Privacy Law Update: Are you ready for privacy law reforms?
January 20, 2021
The wave of cyberattacks brought on by the COVID-19 pandemic has underscored the importance of data security like never before. Nations around the world, Canada included, are under significant pressure to match the standards of privacy protection set by the EU’s GDPR.
In a major overhaul of Canada’s privacy landscape, the federal government has proposed Bill C-11, or the Digital Charter Implementation Act, 2020 (the Digital Charter or simply, the DCIA) to strengthen user rights in today’s increasingly digital world. With greater regulatory scrutiny and stricter sanctions for non-compliance, the DCIA will completely change the way organizations collect and process data and respond to cyber events.
What will the new laws look like? And how should organizations prepare? Read on to learn more about the DCIA and what the impending privacy reforms mean for your business.
Disclaimer: The information presented herein is general in nature and provided for educational purposes only. It is not exhaustive nor is it a substitute for legal or insurance advice.
What privacy laws are in place now?
Currently, consumer data is protected under a federal law known as the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities. PIPEDA’s mandate also includes key rules for breach notification, record-keeping, and risk assessment.
Compliance with PIPEDA is overseen by a federal regulator known as the Office of the Privacy Commissioner of Canada (OPC). The OPC takes an ombudsman approach to PIPEDA, in that it investigates and handles data security complaints, but has no power to order compliance or levy fines.
Additional laws may apply in specific provinces for health and/or employment information. For a full list of Canadian privacy laws, please consult the following resources from the OPC:
What is the Digital Charter Implementation Act, 2020?
Introduced on November 17, 2020, Bill C-11, or the DCIA, is the first step towards a complete and comprehensive reform of Canada’s private sector privacy legislation. This is a significant change; Canadian privacy laws haven’t been updated since PIPEDA came into force nearly 20 years ago, well before the age of social media, the Internet of Things (IoT), and e-commerce dominance.
The DCIA is intended to keep up with global standards of privacy protection, the growing impact of artificial intelligence, and rising demands for the ethical use of personal data. The proposal would establish a modernized, responsive, and clear framework that reflects the world we live in today, even as technology evolves. In its current form, the DCIA appears to borrow key concepts from the GDPR (like the rights to disposal and mobility) giving Canadians more control, transparency, and input into how their data is used.
To learn more about the European Union’s General Data Protection Regulation (GDPR) and its impact on Canadian businesses, read: Heads Up! Coming soon to a country near you: data protection regulation with TEETH.
What changes are in store under the DCIA?
As currently proposed, some of the most notable changes include the following:
NEW ENFORCEMENT TOOLS
The DCIA consists of two parts. Part I would effectively replace PIPEDA with a new federal statute known as the Consumer Privacy Protection Act (CPPA) to govern the collection, use, and disclosure of personal information in commercial activities. The CPPA would apply to all federally-regulated and private sector firms in provinces and territories that don’t have their own privacy law (all provinces and territories except Alberta, British Columbia, and Quebec). However, part of PIPEDA will still be preserved and rehoused in the newly created Electronic Documents Act.
Part II of the DCIA would enact the Personal Information and Data Protection Tribunal Act (PIDPTA, or the Tribunal Act) and institute the Personal Information and Data Protection Tribunal. The Tribunal would be made up of 3-6 members appointed by the Governor in Council and granted the ability to impose penalties (recommended by the OPC) and to hear appeals of decisions made by the OPC. For example, individuals whose data was breached will have the right to go before the Tribunal and request damages.
Increased OPC Oversight
At present, the OPC must take non-compliant organizations to federal court to ensure enforcement. If passed, the CPPA will provide the Privacy Commissioner with broader order-making powers, including the ability to: issue binding orders; force organizations to stop collecting or using personal data; conduct audits of internal corporate systems on-demand; and recommend higher monetary penalties to the Tribunal.
Failure to comply with breach reporting requirements or orders made by the OPC could leave organizations liable for administrative monetary fines up to $10 million or 3% of the organization’s annual gross revenue (whichever is greater). The most egregious offences are subject to a maximum fine of up to $25 million or 5% of global revenue, the strongest penalties among any G7 nation. In comparison, fines under PIPEDA sit at a maximum of $100,000 for organizations.
All organizations must create and maintain a privacy management system that explicitly defines policies and procedures for collecting, protecting, and disposing of personal information in compliance with the CPPA. Organizations must also provide the OPC with access to these policies and procedures upon request.
For better transparency, organizations must provide documents in clear, plain language that explain: how information is collected, processed, and used; any reasonably foreseeable consequences; and any third parties to whom the information may be disclosed. This will enable individuals to make informed, meaningful decisions about the use of their personal data.
Under the CPPA, businesses must be more transparent about how they use automated decision-making systems, like algorithms and artificial intelligence, to make predictions, recommendations, or decisions about individuals. Individuals also have the right to request an explanation about how a prediction, recommendation, or decision was made by these systems and how their personal information was used to that effect.
Right to Data Portability
The CPPA will give individuals the freedom to direct the transfer of their personal information between organizations in a secure manner. For example, individuals could request their bank to share their data with another financial institution or telecommunications company.
Right to Disposal
Individuals would have the right to request disposal of any personal information that is retained by an organization or transferred to service providers. If their request is not fulfilled, consumers may complain to the OPC. Additionally, individuals are permitted to withdraw consent for the use of their information at any time.
For more information on the DCIA, please consult the following federal resources:
How will the DCIA affect other provincial privacy laws?
For now, we cannot be certain how these changes will affect other provincial privacy, healthcare, and employment legislation, especially since PIPEDA only applies in jurisdictions that do not have a “substantially similar” law in force. Nonetheless, it’s probable that federal reform will encourage provincial governments to substantially revise their existing privacy laws.
In June 2020, the government of Quebec introduced Bill 64, aimed at making both private and public sector privacy laws more relevant to the modern data protection context. Similarly, Ontario and British Columbia have begun reviews and consultations on their own private sector regulations.
What does the DCIA mean for privacy breach reporting?
Despite these impending reforms, organizations have become increasingly wary of privacy laws. According to the 2019 CIRA Cybersecurity Survey, just under half—an alarming 43%—of respondents were unaware of PIPEDA’s mandatory breach disclosures. In 2020, CIRA revealed that a mere 36% of Canadian organizations notified a regulatory body of a breach and only 31% told law enforcement.
Even before the outbreak of coronavirus, research from Risk Based Security found that the number of publicly reported breaches in the first quarter of 2020 decreased by 58% compared to Q1 2019. And yet, the number of exposed records increased 48% during the same period. To put it simply, more records are being exposed, but fewer companies are reporting breaches.
While the implementation of the GDPR and the amendments to PIPEDA in 2019 may have created some fatigue around this issue, the fact remains: restrictions will only get tighter from here on out. And if businesses are already more willing to risk penalties than report security incidents, they’ll be hard-pressed to maintain compliance going forward.
How will the DCIA affect my insurance?
Challenges brought on by the pandemic have elevated cyber risk to levels previously unseen. Privacy breach claims have skyrocketed and insurers are looking to pull back on certain coverages after years of incurring massive cyber losses.
With stricter sanctions introduced by the Digital Charter, the insurance market may not be able to cover the higher penalties, especially for companies that knowingly violate security, breach-reporting, and record-keeping requirements. Insurance carriers will likely be looking to assess each business’s cyber controls, potential fines, and levels of non-compliance before insurance coverage can respond.
To learn more about why insurance companies pull back on coverages, read our report: The Insurance Pendulum: What’s a Hard Market?
What can businesses do?
It’ll be quite some time before the DCIA is enacted, if it passes, or before the nitty-gritty details are even finalized. But the changes will bring added pressure to companies that are faltering in their cybersecurity. Without proper privacy protections, the consequences could be dire. And with little or no insurance coverage, your business may not even recover.
It is time for all organizations to begin preparing. Security and privacy compliance are not, and should not be viewed as, an unnecessary expense. In this day and age, they’re a required cost of doing business. While building an adequate program will take time, organizations must take preventative action now to demonstrate their due diligence to regulators, the courts, and the public.
Not sure where to start? For a list of standard cybersecurity measures, read: COVID-19: How to Keep Employees Cyber-Safe While Working From Home. For more comprehensive guidance, connect with PROLINK. We can share what steps others in your industry are taking and advise you based on your unique operations.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.