OTTAWA — AI Minister Evan Solomon plans to expand the government’s proposed Digital Safety Commission to police the private sector when it comes to data privacy and security in the age of AI.
Solomon tabled Bill C-36 on Monday, which reintroduces some elements of the previous Liberal government’s attempt to modernize Canada’s privacy laws, including an enshrined right to privacy. It also guarantees Canadians the right to have their personal data deleted upon request; provides extra protection for children’s data; and requires companies to be transparent about their use of AI.
Though the government pitched the legislation as part of its AI strategy, the new rules will apply to the entire private sector, including foreign firms that operate in Canada.
The government’s new Digital Safety Commission, which Culture Minister Marc Miller proposed last week to combat online harms, will be responsible for making sure that companies follow the new rules. It’ll have the power to impose penalties of up to $10 million or three per cent of global revenue, whichever is greater, and fines of up to $25 million or five per cent of global revenue.
If the bill is passed, the new rules will be phased in over time as Ottawa establishes the new commission, according to senior government officials who provided a briefing on the condition they not be named. The process is expected to take about 18 months.
More bite: Privacy Commissioner Philippe Dufresne has all but begged the government to give him power to fine companies that violate Canada’s privacy laws. For now, all he can do is refer his findings to Federal Court, which is costly and takes a long time to resolve.
Last year, after a damning investigation that found genetic testing company 23andMe failed to employ even basic privacy protections, Dufresne lamented that there was little he could do to hold the company accountable. His U.K. counterpart, however, hit 23andMe with a fine of $4.2 million.
He has repeated his request for the power to punish companies that break the rules with just about every report he has released since.
The new bill would leave the privacy commissioner in charge of public-sector privacy, but all private-sector data security investigations will be handled by the new commission. The government will appoint a privacy and consumer data commissioner as part of the new regulatory body that will focus specifically on those issues.
The issues of safety and privacy have blended together thanks to another measure of the online safety act, which calls for social media companies to ban children under the age of 16 from their platforms, unless the companies receive an exemption from the commission. That will mean collecting sensitive personal data from users to determine who should be allowed access.
“Any form of collection of Canadians’ personal data will have to adhere to very robust new standards,” Solomon said.
Transparency: The bill is a key element of the government’s AI strategy, and represents one of the safeguards intended to protect Canadians from the negative consequences of the technology.
The bill would make it mandatory for companies to publish their privacy policies. If passed, it will also require firms to be transparent about when they use AI to make consequential decisions, such as calculating credit scores or issuing mortgages. When using algorithms or automated decision-makers, companies will have an obligation to reveal what inputs were used to come to a conclusion.
As for the right to deletion, there will be exemptions for cases where data is needed for fraud prevention, potential litigation or cases where other laws require data to be retained. Companies won’t have to destroy data on request if it would create an adverse risk to the organization that outweighs the potential harm to the individual.
Solomon said the proposed law also takes aim at surveillance pricing. “Your personal information should not be used against you for price gouging,” he said. Surveillance pricing isn’t specifically mentioned in the bill, Solomon said, but he’ll be asking the regulator to draft guidance on the issue once the commission is up and running.
A long-awaited update: Canada’s key private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act, is 26 years old and hasn’t been substantially updated. It was introduced before social media became as ubiquitous and lucrative as it is today.
The previous Liberal government had attempted to update the outdated laws twice before, but the bills never made it through Parliament.
The most recent attempt, known as Bill C-27, was intended to give Canadians more control over their data and to demand greater transparency from companies about what their data is used for.
Update: This story was updated to add details.