Chantal Bernier, National Practice Leader, Privacy and Cybersecurity, Dentons Canada LLP Former Interim Privacy Commissioner of Canada
C-11, An Act to enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, is arguably so balanced and pragmatic that it is reasonable to expect it will become law, essentially as is, before the end of 2021 – barring an election. It will apply to all businesses across Canada, except to provincial businesses in Alberta, British Columbia and Québec where provincial privacy laws apply to the private sector.
So we may have no more than a year to get ready. It is time to turn to compliance assurance with CPPA through five main measures.
1. Develop a breach response plan
The unprecedented penalties instituted in C-11 – from an administrative monetary penalty of up to $10 million or 3 percent of global annual revenue to a fine of up to $25 million or 5 percent of global annual revenue – are not for failing to safeguard information. Failure to safeguard personal information is a contravention of the CCPA, subject to penalties. In relation to breaches, however, the heaviest fines apply to failure to report a breach to the Office of the Privacy Commissioner of Canada (OPC) or to notify individuals, where there is a real risk of significant harm, as well as failure to record security incidents.
The heaviest fines therefore are related to failures in governance mechanisms set up to make all the right decisions should a breach occur: what should the escalation process be if a breach is suspected or detected to ensure diligent response? Who should be part of the breach response team to be effective? How will “real risk of significant harm” be assessed in your organisation? Who should make the assessment and who will make the decision to report or notify? Who will you call as service providers, for example, to proceed to the forensic investigation and remediation?
All these questions must de addressed in advance. While detailing with a breach is not the time to set up the response process.
2. Adopt a privacy management program
The current Personal Information Protection and Electronic Documents Act (PIPEDA) is essentially reproduced in CCPA in relation to the development and implementation of privacy management programs. Procedures must be implemented to protect personal information, mechanisms must be set up to address requests and complaints, staff must be trained on the organisation’s privacy policies and material must be developed to explain the organisation’s privacy compliance policies and procedures.
But CPPA adds a clincher: the OPC will have the power to request access to an organization’s privacy management program and the organization would have to comply. So, make sure you have the components adopted:
Your privacy management program should also include a new feature: guidance to your staff, marketing and product development particularly come to mind, on what would constitute an “appropriate purpose”, as proposed in CPPA, to process personal information in your business.
3. Designate an individual responsible for internal privacy compliance in your organization
This obligation already exists in PIPEDA, but as privacy management programs have gained in importance, so has the urgency to designate the right person to ensure privacy compliance in your organization. The choice must be carefully thought through. The position must be of a sufficiently high level to exercise authority in the organization. While the person does not have to be a privacy expert, they must be supported in that regard. Many organisations choose their general counsel as the individual responsible for privacy compliance and it is a natural choice since it is a matter of legal compliance. The decision, however, ,must be grounded on what truly works best for each organisation. .Positions responsible for the management and protection of personal information, such as of Chief Technology Officer, Chief Information Officer, or Chief Information Security Officer, cannot cumulate assurance for privacy compliance as that would constitute a conflict of interests.
4. Review your privacy policies and consent forms
The proposed CPPA prescribes specific content for consent forms and privacy policies to support meaningful consent. Consent forms and privacy policies should therefore be reviewed to ensure they meet the requirements proposed in the CPPA. . This includes the new obligation to provide a “general account” of your automatic decision-making, systems, as applicable. An “automatic decision-making system” refers to “any technology that assist or replaces the judgment of human decision-makers”. The use of artificial intelligence, for example, so helpful in so many contexts, must be the object of a narrative to make public.
5. Engage your entire organization in privacy compliance
Your staff is your first line of defence. Ensure you socialize the privacy management program and create a culture of privacy compliance n your organisation. As we have seen in so many high-profile breaches, no technological measure can compensate for human vulnerabilities.
Other measures are also advisable, such as considering developing a code of practice to be approved by the OPC; or getting privacy compliance certification; or exploring the potential of the use of de-identified information. But the five measures above are musts and the stakes are high. So, it is time to get ready.