing and settlement systems.

Under section 6(1) the federal government can amend Schedule 1 by adding any service or system within its legislative authority determined to be vital to national security or public safety.

Section 7 of the CCSPA would allow the federal government to designate a “class of operators” that operate a work or carry on an undertaking or business that is within the legislative authority of Parliament – in respect of a vital service or vital system” to be set out in Schedule 2 to CCPSA. There are no designated operators currently listed in Schedule 2.

Under section 8, a designated operator that owns, controls or operates a critical cyber system is required to comply with the requirements of the CCPSA.  These obligations include various record-keeping requirements as well as the obligation to immediately report a cyber security incident to the Communications Security Establishment, and to “the appropriate regulator”. The regulators have various investigative and enforcement powers, including issuing notices of violation and imposing administrative monetary penalties of up to $1 million in the case of an individual or $15 million in any other case. The following six regulators are listed in the CCSPA: the Superintendent of Financial Institutions; the Minister of Industry; the Bank of Canada; the Canadian Nuclear Safety Commission; the Canadian Energy Regulator; and the Minister of Transport.

2. On June 16, 2022 the Minister of Innovation, Science and Industry introduced Bill C-27, the Digital Charter Implementation Act, 2022 , which passed first reading in the House of Commons on that date. Bill C-27 is fundamentally similar to Bill C-11, the Digital Charter Implementation Act, 2020, which was introduced on November 17, 2020 but died on the order paper with the 2021 federal election. Like Bill C-11, Bill-C27 is designed to update Canada’s federal private sector privacy legislation, but contains certain new aspects that were not included in Bill-C11. Like Bill C-11, Bill C-27 would enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA), both of which are very similar to what was introduced under Bill C-11.  However, Bill C-27 would also enact the new Artificial Intelligence and Data Act (AIDA), introducing new rules to regulate the development and deployment of artificial intelligence systems (“AI”).  There are some new aspects to the CPPA, including new provisions relating to personal information of minors, expanded powers of the Office of the Privacy Commissioner and a new “legitimate interest” exception to the requirement for consent to the collection, use and disclosure of personal information.

In terms of its application to charities and not for profits, section 6(1) of the CPPA provides that it applies to organizations in respect of personal information that they collect, use or disclose in the course of “commercial activities”. “Commercial activities” is defined in section 2(1) as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists” (emphasis added).  This definition is different from the definition in Bill C-11, which, among other differences, did not include the reference to the sale, barter or lease of membership and fundraising lists.  Therefore, unlike Bill C-11, Bill C-27 does appear to apply to charities and not-for-profits to the extent that they engage in the sale, barter or lease of membership and fundraising lists. However, on balance, the bulk of the CPPA would appear to not apply to charities and not-for-profits, whose activities are not typically of a commercial character.

This situation is similar to that under the current Personal Information Protection and Electronic Documents Act (“PIPEDA”), which also applies to organizations that are engaged in commercial activities. However, under PIPEDA, in situations in which they are not subject to the legislation itself, charities and not for profits are able to refer to the ten fair information principles listed in Schedule 1 to PIPEDA as best practices and guidelines for them to follow in handling personal information. 

The CPPA would repeal much of PIPEDA, including Schedule 1 and its ten fair information principles, leaving charities and not-for-profits without a framework for their handling of personal information.

We will provide further updates as Bill C-27 makes it way through the legislative process.

​Read the June 2022 Charity & NFP Law Update