Is Your Enterprise Prepared for Bill C-11, Bill 64 and the others?

CBR Original ContentCyber Insurance/LawEnterprise SecurityPrivacyCyber Innovations
Written By Luigi Tiano

21-Oct| Written by Luigi TianoAssurance IT • Laval, QC

2021 will be a year to remember for many reasons! Unprecedented technological innovations have resulted in a rapid digitalization of our everyday lives. As a result, the amount of data being captured and handled related to individuals has grown at exponential rates.

Because of this, the Canadian privacy legislative landscape is about to change. Legislation relative to how personal information is collected and handled is being given a comprehensive and timely overhaul. The Canadian and Quebec governments have acted with conviction to step up their protection of private and personal information. They mean business!

Part of the reason we are seeing a rise in government intervention, is because legislators in Europe and North America have been working to change the legal framework that applies to personal information. Europe led the way in 2016 with the General Data Protection Regulation (“GDPR”), and California followed suit in 2018 with the California Consumer Protection Act (“CCPA”).

In November 2020, the Canadian Minister of Innovation, Science and Industry introduced Bill C-11. Bill C-11 is the Digital Charter Implementation Act, 2020, which proposes to replace the Personal Information Protection and Electronic Documents Act (PIPEDA) with two new private sector laws; The Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act. An important note. This is a federal legislation applying to all provinces and territories except B.C., Quebec and Alberta.

Ironically, it was Quebec, who tabled their version of the Bill first on June 12, 2020. Quebec’s Bill 64 is an Act to modernize legislative provisions with regards to the protection of personal information.

If both Bill C-11 & Bill 64 is news to you, rest assured you are not alone! We guarantee that you will be hearing more about these and related topics in the upcoming months. Many questions come to mind when discussing this upcoming data privacy legislation. Questions stemming both from the individual and enterprise perspective.

If you are a Canadian based business in the private sector, then you need to pay attention. If your company holds personal information, then you should also bookmark this blog and the rest of the links shared below.

In this blog, we review

  • Bill–C11 & Bill 64

  • Which businesses are potentially impacted?

  • What these Bills mean to the individual?

  • How can you prepare your business for this new legislation?

Ready?

What is Bill C-11?

Bill C-11 was presented by the Minister of Innovation, Science and Industry on November 17, 2020. This is established to enhance and remodel the Consumer Privacy Protection Act (the "CPPA") and the Personal Information and Data Protection Tribunal Act (the "PIDPTA"). This bill is replacing it with these private sector legislations: The Consumer Privacy Protection Act, CPPA and the Personal Information and Data Protection Tribunal Act.

The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. It also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million.

What Will be Changed?

At the federal level, C-11 will result in many changes to the regulatory structure for the protection of personal information. It recommends that people be granted additional rights, while corporations be subjected to new responsibilities, primarily to increase openness and transparency. Here is a quick rundown of the major changes:

  • Modifications to the individual consent requirements

  • Enterprise will need to adopt a privacy management program and accountability of organizations and associated service providers

  • Increased rights to individuals related to handling of their data

  • Increased enforcement measures for organizations not following the law

What is Bill 64?

Because I was born and raised in “la belle province”, I can say it! For those who have not noticed, we do things slightly different in Quebec. Quebec presented Bill 64, An Act to update legal measures relating to the protection of personal information in the National Assembly on June 12, 2020. Bill 64 stands for, An Act to Modernize Legislative Provisions Regarding Personal Information Protection.

This Bill is provincial; therefore, Quebec’s Bill 64 will contain slight differences from the federal and other provincial bills that may come before or after it. As per the ministry, once it is approved, the Bill would increase the accountability of provincial ministries and agencies, commercial firms, political parties, promoting openness, improving data privacy, and strengthening user consent. The proposed modifications are based on what is being adopted in other Canadian jurisdictions and the European Union, but they are still a distinctively "made in Quebec" attitude to data privacy. Many people want all of Canada's privacy laws to be fully harmonised, but this has yet to happen and as why know, may never happen. Here is a PDF from the National Assembly explaining Bill 64 for Quebec.

Some of the major changes to expect

Here is an overview of the major elements that will change once Bill 64 is in place:

  • Enterprises to adopt governance rules for the protection of personal information

  • Notification required when personal information has been breached

  • More severe legal and monetary punishments to the enterprise

  • Exception for business transactions - Obligation to delete personal data upon request

  • New consent exclusions - Outsourcing and cross-border movement of data

  • How personal information is used for commercial or charitable reasons

How Can Your Enterprise Prepare?

In terms of preparing for these new and rather tough legislations, there are few things you can do before it’s too late. Start preparing today! Work with your internal experts, compliance team, privacy committee or whomever inside your organization is assigned to address privacy. Your key team players need to understand the impact of Bill C-11 and Bill 64 and your organization’s marketing practices. Although the Bills in their current form may be altered, preparing your organization will be helpful for when the Bills becomes legislation, avoiding potential fines.

Another interesting program, we are recommending clients, is CyberSecure Canada Program. CyberSecure Canada is relatively unknown, however extremely valuable when considering a safer enterprise. The CyberSecure Canada program is designed for small and medium-sized businesses. By implementing this program into your “preparation plan”, it will allow your suppliers and clients to know you are a reliable business partner and ready for the new upcoming privacy policies! The program assists businesses in implementing certification standards so that they can safeguard their businesses, customers, and partners against cyber breaches. To learn more about the program, you can take a look at the information sheet here.

Lastly, enterprises should be ready to publish yearly transparency reports as well as their law enforcement guidelines. The Privacy Commissioner should have the authority to prescribe the templates used and compel certain types of enterprises to create said reports. The goal of publishing law enforcement guidelines is to explain how enterprises receive and process requests from government agencies. This is primarily to assess the appropriateness of how enterprises interact with government agencies and to correct situations where enterprise guidelines conflict with our Canadian legislations.

Here is a comparison chart of Bill C-11 and Bill 64 if you are interested in seeing a more in-depth description.

What Does This Mean For The Individual?

The Bill substantially overhauls the legislation, addressing numerous privacy challenges that occur with technology today. This means that individuals will have greater power, and enterprises who breach privacy will face far harsher consequences.

When should the Bill become law?

As stated in a public email from Mr. Chris Warkentin, M.P. Chair of Standing Committee on Access to Information, Privacy and Ethics, he believes that the Bill, as written, is a step back because the provisions intended to give individuals more control actually give them less. He also mentions this is because the increased flexibility given to enterprises to use personal information without consent does not come with the increased accountability one might expect.
As of the Mid July 2021, despite much anticipation, the Bill seems to be stuck in the legislation process. Many critiques have been made and the support needed to move this forward has not come through yet. This is one of the major reasons why the provinces, like Quebec, Alberta, BC and Ontario are proposing their own Privacy Bills.

https://www.retailcouncil.org/privacy/overview-of-bill-c-11-the-digital-charter-implementation-act-2020/
https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading
https://www.ic.gc.ca/eic/site/062.nsf/eng/00119.html
https://www.lexology.com/library/detail.aspx?g=2fe7c3f8-0a10-4a69-a731-376738f9ad0c
https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020

Luigi Tiano

VICE PRESIDENT OF SALES & MARKETING AND CO-FOUNDER • ASSURANCE IT • LAVAL, QC

https://www.linkedin.com/in/luigitiano/
Previous

Twitch, Breached. A Hacktivism Reboot?
Next

Anything but Ordinary - Critical Reasons why your Government Customer isn’t Typical when it comes to their Data and Information