With Bill C-27 adopted at second reading in the House of Commons on 24 April, we are another step closer to a new federal private-sector privacy law by the end of 2023. No matter its size, this new law will affect every business in Canada.

All private sector businesses in Canada must comply with the Personal Information Protection and Electronics Document Act (PIPDEDA) or a similar provincial law to protect the personal information collected from employees and other individuals for business purposes. Enacted in 2000, PIPEDA has been long overdue for a major update and overhaul.

Bill C-27 – Background

In 2000, less than 7% of the world was online, and there were 740 million cell phone subscriptions worldwide. Today, more than half the global population has access to the internet, and there are now more cell phones than people, with numbers estimated to be at more than 8 billion. Apple introduced the iPhone in 2006, which started the smartphone trend. We now can’t live without a phone that allows us to text, check email, surf the internet, take pictures, listen to music, post social media updates, play games, and access other applications.

This technology has its benefits but has also made our personal information more vulnerable to identity theft and other risks. We gave away a lot of our personal information without understanding the consequences. Some companies used our information for other purposes or shared and sold it to other companies. Some did not have adequate safeguards to protect them from people with malicious intent. Meanwhile, governments and politicians were slow to enact or update privacy laws to keep pace with new technologies and risks.

The passing of Bill C-27 will strengthen Canada’s privacy sector privacy law. PIPEDA will be replaced with the Consumer Privacy Protection Act (CPPA) to ensure that the personal information of Canadians will be more protected and businesses have clear rules to follow as technology continues to evolve. Significant changes include:

• increasing control and transparency when organizations handle personal information;
• establishing stronger protections for minors;
• ensuring that Canadians can request disposal of their information when it is no longer needed;
• providing the Privacy Commissioner of Canada with broad order-making powers; and,
• establishing significant fines for non-compliant organizations.

C-27: Changes Your Business Should Be Aware of

British Columbia’s private sector organizations will need to comply with the CPPA until our provincial law catches up. The two main critical changes proposed in the CPPA that you need to know about and prepare for are:

1. Mandatory privacy management programs. Every organization must implement and maintain a privacy management program that includes policies, practices and procedures.
2. Fines for non-compliance. Every organization that knowingly contravenes the law or that obstructs the Commissioner in the investigation of a complaint, in conducting an inquiry, or in carrying out an audit is either:
   • Guilty of an indictable offence and liable to a fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue
   • Guilty of an offence punishable on summary conviction and liable to a fine not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue

Fines are based on the financial year before the one in which the organization is sentenced.

It is now a priority to ensure you have a privacy management program in place by the time the CPPA is enacted. If you do not have one, I recommend you get started by reading Getting Accountability Right with a Privacy Management Program jointly developed by the Offices of the Privacy Commissioners of Canada, British Columbia and Alberta.

Being an accountable and compliant organization has many benefits. Those who have already implemented privacy management programs have:

• reduced internal risk through privacy policies, practices and training;
• mitigated or avoided external risk through risk assessment tools and service provider management;
• improved physical, administrative and technical safeguards;
• gained trust through more effective external communication; and,
• developed a strong privacy culture.

Marilyn Sing, CIPP/C

Principal Consultant, IPP Consulting

To help small businesses ensure they have an effective privacy management program that meets regulatory requirements, Marilyn has developed a set of ten online courses. Each course provides:

• guidance for a program control or component;
• templates and tools to customize for your business; and,
• up to an hour of privacy consulting.

The consulting time covers review and approval of practical course assignments and answering any questions you may have about meeting compliance. For more information: https://www.privacyoffice.ca/privacy-training/

Small Business BC is Here to Help

SBBC is a non-profit resource centre for BC-based small businesses. Whatever your idea of success is, we’re here to provide holistic support and resources at every step of the journey. Check out our range of business webinars, on-demand E-Learning Education, our Talk to an Expert Advisories, or browse our selection of business articles.