Building confidence and trust

Canadian governments are working on legislation with the goal of balancing data privacy and protection without sacrificing innovation.

The acceleration of the digital economy and proliferation of remote work and business operations amid the pandemic has underscored the need for, and concern around, data protection and privacy.

A number of federal and provincial data privacy and protection regulatory initiatives are underway in Canada in order to modernize and strengthen privacy laws in a way that balances the rights and protections of people and companies, with the drive for innovation that is key to economic growth and prosperity.

“Canada needs to keep pace with other countries that are taking aggressive action to support trust and privacy,” the federal government stated late last year after tabling Bill C-11, its proposed new private sector privacy legislation.

The federal government states that the European Union and the United States have new privacy and e-protection laws and that its proposed legislation “is an important step in ensuring Canadians can trust that their data is safe and their privacy is respected, while allowing innovation that promotes a strong economy.”¹

Concurrently, companies are being encouraged to be proactive in increasing their data and privacy controls to keep pace with the changing legislation at home and abroad.

Holly Shonaman, RBC’s Chief Privacy Officer, says data and privacy regulations aim to protect personal information and ensure that it is being used in ways that individuals reasonably expect.

“Companies that can demonstrate compliance will be able to build trust and confidence with clients,” she said, adding that privacy programs and tools will need to be assessed against the new regulatory requirements.

A look at the proposed legislation in Canada

The Digital Charter Implementation Act, 2020 (Bill C-11) was introduced on November 17, 2020, to establish a new privacy law for the private sector. 

Companies that
can demonstrate
compliance will be
able to build trust
and confidence
with clients

It would enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, replacing the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). The Bill proposes to overhaul federal privacy law and incorporates aspects of individual rights and privacy requirements which are similar to those found in the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act.²

If passed, the government says the Act would “significantly increase protections to Canadians' personal information by giving Canadians more control and greater transparency when companies handle their personal information.” It would also include “significant new consequences for non-compliance with the law, including steep fines for violations.”³

The Bill's three main components are:

1. Giving people more control over their personal information, including the right to request deletion of their personal information, and the eventual right to transfer their personal information to another firm

2. Clarifying the rules around using and protecting “de-identified information” (when direct identifiers, such as a name, are removed from personal information)

3. Giving the Office of the Privacy Commissioner broad order-making powers, including the ability to force a company to comply with CPPA requirements and the ability to order a company to stop collecting or using personal information. The Privacy Commissioner would also be able to recommend fines in the event of non-compliance.⁴

In a separate process, the government is also consulting on changes to modernize the Privacy Act, which is the federal legislation that regulates how federal public sector institutions collect, use, disclose, retain, and dispose of the personal information of individuals. An online public consultation is open on these changes until February 14, 2021.⁵

Various provinces are also working to modernize their privacy laws including a new proposed law in Quebec, and privacy framework reviews which are underway in British Columbia and Ontario.

Shonaman says organizations like RBC are advocating with federal and provincial governments “to seek as much coordination, consistency and harmonization as possible.” For example, in Canada, she says there is a long-standing test of what kind of privacy breach must be notified to the regulator and impacted individuals.

Given the key role of data
in the digital economy,
it will be important to
resist fragmented
approaches that create
complexities and
inefficiencies

“The breach notification test in the Quebec legislation uses different language, so we need to determine if the legislators mean the same thing or whether the variance is deliberate,” she says. “It's been long established that, where the provincial and federal legislation is substantially the same, compliance with one law will result in compliance with both laws. But when laws are developed independently, it requires a company to determine a compliance approach that will meet clients’ expectations across Canada.”

Shonaman says the complexity of the legislation is compounded for an organization like a bank, which is federally regulated, but has certain provincially regulated subsidiaries in its corporate structure.

“Given the key role of data in the digital economy, it will be important to resist fragmented approaches that create complexities and inefficiencies and undermine the effectiveness of the broader policy goals of promoting innovation while ensuring that consumers are protected,” she says.

The impact on innovation

The government’s policy intent behind the new legislation is not to hinder innovation and, in fact, states that some changes will support it. For instance, it notes the proposed Bill will simplify consent, since the use of personal information in the digital economy is core to the delivery of a product or service and “consumers can reasonably expect that their information will be used for this purpose.”

At present, it states organizations need to seek consent for such uses, “making privacy policies longer and less accessible and creating burden.” It says the legislation would “remove the burden of having to obtain consent when that consent does not provide any meaningful privacy protection.”

It also says the new legislation would help ensure the use of “data for good,” noting that greater data sharing and access between the public and private sectors “can help to solve some of our most important challenges in fields such as public health, infrastructure and environmental protection.” The government says the new legislation would allow businesses to disclose de-identified data to government institutions (under certain circumstances) “for socially beneficial purposes.”

The new legislation will also help organizations understand their data privacy and protection obligations and demonstrate compliance.⁶

Shonaman believes the Bill shows the government's commitment to balancing the rights of individuals with the data management needs of Canadian companies. “It supports innovation by recognizing that consent is not required for all uses of data, that de-identified information can be used for research and development, and also supports the use of personal information by service providers as long as they are fulfilling the purpose for which the data is collected,” she says.

“The proposed right to audit companies can also be seen as supporting innovation because you have a stronger regulator who can more effectively ensure all companies are playing by the rules,” adds Shonaman.

Ensuring companies are “future-ready”

For companies, data privacy is “the new strategic priority,” according to a Forrester white paper commissioned by IBM, which calls on businesses to sharpen their internal controls and keep pace with emerging data privacy regulations.

It notes that customers are more aware of their privacy rights due to the growing number of government regulations in place or in progress around the world. “As firms face a growing list of data protection regulations and customers become more knowledgeable about their privacy rights, developing a data privacy competence has never been more important,” the paper states.

We've been evolving our program, practices and risk appetite

“Sustained compliance delivers a number of benefits, but firms with reactive and siloed privacy tactics will fail to capitalize on them. Some have begun to address the need for more mature data protection controls and strategies, but many lag behind.”⁷

RBC has been at work for many years to evolve its risk management practices to be “future-ready,” says Shonaman. “Given the strategic imperative to derive valuable insights from data, the enactment of significant privacy legislation in Europe and the United States, and heightened public awareness and scrutiny on how personal information is used, we've been evolving our program, practices and risk appetite,” she says, with a goal to ensure RBC continues to use personal information in accordance with regulatory and client/employee expectations.

For example, she says RBC already assesses data initiatives from “an ethical/reputational risk perspective”, even if they are acceptable under the law. In addition, “we ensure our program incorporates the principles of all material privacy laws around the world,” Shonaman says.

The long-term benefits of data privacy

The IBM paper states that organizations with “well-rounded strategies that commit to data privacy for more than just compliance stand to realize a number of benefits, including enhanced customer trust.”⁸

Building and maintaining customer trust is more critical than ever in today's society, particularly given the growing interest and attention being paid to organizations' environmental, social, and governance performance.

Data privacy and protection, which falls under both the social and governance categories, is critical to protect the information we share online. It is also important to ensure that our digital economic growth happens responsibly in a way that protects the rights and freedom of people and organizations.