Gearing Up for the New Privacy Regime

Co-Authored with Ashley Goren-Gibson, Lawyer

A new federal privacy regime should serve as a wake-up call to any Canadian private sector businesses that have not yet implemented comprehensive protocols for the collection, use and disclosure of consumers’ personal information. Bill C-11, officially called An Act to enact the Consumer Privacy Protection Act and to make consequential and related amendments to other Acts, proposes the Consumer Privacy Protection Act (CPPA) to effectively replace the Personal Information Protection and Electronic Documents Act (PIPEDA). The Canadian government estimates that the CPPA could become law in approximately 18 months.

If passed in its current form, the CPPA would introduce sweeping changes to Canada’s privacy protections and have significant consequences for Canadian businesses. While it will take a while (and be costly) for most small- and medium-sized businesses to become compliant with CPPA, there are a few essential steps that can be taken now in preparation for what is about to become very stringent Canadian privacy legislation.

To start, companies need to get to the foundational level of privacy protection (why are you collecting the personal information?) and then add meat to the bone by developing policies, procedures and practices around the protection and proper use of the personal information.

Build the Foundation

As a first step, and in accordance with s. 12(2), a business should identify the purpose for collecting, using or disclosing personal information. In doing so, the business should consider whether a “reasonable person” would consider that purpose to be appropriate in the circumstances. The company must record the purposes (and additional purposes as they arise). In determining whether a purpose is appropriate, amongst other things, consider whether there is a less intrusive means of achieving that purpose; the type and sensitivity of the information collected; whether the loss of privacy is proportionate to the benefits of the purpose; and whether the purpose represents a legitimate business need.

Collect the Bricks and Mortar

Section 15(4) of the CPPA requires businesses to seek “express” consent as a default model. Businesses that previously relied on implied consent may need to re-evaluate whether express consent is now required.

Furthermore, for consent (express or implied) to be valid, it must be “meaningful,” with a high level of transparency about how information is being collected, what it is being collected for, the reasonably foreseeable consequences of the collection, use and disclosure of personal information, as well as who that information will be disclosed to. Businesses should also review the list of consent exceptions under s. 18 to identify where consent is not required. Lastly, companies should think about implementing a consent management system to demonstrate they have obtained express consent, where required.

Cut the Fat

Section 13 of the CPPA requires companies to limit the collection of personal information. Businesses will be required to consider what personal information is “required” to fulfil the purposes, and not rely, more broadly, on what information is “reasonable.” Collecting personal information that is not required to fulfil the purpose may result in hefty fines. Companies using artificial intelligence and machine learning will find this higher standard difficult to meet given the amount of data needed to accurately operate those systems.

The White Picket Fence

According to s. 9, businesses are required to establish, implement and maintain a comprehensive privacy management program (PMP) setting out a robust set of privacy-related policies, procedures and practices. Amongst other things, the PMP should address how the business protects personal information, how it responds to inquiries and complaints, and how it trains staff on privacy. For example, businesses should develop privacy breach management plans; access, correction, deletion and portability procedures; retention policies; privacy training; and a privacy compliance plan as some of the basics. The formalized PMP must be available on demand for inspection by the Office of the Privacy Commissioner of Canada.

Having words on paper will not be enough. There is an expectation that businesses properly implement the policies, procedures and practices they develop. Businesses would benefit from developing a process map and data inventory, which should be kept up to date. A process map allows a business to understand the flow of its data from inception to destruction. A process map will also come in handy when businesses need to fulfil the new requirement to delete an individual’s personal information upon request, because it identifies where that personal information is located within the matrix of systems, including backups and legacy systems.

As part of the PMP, to the extent that companies rely on de-identified data, those companies should regularly evaluate the probability of re-identification. Furthermore, businesses that rely on automated decision making, such as machine learning or artificial intelligence, will need to have practices in place to ensure explainability is accounted for in any decision-making transaction that impacts an individual.

Opening the Blinds

The CPPA requires businesses to be more transparent about their personal information handling practices. In doing so, businesses must ensure their privacy notices are accessible and explain in “plain language” how personal information is being collected, used and disclosed. Amongst other things, if a company engages in automated decision making that has a significant impact on an individual, the company must spell this out in its privacy notice. The notice must also provide transparency about data residency, whether exceptions to consent are being relied upon, any reasonably foreseeable consequences of the collection, use or disclosure of personal information, the names or types of third parties the personal information is being disclosed to, as well as how individuals can access, delete or port their data. Companies will need to review their privacy notices and update them accordingly.

Trespass

Failure to comply with the CPPA may lead to significant penalties, including the greater of three per cent of a company’s gross global revenue in its previous financial year, or $10 million. In addition, the CPPA creates a private right of action for litigants to claim damages for privacy breaches, whereas litigants must currently rely on judge-made law without clear entitlement to damages.

This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.
