Digital Policy Issues Face Uncertain Future After Prorogation of Parliament

On January 6, 2025, the federal parliamentary session ended when the Governor General of Canada accepted Prime Minister Justin Trudeau’s request to prorogue Parliament until March 24, 2025.

Prorogation means that all bills being considered by Parliament “die” on the Order Paper, and all legislative committees are dissolved. To become law, these bills must be reintroduced and restart the legislative process, which comprises three readings before each of the House of Commons and the Senate.

A number of bills impacting cybersecurity, privacy, artificial intelligence (AI) and financial services are now considered dead, with no suggestion that they will be quickly reintroduced once Parliament returns — especially given an anticipated election this year.

However, when parliamentary business returns, regardless of the party in power, these issues may be priorities and businesses should be prepared to consult and engage with the government on key digital policy issues and comment on future proposed legislation.

Bill C-26, Cybersecurity Regulation under the Critical Cyber Systems Protection Act  

Bill C-26 would have enacted the Critical Cyber Systems Protection Act (CCSPA) and amended other laws, including the Telecommunications Act. The bill imposed comprehensive cybersecurity-related obligations on private-sector entities in four federally regulated sectors: telecommunications, finance, energy and transportation. Companies in these sectors would have been required to implement a cybersecurity risk mitigation program, put in place measures to mitigate third-party cybersecurity risks, report cybersecurity incidents to the Canadian Communications Security Establishment and their industry regulator, and comply with directions from the federal cabinet to protect critical systems.

The CCSPA sought to align Canada more closely with other jurisdictions by establishing a federal cybersecurity regime and imposing minimum safeguards for critical infrastructure. The death of this bill means that cybersecurity preparedness and breach reporting will continue to be governed by a patchwork of rules governing specific industries or areas of law.

Bill C-27: Consumer Privacy Protection Act and the Artificial Intelligence and Data Act

Bill C-27 would have put in place a new federal privacy regime under the Consumer Privacy Protection Act (CPPA) and enacted the Artificial Intelligence and Data Act (AIDA). The AIDA imposed compliance, monitoring and record-keeping measures on entities that develop AI internally or that use AI systems created by third parties in the course of business.

With respect to privacy, Bill C-27 would have repealed the Personal Information Protection and Electronic Documents Act (PIPEDA), the existing privacy statute, and replaced it with the CPPA. The bill would have also enacted the Personal Information and Data Protection Tribunal Act (PIDPTA), which would have established an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and imposed monetary penalties for contravention of certain provisions.

Bill C-27 updated Canada’s federal privacy regime, which has not undergone substantial amendment in nearly a decade. It also provided the Privacy Commissioner of Canada with enforcement tools comparable to other Canadian regulators. The AIDA would have been the first step in establishing a comprehensive regulatory scheme for AI and reflected internal trends in moving to regulating AI. However, the proposed Act was criticized for its broad scope, reliance on future regulation for substantive details and lack of consultation. The government will eventually have to contend with the right balance of regulation for AI as it rapidly develops and becomes more prominent in Canada’s economy.

Bill C-63: Online Content Moderation on Social Media Platforms under the Online Harms Act

Bill C-63 proposed a prescriptive content moderation regime through the Online Harms Act (OHA), which was aimed at mitigating the risks to Canadians posed by harmful content online generally and protecting children particularly. Social media platforms operating in Canada would have been required to implement tools to detect harmful content, develop a digital safety plan and remove some types of harmful content. The OHA also set up a new online harms regulator, the Digital Safety Commission of Canada, with broad search and seizure powers and the ability to levy fines of up to 6% of an entity’s global revenues for non-compliance.

Despite public engagement and extended consultation, the OHA attracted controversy for its potential impacts on free speech and the establishment of a new regulator. Although this bill was the government’s proposed approach for regulating online harms, opposition parties also advanced private members’ bills to respond to calls for regulation related to harmful content, hate speech and intimate images distributed without consent. Whether a subsequent Parliament proposes measures to respond to minor safety concerns online will be a key issue to track.

Bill C-65: Amending the Canada Elections Act

Bill C-65 would have enacted measures to protect against foreign interference in Canada’s federal elections through further limitations on third-party financing and by expanding the definition of “foreign entities” that are subject to restrictions on their ability to exert influence. The bill also prescribes further safeguards to protect personal information gathered by political parties and eligible parties, such as reporting data breaches that may cause significant harm, implementing security measures for personal information, training staff and prohibiting the sale of personal information.

Bill C-65 had significant implications for foreign entities, third-party financing, political contributions, and partisan and election advertising. The bill endeavoured to adapt Canada’s electoral rules and third-party financing requirements in response to new technologies that may allow for the proliferation of deepfakes impersonating political actors or anonymous contributions. Additionally, the processing of personal information by political parties and eligible parties is not subject to the enhanced safeguards proposed by the bill. The issues addressed by Bill C-65 will continue to impact Canada’s electoral system until addressed by future legislation introduced by Parliament.

Open Banking and Financial Services

In April 2024, the government released Canada’s Consumer-Driven Banking Framework (Framework), which would be implemented through two pieces of legislation: the Consumer-Driven Banking Act (CBD Act) and a subsequent bill that was expected in Fall 2024. The CBD Act became law in June 2024 and established the underlying Framework, the data and entities within scope, penalties for non-compliance and the Financial Consumer Agency of Canada’s supervisory mandate. The government’s Fall Economic Statement of December 2024 sets out next steps, which would have included the second piece of legislation.

As a result of prorogation, the implementation of open banking in Canada is uncertain. While the initial structure of the Framework is set out in the CBD Act, core issues such as standards related to privacy and security of data, accreditation process for participation in the regime, the use of screen scraping, outsourcing to third-party service providers and the delegation of authority to provincial regulators have not been addressed. These remaining gaps create uncertainty regarding potential security, liability and privacy risks to businesses operating in the financial sector.

Conclusion

Given the risk that Parliament will return to addressing regulatory gaps in digital policy, Blakes provides multifaceted expertise in public sector advisory work, technology policy and financial services and can provide strategic advice to businesses seeking to favourably shape policy outcomes and navigate evolving regulations that could impact business operations and innovation.

For further information on the bills and digital policy considerations above, see past Blakes Bulletins, including:

• Canadian Cybersecurity Law Update: Bill C-26 Gains Momentum in the House of Commons
• Canada’s Bill C-63: Online Harms Act Targets Harmful Content on Social Media
• Canada’s New Elections Bill to Limit Third-Party Financing, Advertising and Disinformation
• 2024 Federal Budget: Update on Financial Services Regulatory Policy Changes
• Canadian Privacy Law 2024 Year in Review

Or reach out to any member of our Public Sector Crisis & Compliance, Financial Services or Technology groups.