“This is not good! Worlds are colliding!”


So I thought, as my Saturday night hockey TV viewing experience was rudely interrupted by a commercial promising that “Data may be the new gold, but that doesn’t mean it should be for sale.”


Like all good advertising, though, the commercial stuck in my head. And on further reflection, it’s actually pretty significant that the things I see, as a data privacy and tech lawyer, are making their way into mainstream media viewing.


The fact is that data really is gold. The costs of many of the services we consume are now subsidized (sometimes, quite significantly) by the commercialization of the data we feed into those services.


You, me, or other consumers might not be particularly fussed about this. Data protection authorities, on the other hand, are taking great interest in how data is being commercialized, particularly where that data is capable of identifying the individual to whom it is attached.


This regulatory interest is not going away. While legislative reform in Canada has been a slow process, a fundamental overhaul of our private sector privacy laws continues to move through the legislative process.


The proposed new law, Bill C-27 (which includes the Consumer Privacy Protection Act), will bring Canada in line with so-called “third generation” privacy laws, such as the EU’s General Data Protection Regulation (or GDPR).


One of the notable aspects of Bill C-27 is its significantly more stringent enforcement regime. Unlike our current federal privacy law, penalties under the Consumer Privacy Protection Act will hurt. A lot!


The regulatory angle aside, consumer interest in, and expectations of, privacy practices are also increasing. This stuff matters, more than ever.


What does that mean for your business?


A couple of thoughts based on what I’ve seen in the trenches.


Privacy management should be proactive, not reactive. That manifests itself in a number of ways, from the design stage all the way to day-to-day operations and retirement of products and services.


If you are calling someone like me to respond to a privacy problem, it’s probably already too late.


We also know that significant privacy regulation is coming, and it’s only a matter of time.


While any privacy plans might be written in pencil, at least until Bill C-27 is finalized and passed by Parliament, my take-home message to you on this year’s International Data Privacy Day is to turn your mind toward your business’s information flows, and to build (or augment) a detailed inventory of everything you are doing with personal information (collection, use or disclosure).


As and when the exact contours of Bill C-27 become clearer, this will put you in a position to respond and make whatever adjustments might be necessary. It will also help you align with consumer expectations, to the extent you aren’t already doing so.


Andrew Buck is a Partner at Pitblado Law, whose practice areas include privacy, access to information and technology. Please contact Andrew for more information about this, or any other privacy, access to information or technology matter.


Note: This article is of a general nature only and is not presented as a comprehensive review of the law or as being exhaustive of all possible legal rights or remedies. This article is not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice applicable to their own circumstances. We do not undertake any obligation to update this article to reflect changes in law that may occur in the future.