Privacy by design in Quebec
Should the province's privacy bill become law, businesses will have to assess how they handle personal information to bring their policies in line with more onerous requirements.
It is one of the odd paradoxes of Canada that it can be both leader and laggard. Take privacy by design. It was a former Ontario privacy commissioner, Ann Cavoukian, who developed the concept in the mid-1990s, but the EU would be the first to take the lead in incorporating it into law when it adopted its General Data Protection Regulation in 2016.
Quebec has at last introduced a new bill to update its legislation governing the protection of personal information in the private sector. The legislation needs an overhaul to bring it in line with accepted international standards for data protection.
Better yet, the proposed bill introduces privacy by design requirements, though it is unclear at this stage what changes will be made to the bill, tabled last month before the National Assembly.
If adopted in its current form, a business that collects personal information to offer a product or service would have to ensure the highest level of “confidentiality by default” of that information “without any intervention of the person concerned.” Privacy by design entails a proactive approach to protecting personal information. It implies that personal information is, by default, protected as part of the conduct of daily business rather than as a reactive response to incidents.
Critics charge that incorporating privacy into the business structure is disruptive to the profit motive, as its principal aim is not to generate revenue but rather to prevent loss. But the intention here is in no way to inhibit business. The idea is that investing in sound privacy controls and monitoring allows companies to operate seamlessly, without any hindrance to their business.
In practice, privacy by design requires close collaboration among various teams in a company, including legal counsel, information technology and security specialists, as well as department heads in marketing or HR, who are responsible for housing personal information. And all must have support from the C-suite or other relevant stakeholders.
To operationalize privacy by design effectively, businesses typically need to implement a series of changes to their existing privacy controls.
A good place to start is conducting a privacy audit. That way, the business can re-evaluate its current processes and expose any gaps. The audit will likely cover existing and new processes for the collection, use and retention of personal information, which should be reviewed to prevent unauthorized access or loss. Conducting risk assessments and mitigating potential threats demonstrate good faith to consumers and regulators.
Some relevant questions to ask include:
- Are we collecting more information than is needed?
- Do we have appropriate physical, administrative and technical controls to protect this information to minimize the risks of privacy incidents?
- Do we have consistent data retention schedules and destruction policies that comply with legal obligations?
- Do we have a consent mechanism in place for marketing purposes?
- Do we have systems in place to answer various customer requests and complaints in a timely manner?
As a company makes changes to its existing handling of personal information, it will have to re-evaluate itself by asking the same questions.
It is also good practice for a company to review its contractual provisions with third parties when privacy processes such as the collection, use and retention of personal information are outsourced, to ensure those third parties are held to the same requirements. Businesses that use vendors remain accountable to consumers and regulators for the data they collect to offer their products or services. They must therefore cover all bases to mitigate and respond to legal issues should they arise.
On the home front, businesses should ensure a privacy-first mindset, train their employees and contractors, and expect the same of their third-party vendors. With ransomware and spear-phishing on the rise since the pandemic, employees should receive regularly scheduled privacy training to minimize the possibility of unintended breaches or data loss. On their own, privacy policies are documents containing requirements that employees may not retain or prioritize in their daily work. Proactively engaging employees through training has been shown to decrease incidences of data loss.
By the same token, privacy by design implies that businesses are fully transparent and accountable towards consumers in their privacy practices. They must show that they are able to comply with the contents of their privacy notices. To this end, before any amendments to the Quebec privacy legislation are adopted, it would be prudent to have in place an individual responsible for privacy matters. Often called a Chief Privacy Officer, or CPO, this senior member of management ensures compliance with relevant privacy laws, processes and related policies, and acts as a point of contact for consumer inquiries, requests or complaints. The CPO is charged with putting in place an appropriate framework to interface with consumers.
An additional incentive for businesses to incorporate these measures is to avoid the hefty fines contemplated by the bill. The provincial information watchdog, la Commission d’accès à l’information, or CAI, is likely to be conferred with new powers to impose, on businesses found liable for certain legal violations, fines of up to 25 million dollars or 4% of their annual turnover for the previous fiscal year, whichever is greater.
The proposed amendments and the inclusion of privacy by design are a welcome development, and the timing could not be better, as the pandemic has heightened the risk and incidence of bad actors obtaining valuable information from unsuspecting and vulnerable users. The impact of privacy controls on business could not be clearer. In a recent Cisco survey, the average spend on privacy by businesses across all major industries and a mix of all sizes was US$1.2 million, and the average benefit US$2.7 million. Over 70 per cent of respondents believe the use of data controls has allowed them to operate efficiently and to build loyalty and trust with consumers. In the UK, for instance, GDPR-related investments have paid off, with 62 per cent of consumers feeling more comfortable sharing their data with these laws in place.
Adopting privacy by design is no panacea to protect personal information, but it will help build a business’s reputation, offer a competitive advantage and establish accountability towards consumers and regulators. Whether or not the notion makes the final cut of the legislation, Quebec businesses are encouraged to incorporate it as part of their business practices.