The Government of Canada has proposed a revamp of Canadian privacy laws, which will strengthen user rights in today’s increasingly digital world and put private companies further under the regulatory spotlight.
On November 17, the Minister of Innovation, Science and Industry introduced Bill C-11, the Digital Charter Implementation Act, 2020. If passed, this Bill will overhaul the federal government’s approach to regulating privacy in the private sector and will cause “one of the biggest shakeups in Canada’s privacy law,” according to Vishal Kundi, CEO of BOXX Insurance, a Toronto-based managing general agent (MGA) that provides small and midsized enterprises (SMEs) with solutions to protect themselves from cyber threats.
The proposed Bill brings Canada’s privacy law more in line with Europe’s stringent General Data Protection Regulation (GDPR). Kundi summarized: “It aims to make it simpler for consumers to control how companies use their personal information. There will also be stricter rules around what companies can and cannot do with people’s information without their consent, and crippling penalties for those firms that fall short of the regulations.”
The “crippling penalties” Kundi referred to include administrative monetary penalties of up to 3% of global revenue or CA$10 million, whichever is greater, for non-compliant organizations. The draft legislation also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or CA$25 million, whichever is greater. The government described these penalties as the strongest among the Group of Seven (G7).
BOXX’s privacy breach counsel and advisor, Imran Ahmad, cyber partner at Blake, Cassels & Graydon LLP, noted that the new bill (along with Quebec’s proposed Bill 64) represents “a major overhaul of Canada’s privacy landscape”. He said the changes are “deep” and will affect not only how organizations collect and process data, but also how they respond to cyber events, including those affecting the personal information of Canadians.
The proposed Act would require private companies to implement a privacy management program that includes policies, practices and procedures designed to ensure compliance with the Consumer Privacy Protection Act (CPPA). Companies would also have to provide the Privacy Commissioner with access to those policies, practices and procedures upon request.
“This will require organizations to invest in privacy compliance,” said Ahmad. “Organizations must also provide plain-language explanations about the processing of personal information, both in connection with obtaining valid consent and to meet transparency requirements under the CPPA. Consumer-facing privacy policies will need to be understandable and in line with internal data processing practices.
“PIPEDA (The Personal Information Protection and Electronic Documents Act) was already a consent-based regime. The new Act codifies guidance from the privacy commissioners, who have made clear that their approach to consent would mirror that taken under the GDPR. It also removes the burden of having to obtain consent when it would not provide any meaningful privacy protection.”
The proposed legislation places significant onus and risk on Canadian businesses, and should be incorporated into their cyber risk management practices and insurance decisions. If companies fail to comply, there could be an uptick in privacy-related claims under cyber insurance coverages. Neal Jardine, cyber practice leader at Crawford & Company (Canada) Inc., said he saw this claims trend following the introduction of stiffer privacy legislation in places like the USA, Europe and Australia.
He told Insurance Business: “In Canada, the introduction of PIPEDA in 2018 did not have the same immediate impact, as the penalties and powers were relatively modest, but the introduction of the Digital Charter will escalate the risk and completely change the landscape. The Privacy Commissioner’s expanded powers, their intent to impose huge financial penalties, and consumers’ new private right of action following a regulatory investigation should make all firms and their risk advisors take a look at their risk tolerance and cyber coverage.”
When GDPR was introduced in Europe, there was speculation as to whether the insurance market would cover the potentially high penalties that could be imposed. So far, underwriters have taken a mixed stance on this, with coverage varying on a policy-by-policy basis. With the proposed fines in Canada being the highest among the G7 nations, at a maximum of CA$25 million, Jardine said he expects to see the same differences in underwriters’ policy language, combined with requests for higher limits from businesses. He added: “Underwriters will need to assess each risk, the business cyber controls, potential penalties, and how egregious the non-compliance is before the insurance coverage will respond.”
If companies suffer a data breach involving the personal information of Canadians, they will face much greater scrutiny around compliance under the proposed Act, and regulators will probe the adequacy of controls and security measures they had in place prior to the data breach. According to Joseph Khunaysir, president of Jolera, and senior security advisor to BOXX, this greater regulatory scrutiny “could lead to potentially lengthier investigations and bigger penalties for those that the Commissioner felt were not adequate.” He added: “It also means greater attention needs to be given to how quickly and effectively firms respond to a privacy breach. In our experience, it’s not always the hack that cripples the company, but how they respond to it.”
Another change proposed under the new Digital Charter would give individuals whose data was breached the right to go before a tribunal and request damages. According to Kundi, this could once again lead to increased defence costs and damages, as every consumer involved in a breach would have the right to appear before the tribunal. Kundi commented: “There is little doubt that the proposed regulation will have an effect on insurance limits as we see more involvement from the Privacy Commissioner and the effects of their increased ability to investigate. More businesses need to consider purchasing greater limits of cyber insurance in light of this change.”