European-Style Data Privacy and PIPEDA
On June 12, 2020, the Quebec government introduced Bill 64 - An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (the "Bill").
Compared to PIPEDA, Canada's federal data privacy law, Bill 64 cranks requirements up a notch or two. In fact, it is much closer to the European Union's General Data Protection Regulation (GDPR) (2018) than to PIPEDA.
We estimate that it will come into effect around September 2021.
Let's backtrack for a moment. As of today, PIPEDA (2004) and the Quebec Privacy Act (1993) are nearly equivalent, and Quebec organizations have to comply with the provincial law. Now that Quebec is planning to increase its requirements, we can expect PIPEDA to follow suit within a few years, if not months.
The Bill's main objective is "to modernize the framework applicable to the protection of personal information" for various acts, including those applicable to both Quebec's private & public sectors. The Bill introduces many new privacy obligations closely related to GDPR such as:
New reporting requirements for data breach incidents
The obligation to publish governance rules associated with the handling of personal information
New data subject rights such as the right to data portability, the right to be forgotten, and the right to object to automated processing of their personal information
The obligation for organizations to ensure that default settings for their technological products and services provide the highest levels of confidentiality (privacy by design)
The responsibility for organizations to designate an individual as the person in charge of the protection of personal information
These proposed changes effectively modernize the currently outdated privacy laws for Quebec's private and public sectors. However, the most significant change brought by Bill 64 is, without a doubt, the new sanctions for non-compliance in the private sector.
This article focuses on the harsher penalties proposed by Bill 64 for private enterprises and the implications of such penalties.
European-Style Penalties? Yes, It's The Plan
Bill 64 will provide the Commission for Access To Information (the "Commission") with the ability to impose significantly higher sanctions for non-compliance. Here are the new penalties:
Administrative monetary penalties of up to $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year
Penal liabilities of up to $25,000,000 or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year
To put these numbers in perspective, here are the penalties under Quebec's current private sector Privacy Act:
Penal penalties of up to $50,000 for the first offense & up to $100,000 for a second offense
Administrative monetary penalties do not exist under Quebec's current private sector Privacy Act.
It is worth noting that the maximum fine that can be imposed by Canada's privacy law PIPEDA is $100,000 for organizations that fail to report data breach incidents.
The Commission will be able to impose administrative monetary penalties for numerous contraventions, such as failure to inform data subjects about automated processing of personal information concerning them, processing of personal information in violation of Quebec's private sector Privacy Act, and failure to properly report a data breach incident.
On the other hand, penal penalties will be imposed on private enterprises that commit one of these offenses:
Personal information is collected, held, communicated to third parties or used in violation of the Act
Failure to report a data breach incident to the Commission
Attempting to re-identify a data subject without authorization where their information has been de-identified
Obstruction in the Commission's investigation
Failure to comply with an order of the Commission
Penalties To Provide The Business Case To Comply
The new penalties introduced by Bill 64 are a step in the right direction to promote transparency and data subject rights regarding the use of personal information by private enterprises. Penalties under Quebec's current privacy act for private enterprises are not significant enough to drive a real change in the way organizations handle personal information, unless they also operate in other jurisdictions such as Europe (think Air Canada). Today, for most organizations, the cost of compliance is higher than the cost of non-compliance, which is capped at $100,000 for repeat offenders.
Complying with privacy laws is no easy task regardless of the industry, as it requires tremendous Data Governance efforts throughout the organization. When the maximum fine for non-compliance does not represent a material financial risk to your organization, it is tempting to drop financial risk from the criteria used to decide whether to become compliant with such laws.
By September 2021, however, the maximum sanctions will be increased by 10,000% for administrative monetary penalties, while penal penalties will be increased by 25,000%! For perspective, imagine any other cost in your organization jumping by that much.
Of course, Data Risks already exist in the form of what could happen to the organization's reputation: many business models rely on their customers' implicit trust to be sustainable.
Case in point: another reason why complying with the new requirements set out by Bill 64 is crucial is that the modernization of Quebec's privacy laws will shift the consumer perception of how data privacy should be handled. After last year's colossal data breach at Desjardins, Quebec consumers are now much more aware of the importance of protecting their personal information. More and more, the concepts of Privacy By Design are becoming what consumers expect.
Based on a survey by McKinsey & Company, the companies that tend to be most trusted are those that limit the use of personal information and respond quickly to hacks and breaches. Desjardins certainly did that well, offering identity theft and rectification insurance to all of its members for free following the incident. This highlights that Data Privacy and Data Risk Management go beyond just managing how to comply with specific law articles.
Google's Penalty For Non-Compliance
Another great example demonstrating the harsh European-inspired penalties that Quebec will soon be adopting is Google's run-in with France's data regulator, CNIL, in 2019. It fined Google 50 million euros (57 million US dollars) for "lack of transparency, inadequate information, and lack of valid consent regarding ads personalization." Wow indeed.
This penalty was related to two complaints made on May 25, 2018 (the very day GDPR came into effect). The largest penalty under the GDPR to date, it clearly showed that regulators were determined to follow through on their pledge of pushing back against companies whose business models depended on brazenly collecting data and using it without consent for their own financial benefit.
We expect nothing different on this side of the Atlantic once the amendments brought by Bill 64 come into effect in Quebec next year. Now is the time for organizations to change their privacy practices and to prepare and implement the changes required by Bill 64. Once it comes into effect, Quebec regulators will not waste time investigating organizations and fining those that fail to properly implement modernized privacy practices.
Privacy compliance has now become a real business differentiator for modern companies. Those accused of violating data privacy rights risk significant hits to the company's reputation and to consumers' trust. Quebec companies must prepare for the coming into force of Bill 64, as it significantly modifies existing requirements. Those who fail to do so will face European-style penalties of up to $25 million.
Prodago has been working on helping organizations integrate Data Privacy management into their existing Data Governance framework because we believe that Data Governance and Privacy both must be done "by design," not as an afterthought. Whether we look at it from the perspective of managing data risks or data protection, many of the business objectives intersect, and there is no point in doing the work twice. It is all about managing data to extract the most value out of it, without breaking the laws, incurring fines, or affecting the organization's reputation.
Because our Data Privacy Accelerator (see information below) already maps every article of GDPR and Bill 64 to the detailed operating practices that support the operationalization of compliance, Prodago can quickly help assess your organization's readiness for Bill 64. Once the assessment is done and gaps have been identified, Prodago's data governance platform can be used to understand the work to be done and to generate a roadmap for implementing the missing privacy practices, with proper accountability areas, to ensure that your organization is Bill 64 ready.