In a major overhaul of Canada’s privacy landscape, the federal government has proposed Bill C-11, or the Digital Charter Implementation Act, 2020 (the Digital Charter or simply, the DCIA) to strengthen user rights in today’s increasingly digital world. With greater regulatory scrutiny and stricter sanctions for non-compliance, the DCIA will completely change the way organizations collect and process data and respond to cyber events.

What will the new laws look like? And how should organizations prepare? Read on to learn more about the DCIA and what the impending privacy reforms mean for your business.

Disclaimer: The information presented herein is general in nature and provided for educational purposes only. It is not exhaustive nor is it a substitute for legal or insurance advice.

What privacy laws are in place now?

Currently, consumer data is protected under a federal law known as the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities. PIPEDA’s mandate also includes key rules for breach notification, record-keeping, and risk assessment.

Compliance with PIPEDA is overseen by a federal regulator known as the Office of the Privacy Commissioner of Canada (OPC). The OPC takes an ombudsman approach to PIPEDA, in that it investigates and handles data security complaints, but has no power to order compliance or levy fines.

Additional laws may apply in specific provinces for health and/or employment information. For a full list of Canadian privacy laws, please consult the following resources from the OPC:

• Summary of privacy laws in Canada
• Provincial and territorial privacy laws and oversight
• Provincial laws that may apply instead of PIPEDA

What is the Digital Charter Implementation Act, 2020?

Introduced on November 17, 2020, Bill C-11, or the DCIA, is the first step towards a complete and comprehensive reform of Canada’s private sector privacy legislation. This is a significant change; Canadian privacy laws haven’t been updated since PIPEDA came into force nearly 20 years ago, well before the age of social media, the Internet of Things (IoT), and e-commerce dominance.

The DCIA is intended to keep up with global standards of privacy protection, the growing impact of artificial intelligence, and rising demands for the ethical use of personal data. The proposal would establish a modernized, responsive, and clear framework that reflects the world we live in today, even as technology evolves. In its current form, the DCIA appears to borrow key concepts from the GDPR (like the rights to disposal and mobility) giving Canadians more control, transparency, and input into how their data is used.

To learn more about the European Union’s General Data Protection Regulation (GDPR) and its impact on Canadian businesses, read: Heads Up! Coming soon to a country near you: data protection regulation with TEETH.

What changes are in store under the DCIA?

As currently proposed, some of the most notable changes include the following:

How will the DCIA affect other provincial privacy laws?

For now, we cannot be certain how these changes will affect other provincial privacy, healthcare, and employment legislation, especially since PIPEDA only applies in jurisdictions that do not have a “substantially similar” law in force. Nonetheless, it’s probable that federal reform will encourage provincial governments to substantially revise their existing privacy laws.

In June 2020, the government of Quebec introduced Bill 64, aimed at making both private and public sector privacy laws more relevant to the modern data protection context. Similarly, Ontario and British Columbia have begun reviews and consultations on their own private sector regulations.

What does the DCIA mean for privacy breach reporting?

Despite these impending reforms, organizations have become increasingly wary of privacy laws. According to the 2019 CIRA Cybersecurity Survey, just under half—an alarming 43%—of respondents were unaware of PIPEDA’s mandatory breach disclosures. In 2020, CIRA revealed that a mere 36% of Canadian organizations notified a regulatory body of a breach and only 31% told law enforcement.

Even before the outbreak of coronavirus, research from Risk Based Security found that the number of publicly reported breached in the first quarter of 2020 decreased by 58% compared to Q1 2019. And yet, the number of exposed records increased 48% during the same period of time. To put it simply, more records are being exposed, but fewer companies are reporting breaches.

While the implementation of the GDPR and the amendments to PIPEDA in 2019 may have created some fatigue around this issue, the fact remains: restrictions will only get tighter from here on out. And if businesses are already more willing to risk penalties than report security incidents, they’ll be hard-pressed to maintain compliance going forward.

How will the DCIA affect my insurance?

Challenges brought on by the pandemic have elevated cyber risk to levels previously unseen. Privacy breach claims have skyrocketed and insurers are looking to pull back on certain coverages after years of incurring massive cyber losses.

With stricter sanctions introduced by the Digital Charter, the insurance market may not be able to cover the higher penalties, more so for companies that knowingly violate breach security, reporting, and record-keeping requirements. Insurance carriers will likely be looking to assess each business’s cyber controls, potential fines, and levels of non-compliance before insurance coverage can respond.

To learn more about why insurance companies pull back on coverages, read our report: The Insurance Pendulum: What’s a Hard Market?

What can businesses do?

It’ll be quite some time before the DCIA is enacted, if it passes, or before the nitty gritty details are even finalized. But the changes will bring added pressure to companies that are faltering in their cybersecurity. Without proper privacy protections, the consequences could be dire. And with little or no insurance coverage, your business may not even recover.

It is time for all organizations to begin preparing. Security—and privacy compliance—are not and should not be viewed as an unnecessary expense. In this day and age, they’re a required cost of doing business. While building an adequate program will take time, organizations must take preventative action now to demonstrate their due diligence to regulators, the courts, and the public.

Not sure where to start? For a list of standard cybersecurity measures, read: COVID-19: How to Keep Employees Cyber-Safe While Working From Home. For more comprehensive guidance, connect with PROLINK. We can share what steps others in your industry are taking and advise you based on your unique operations.