Privacy enforcement has moved from concept to reality, fuelled by the European Union’s General Data Protection Regulation (GDPR) that came into effect in 2018. Since then, more than 40 sets of privacy legislation have been enacted worldwide. And that, says lawyer Vanessa Henri, associate at Fasken, creates implications for businesses.
Privacy violations can be expensive. In 2020 alone, according to a report released by finance news and analysis site Finbold, fines of more than 60 million euros had been imposed in the EU by mid-August against countries violating the GDPR, with Spain the leader in the number of fines (76) and Italy holding the dubious distinction of having the biggest monetary penalties assessed against its businesses (45.6 million euros). The maximum penalties against a company under that legislation are up to 20 million euros or up to 4 per cent of the company’s global turnover for the preceding fiscal year, whichever is higher.
The GDPR is probably the highest-profile privacy legislation, but closer to home, Quebec’s Bill 64 will make that province’s privacy laws the toughest in the country. It increases fines for breaches of the act to the greater of $25 million or 4 per cent of global turnover for the previous fiscal year, has tougher breach notification requirements, and includes mandatory privacy assessments for “any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information.” As under the GDPR, data that is to be transferred out of the jurisdiction must receive a comparable level of protection or it may not be transferred. The bill also defines additional rights for individuals around their data. Businesses of all sizes will be affected, and in case of a breach, the CEO will be held responsible.
“If 2018 has been the year of privacy legislation, 2020 has been the year of privacy engineering,” Henri says, pointing out that compliance is getting harder, especially for small and medium enterprises. During her Oct. 7 presentation at MapleSec, Henri will discuss the progress of privacy legislation and enforcement, and what companies need to think about to avoid falling afoul of the new laws.
“In 2020, it’s fair to say that science has met law in the field of privacy,” she says. “And privacy engineering has become the way to operationalize privacy.”