In the last year there has been a good deal of activity, and debate about how the frameworks should evolve, regarding privacy and anti-spam law in Canada. To keep you in the loop, here is a roundup of what I consider the five hottest topics affecting marketers and brands in Canada.
- Facebook / Cambridge Analytica Scandal
- Reform progress of Canada’s Anti-Spam Legislation (CASL)
- A call to modify digital privacy rules in Canada
- The introduction of GDPR
- New incoming provisions under PIPEDA
1. Facebook / Cambridge Analytica Scandal
It is alleged that Cambridge Analytica, a data analytics firm, acquired data on up to 87 million Facebook users from Aleksandr Kogan, a U.K.-based academic, who collected it through a third-party survey app. The app harvested not only the profiles of the people who took the survey but also those of their Facebook friends. Purportedly, this data could be used to help political advertisers target their ads more precisely during elections.
No evidence has been presented publicly showing that this incident was a data breach or a violation of United States law by Facebook. Apart from what respondents typed into the survey itself, the identifiable data the app collected was data that respondents and their friends had already shared with Facebook, and that Facebook's platform permissions of the time made available to third-party apps. The security-relevant point is therefore one of permission scope and downstream use, not of an intrusion into Facebook's systems.
To me, the story breaks down constructively into two broader thoughts, each of which deserves its own examination and discourse:
First, consent versus informed consent. Facebook users likely provided consent in the technical sense (by agreeing to the standard Terms of Service), but many likely did not understand the extent to which their data could be used. In other words, most users ostensibly did not provide informed consent. More parts of the world are examining and implementing stronger privacy measures to ensure that consent, when given, is informed. For instance, the European Union's GDPR imposes stricter requirements on how certain personal data is handled, so that users understand how it will be used.
The second broad thought worth examining is Facebook's role and responsibility in the matter, given the large backlash it received once the story broke. Although the story squarely involved Facebook, admonishing Facebook alone is too narrow a view to be constructive or to appreciate the breadth of the situation. As noted above, nothing public indicates that this was a data breach or a violation of United States law. Further, Facebook was likely operating in line with prevailing industry practice, since many of its competitors had similar practices around acquiring consent and using data. The problem for an organization like Facebook (or any similar group) is that if it voluntarily makes unilateral changes to how it manages data, in a way that is uncommon among its competitors, it may become less competitive and will predictably earn less profit as a result.
Jim Balsillie, a former Chair of the Council of Canadian Innovators and founder of RIM, said this at a recent House of Commons ETHI committee meeting:
“The Cambridge Analytica and Facebook scandal is not a privacy breach, nor is it a corporate governance issue. It’s not even a trust issue. It’s a business model issue based on exploiting current gaps in Canada data governance laws.”
The Facebook / Cambridge Analytica scandal is ongoing, but keeping these two broad thoughts in mind can help keep things in perspective and keep the discourse constructive on how to make an increasingly data-driven society better for all.
2. Reform progress with Canada’s Anti-Spam Legislation (CASL)
In October 2017, the House of Commons INDU Committee concluded its statutory review of CASL (pursuant to s. 65 of the Act). At its conclusion, the committee released a report titled Canada's Anti-Spam Legislation: Clarifications Are In Order. The report makes apparent that there is much uncertainty among INDU members as to whether CASL, in its current form and as applied to date by government, is fulfilling its intended goals. The report also asks the government to provide a response.
In May 2018, Hon. Navdeep Bains, Minister of Innovation, Science and Economic Development, responded to that request with a five-page letter. Here are three takeaways:
First, Bains acknowledged that there’s an issue with CASL, writing, “…the government must now work with a diversity of stakeholders to identify concrete solutions that will ensure that the CASL strikes the right balance to achieve these goals”.
Second, Bains stated that an improved version of the private right of action (PRA) will be considered, including "… whether awards of damages should be based on proof of tangible harm", with any such consideration aimed at ensuring the legislation is "effective, balanced, and delivers for Canada."
Third, Bains noted that there’s a desire to reach “clarification” to many aspects of the Act.
Bains's view that CASL has issues in its current form, and his desire to see it correctly balanced, seem further corroborated by his response to a London Chamber of Commerce letter written by its CEO, Gerry Macartney, and me (acting as the organization's President and Chair for the 2017/2018 fiscal year).
CASL can be improved to be easier for companies to comply with while still protecting consumers. Reforming the Act while still protecting consumers isn't particularly difficult at this point. Well regarded and reasonably consistent recommendations have been put forth by groups such as the Canadian Chamber of Commerce, Lighten CASL Inc., and the Coalition of Business and Technology Associations (made up of 13 significant associations in Canada), among others (full disclosure, I've participated to date to some degree with all three groups). Balancing the Act may be more a matter of political courage; however, if the government tackles this topic sincerely and in the interest of improving Canada's economy while still protecting consumers, then government, consumers and our economy will all fare just fine.
Efforts by certain stakeholder groups are ongoing to better understand Bains's and ISED's next steps to "ensure that the CASL strikes the right balance to achieve these goals", and to work with the government where appropriate to help strike that important balance.
3. The Introduction of GDPR
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into force, replacing on the same day its predecessor regime, the Data Protection Directive (officially Directive 95/46/EC).
The GDPR is legislation that sets out requirements for how companies collect and handle personal data and how they communicate digitally with their users.
GDPR affects Canadian brands that interact with European users (e.g., prospects, vendors, customers, users on their websites, etc.).
Some key tenets include:
- Users must know the purpose for which their data is collected.
- Companies can’t collect more user information than is reasonably necessary.
- Companies can’t hold onto user information longer than is reasonably necessary.
- If data is to be used for a purpose other than the one for which the company obtained it, the company must obtain consent from the user for the new purpose (unless the new purpose is compatible with the original one).
- Users may request access to their data and have it corrected by the company. This right is considered fundamental but not absolute, meaning users can't change their data in every case (e.g., a customer can't get out of a legitimate contractual obligation by changing their data).
- Users have the right to have their data erased (again, this right is fundamental but not absolute in every instance).
- More sensitive data (e.g., ethnicity, political affiliations, sexual orientation, etc.) requires users to opt in explicitly before it can be used for business purposes.
One of the eye-openers for brands around the world is the stiff fines that GDPR can impose on companies that violate the legislation: up to €20 million or up to 4% of a company's worldwide annual turnover for the preceding financial year, whichever is higher.
Despite GDPR being known as the most rigorous privacy regime in the world, it is worth comparing its stance on opting in to commercial email lists with CASL's. Under CASL, regulators have basically stated that an unchecked check box, which the user must tick to form express consent, is the standard example of a compliant mechanism. Under GDPR the picture is similar rather than looser: Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent, so a pre-checked box that the user fails to untick does not produce valid GDPR consent either. Where EU companies can email without a ticked box, it is under the separate ePrivacy rules for existing customers (a "soft opt-in" with an opt-out), which is broadly comparable to CASL's implied consent for an existing business relationship. In practice, a brand building one consent mechanism for both regimes should treat an unchecked box, affirmatively ticked by the user, as the baseline.
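As an added illustration (not code from the original post), the following checks a marketing-consent checkbox submission the way the paragraph above describes: a box rendered pre-checked is rejected as an opt-out pattern, and only an affirmative tick on an unchecked box is recorded as express consent, together with the purpose, time and source that a brand would need to evidence that consent later. The form field and metadata are modelled as plain objects so the code runs under Node without a browser; the field names and sample values are assumptions for the example.

```javascript
// Added example, not part of the original post. Decides whether one
// checkbox submission can be recorded as express consent to commercial
// email, in the CASL / GDPR sense discussed above.
//
// field: { defaultChecked: bool, checked: bool }
//        (state the box was rendered in vs. state the user submitted)
// meta:  { purpose: string, submittedAt: ISO-8601 string, source: string }
// Returns { express: bool, reason: string, record?: object }.
function evaluateConsent(field, meta) {
  // A pre-checked box gives no evidence that the user did anything:
  // silence, pre-ticked boxes or inactivity are not consent under GDPR
  // Recital 32, and CASL regulators point to an unchecked box as the norm.
  if (field.defaultChecked) {
    return { express: false, reason: 'pre-checked box: no affirmative act by the user' };
  }
  if (!field.checked) {
    return { express: false, reason: 'box left unchecked: no consent given' };
  }
  // Consent is only as good as the record that proves it later, so refuse
  // to record it without the purpose, the time and where it was captured.
  if (!meta || !meta.purpose || !meta.submittedAt || !meta.source) {
    return { express: false, reason: 'missing purpose, timestamp or source: consent cannot be evidenced' };
  }
  return {
    express: true,
    reason: 'affirmative act on an unchecked box',
    record: {
      purpose: meta.purpose,
      submittedAt: meta.submittedAt,
      source: meta.source,
      defaultChecked: false,
      checked: true,
    },
  };
}

// Constructed sample submissions (assumed, not real data).
const weakForm = { defaultChecked: true, checked: true };    // opt-out pattern
const strongForm = { defaultChecked: false, checked: true }; // express consent
const sampleMeta = {
  purpose: 'monthly product newsletter',
  submittedAt: '2018-06-01T12:00:00Z',
  source: 'signup-form-v3',
};

console.log('pre-checked box:', evaluateConsent(weakForm, sampleMeta));
console.log('unchecked, ticked by user:', evaluateConsent(strongForm, sampleMeta));
```

The point of keeping `defaultChecked` in the record is that an auditor asking "was this opt-in or opt-out?" can be answered from the stored evidence rather than from memory of which form version was live at the time.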
4. A call to modify digital privacy rules in Canada
The introduction of GDPR created much discussion among Canadian lawmakers, since certain provisions restrict transfers of personal data to jurisdictions whose privacy regimes are not materially as stringent as GDPR. In 2017, the House of Commons ETHI Committee went through an almost year-long review of PIPEDA to ensure its framework remains relevant in its current form. In a February 2018 report titled Towards Privacy by Design, which recapped this process, GDPR was cited on several occasions, the thrust of the questions being whether PIPEDA, in its current form, would be considered sufficient by European regulators for data held in the EU to be transferred to Canada, or whether amendments should be made to the legislation. The report hinted at some uncertainty on the first half of that question, and the consensus among the committee was that some amendments to PIPEDA may need to occur. (For clarity, Canada's adequacy decision for organizations covered by PIPEDA dates from 2001 under the Directive and continues to apply under GDPR; the committee's concern was whether it would survive a future review.)
On June 19, 2018, the ETHI Committee released a follow-up report titled Addressing Digital Privacy Vulnerabilities and Potential Threats to Canada's Democratic Electoral Process. Whereas the February 2018 report was written before the Facebook / Cambridge Analytica scandal, this report, as noted in its Preamble on page 3, is a study in response to the scandal and the "broader privacy implications of platform monopolies, which play an outsized role in our daily lives".
Among the report's recommendations: strengthening the powers of the Privacy Commissioner of Canada; new laws that create greater transparency for political advertising; and reforming PIPEDA to align it more closely with the GDPR.
5. Incoming new provisions under PIPEDA
Confirmed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), originating in the Digital Privacy Act (which received royal assent on June 18, 2015), are set to come into effect on November 1, 2018. For clarity, some aspects of the Digital Privacy Act already came into effect earlier (e.g., "valid consent"); the remaining provisions come into effect this November. These new provisions largely concern mandatory breach reporting, notification and record-keeping.
Some key takeaways for Canadian brands include:
- Mandatory reporting to the Privacy Commissioner, and notification of affected individuals, when it is reasonable to believe that a breach of security safeguards "creates a real risk of significant harm to an individual."
- Regarding the preceding bullet point, significant harm is defined in the Act as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Whether the risk is "real" is assessed from the sensitivity of the information and the probability that it has been, is being or will be misused, so the same lost record can be reportable in one context and not in another.
- Under s. 10.2(1), when a business notifies individuals of a breach it must also notify "any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm…"
- Under s. 10.3(1), organizations must keep "a record of every breach of security safeguards involving personal information under its control." Note that this record-keeping duty applies to every breach, not only those that meet the real-risk-of-significant-harm threshold for reporting, so an incident-handling process needs a logging step that runs before the harm assessment, not after it.
A world where users are aware of how their data is used, and businesses operate with a sufficient duty of care around that data, is a good thing, especially with technologies such as the Internet of Things (IoT) and artificial intelligence (AI) on the brink of becoming mainstream. With regimes like GDPR, CASL and PIPEDA all affecting Canadian businesses to some degree, the need for companies to stay on top of digital privacy and anti-spam law is greater than at any point in our history.
The challenge lawmakers face is to ensure that laws don't stifle innovation or competition, as we have seen with CASL, and to resist the urge for political knee-jerk reactions when the mass media lament scandals like Facebook / Cambridge Analytica. Instead, the government should remain disciplined, mindful and progressive in digging deep into these multi-layered, complex topics; the focus should always be on finding the balance between protecting our citizens and fostering Canada as one of the leaders in the digital economy.
A great, competitive nation wouldn’t settle for anything less.