The time to prepare for soon-to-be-enacted Canadian data privacy regulations is now. Around the world, awareness of the need to protect the privacy rights of individuals, including the access, transparency, and security of personal information, has never been higher. The stakes are high, and urgency is needed to better protect the data that organizations, commercial and governmental alike, are entrusted to handle with care.
First, let’s take a peek around the corner at what’s to come, then, while we’re at it, briefly recap some of Canada’s existing privacy laws.
CPPA: Anticipated New Canadian Data Privacy Law
While an exact date has not yet been set (although it is expected sometime in 2021), Canada’s proposed Digital Charter Information Act (DCIA) and its associated Consumer Privacy Protection Act (CPPA) and Personal Information and Data Protection Tribunal Act (PIDPT) would provide more transparency and control around how data that contains personal identifiers can be used.
The new legislation would both replace and add more muscle to the country’s current PIPEDA, which governs how the private sector handles consumer data. The proposed law would provide more stringent consumer protections, simplify the consent process, and deliver more clarity around third-party service provider roles. This beefier CPPA, if adopted, would be one of the strictest privacy laws in the world and is currently being likened to California’s privacy regulations as well as to the EU’s GDPR.
While the CPPA would establish a new private sector privacy law, the PIDPT Act would establish a tribunal to hear recommendations and appeals from the Office of the Privacy Commissioner and create a more efficient enforcement process.
The impact of this Act will be felt by organizations and their customers or consumers. The DCIA would give substantially more protections, transparency, and control around consumers’ personal information, and organizations themselves would face higher financial consequences for non-compliance with the law. Fines for violations could be as high as five percent of revenue or $25 million, whichever is greater, for serious infractions.
Bill 64: For Quebec Organizations
Organizations and businesses doing business in and with Quebec should pay attention to Bill 64. This Act proposes significant changes to Quebec private sector and public sector privacy law and seeks to amend provincial privacy standards. It is substantially more stringent than the CPPA, and concerns about interoperability for businesses operating at a national level have been raised. A detailed account of the bill’s proposed amendments can be found here.
A few of the major changes to Quebec’s current privacy law framework include new enforcement tools, including substantial monetary penalties for breaches, a new private right of action for individuals, breach reporting requirements, and new requirements around outsourcing and transfers outside of Quebec. New accountability rules center around establishing a privacy officer role, an obligation to establish and implement governance policies, privacy assessments, and privacy by design requirements.
How to Stay on Top of Privacy Law Changes
As JD Supra and others have advised, organizations should stay abreast of anticipated law changes and compliance obligations by taking steps such as the following:
- Sign up for privacy law alerts
- Designate a separate compliance team
- Keep a log detailing how laws overlap and differ
- Create policies to outline workflows surrounding how data containing personal information is handled
- Ensure various organizational teams are made aware of how to manage data
- Establish privacy programs to promote a uniform process to handle privacy matters where global laws coincide
Refresh Your Canadian Privacy Law Knowledge
While the proposed privacy law is still working its way onto the official books, it’s wise to brush up on the privacy laws already in force to ensure your organization is doing all it can to protect the personal data entrusted to it.
Privacy Act
This Act is key to Canada’s overall privacy framework. It applies to how the federal government can collect, use, and disclose personal information. In addition, the right to access and correct information held about oneself by the federal government is covered here.
PIPEDA
This current privacy law covers most Canadian businesses handling personal information and is basically centered on acting in good faith when it comes to securing and using personal information. It would be replaced by the newer legislation described above. It addresses how provincial and territorial private-sector businesses and organizations protect personal data (asking for and securing consent, giving individuals the opportunity to view and amend information, and how personal data is stored and disposed of).
FIPS 140-2 or Federal Information Processing Standard
FIPS 140-2 lays out the formal security requirements for governmental data use and requires that any software used by the government, or its trading partners, use FIPS 140-2 compliant cryptography when exchanging personal data. To meet FIPS validation, software must:
- Secure data in storage (at rest) via encryption and sanitization
- Limit access to data through robust role-based user access
- Safely transmit data through approved protocols, such as FTPS, HTTPS, or SFTP
The CSE Act
This Act seeks to uphold and strengthen cybersecurity throughout Canada through how the CSE collects and interprets data, provides and acquires foreign intelligence information, protects data important to Canadian government entities, actively responds to and disrupts foreign interference, and supports federal law enforcement and security agencies through technical and operational assistance.
Payment Card Industry Data Security Standard (PCI DSS)
This standard is mandated by credit card companies to help ensure the security of credit card transactions. It is designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment with firewalls, password protection, and encryption for data at rest and in transit.
Layered Data Security Solutions from HelpSystems Help with Compliance
Data security is both a mindset and a coordinated, concrete set of software solutions designed to comprehensively protect data at every stage of its journey. HelpSystems offers a robust portfolio of comprehensive data security solutions to help meet the upcoming Canadian data privacy laws as well as those currently in place.
Layered protection can be applied to data throughout its journey for end-to-end security. Ideally, these layers should include solutions that can understand and classify your data, detect and prevent leaks, and secure and protect data both at rest and in motion, such as:
- Data Classification: A data security strategy that starts out by classifying, identifying and prioritizing the data needing protection forms a solid foundation for protecting personal data privacy.
- Digital Rights Management (DRM): DRM can help organizations prevent costly intellectual property exposure and data breaches by protecting the data no matter where it ultimately travels: internally, externally, and with suppliers, partners, customers, and more. It adds protection to cover any gaps left by DLP or classification solutions.
- Secure File Transfer: Organizations using secure managed file transfer tools to transfer files outside of and within their systems get the advantage of strong encryption protocols, automation, and control for end-to-end security and compliance as data is protected at rest and in motion with a centralized platform.