The Liberal government has promised to give businesses 18 months to get ready if and when Parliament passes its recently proposed changes to the federal privacy law covering the private sector.
However, the chief privacy officer for one of the country’s biggest firms warned organizations not to be complacent.
“From an operational and implementation perspective that [18 months] has to be the bare minimum because there is so much to digest,” Deborah Evans of Rogers Communications said Thursday during a webinar sponsored by the Canadian branch of the International Association of Privacy Professionals. “Every time I read the legislation I come back to something new.”
The House of Commons and the Senate still have to debate the proposed Consumer Privacy Protection Act (CPPA, contained in Bill C-11) before it can be passed, a process that can take months. Committee meetings haven’t been scheduled yet. So the 18 additional months before its provisions come into effect may seem like a lot of time.
And, Evans noted, many firms already follow similar processes under the current Personal Information Protection and Electronic Documents Act (PIPEDA).
However, she added, the CPPA requires these processes to be documented, which may take a lot of time to set up.
“There is a lot that businesses have to consider when they’re implementing this,” Evans said. “The biggest operational challenge for me is allowing enough of a window to do that. We have complex legacy systems that will have an impact. There have been a lot of commentators saying, ‘This will be terrible for small and medium businesses,’ but what people sometimes forget is that in a large organization things are actually harder to implement because we are so complex. We make our CAPEX [capital expenditure] decisions several quarters in advance. [At Rogers] we have already made our CAPEX spending plans through 2021, and that hasn’t taken into account these changes. That will be a big challenge for any organization.”
For example, she said, S.7 of CPPA says firms are accountable for the personal information they hold, and S.9 says every organization must implement a privacy management program that includes the organization’s policies, practices and procedures around the collection, use and disclosure of personal information.
“The challenge is making sure it is sufficiently detailed and appropriate in the event the Privacy Commissioner comes to inspect the program.”
S.12 says a firm may collect, use or disclose personal information “only for purposes that a reasonable person would consider appropriate in the circumstances,” Evans explained. The proposed act defines the factors to be taken into account for what is reasonable, but it also requires uses and disclosures to be documented. And if there is a new use for personal information beyond what a customer originally agreed to, additional consent must be obtained.
Evans said there may be some “administrative complexity” in what the proposed law asks, but she was careful about the term she used for it. “I don’t want to use the word ‘burden,’ because it would be silly for an organization the size of ours to say there will be a burden. It’s administrative work. There are some things to be put in place. There are some system upgrades I’m going to have to make in my program in order to document some of these to the level I would feel comfortable in the event that the privacy commissioner wants to look at anything.
“It’s about balancing the legal obligation, your risk assessment, Privacy by Design — bringing all those things together and making sure you have documented [processes] and have the right systems in place to manage that program.”
If a firm hasn’t already done so, she added, it has to do a data inventory so it knows where personal information is being held. That’s because the CPPA gives consumers the right to ask to see what a company holds on them, to demand the information be deleted, or to withdraw their consent for their personal data to be used. Firms have to decide how they will respond to those requests, manually or through an automated software system; spreadsheets likely won’t work. Compiling a data inventory isn’t a quick job, Evans warned.
It’s not that the proposed law requires things that are unreasonable, Evans repeated, but there will be what she called “operational challenges.”
Like PIPEDA, the CPPA applies to firms covered by federal legislation (like airlines and banks) and in provinces that don’t have their own private sector privacy law.
Panel moderator Constantine Karbaliotis, counsel for nNovation, an Ottawa law firm focussing on privacy and data protection, recalled a lot of Canadian organizations put off preparing for the 2018 start of the European Union’s General Data Protection Regulation (GDPR) to the last minute. “It behooves us to start thinking about this sooner than later.”
This is a minority government, he acknowledged, and it could fall at any time. And the COVID-19 pandemic means other priorities could take up Parliament’s time.
However, he pointed out that all parties in the 2019 election campaign agreed PIPEDA needed to be updated. “I don’t think parties will want to be seen to be getting in the way of a law protecting consumers,” he said. And PIPEDA needs to be changed to bring it closer to the GDPR. The EU has to decide whether Canadian privacy law is sufficiently similar to the GDPR for organizations to keep transferring personal data between the two jurisdictions, and, Karbaliotis said, trade with Europe is important.
For these reasons, he believes the CPPA will likely be passed in the current session.
He called the CPPA “well-balanced” between the demands of the GDPR and the toughest privacy legislation in U.S. states and hopes any private sector concerns can be addressed when the legislation goes to parliamentary committees for discussion.