Canada is set to introduce tougher data privacy rules, joining a growing list of countries giving new rights to consumers and holding companies to account.
In May, Canada’s federal government launched its Digital Charter: 10 broad principles intended to guide future legislative changes, including plans to modernise the country’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act.
These include principles on the security, transparency, and portability of data, as well as rights around the consent, access to and control of data. The principles also promise strong enforcement and accountability of data protection and privacy laws.
The government says Canadians want more transparency in how their data is collected and used. Research by the Department of Innovation, Science and Economic Development concluded that existing consent-based models are inadequate and that people want greater control over their personal data.
It also found that many Canadian companies, in particular small to medium enterprises, have difficulty understanding how best to comply with existing data and privacy legislation, and that changes to PIPEDA must consider emerging privacy norms internationally.
The Canadian government is planning to compile a discussion paper to examine the proposed changes to PIPEDA, including issues surrounding consent, enforcement, transparency, and data mobility.
Canada has already taken steps to toughen its data protection laws. Last year, the government introduced mandatory breach reporting regulations, which require companies to inform Canadians if their private information has been lost or stolen, and if they have been placed at risk of harm.
They must report these breaches to the Office of the Privacy Commissioner of Canada – which recently received a commitment for additional funding – and maintain records of all data breaches for at least two years.
The government will now examine options to strengthen the enforcement powers of the commissioner, and increase collaboration with other key enforcement bodies on privacy, competition, and the broader data economy.
International Trend
Canada is not alone in modernising its privacy laws. Singapore recently announced plans to strengthen its breach notification and privacy laws, while California, Brazil, and Australia are all looking to mirror aspects of the EU General Data Protection Regulation (GDPR).
In May, Singapore’s Personal Data Protection Commission (PDPC) launched a number of initiatives, including a public consultation on the proposed data portability provisions, as part of a review of the country’s Personal Data Protection Act (PDPA).
The consultation is the third under the ongoing review of the PDPA and follows the publication of a data portability discussion paper launched in February 2019.
Singapore also proposes to amend its Guide to Managing Data Breaches, introducing more stringent thresholds and timescales for reporting a data breach. The changes would require organisations to complete an investigation into a suspected data security breach within 30 days and to notify the authorities of the incident within 72 hours of completing their assessment.
Australia recently announced changes to the country’s data protection laws, including increased enforcement powers for the country’s data protection and privacy regulator, the Office of the Australian Information Commissioner (OAIC).
The move, which follows the introduction of a mandatory breach notification regime in 2018, will mean higher penalties for companies that breach data protection laws, making it easier for the OAIC to pursue investigations and respond to breaches.
Elsewhere, Brazilian legislators approved the creation of the country’s first data protection authority (known as the ANPD) in June. The move follows the passing of the Brazilian General Data Protection Act (also known as LGPD) in August 2018, which will introduce tough privacy and data protection laws in August 2020. The new laws closely follow the GDPR.
Convergence
The purpose of this legislative redirection is to increase the rights of consumers when it comes to data protection and privacy law. A number of countries are now introducing new rights around consent, data portability, and the subject's right to have their personal data deleted. At the same time, international regulatory co-operation on data and privacy is increasing.
Singapore says its latest proposals are intended to align the PDPA with a “global push towards data portability” by other jurisdictions that are implementing or planning to implement data portability in their respective data protection regimes. The PDPC said that alignment is needed to keep pace with progressive global developments and strengthen international recognition of Singapore’s data protection regime.
In May, Hong Kong and Singapore’s data protection authorities agreed to cooperate on personal data protection. Under the agreement, the two will share best practice guidelines and information on data breach investigations. Already the cooperation has resulted in a jointly developed guide for information and communications technology systems.
Privacy Insurance
Privacy risks are increasing and can be covered under a standalone cyber insurance policy. However, many cyber insurance policies are triggered by a data breach, not a breach of data protection or privacy laws.
Some fine tuning of triggers, therefore, may be required to ensure the consequences of increased privacy regulation are covered by insurance.