
Anticipated Changes to Canadian Privacy and Cybersecurity Laws Raise the Bar for Data Protection Compliance

Canada's Parliament is expected to be nearing passage of the Digital Charter Implementation Act (Bill C-27) and the Critical Cyber Systems Protection Act (Bill C-26), laws that would simultaneously strengthen data privacy and data protection requirements in Canada and replace or amend other existing regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA). In addition to replacing PIPEDA, Bill C-27 would also introduce three new laws: the Consumer Privacy Protection Act; the Personal Information and Data Protection Tribunal Act, which would create a new tribunal to review findings of the privacy authority and levy penalties; and the Artificial Intelligence and Data Act, a framework to prohibit certain conduct in relation to AI systems. If Bills C-26 and C-27 are passed in their entirety (possibly as early as this fall), organizations in Canada will have little time to assess the full impacts of the new laws and implement compliance before they take effect in 2024.

What’s notable about these bills is how they could dramatically change how Canadian organizations will be required to manage and protect personal data. The apparent intent is for Canada’s official stance on data protection to closely emulate the European Union’s, under the General Data Protection Regulation, and ensure that Canada retains its “adequate” status with the European Commission. Initially, enforcement action would likely focus on data breaches — as organizations issue the required notifications following a breach, the government will have the authority to closely examine their governance and cybersecurity infrastructure to determine whether it meets established standards.

In addition to elevating Canada’s foundational data protection requirements to a similar level of rigor as GDPR, the impending laws are positioned to increase the penalties for data breaches and data privacy violations from the current maximum of CA$100,000 under PIPEDA to CA$25,000,000 or 5% of an organization’s entire global revenues, whichever is larger. General counsel and the board of directors may also be held personally liable and may be subject to fines separate from or in addition to any penalties levied against the company.

Many organizations in Canada are ill-prepared to meet the stringent compliance requirements proposed in Bill C-26 and Bill C-27, putting their businesses at significant potential risk given the scale of the monetary penalties. While a portion of large organizations in Canada operate internationally and therefore may have programs in place to comply with GDPR or U.S. laws such as the California Consumer Privacy Act, countless others have not even conducted information governance, privacy and cybersecurity assessments to understand their gaps and vulnerabilities. Likewise, organizations that have not been anticipating these changes to Canadian law have likely not allocated the budget, resources or strategic planning that will be needed to quickly and effectively implement new data protection policies, processes, technology and controls.

Another critical aspect of change under these impending laws would be the addition of private rights of action. Whereas many privacy laws are enforceable only by a regulatory body or attorney general, Bill C-26 and Bill C-27 are written to provide private rights to citizens so they may take direct action against an organization for misuse or breach of their personal information. This stipulation could set a new standard for privacy compliance, as it will require organizations to apply stronger diligence to mitigate potential risk relating to individual or group actions.

Given this backdrop, and the possibility of Bill C-26 and Bill C-27 passing before the end of 2023 or in early 2024 (both bills have already completed second reading in the Senate and are only awaiting final tabling and subsequent signature by the Governor General), there are several important considerations and steps organizations can begin to address. These include:

  • Evaluate the current state of data protection, cybersecurity controls and governance across the organization and assess rigor according to NIST and other leading standards bodies. Assessment should account for nuances relating to industry, as organizations in certain sectors may have less sophisticated data controls than others (e.g., energy, manufacturing) and/or a higher volume of personal data within their systems (e.g., health care and consumer services).
  • Take a data inventory to determine what types of sensitive information are collected, stored, used, shared, etc., within the organization and how they flow between different internal functions and outside parties. Special attention should be given to personally identifiable information, personal health information and payment card industry data, all of which are focus areas of the Canadian government’s enforcement objectives.
  • Document processes and all diligence steps taken to strengthen data privacy and cybersecurity. Any organization that experiences a breach will need to defensibly prove to the government that it has taken a comprehensive approach to preventing data breaches and adequately protecting personal information.
  • Consider and closely examine how company data is shared with third parties, whether those activities are in compliance with data privacy rules, and what protections third parties have put in place to prevent data breach or exposure of personal information.

Strong information governance, privacy policies and cybersecurity practices are increasingly linked to an organization’s resilience against digital risk. Soon, best practices are likely to become required under law in Canada. While some organizations may be reluctant to invest the time, resources and budget needed to implement rigorous programs, doing so helps reduce the downstream costs, regulatory penalties and legal issues that can arise in the wake of a data breach or other incident in which sensitive data is exposed.
 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.