There was a flurry of activity in the privacy legal arena in 2020. Gartner projected at the end of this past summer that 65% of countries will have national privacy laws by 2023. For example, many predict the U.S. will have a federal privacy law in the coming years following California’s lead; we saw India analyze a sweeping data protection bill that will likely come into force in 2021; Brazil’s LGPD came into force in September 2020; and China unveiled its draft Personal Data Protection Law in October 2020.
Currently only 10% of countries have comprehensive privacy laws, and Canada is one of them. In Canada alone, we saw the federal government announce on November 16th, 2020 its plans to modernize Canada’s Privacy Act. This statute came into force in 1983 and applies to the federal government and federal public sector institutions. It is extremely outdated, and finally the Department of Justice is ready to make its overhaul a priority. After 35 years of technological advances and social change, how federal institutions use, share and store personal information has changed dramatically. A public consultation period to obtain the views of Canadians on ensuring a strong, but flexible approach backed by meaningful governance and oversight will end on January 17, 2021.
We also saw the introduction of Bill C-11 on November 17th, 2020. This long-awaited legislation to reform Canada’s private sector privacy law, PIPEDA, will involve creating a new quasi-judicial tribunal to rule on appeals from Federal Privacy Commissioner decisions, and PIPEDA itself would be replaced by a new act, the Consumer Privacy Protection Act (the CPPA). The CPPA does not simply map directly onto the GDPR, but provides a Canadian-style upgrade to the law, in particular maintaining PIPEDA’s best-practice privacy principles. The CPPA does add new individual rights such as the right to know about automated decision making and the right to portability (having one’s personal information transferred from one entity to another, which will likely first impact the telecom and banking sectors). The CPPA also adopts GDPR-like enforcement with fines of up to $25M or 5% of global gross revenues, whichever is greater.
Since regulations under the CPPA would still need to be drafted and we can expect to see further consultations on Bill C-11, it may be 18 months or more before the CPPA is in force. Compliance will be a significant cost centre for organizations, so there will be opposition, especially in the post-COVID business recovery period, but I believe this law will come to fruition at some point in 2022 given international pressures. I highly recommend that businesses consider implementing effective privacy management programs now – this will be mandatory under the CPPA, but it is also certainly expected by regulators today, and it significantly reduces the risk of a privacy breach.
Provincially, in 2020 we saw the introduction of a GDPR-like Bill 64 in Quebec, calls to reform the B.C. Personal Information Protection Act, and consultations in Ontario to determine whether the province should introduce its own private sector law. We also saw amendments to health privacy laws such as PHIPA, whereby under Bill 188 fines were doubled in March 2020, and the Ontario Information and Privacy Commissioner can now levy monetary penalties against those who contravene the law. All of this is happening in a country with a relatively small population.
Back to the global front for a moment, over the past three years I have worked with many organizations situated in Canada or the U.S. on compliance with the EU General Data Protection Regulation (GDPR) due to the extra-territorial impact of this law. It’s becoming increasingly important to take the GDPR seriously. We’re now starting to see regulators issue significant fines under laws that implement the GDPR, signalling a no-nonsense message that any grace period organizations have felt they may receive is certainly over. For example, just three weeks ago on December 10, 2020, the French Data Protection Authority announced combined fines of 135 million euros against Google and Amazon for alleged cookie violations.
A clear understanding of your organization’s data map and transborder data flows is becoming increasingly important as the privacy rules pile on. We can expect this trend towards rapid-fire regulation and significant fines to continue into 2021. Buy-in from the top, resulting in an investment in privacy compliance and data security initiatives, will help organizations avoid privacy mishaps and meet their data handling obligations effectively.
To discuss the privacy laws that apply to your business and what this means for your operations, contact PRIVATECH. Wishing you all the best for a great start to 2021!