In November, the federal government tabled privacy legislation that would impose heavier fines on businesses for breaching individuals’ digital privacy rights and give individuals greater control over their personal information.
The Digital Charter Implementation Act proposes the most significant changes to privacy legislation in a decade. If passed, it would enact two new statutes, the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, and amend several other acts.
The proposed legislation is part of a trend toward overhauling privacy legislation. Bill C-11, the federal legislation, was introduced four months after Quebec “introduced just as dramatic if not more dramatic amendments [in Bill 64] to the Quebec privacy legislation that’s been in place since 1993,” says Charles Morgan, national co-leader of McCarthy Tétrault LLP’s Cyber Data Group, from the firm’s Montreal office.
And although the proposed changes are described as “momentous” for business — with some anticipating pushback due to potential fines in the millions or billions of dollars for data breaches — the modernization is “sorely needed,” says Daniel Fabiano, a partner at Fasken Martineau DuMoulin LLP in Toronto.
“Quebec privacy law is a creature of the 1990s; it does not speak in the language of today’s economy. PIPEDA [the federal Personal Information Protection and Electronic Documents Act] is a creature of 2000, and the British Columbia and Alberta equivalents to PIPEDA came into force a few years after that. So, we’re overdue for some reform and some modernization,” he says.
Quebec had the first privacy laws affecting the private sector in North America, says Morgan. Now, British Columbia is also looking at amending its privacy laws; Ontario updated its Personal Health Information Protection Act in March to implement tougher enforcement measures, and, in October, it completed a public consultation in preparation for further strengthening its privacy protection laws.
The proposed federal legislation represents “a massive change” in monetary sanctions for data breaches that are in line with the European Union’s General Data Protection Regulation implemented in May 2018, says Morgan. “We’ve never ever seen anything like [this] in Canada up until now.”
The corporate fines that would be imposed for the most serious infractions of digital privacy are significant: five per cent of an organization’s gross global revenue in its financial year before the one in which the organization is sentenced, or $25 million, whichever figure is higher. In announcing the legislation, then minister of Innovation, Science and Industry Navdeep Bains said these fines would be the highest among G7 countries.
Quebec’s Bill 64 would impose even harsher monetary sanctions: up to eight per cent of worldwide revenues for repeat offenders, says Daniel Glover, Morgan’s colleague and national co-leader of McCarthy’s cyber-data group, from his Toronto office.
“These are fines that are not just going to be in the millions but in the billions of dollars,” Glover says, and not all of these fines are attaching to criminal regimes. “Some of them are supported by fairly thin procedural protections for what are potentially immense penalties. . . .
“The new legislation is momentous, and it’s happening not only federally but in Quebec, Ontario, B.C. I think there’s a prospect for a lot of litigation coming out of this, frankly, if the bills remain in their present form, because the stakes are going to be very, very high. Penalties have been mostly focused on parties that don’t co-operate . . . as opposed to penalties for violation of a substantive provision of the act.”
New legislation contemplates changes to cross-border transfers of information, particularly in Quebec, Glover says. The first reading of Bill 64 looks to “equivalence,” meaning that information can’t be transferred from Quebec to Ontario unless Ontario’s law is deemed equivalent to Quebec law; the same would apply to any other jurisdiction to which information is transferred out of Quebec, a particularly onerous diligence exercise for a small company.
And businesses will be assessing, Glover says, “am I willing to offer business in a jurisdiction that carries a four- or eight-per-cent of revenue fine for data breaches?”
“Canadian jurisdictions have to consider the potential chill that might be created if the penalty is so high that companies that could do business in those jurisdictions [do so]: Is it worth it? Because we’re going from a regime in which there are very few penalties . . . to ones that are stronger even than [the] European Union,” he says. “There is a question as to whether the market size of Canada is significant enough for those businesses to be comfortable in continuing to offer business into Canada.”
Data protection and cybercrime
In recent years, data breaches and hacks have become far more common and COVID-19 has only exacerbated the problem, say the privacy and data protection lawyers, as hackers exploit vulnerabilities of a new remote, work-from-home environment.
“It’s amazing the sophistication resulting from COVID,” says Fabiano. Individuals are anxious and stressed and the ground has shifted. “That’s fertile ground for someone to exploit.” And although employee training in avoiding fraud is vital, even well-trained senior IT professionals can be duped by some of these hackers, he says.
Unusual network activity is harder for company IT staff to spot because employees are working at different times, says Glover. “If you’re looking at network traffic, there are no normal patterns of behaviour.”
For smaller companies, the cost of these attacks is proportionately very high, says Fabiano’s colleague Kateri-Anne Grenier, a partner at Fasken in Quebec City. The loss of business, reputation and providing compensatory credit monitoring to perhaps 100,000 people can be pricey, she notes, and today even smaller companies are purchasing cyber-insurance.
The cost of data breaches
Under Quebec’s proposed Bill 64, administrative sanctions for breaches would be up to $10 million or two per cent of global revenues, whichever is higher, and penal sanctions of up to $25 million or four per cent of worldwide turnover.
In addition, says Grenier, companies will have to comply with data breach notification requirements.
“Given the quantity of breaches we see nowadays, that [proposed legislation brings] enhanced security obligations and [for] retaining data: having a structure, being disciplined with what information is collected, what is kept and when is it necessary to delete personal information.”
Companies open themselves up to great risk by keeping personal customer information longer than they need it, or by keeping information that is not necessary to their operations, Grenier says.
The manner of hacking into corporate accounts has also grown more vicious, she adds. While several years ago one might see criminals hacking into a site and holding the data ransom by encrypting it, now they will steal the information and sell it first — or at least will threaten to do so on the dark web or an auction site. Worse, companies are faced with sanctions if they are found to be at fault in the breach.
Companies must ensure that their privacy policies are worth the paper they’re written on — or the websites they’re displayed on.
“Sometimes, there’s a gap between theory and practice,” says Grenier. This must be addressed through vigilant employee training, regularly updating security policies and understanding and honouring regulatory compliance obligations.
“You really do have to live privacy throughout your operations on a day-to-day basis,” Fabiano adds. “So, if you haven’t trained your people on privacy matters and in a way that’s relevant to their day-to-day duties, you’re just asking for trouble . . . breaches or lapses that could be real headaches in the future.”
Enhanced consent regime
Under the proposed legislation, clearer consent would be required from customers, and companies would have greater obligations around secondary uses of information, such as building customer profiles after an account has been opened. Companies would be required to disclose what they do with all the information they collect.
There is also a global trend toward enhancing data subject rights, which Bill C-11 supports, says Laila Paszti, of counsel at Norton Rose Fulbright LLP’s Montreal office. Individuals would be able to require a company to delete the personal information it holds about them, a right also known as “the right to be forgotten.”
“But how will a company determine if the individual making the request is really that person?” asks Paszti.
The new consent regime in Bill C-11 also sets out several exceptions to consent, she says. A company doesn’t have to seek consent when it transfers an individual’s personal information to a service provider; however, the legislation does require a company “to really scrutinize the way in which it’s gaining consent,” and, when drafting privacy policies, it may prove difficult for companies to determine all the circumstances under which they would need to get that consent, Paszti says.
“Part of the impetus for this legislation is for Canadian companies to compete in an increasingly global world,” she adds. Although the proposed legislation is a boon to privacy protection, “at the same time, it will negatively impact companies . . . because they will have to grapple with how this will affect their processing of personal information and how it will require them to retool their data platforms.”