This article will provide an overview of how businesses process personal information (PI), the applicable laws, and introduce the requirements in the new Quebec privacy law, An Act respecting the protection of personal information in the private sector (also known as Bill 64).
Am I Collecting Personal Information?
Every entity, no matter what kind of business they have, must collect a certain amount of PI to conduct normal business operations.
There is a mistaken assumption that an entity starts to collect PI when they first attract customers. This is a fallacy, because besides external customer PI, a business starts collecting and processing PI when they hire their first employee, examples of which include the following:
- Personal contact information (e.g., home address, email, mobile number)
- Salary information
- Social Insurance Number (for tax reporting purposes and issuing employment standards documentation)
- Employee performance records and review
- Banking information (payroll purposes)
- Prior employment history (e.g., job application and third-party references)
- Health information (in case accommodation for the employee must be made in compliance with applicable employment standards laws)
Do I Need to Notify Customers?
A robust notice of collection of PI should include, at minimum, the following:
- Plain, easy-to-read language that explains the PI you are collecting (this should not be overly complicated legalese)
- A list of the PI that is being collected, and the purpose (i.e., why) for collection
- Brief description of how the entity processes PI, and any disclosure of PI to other service providers or partner organizations
- The law(s) that permit you to collect the PI
- The contact information of your privacy officer, in case the consumer has questions
Additionally, an entity must consider the proportionality of its collection of PI. It is not always necessary to collect PI, and more often than not over-collecting PI creates additional risk for the enterprise. For instance, if a healthcare tech company is collecting information from patients, it must collect diagnoses, prognoses, treatment, and health care provider information, as that is absolutely necessary to deliver health care. However, if the same health tech firm starts collecting Social Insurance Numbers or information about the patient’s occupation, it must justify why it is absolutely necessary for it to have that PI.
There is no “one-size-fits-all” test to determine the necessity of collection. The only way to determine if collecting and processing PI is compliant is to evaluate your business’s practices against applicable law.
Additionally, there must be no “secondary use” of the PI being processed. This means you cannot use the PI for purposes other than the reason you advised the customer when you first collected their data. For example, it is reasonable and necessary for an online retailer to collect the credit card, home address, email address, and phone number for a customer, as these are required for payment and delivery. However, you need additional consent and / or notice if you intend to use customer PI for marketing purposes, as that is beyond the initial scope of your services and purpose of collection.
What About Consent?
There is often confusion on the difference between notice and consent. Although most entities are permitted to simply provide notice of collection of PI, it is often the case that additional consent is required. A simple rule of thumb is to look up the instances in the applicable laws where obtaining consent is a requirement, or if the purpose for which the PI is being used does not align with the original purpose for which it was collected. The following are examples of when it may be appropriate to obtain consent from the customers prior to processing their PI:
- If legislation states it is an absolute requirement before processing. These most often relate to initiatives involving health or similarly sensitive personal data.
- If other binding legal precedent requires it. For instance, US-based companies may require their European customers to consent to the storage of their PI outside the EEA, as it is otherwise a violation of the General Data Protection Regulation.
- On behalf of another person. For instance, parental consent is required for minors using social media platforms, as there are additional legal requirements to collect PI from persons under the age of majority.
- As mentioned in the previous section, for secondary purposes not related to the original transaction or purpose for collection. An entity cannot presume that their existing customer base can be contacted for marketing purposes.
No matter how your entity processes PI, you must always ensure that the following are in place:
- Ensure that your notice of collection of PI complies with the applicable laws
- Ensure that you obtain consent if you intend to collect, process, or use PI in a way that differs from the original purpose of its collection or if the law requires it
- Establish clear internal parameters about the use of PI and educate all departments on the access to and use of that PI
- If required, contact a privacy consultant to assist you with the creation of solid external and internal facing policies, notices, and consents to achieve compliance
What are the Canadian laws I should be aware of?
Generally, Canadian data privacy law can be divided into the private and public sectors. The public-sector privacy laws include the Federal Privacy Act, the Access to Information Act and the Freedom of Information and Protection of Privacy Acts, of which each province has its own iteration. This essay will focus only on the private-sector privacy laws that are applicable to your enterprise.
As a minimum, every entity must comply with the Federal Personal Information Protection and Electronic Documents Act, or PIPEDA. This law applies to all private sector entities that collect, use, disclose, and store PI. It establishes a number of governing principles that should be included in every Canadian privacy law as a default “baseline”. Known as the 10 Fair Information Principles, they are:
- Accountability: organizations must be responsible for the PI they collect and safeguard.
- Identifying Purposes: the purpose for which PI is being collected must be identified and communicated to individuals at the time of collection.
- Consent: an individual must freely provide their consent to the purpose for which PI is collected. It is presumed at law that consent is free and unencumbered, and not coerced in any way.
- Limiting Collection: organizations must collect only what they need, and not over-collect PI.
- Limiting Use, Disclosure, and Retention: organizations must have safeguards that limit how PI is used by staff, to whom it is disclosed, and how long they retain the PI. An organization is not entitled to permanent retention of PI unless there are compelling legal or other due diligence requirements that permit it.
- Accuracy: the PI must be accurate and up-to-date. This speaks to the quality of the PI.
- Safeguards: an entity must have technical and organizational measures to safeguard the PI in their custody at all times. This means having a robust security program in addition to a robust and mature privacy program.
- Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
- Individual Access: An individual has the right to request their PI from an organization, and the entity must be able to respond meaningfully to these requests.
- Challenging Compliance: An individual has the right to challenge an entity about their privacy practices. In turn, the entity should appoint someone in their organization who would be accountable for their privacy practice and respond to these requests from the public. This is often the Chief Privacy Officer, a title that is a full-time role or can be combined with other positions, such as the CIO, CISO, COO, or legal counsel. This can also be the CEO if the entity is small.
Generally, the 10 Fair Information Principles can be found in any of the Provincial Canadian privacy laws. These include:
- B.C.: Personal Information Protection Act
- Alberta: Personal Information Protection Act
- Quebec: An Act respecting the protection of personal information in the private sector (Bill 64)
The most recent to pass into law was Bill 64, in September 2021. Bill 64 imposes requirements that are similar in scope to the European General Data Protection Regulation, which will be discussed later in this paper.
Although these constitute the law of the land in Canada, there remains the struggle of updating legislation to keep up with constant changes in IT. PIPEDA has not been updated substantively since its inception in 2000, although some additional guidelines to supplement PIPEDA were released in the last few years. A legislative bill to update PIPEDA in its entirety, Bill C-11, was tabled in Parliament in November 2020 (full disclosure: this writer may have provided some consultation on this), but it did not pass, because all legislative bills were removed from the order paper when the 2021 Federal Election was called. It is expected that some revised form of Bill C-11 will inevitably surface, but the time frame is unknown. Similarly, updates to BC’s PIPA were proposed in 2020, but those were shelved when Bill C-11 was first tabled.
What are the international laws I should be aware of?
There is no shortage of new data privacy laws in the ever-growing legislative landscape. If you are a Canadian entity that already has a mature privacy program in compliance with PIPEDA, Bill 64, or PIPA, the next question is whether or not foreign data privacy laws also apply to your enterprise. Additional foreign laws do not negate or override your requirements to comply with Canadian privacy legislation.
Perhaps the data privacy protection law you will encounter most often is the EU’s General Data Protection Regulation (GDPR). First passed into law in 2016, it is considered the de facto global standard in data privacy regulation. As a matter of best practice, numerous companies opt to align with GDPR in addition to the local data protection laws in their country, although GDPR compliance is not necessarily a requirement if you are not in the EU and do not process PI relating to EU residents (referred to in the GDPR as “data subjects”). GDPR applies to all companies that have operations in the EU, or that process the PI of EU residents on a large scale. Even if a company is not processing a vast amount of PI, if it processes highly sensitive information relating to criminal records, it must be compliant with GDPR.
Additionally, GDPR permits PI of Europeans to be stored outside the EU if the European Commission determines that the country where the data resides has adequate protection and formally recognizes this with an “adequacy decision”. These determinations are reviewed periodically by the EU to determine whether those third countries where PI resides continue to uphold those privacy protection controls. The countries deemed to have protection similar to the GDPR are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, New Zealand, Switzerland, and Uruguay. The United States formerly had similar protections, which were struck down in July 2020, and transfer of PI between the US and EU is permitted only if companies can demonstrate that they have sufficient in-house controls to protect personal data. The latest country to receive an adequacy decision from the EU was South Korea, whose data protection laws were deemed adequate in December 2021.
A number of countries have tailored their national privacy laws to align with GDPR. The most prominent recent example is the UK’s Data Protection Act 2018, which came into law as a direct result of the 2016 Brexit vote that saw the UK leave the European Union and cease to be subject to GDPR. Due to the vast amount of personal data traveling between the UK and continental Europe, having a data protection law that would be considered equivalent to the GDPR is of paramount importance to continuing business operations. The UK also introduced additional requirements for cross-border transfer of PI in the Queen’s Speech at the opening of Parliament on May 10, 2022.
If your enterprise processes or stores PI in the United States, perhaps the most comprehensive privacy laws are the California Consumer Privacy Act (passed in 2018) and the California Privacy Rights Act (passed during the 2020 General Election). Taken together, these laws provide protection to consumers and empower them with rights to hold companies storing their PI accountable. Some of the new requirements in the CCPA and CPRA have counterparts in GDPR, in a move that may be seen by many as concessions to the GDPR. Additionally, state privacy laws were passed within the last few years in Colorado, Virginia, Utah, and Connecticut (the most recent to have passed, as of May 4, 2022). At the time of this writing, there were active data privacy bills before Congress for the following states: Alaska, Louisiana, Massachusetts, New York, New Jersey, North Carolina, Ohio, Pennsylvania, Rhode Island, and Vermont. The challenge lies in determining which state or states would apply to your entity.
Finally, in addition to data privacy laws, there may be privacy requirements in other laws not exclusively based on privacy protection. In April 2022, luxury retailer Louis Vuitton was sued in Illinois for the alleged illegal collection of customer biometric information in their “Virtual Try-On” feature, which allowed LV clients to upload photographs of themselves so they could see if the couture suits them. The statute under which LV was sued is actually Illinois’s Biometric Information Privacy Act, which requires that prior to the collection of any biometric information (such as facial scans), an entity must first obtain consent from its clients, which the plaintiff in that lawsuit alleges the couture house failed to do.
Sometimes external business transactions may require evidence of demonstrable privacy compliance. For instance, if your enterprise is being acquired or wishes to partner with a non-Canadian company, you may be asked to demonstrate compliance with international data privacy laws like GDPR, so that you can assure your partners that you are compliant with the same laws to which they are subject. You must therefore develop your privacy program to full maturity and ensure your practices can easily adapt to foreign privacy laws.
What are the new requirements under Bill 64?
Quebec’s Bill 64 is the first Canadian privacy legislation created to mirror, or to have closely aligned counterparts with, the GDPR. Although the aforementioned Bill C-11 was also designed to align with GDPR, it died on the legislative table when the Federal election was called. Bill 64, being a Provincial law, was not affected, and passed into law in September 2021.
The requirements for Bill 64 will be implemented over a three-year cycle. These include the following new requirements for all entities doing business in the province of Quebec:
Appointing a privacy officer
This is a simple requirement for most organizations. Often, the role can be combined with another position if it is not yet a full-time endeavour. Usually the role of privacy officer is given to someone in IT security (such as a CIO or CISO), at the executive level (such as the CEO in a small organization), in finance (e.g., the CFO), or to internal legal counsel. If an entity processes considerable amounts of PI from customers, and frequently has to deal with privacy-related issues, it may make sense to hire a privacy officer on a full-time basis. Alternatively, retaining a privacy professional on a consultancy basis to provide ongoing advice would assist with this requirement, as long as the entity appoints someone internally as a privacy officer to respond to inquiries from the public or from the regulator.
Mandatory Breach Response
While most entities have an incident response protocol (IRP) within IT security to identify, triage, respond to, and resolve data breaches, an IRP may not always align with a privacy breach response protocol. Additionally, when breaches occur, they are not always reported to the regulator and / or the affected stakeholder, although some provinces mandate breach reporting if there is a real risk of significant harm to the persons whose privacy was breached.
Bill 64 makes breach reporting a requirement for entities that suffer a significant cybersecurity incident where PI was compromised. The process must include the following:
- Identifiable triggers
- Methodology (including technology) to track the life of the breach, from the incident to resolution
- Stakeholders, and their roles and responsibilities in handling the breach
- Internal record-keeping, for auditing and investigation purposes
- Risk matrix or similar methodology to evaluate the real risk of significant harm to individuals affected by the breach
- Chain of communication to determine if privacy regulator and / or law enforcement should be involved in handling the breach
- Template documentation to notify the affected person(s) and to the regulator to report the breach
While IRPs may have some of the above-noted requirements in place, a dedicated privacy breach handling protocol should be created. Ideally, such a process would operate concurrently with the IRP. It is critical to assign roles and responsibilities to ensure that both the IT security and compliance / legal teams are fully apprised of the progress of the breach and made aware of the risks involved. This also fosters cooperation to ensure that all required teams participate in risk mitigation.
Privacy Impact Assessments / Privacy by Design
Most organizations purchase or consume SaaS solutions intended to automate their business activities as much as possible. The most common for businesses include HR software, project management trackers, payroll and invoicing processors, video conferencing solutions (particularly when the Covid-19 pandemic commenced), and direct messaging apps. While most vendors have privacy controls well in place, it is not always the case that the vendor or the solution is compliant with the local jurisdiction of the end user or customer. In particular, vendors whose solutions are compliant with their US state laws may not have accounted for the privacy concerns or requirements for the province of Quebec.
Therefore, Bill 64 mandates that businesses must conduct a privacy impact assessment (“PIA”) when software is purchased. Additionally, if an entity develops a SaaS solution, AI, algorithm, or other program, they must also complete a PIA. This requirement has been implemented to ensure that if a program is being developed where PI is involved, that the entity understands the impact to individuals whose PI they are using to power the solution. This will ensure that organizations remain ethical and compliant with the letter of the law in processing PI. This is critical because when an entity collects PI, they are permitted to do so under lawful restrictions, and may only use PI beyond that initial use if they have obtained consent from customers. This also has the added benefit of ensuring a business understands the risk to themselves as an organization, if they decide to create solutions that make more liberal and profligate use of PI.
Even beyond a PIA, Privacy by Design (or “PbD”) should be incorporated into the organization wherever possible. This can be taken to mean that the following must be put into place in an organization:
- Workflow procedures or processes supporting any such system must follow pre-set PbD requirements
- Access points into such systems need to be regulated, audited, and periodically reviewed
- All permissions to access PI must, by default, be set at a level where the least amount of PI possible is visible, without the end user having to choose those settings
- Users of any such system must be able to control the PI they wish to share or disclose
- PI should be anonymized or pseudonymized wherever possible, if it is not necessary to process it in identifiable form
Under GDPR, a data subject has the right to request a copy of all of their PI and take it with them in a common, machine-readable format. In Canada, the right to data portability currently exists only in Bill 64, with requirements almost identical to the GDPR.
As a practical solution, some businesses offer a self-serve option on their external-facing websites allowing customers to download a copy of all the PI they provided to the entity. This option is common among companies that process considerable amounts of PI (e.g., social media outlets), and is an efficient way to partially meet the data portability requirement. From a practical perspective, this means that businesses can tag the PI belonging to customers and automate the request. However, it is unclear at this time whether Quebec’s right of data portability applies to any information that is derived from the PI a customer provides to an entity. In other words, the scope of the right of data portability may also include copies of any PI beyond what a customer provides to an organization.
Practically speaking, an entity operating in Quebec should have a formal workflow to accept, track, and process requests for data portability. Ideally, PI should be tagged for ease of retrieval, and your privacy officer should review these requests to ensure that only the PI pertaining to the customer is captured within the scope of the request. Effectively, this means that any extraneous information (such as PI belonging to another individual that was not supplied by the customer) should be removed or redacted prior to the information being sent out. While there is no formal time frame for response, it is not unreasonable to process these requests within 30 days (whether this means calendar or business days is undefined at this time).
Another GDPR right that has a Bill 64 counterpart is the right of erasure, where an individual can request that an entity delete their PI. Called the right of “de-indexation” in Bill 64, this means that an entity should have a formal process to review and respond to such requests. Ideally, the organization should already have tagged the data for ease of retrieval and review.
A formalized process for deletion requests is needed because the right to delete PI is not absolute. There are perfectly valid and compelling reasons why an organization may say that it cannot delete PI, and must actually retain some PI. These include the following:
- To continue to provide goods and services: this includes contact information, payment information, and purchase history (to effect returns or to provide warranties on eligible products)
- Employment law requirements: this pertains to company employee PI only. Data may not be deleted here because the company is compelled to retain copies of employee records for ongoing due diligence and regulatory requirements.
- Legal reasons: this includes employee data as well as any ongoing disputes or litigation that involves a customer. In these circumstances, the right to erasure cannot override an entity’s requirement to retain PI if it would be considered evidence in a court of law.
A formalized process would help to review the requests, determine what can be deleted or retained, and respond to the requester. As with the right to data portability, erasure requests should ideally be processed within 30 days (calendar or business, which is not yet defined under Bill 64).
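The portability and erasure workflows described above, as an added illustration that is not part of the original article or of any product: a minimal tagged PI store in which each field records whose PI it is and any retention reason, so that a portability export returns only the requester's own PI (redacting fields about other individuals) and an erasure request deletes what it can while documenting what is kept and why. The field names, retention reasons, and sample record are constructed for illustration.

```python
"""Tagged PI store with Bill 64-style portability and erasure handling.

Added example, not the article's or any vendor's code. Field names, retention
reasons and the sample record below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional
import json


@dataclass
class PIField:
    name: str
    value: str
    subject_id: str                       # data subject this field is about
    supplied_by: str                      # who provided it (customer, third party, ...)
    retention_reason: Optional[str] = None  # set when a retention hold blocks erasure


@dataclass
class Record:
    customer_id: str
    fields: List[PIField] = field(default_factory=list)


def export_portable(record: Record, requester_id: str) -> Dict:
    """Portability export: the requester's own PI, in a machine-readable dict.

    Fields tagged as belonging to a different individual are redacted and only
    their names are reported, so the export never discloses third-party PI.
    """
    data: Dict[str, str] = {}
    redacted: List[str] = []
    for f in record.fields:
        if f.subject_id == requester_id:
            data[f.name] = f.value
        else:
            redacted.append(f.name)
    return {"customer_id": requester_id, "data": data, "redacted": redacted}


def process_erasure(record: Record, requester_id: str) -> Dict:
    """Erasure (de-indexation) request: delete unheld fields, document the rest.

    Fields with a retention reason (ongoing service, employment law, litigation)
    are kept and the reason is returned so the response to the requester can
    explain what was retained and why. Other people's PI is left untouched.
    """
    deleted: List[str] = []
    retained: Dict[str, str] = {}
    kept: List[PIField] = []
    for f in record.fields:
        if f.subject_id != requester_id:
            kept.append(f)
        elif f.retention_reason:
            retained[f.name] = f.retention_reason
            kept.append(f)
        else:
            deleted.append(f.name)
    record.fields = kept  # mutate the store in place
    return {"deleted": deleted, "retained": retained}


def response_deadline(received: date, days: int = 30) -> date:
    """Target response date; calendar days assumed (the law leaves this undefined)."""
    return received + timedelta(days=days)


def make_sample_record() -> Record:
    """Constructed sample: one customer plus a gift recipient's name they supplied."""
    return Record("cust-1", [
        PIField("email", "alice@example.com", "cust-1", "cust-1"),
        PIField("home_address", "1 Example St, Montreal", "cust-1", "cust-1"),
        PIField("card_last4", "4242", "cust-1", "cust-1", "ongoing_service"),
        PIField("purchase_history", "order-1001", "cust-1", "cust-1", "warranty"),
        PIField("gift_recipient_name", "Bob Example", "other-1", "cust-1"),
    ])


if __name__ == "__main__":
    rec = make_sample_record()
    print(json.dumps(export_portable(rec, "cust-1"), indent=2))
    print(json.dumps(process_erasure(rec, "cust-1"), indent=2))
    print("respond by", response_deadline(date(2022, 5, 4)))
```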
While not enshrined in Bill 64, Quebec’s Official Language Act requires all legal notices to be written in French as well as in English. You must ensure that any notice of collection or consents are in both official languages to demonstrate due diligence.
What are the risks of not complying with privacy laws?
Currently, PIPEDA has fines of up to $100,000 for violations or invasion of privacy. However, this fine is not implemented by the regulator, and must be pursued through the courts. Therefore, an individual whose privacy was breached but who does not have the resources to litigate the matter would be hard-pressed to hold entities accountable, especially given the long times (sometimes years) for matters to get to trial.
Under Bill 64, the new fines are similar to GDPR:
- For administrative violations, fines are up to 2% of annual turnover or C$10 million;
- For penal violations (those with a criminal element), fines are up to 4% of annual turnover or C$25 million; and
- Sections 158 & 159 allow fines to be levied against individuals as well as companies: “anyone who commits an offence and is liable to a fine of $5,000 to $50,000 in the case of a natural person and of $15,000 to $150,000 in all other cases.”
The above fines can be levied by the Quebecois privacy regulator and do not need to be pursued through the courts. These fines also do not preclude anyone from commencing legal proceedings against a company for invasion of privacy, which may include class actions if a large number of customers are similarly affected by the same breach.
Finally, in addition to the above-noted fines, there is potential loss of trust or reputation to an organization, which may be incalculable as it would lead to loss of business or a drop in the company stock price. This does not include any out-of-pocket costs to mitigate damage, such as retaining IT security breach response teams, external legal counsel, crisis management firms, and publicists and marketing firms to work on the messaging to repair the damage to the corporate brand. Your insurer may not always cover these additional costs.
How can I be compliant with Bill 64 and other privacy laws?
The best way to be compliant with legislation is to ensure that you perform a proper privacy gap analysis. Here is a short checklist of items you will need as a starting point for any privacy program:
- Conduct a data inventory, with lists of your PI
- Appoint a privacy officer, or hire an external consultant, to create a privacy program for you
- Perform a privacy gap assessment to determine how your org processes PI
- Complete privacy impact assessments as a risk mitigation and due diligence exercise
- Have sufficient IT security measures and safeguards to ensure your environment is secure
- Operationalize a privacy breach response protocol
- Train your staff on privacy on a regular (e.g., annual) basis to help foster a culture of privacy awareness throughout the organization
- Create a privacy road map to compliance, including an assessment of the applicable laws and the current practices you have in place
- Consult with your legal counsel and insurers to ensure that you have sufficient coverage and risk mitigation steps in place
Some or all of the activities listed above may be more appropriate to larger rather than smaller operations. However, if even a small start-up with a handful of employees starts gathering considerable PI (especially sensitive kinds such as health or financial information), then having a privacy road map to compliance is a critical due diligence requirement. The size of your organization does not absolve you of liability in the event of a privacy breach or a major security incident.