How This Proposed Canadian Privacy Law Could Impact Your Business

September 27, 2021

These days, the world runs on data. Your auto mechanic needs to be a computer technician because an embedded Android system runs your car. You’ve probably bought something online this week, but even your brick and mortar store purchases go through the internet. A nation-state cyber attack can make a power plant grind to a halt. Your business has sensitive, proprietary data that needs to remain confidential. And on top of that, if your business’ computer network malfunctions, the lost productivity could cost your business millions of dollars or more.

Data breaches have already done measurable damage to companies in all industries. And consumers and enterprises alike need to know there are legal consequences for not doing what it takes to keep our data safe.

Countries worldwide have struggled to legislate at the speed of technological evolution, and Canada is no exception. 

Data privacy legislation has a direct effect on your business’ bottom line. Not only could your company be harmed in a data breach, but you also should ensure regulatory compliance to prevent fines, excessive litigation costs, or even worse, reputational damage.

There is a major change coming to Canadian data privacy legislation that all companies that operate in Canada should be aware of. Without getting into geek speak, here’s what you need to know.

Canada’s current privacy law: PIPEDA

PIPEDA is Canada’s current data privacy legislation as of December 2020. The Personal Information Protection and Electronic Documents Act became law on April 13th, 2000. Over PIPEDA’s more than twenty-year lifespan, the world has changed a lot. In the year 2000, Facebook had yet to exist. Our briefcases had clunky cellphones that could only make phone calls and send text messages. Your schedule and calendar were on your PDA, which spent long periods of time disconnected from the internet. Even the humble BlackBerry had yet to become popular, to merge the two functions. Amazon existed solely as an ecommerce website, and most of your purchases were still made in physical shops. The internet was certainly there, but it played a much smaller role in our everyday lives. That’s the world in which PIPEDA was designed.

PIPEDA applies to private-sector organizations which operate in Canada. It governs how commercial organizations request and handle personal information from citizens and consumers. Personal information can be anything from ages, names, and ID numbers, to social status and opinions, to credit records, medical records, and employee files. PIPEDA requires that organizations only acquire data from consumers that’s necessary in order to operate business, and it also requires their consent regarding data acquisition. 

But aside from being outdated legislation, PIPEDA has some weaknesses. 

PIPEDA requires data collection consent, but doesn’t mandate that the consent is requested with plain language. Sometimes organizations can request consent with language that’s too esoteric for consumers to properly understand. 

PIPEDA isn’t designed to account for when personal data is transferred from one organization to another. In our new cloud-driven reality, multiple organizations can share the same data on an individual multiple times. For example, many businesses use AWS. Amazon, which owns AWS, has a responsibility to safeguard their infrastructure to prevent data breaches. Some of that data could be shared with Google Analytics for market research purposes. And then it can go through Apple’s servers to reach an individual’s iPhone. You may be just a mortgage broker in Saskatoon, but your clients’ data must run through the networks and software of several different organizations. Who’s responsible when there’s a data breach?

Lastly, PIPEDA has no teeth. The Privacy Commissioner does a great job of suggesting changes and assisting businesses, but has no enforcement powers.

Canada’s new privacy law: Consumer Privacy Protection Act

On November 17th, 2020, Canada’s Minister of Innovation, Science and Industry, Navdeep Bains, proposed the Digital Charter Implementation Act, 2020 in order to establish the Consumer Privacy Protection Act. Upon introducing the legislation in the House of Commons, Bains said:

“The COVID-19 pandemic has accelerated the digital transformation which is changing how Canadians work, access information, access services, and connect with their loved ones. This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement. This legislation represents an important step towards achieving this goal.”

CPPA will likely become law in late 2021. It will change how your company does business.

The most important things your company must know about the CPPA are its harsher fines for noncompliance and that it would establish an entirely new administrative Tribunal empowered to implement penalties (unlike the Privacy Commissioner).

What are the penalties?

Under PIPEDA, the maximum fine per violation is $100,000, but many fines for minor violations are much smaller. Fines under CPPA can be much greater, under most circumstances “the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.” So the kind of violation that could be fined $50,000 under PIPEDA could be fined $10,000,000 under CPPA. Some fines could be much greater than $10,000,000.

Under some circumstances, such as identifying someone using de-identified data (such as a person’s name), or the violation of some of the security breach disclosure rules, fines can be $25,000,000 or 5% of the organization’s gross global revenue, “whichever the higher.”

The CPPA also pertains to Canadian data that’s transferred across borders to computers in other countries.

What are some of the requirements?

The CPPA requires that organizations do the following:

  • Acquire meaningful consent from consumers when their personal information is requested. Plain language must be used in the requests.
  • Individuals would have the right to direct the transfer of their personal information from one organization to another. This transfer could be from one telecommunications provider to another, for example.
  • Individuals would have the right to get a copy of their data, or delete their data across your organization.
  • Unlike PIPEDA, the CPPA allows individuals to request that organizations dispose of their personal information. Under some circumstances, consumers may even withdraw their consent.
  • Computer systems often employ algorithms with personal data in order to make predictions and recommendations. For example, a computer application may recommend the best life insurance based on an individual’s data. Under CPPA, businesses will have to be transparent with consumers about how their algorithms are used.

Canada’s CPPA law versus European GDPR law

The European Union enacted their General Data Privacy Regulation in May 2018. The GDPR not only applies to organizations that operate in European Union countries, but it also applies to data pertaining to EU citizens wherever the data resides, even if it’s on a server in Canada. 

In some ways, the CPPA attempts to follow the GDPR’s lead. The GDPR is truly groundbreaking data privacy legislation. The fact that the GDPR not only applies to organizations within EU countries but also to data on EU citizens that’s stored worldwide makes it unique. The GDPR’s other major breakthroughs are the necessity of requesting and receiving explicit user consent before any data collection occurs, and the much harsher fines for violations. These fines have two tiers as follows:

  • If a company cannot prove they have adequate security, if they don’t have someone responsible for data privacy, or if the data processor agreement wasn’t established, a company can face a fine of €10,000,000 or 2% of a company’s annual turnover, whichever is higher.
  • If the rights of a company’s data subjects have been infringed, if international data transfers are noncompliant, or if the main principles for processing have been breached, a company can face a fine of €20,000,000 or 4% of a company’s annual turnover, whichever is higher.

The CPPA and the GDPR are similar with respect to their much larger fines, often based on a factor of a company’s income. The other major similarities are the need to acquire explicit consent from consumers, the ability for consumers to delete their data (“the right to be forgotten” in Europe), and rules for transferring data between organizations.

Most notably, unlike PIPEDA, the CPPA pertains to Canadian personal data that’s transferred to computers outside of Canada. That moves Canadian data privacy legislation more closely in line with European data privacy legislation.

Conclusion

It would be prudent for your business to investigate whether or not your practices and policies need to change if and when the CPPA becomes law. A little bit of money spent on auditing and automating compliance ahead of time can save your organization from much more expensive fines in the future.

Even more importantly, when consumers can be confident that your organization takes data privacy seriously, they can be more eager to spend money on your products and services. Providing privacy assurances is key to building trust with your customers - a win-win all around!

If you're interested in learning more, or understanding how you can achieve CPPA compliance, schedule a time to chat on Opsware Data's website.

Peter Barbosa
