Please see Privacy Part I to learn about the basics of privacy law, personal information, handling personal information, and how to assess if your business is complying with the privacy laws. If your business handles any personal information (including anyone’s name or email address), you should be thinking about your privacy responsibilities now.
Privacy laws in Canada are not all the same: some apply to all organizations that engage in commercial activities (including charities and not for profits when they sell, barter, or lease membership lists, for example), while others do not have a commercial requirement to be applicable, and some are limited to just one type of personal information (such as personal health information).
In this blog, we focus on how privacy laws apply to businesses, and specifically, to businesses that collect, use or disclose personal information in the course of a commercial activity. It does not matter what size your business is. What matters instead is: whether or not you handle personal information, and if you do, whether you are handling it in accordance with privacy laws.
Today’s blog was co-written by Karen Yamamoto, a commercial lawyer in Montreal specializing in privacy and technology law and the Co-Founder of Executive Counsel Group – Linkedin: https://ca.linkedin.com/in/karen-yamamoto-905ba9a
1) What is the risk to my business if I don’t comply with Canada’s privacy laws? Are there penalties?
If you delay complying with privacy laws, penalties may be imposed for violations. The penalties for privacy law violations differ based on jurisdiction and the type of offence. For example, under current Quebec and federal privacy laws, the maximum penalties range from $10,000 to $100,000 depending on the circumstances. In fact, privacy laws are in the process of being overhauled, and some of the proposed changes could see penalties go as high as 5% of global revenue or $25 million Canadian for serious violations.
2) Examples of violations of privacy laws.
Here are three examples of how small or medium businesses could violate privacy laws:
Jane is the owner of an architectural firm in Saskatchewan and hired Armanda, an HR consultant, to handle the recruitment of new junior architects for the firm; Armanda reviewed resumes of several people through her consulting business’ email system.
Armanda had just copied a policy that applied to a business totally different from her own. Jane then asked Armanda what specific steps Armanda’s business took to protect personal information, and what Armanda would do if a job applicant withdrew their consent regarding the use of their personal information. Armanda was only able to say, “we keep all client information confidential.”
Is Armanda’s approach enough? Unfortunately, no. She does not have an applicable policy, she seems to confuse confidentiality with privacy, and she does not seem to understand that once consent has been withdrawn, she is generally required to stop handling the personal information of a person.
b) Not obtaining a “meaningful consent” when required: The small tech company who shared a mailing list.
A small tech company in Ontario collects personal information from users including name and sensitive banking information. Express consent is obtained (via an opt-in “click” on its website) to collect and use the information for the purpose of “providing the software product”.
The tech company also shares this information with affiliate business partners (for joint marketing efforts). But their website does not mention this.
Consent remains key under Canadian privacy laws. This Ontario company breached privacy laws. You cannot get “meaningful consent” if you don’t tell people what you are really doing with their personal information. “Meaningful consent” means that individuals understand:
- What personal information of theirs you are collecting;
- With whom you are planning to share the personal information;
- Why you are collecting their personal information; and
- The risk of harm to the individuals and other consequences of the collection, use or disclosure of personal information to which they are consenting.
c) No data breach reporting process in place: The Dentist’s office that did not report a breach.
A dentist’s office in Manitoba gets hacked. Only one individual’s personal information (financial and sensitive medical information) was accessed. Given that security was tightened immediately after the incident and only one person was involved, the IT administrator decided nothing further was required to be done. The dental clinic had no data breach reporting process in place and as a result, IT did not inform anyone else of the breach.
Actually, the dental business could face penalties. Why?
Because in most provinces, an organization must record any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of security safeguards or from a failure to establish those safeguards. If there is a real risk of significant harm to an individual because of the breach, notice would have to be provided to the individual and the applicable Privacy governmental authority and in some cases, other organizations. Failure to do all of these things could result in penalties.
- Did you get proper consent from the individual whose personal information you have?
- Have you trained your employees on the proper handling of personal information?
- Do you have a process or system to record all data breaches?
- Do you have proper contracts in place? For example:
  - With employees: to ensure that they will protect the information that they handle?
  - With suppliers: to ensure that they will (for example):
    - protect the information you share with them, in the same way you would;
    - use the information only for the permitted purposes; and
    - allow you to audit them to ensure compliance.
- you may violate copyright laws by copying someone else’s work!
- someone else’s policy may not be in compliance with the privacy laws of your jurisdiction.
5) I want to do the right thing. How do I actually know if my employees and company systems are adequately complying with Canadian privacy laws?
“Doing the right thing” here depends on the facts of your situation. A company that only collects a customer’s name and phone number will have very different obligations compared to a company that collects, uses and shares sensitive personal health and financial information via a third-party platform provider.
“Doing the right thing” usually involves a due diligence privacy audit to identify any gaps and risks. If identified, you may then need to obtain special software, implement more robust safeguards, create policies and processes and/or train staff.
6) At this stage in my business, I don’t think I can afford to hire someone to do an assessment of my business data privacy needs and risks. Are there any DIY options?
There are excellent free resources for businesses available on the Internet. A good first step would be to do a self-assessment for privacy law compliance using tools such as the one on the Canadian Privacy Commissioner’s website: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pipeda_sa_tool_200807/.
7) What is GDPR? I keep hearing about it.
GDPR is a big topic and is beyond the scope of today’s blog. It stands for the General Data Protection Regulation.
The short answer: If your business is handling the personal information of individuals in the European Union, and at least one of the 3 scenarios below applies to your business, then GDPR may also apply to your business. In that case, meeting the standards of Canada’s privacy laws may not be enough.
GDPR would likely apply to your business if:
- You are established in the EU and process personal information in the context of your business activities;
- You process personal information in connection with your offering of goods and services (even without charge) to individuals in the EU, for example, through your website or mobile app; or
GDPR is considered to be the toughest set of privacy laws in the world. However, as we noted above, some privacy laws in Canada are under review and could follow in the footsteps of the EU and GDPR and create one of the strictest data protection regimes in the world. Stay tuned!
8) Additional resources
There are many elements of privacy that an SME should be aware of including: how to obtain consent, how to train your employees and when to report data breaches to authorities.
If you have any questions, reach out to Karen Yamamoto, an experienced Privacy lawyer, directly at firstname.lastname@example.org.
Amee Sandhu has been a business lawyer in Ontario for 20 years. She created Lex Integra Professional Corporation in 2019 and focuses exclusively on business law and corporate ethics.
The purpose and contents of this blog is to provide information only, and it does not constitute legal advice. Reading this blog does not create a solicitor-client relationship between the reader and Amee Sandhu, Lex Integra, or any of the guest lawyers who co-write these blogs.
It is recommended to engage (hire) a lawyer if you require or are interested in legal advice.