Privacy Regulations in Canada

Earning and maintaining consumer trust is not just a good idea – it’s central to creating brand loyalty. Great companies know that loyalty is an asset that will pay dividends in terms of growth and profitability for years to come. And every company today recognizes that trust goes hand in hand with personal and data privacy. Protecting your customers’ information is more vital than ever before.

Conversely, failing to protect your customers’ information is getting much more expensive, thanks to more laws and regulations and more costly penalties in jurisdictions around the world. Canada’s Bill C-27, introduced in 2022 and expected to become law in 2023, is one of the most recent examples of privacy statutes designed to give consumers more control over their personal information. The new legislation also amends the current approach to enforcement and penalties against companies.  

Bill C-27, also known as the Digital Charter Implementation Act, 2022, is designed to protect consumer privacy more fully through the Consumer Privacy Protection Act (CPPA); it also creates new requirements for “algorithmic transparency” through the Artificial Intelligence and Data Act. Part 2 of Bill C-27 proposes a substantial transformation in the enforcement of the CPPA through a new organization, the Personal Information and Data Protection Tribunal, a specialized administrative body that will have the power to directly levy monetary penalties against organizations for contraventions of the CPPA.

It’s expected that Bill C-27 will become Canadian law sometime in 2023, and it will replace the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000. It codifies into law the ten principles of Canada’s Digital Charter, including “Strong Enforcement and Real Accountability.” Under PIPEDA, Canada’s federal Office of the Privacy Commissioner (OPC) is responsible for enforcement of PIPEDA and has substantial powers of investigation and audit; however, its reports are generally nonbinding. It can “name and shame” a company to nudge it towards compliance, but at the moment it is required to apply to the Federal Court to request enforcement of its recommendations.

For example, consider the 2019 data breach at a Canadian financial services firm, which affected more than 40% of the company’s clients and members and went unreported for six months. The breach quickly became headline news, and eventually the Privacy Commissioner issued a report highlighting the firm’s lack of oversight and accountability and made several recommendations. In this case, the OPC was restricted to issuing recommendations only and was unable to levy any administrative monetary penalty, although it is worth noting that a class action was brought directly by those affected by the breach. Under the proposed Personal Information and Data Protection Tribunal Act, this would change: the OPC would be able to make recommendations to the newly established Tribunal, and any decision of the Tribunal would be final and binding, and not subject to appeal.

Consequently, both the OPC and the new Tribunal will have substantially more power to enforce certain provisions of Bill C-27 directly against organizations. If you do business in Canada, you’re going to have to be much more vigilant and accountable about how you’re gathering and using data. You’ll be required to create and maintain privacy management programs that reflect the volume and sensitivity of the information being collected. If you don’t comply, you can face administrative monetary penalties.  

Data breach notification under Bill C-27  

  • One area in particular will be the notification of data breaches. Companies doing business in Canada will have to be more proactive (and faster) about reporting data breaches, and failing to do so will potentially cost a substantial amount, in addition to any hit to your reputation. Under section 94(1) of the CPPA, failure to implement sufficient security safeguards that results in a data breach could see companies liable for administrative monetary penalties (AMPs) of up to 3% of global annual revenue or CAN$10 million, whichever is higher. Significantly, failing to report a data breach is even more expensive: the maximum fine is 5% of global revenue or CAN$25 million (again, whichever number is higher).
  • Data breaches, of course, generate headlines, but now they can also result in substantial penalties. And it is important to note that data breaches are not the only situations where AMPs may be levied. Under the new law, the Tribunal will be able to impose fines for misusing personal information or for not giving consumers proper access to the information collected about them. Consumers have a right to know what’s been collected about them and the right to have it disposed of properly if they wish. Finally, under section 107(1) of the new privacy legislation, individuals whose privacy rights have been violated will be able to bring a private right of action against the company responsible, another potential source of reputational damage and financial exposure.

What you should be doing to prepare 

  • Your company should already be actively engaged in ensuring that you closely govern what kind of information you gather from customers and users, as well as how you collect, store, and manage that data, legislation or no legislation. Failing to do this will put your reputation at risk.
  • But given the likely passage of Bill C-27 and the establishment of the new Tribunal, you should also make sure your privacy management strategy is up to date. Put automated systems and guardrails in place to ensure compliance with the new provisions of the law in general and to monitor for data breaches. Doing so will help you avoid problems in the first place, and if a problem does occur, you should be able to identify it and report it quickly, which will help you avoid penalties.

If this sounds a bit like the European Union’s General Data Protection Regulation (GDPR), you’re right. Canada and others (notably several states in the U.S.) have used GDPR as a model for the monitoring and enforcement of data privacy. 
