DataStealth Blog

Data Privacy In Canada

By Lindsay Kleuskens • June 28, 2021

Between the financial, ethical, and social costs of leaked or insecure consumer data, there is no doubt that keeping online environments secure is a top priority for most organizations. By investing in proper cybersecurity measures and staying up to date with current and upcoming data privacy legislation, organizations can reduce the cost and risk of using consumer data while keeping their consumer’s information safe.

However, as more Canadian bills are passed into law, the standards for data privacy continue to rise, along with the cost of the penalties for failing to meet them.

To help your organization be proactive and keep your consumers' information safe, this article provides a brief update on current and upcoming Canadian data privacy laws.

THE PERSONAL INFORMATION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)
PIPEDA is a Canadian federal law that governs how for-profit organizations may collect, use and disclose the personal information of their consumers. It includes 10 principles:

  1. ACCOUNTABILITY
    Organizations must delegate one person to ensure PIPEDA compliance.
  2. IDENTIFYING PURPOSES
    Organizations must choose and outline why they are gathering a specific kind of data.
  3. CONSENT
    Businesses must seek express or implied consent from consumers when gathering personal information.
  4. LIMITED COLLECTION
    Businesses may only collect necessary consumer information and may only use it in a manner that is consistent with how the user consented for it to be used.
  5. LIMITED USE, DISCLOSURE AND RETENTION
    Organizations should create policies to ensure they only use consumer information for reasons the consumer consented to.
    Retention of consumer information should not exceed the period necessary to fulfil the stated purpose of collection.
  6. ACCURACY
    Any personal information collected should be precise, complete and updated as necessary for the stated purpose.
  7. SAFEGUARDS
    Information collected must be safe from unauthorized access, theft, copying, or modification.
  8. OPENNESS
    Organizations must inform users how their data is being gathered, stored and processed.
  9. INDIVIDUAL ACCESS
    If an individual requests access, businesses must inform the user about the type of data collected about them, how it was utilized and which third parties have access to the information.
  10. CHALLENGING COMPLIANCE
    Organizations must delegate one person to ensure PIPEDA compliance.

BILL C-11
An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act.

MEANINGFUL CONSENT
Consumers must be given the plain-language information they need to make informed decisions about their data.

DATA MOBILITY
Consumers have the right to transfer their information from one organization to another.

DISPOSAL OF INFORMATION AND WITHDRAWAL OF CONSENT
Individuals have the right to ask organizations to dispose of their personal information and withdraw their consent to using their data.

ALGORITHMIC TRANSPARENCY
When organizations use algorithms or AI, they must disclose to consumers how those systems are used to make predictions, recommend content or make decisions about them.

DE-IDENTIFICATION
Users have the right to ask organizations to delete any of their personally identifiable information.

BILL 64 (QUEBEC)
An Act to update and modernize the legal frameworks surrounding individuals' personal information and privacy rights. The Bill also aims to align Quebec's data privacy laws more closely with those of other jurisdictions (i.e. PIPEDA, GDPR). Key features:

CONSENT
Consent is required in clear, simple language for each specific purpose.

DESIGNATION OF A DATA PROTECTION OFFICER
Organizations must delegate one person to ensure the enterprise complies with and implements policy to enforce the privacy requirements of Bill 64.

DATA GOVERNANCE AND ACCOUNTABILITY
Organizations must create and implement policies outlining how the company uses consumer data. This information must also be freely available to the public.

PRIVACY BY DESIGN
When offering a technological product or service, companies must keep collected consumer data at the "highest level of confidentiality by default." Consumers should not have to intervene for their data to receive the highest level of protection.

PROFILING
Any enterprise collecting personal information through the technology a consumer uses must inform the person of the enterprise's use of this technology and allow the user to deactivate the function at their discretion.

DATA PORTABILITY
Individuals have the right to request a copy of the information an organization has about them in writing.

MANDATORY NOTIFICATION OF BREACH
In the case of a privacy breach, organizations must promptly notify both the CAI (Commission d'accès à l'information) and the individuals whose data may have been compromised.

THE COST OF NON-COMPLIANCE

DESJARDINS
In May 2019, the financial co-operative Desjardins notified the Office of the Privacy Commissioner of Canada of a security safeguard breach that affected almost 9.7 million individuals in Canada and globally. Already an unfortunate incident for the organization, further investigation revealed that although Desjardins had many protection policies in place, it had failed to adequately implement them, and was in violation of PIPEDA Principle 4.5: Limiting Use, Disclosure, and Retention.

According to CBC, the breach cost the financial co-operative $108 million, in addition to a devastating blow to their brand reputation and customer relations.

GDPR PENALTIES
Although Quebec's Bill 64 has yet to come into force, many of its principles closely resemble Europe's GDPR, and its penalties are likely to be similar as well. Despite being introduced just three years ago, in May 2018, the EU has wasted no time in enforcing GDPR compliance, with penalties totalling over $191 million in 2020. Notable penalties include:

British Airways: fined $26 million after a breach compromised 400,000 customers' data, including login details, payment card information, and personal information.

Marriott: fined $23.8 million after the hotel chain's guest reservation database was breached, exposing 383 million guest records, including personal information and payment card information.

UNSEEN COSTS
While the financial penalties for non-compliance with security standards such as PIPEDA, Bill C-11, and Bill 64 may be steep, they are small in comparison to the damage a breach does to a brand.

Following a breach, some studies report that 65% of consumers lose trust in the business. More than 4 out of 5 of those consumers reported not wanting to deal with companies involved with breaches in the future.

Although compliance with security standards is an important legal matter for organizations, non-compliance also carries a heavy social cost.


Is your organization struggling with compliance? Let's chat about how you can meet compliance and data privacy requirements with DataStealth.