Amidst that flurry of GDPR-related messages and emails about new website privacy policies you received leading up to May 25, you may have missed the fact that even more new regulations concerning data protection are coming.
May 25 was the date the General Data Protection Regulation came into effect in the European Union; any company or corporation that collects or stores the private data of European citizens must comply with the GDPR. That includes Canadian companies, be they start-up or multi-national: any company that collects data on an EU citizen must comply with the new rules. Stiff fines are the alternative.
And while the GDPR regs are said to be among the most stringent data privacy and protection rules in the world, Canadians are facing their own new set of rules. Make that new sets of rules.
On July 1 and November 1 this year, and again on January 1, 2019, separate data protection guidelines, guidances and regulations come into effect.
Canada’s Privacy Commissioner, Daniel Therrien, framed the new privacy guidelines with a serious warning: “We need to change our approach to privacy protection,” he said when speaking at the 10th annual International Association of Privacy Professionals (IAPP) Canada conference in Toronto last month. “The scale and pace of technology and their use are significantly preventing people from protecting their privacy.”
One reason people cannot protect their own privacy is that they are not aware or do not understand or have not read about how their data is being used.
That speaks to the issue of consent, a powerful concept that should not be taken lightly these days. Much like the GDPR itself, which stresses the importance of user consent, one set of new Canadian guidelines is all about obtaining meaningful consent: users must be given the information they need to clearly understand how their data will be used, and they must agree to that use.
The guidelines address several main elements that go into an informed consent process, starting with the need to give users clear choices to accept or reject any collection, use or disclosure of data that’s not absolutely necessary to provide a product or service. So there’s no need to get a customer to fill out a self-appraisal personality test just to get access to their social media page.
Even when a consumer does provide consent, the type of data collected should still be limited, the guidance stipulates, to purposes that a reasonable person would consider appropriate.
Therrien provided an example of inappropriate use, citing his office’s report about Bell Canada’s Relevant Ads Program. That program used a customer’s credit score information to coordinate delivery of targeted advertisements, and such data use was considered inappropriate.
Consent must also be obtained when making major changes to privacy practices, particularly changes to described uses of collected data, and individuals must be allowed to withdraw consent (subject to some contractual restrictions) should they so desire.
Each individual should also be able to control the level of data detail they consent to share or disclose. Any risk of harm and other possible consequences of data sharing must be clearly described to the user so that the consent they are asked to give is truly informed.
The Office of the Privacy Commissioner of Canada (OPC) will be applying this new consent guidance starting January 1, 2019.
Commissioner Therrien also announced at the IAPP conference the release of new guidelines on inappropriate data practices, and he described six “no-go zones” that his office considers outside the bounds of existing privacy rules such as PIPEDA.
Of course, the no-go zones include unlawful data collection, but also the use of data for profiling or discriminatory treatment, or that could cause significant harm.
The alarming trend in some corporate environments to request or require a person’s social media password for employee screening purposes is another no-go, as is the surveillance of an individual through that individual’s own digital device. (The latter point being more and more relevant these days, impacted as it is by new developments in smartphone tracking and long-standing issues in workplace monitoring.)
The OPC will begin to apply its new guidance on inappropriate data practices on July 1.
Then, on November 1, data breach provisions in PIPEDA will include new details specifying how a security breach must be reported to the Commissioner’s Office, how individuals affected by the breach must be notified, and the record-keeping requirements concerning the breach.
Describing his office and the new sets of data privacy protections it is enacting as “proactive”, Therrien also noted that the OPC will be acting on two key programs to support the new rules: one centred on privacy promotion and education for Canadians, and the other on compliance rights and responsibilities for Canadian companies.
Therrien said the OPC will soon name two deputy commissioners to help lead the programs.