Legal departments ramp up frameworks to avoid stringent fines
Lawyers are bracing for significant change as Canada’s privacy regime is set for an overhaul this year at the federal and provincial levels. Anticipated changes include the federal Bill C-11 — also known as the Digital Charter Implementation Act — which introduces new powers and penalties for breaching individual digital privacy rights. Organizations in Quebec are also keeping an eye on Bill 64, which will overhaul the province’s private sector regime and give new powers to privacy regulators to impose administrative monetary penalties.
“The biggest overhaul going on with our Canadian privacy laws is really multi-enforcement action as well as the development of new tribunals,” says Karl Schober, senior associate, privacy and cybersecurity group, and transformative technologies and data strategy practice at Dentons LLP. “A lot of clients that have global obligations may not have put Canada first as an area of risk for compliance obligations, but that is going to change.”
The proposed Digital Charter Implementation Act is a replacement for the existing Personal Information Protection and Electronic Documents Act. It will include the heaviest fines among G7 countries for privacy laws, raising the stakes for legal departments in Canada.
“It’s a bill that proposes to modernize private sector privacy by enhancing the transparency of personal information held by businesses and also imposing new potentially onerous sanctions for non-compliance,” says Eloïse Gratton, a partner and national co-leader, privacy and data protection practice group at Borden Ladner Gervais LLP. “Businesses that perhaps did not take privacy seriously will have no choice but to start paying attention.” Organizations will need to have a privacy program in place, including privacy training for employees and guidelines on outsourcing, says Gratton.
The prospect of hefty fines is concerning for insurance giant Sun Life — not so much for the financial impact but for the potential damage to the brand image — so avoiding such fines is critical.
“Trust in our brand is everything. We’ve got a privacy program, which we’ve been maturing more and more every year, so now it’s about seeing what else we can document, what else we can show from a due diligence perspective and what else we can do in terms of monitoring and testing,” says Suzanne Morin, vice president, enterprise conduct, data ethics and chief privacy officer at Sun Life.
Morin’s team takes managing private information for employee and client health benefits very seriously. Sun Life is careful to ensure it only collects information when it is strictly needed, keeps it only as long as required and shares it only with those who need it. The Canadian-based global company uses PIPEDA as its base standard and tweaks it in other jurisdictions where necessary.
“One thing we never forget as a global organization is that you create your standard, but you still have to make accommodations for local differences and cultural differences, so a consistent application of these programs doesn’t mean it’s exactly the same everywhere,” says Morin.
Sun Life follows extensive privacy practices, including creating a global privacy impact assessment framework that provides consistent application of the assessment processes and reporting worldwide. It also allows visibility in any project that touches personal information internally or through a third-party vendor. Sun Life also uses a privacy risk compass and applies client data principles across the organization.
According to Gratton, with stricter enforcement looming, in-house counsel should be conducting an inventory of their practices.
“This data-mapping exercise is to make sure you have visibility on exactly what types of personal information are collected and how they’re shared within the business, with service providers and outside the company, to make sure they can adapt internal processes and procedures and update their external-facing policies,” says Gratton.
Tighter rules will bring new requirements when outsourcing personal information, so maintaining an inventory of service providers that may be processing this information will be critical, Gratton says. There is also a requirement under Bill C-11 to document the purpose of all data.
“Regulators want to make sure that businesses are quite transparent as to what they are doing,” says Gratton. “Sometimes, the data-sharing arrangements that you have with service providers or as a consortium of a few businesses can become quite complex.”
It is essential for in-house counsel to raise awareness to ensure that specific projects that warrant a privacy impact assessment are escalated to the privacy team right from the start, not after making business decisions, says Gratton.
Schober says problems sometimes arise when organizations onboard new technology without informing in-house counsel and, therefore, miss doing a privacy impact assessment. Given a recent influx of new telehealth services for employees amid the pandemic, employees must ensure that foreign health service providers adapt their processes for Canadian privacy laws.
“A lot of health service providers are coming from the U.S. It’s important to review agreements and assess these new vendors and ensure the platforms are managing sensitive health information of employees appropriately for Canadian privacy laws,” says Schober.