Jade Buchanan, a technology and privacy partner with McCarthy Tétrault in Vancouver, has worked on some of the largest data breaches in Canadian history, which have involved ransomware and other types of data-breach attacks. He also has extensive experience with complex data-sharing agreements, regulatory compliance, and responding to inquiries from privacy commissioners.
On this episode of A Little Privacy, Please!®, Jade walks us through the evolution of the Canadian data privacy landscape, from PIPEDA to CPPA.
Can you talk to us about PIPEDA and what that law entails?
It’s on its way out—we’re going to lose the entire “PIPE.” PIPEDA passed as the Personal Information Protection and Electronic Documents Act, so why privacy and electronic documents go together was just an issue of convenience at the time. The little “EDA” is going to end up on its own as the Electronic Documents Act, and we’re going to have brand new privacy legislation in Canada called the Consumer Privacy Protection Act (CPPA).
Right now, it’s a fairly old piece of legislation and sometimes critiqued as not being modern. The new legislation currently before our Parliament is modernizing in that it addresses a few things like artificial intelligence, but more so than that, it introduces the possibility of significant fines. To date, we have a name-and-shame regime with the corresponding risk of class actions for invasion of privacy and negligence. Its primary enforcement has been through the privacy commissioner investigating and identifying conduct the office sees as offside.
Is Canadian privacy law heading toward GDPR (General Data Protection Regulation)?
In the big headline-grabbing ways, yeah.
We’ve got PIPEDA, soon to be the CPPA; CPPA will have fines of up to 5% of local revenue. That’s 1% higher than the GDPR, which means it’s a stronger privacy law by a full percentage point.
We also have legislation in the Province of Quebec that now does have significant fines and was very much inspired by the GDPR.
Where we haven’t gone in the full direction of GDPR is in some of the more bureaucratic requirements. For example, we don’t have anything comparable to the requirements for a full data protection addendum. You’re required to protect personal information, including your contracts, and that’s interpreted as requiring certain clauses to be in a contract. The Quebec legislation lists a few things that need to be there, but it’s not as comprehensive. Some of the other more nitty-gritty obligations in GDPR just aren’t there in Canada, which is aligned with how Canadians operate. We will comply with the law, but we’re not going to do a bunch of paperwork to do it.
Is there anything else we should watch out for in the Canadian data privacy landscape?
There are two things, actually.
First, the CPPA is going to have fining power. It will also have settlement agreements where the privacy commissioner can enter into agreements with organizations the office thinks have not complied with the legislation. The government proposed a recent amendment to clarify that there can be a payment involved in that. That was interesting to me.
The second item is CASL (Canada’s anti-spam legislation). It applies to email or text message marketing and any commercial electronic messaging. Under that legislation, fines can be up to 25 million Canadian dollars. Most enforcement has the regulator entering into compliance agreements with a payment and a compliance program where an organization will fix its policies and procedures and agree to a certain amount of oversight.
Now, you can see the settlement amount I mentioned in privacy compliance. Once you’re investigated by the privacy commissioner for a breach, there’s a good chance they’re going to expect a monetary payment if they consider your conduct meriting it.
Is there non-compliance? Is there a risk that an organization has not complied? Is there a legitimate concern? Let’s fix it, and let’s try to keep the payment minimized.