The digital revolution has created a whole host of new questions regarding privacy, consent, and data protection. Globalization and the internet have brought the world closer than ever before, most notably for communications and international commerce. Canada and the United States, though close allies and mutually dependent trade partners, have vastly different approaches to privacy law, some apparent and some less so. How can businesses operating between these two nations comply with the laws of each and keep pace with a rapidly evolving area of law? We asked Peter Stockburger and Kirsten Thompson of Dentons to compare and contrast new privacy developments in Canada and the US and address some of the challenges they pose for companies.
How have American and Canadian jurisdictions approached privacy law reforms in recent years? Given the global nature of the internet, how have these changes affected companies operating internationally?
Canada: Canada has had private sector privacy laws of general application for 20 years. Many of these laws (provincial and federal) are being revised. The two driving forces behind such reforms have been:
(a) the need for Canadian privacy laws, although “technology neutral”, to keep pace with rapid and unanticipated developments in technology (e.g., internet of things, artificial intelligence); and
(b) the desire to maintain Canada’s “adequacy” status under European Union (EU) law, which allows personal data to be transferred to Canada from the EU without the need for additional measures such as Standard Contractual Clauses.
The recent proposed changes to Canadian privacy laws are generally neutral for companies with international operations; if they are compliant with the EU’s General Data Protection Regulation (GDPR), they will likely be largely compliant with modernized Canadian privacy laws. However, Canada is introducing significant fines and penalties in its modernized privacy laws, so companies’ risk has materially increased.
US: Data privacy laws and regulations in the US have historically been sectoral around areas such as financial services and healthcare. This trend is beginning to trend at the state level, with the passage of laws such as the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act of 2021 (CDPA). These new laws focus on providing consumers affirmative rights over their data and imposing more strict restrictions around how that data can be collected, used, and shared by covered organizations. The US is also seeing increased development around the use of biometric information and artificial intelligence. As organizations increasingly move to cloud-based systems, and the geographic lines begin to blur, keeping track of these shifting standards in the US, especially as it relates to the global data privacy landscape, is increasingly becoming a business-critical task.
Do data protection regulations differ substantially depending on whether the data comes from an individual or a corporate entity? Are there different standards depending on whether the service provider is customer-facing or B2B?
Canada: Canadian privacy laws apply only to natural persons (however, the situation can become less clear in the case of sole proprietorships, where the distinction between the individual and the business is blurred). Under current laws, an organization which collects the personal data is the accountable organization, and remains responsible for the personal information it transfers to service providers. It must be able to demonstrate that it has appropriate contractual language in place and that it exercises its contractual rights to audit, inspect, etc.
US: Generally, yes, there is a distinction. Under the CCPA, for example, B2B data is largely exempt. That said, under the data breach notification laws, B2B data may still be covered if it relates to an individual who is a resident of the particular state at issue. Thus, while B2B data may be subject to fewer restrictions and obligations under the newer data privacy laws being passed at the state level, such as the CCPA, CPRA, and CDPA, it still may cause issues and security requirements as it relates to cybersecurity more broadly.
Companies and apps have seen increased scrutiny from regulators and a rise in litigation from consumers over their privacy controls (or lack thereof). How do the approaches of American and Canadian courts and legislation compare to one another in dealing with these concerns?
Canada: Canada is a challenging jurisdiction for privacy defendants and litigants. On the one hand, Canada does not generally see damage awards in the millions of dollars; typically, settlement is achieved and it is usually in the order of hundreds of thousands of dollars. In addition, it was only last month that the first privacy action in Canada actually made it to trial on the merits. On the other hand, defendants in Canada may find themselves fighting class actions in several provinces at once, as Canada does not have a multidistrict litigation (MDL) provision. In addition, unlike in the US, the certification stage is less of a material step – the bar for certification in Canada is so low that almost everything is certified. However, some recent cases suggest the Courts may be interested in applying more rigour here, especially in the privacy context. In Quebec, Canada’s French-language, civil law jurisdiction, the combined effect of consumer protection laws and the Quebec Charter, plus a low bar for certification, makes it a favoured jurisdiction for plaintiffs’ counsel to commence an action.
In addition to common law privacy torts, and privacy statutes, a number of Canadian provinces have statutes which create a statutory tort, actionable without proof of damages.
US: Historically, data privacy enforcement and lawsuits have largely focused on the aftermath of a data breach wherein it would not be uncommon to see regulatory investigations by the Federal Trade Commission (FTC) at the federal level or state attorneys general. It is also not uncommon to see lawsuits, including class actions, against organizations alleging failure to maintain reasonable security, breach of contract, negligence, etc. Increasingly, those lawsuits and regulatory investigations are turning toward other areas of data privacy law such as the CCPA. Although we have not yet seen an enforcement action under the CCPA (and it’s too early for any such enforcement actions under the CPRA and CDPA), we have seen the CCPA used as the underpinning for tort and contract claims in lawsuits arising out of a data breach. And the CCPA also provides a private right of action in the event of a negligent data breach, allowing for statutory damages.
US data privacy litigation is also increasing in the areas of biometric information (e.g., Illinois), website tracking / wiretapping, and data scraping. With more states adopting stricter data privacy laws, this increase in litigation will only continue.
What are the major challenges for companies seeking to navigate the maze of different privacy standards? Is a one-size-fits-all approach preferable, or should different strategies be employed in different jurisdictions?
Canada: Within Canada, privacy harmonization for companies has not been difficult as federal and provincial laws are very similar. However, this may change. For instance, the proposed privacy law in Quebec, Bill 64, took a marked departure from Canadian law and the GDPR in respect of data localization within Quebec, and the requirement for granular consent. Globally, companies generally take one of two approaches to managing their privacy operations:
(1) comply with the GDPR and use that as the global standard, and either accept the risk of local non-compliance or achieve local compliance for items that are critical (e.g., personal liability for directors or officers for privacy violations of the company). This has the benefit of being uniform and cost-efficient; or
(2) develop a regional approach, with similar jurisdictions having similar privacy programs. This is more costly to develop and administer, but allows companies to benefit from greater leeway in data handling that may be available in some jurisdictions, which may permit a greater variety and scope of business and business development efforts.
US: In the US, one of the major challenges is determining whether an organization will only address the state data privacy laws as they crop up (i.e., California and Virginia), or whether they will take a more omnibus approach to privacy and look to implement more holistic solutions. As more states come online with their own version of a data privacy law, organizations should seek to be nimble in responding to the regulatory change and have policies and practices in place that can be adjusted as needed.
Another major challenge is getting a handle around vendors and third-party management. Oftentimes, an organization is as vulnerable as its vendors. It is therefore critically important to have full visibility into one’s vendors, including their contracts, to be able to determine where vulnerabilities may exist and where contracts may need to be tightened. Of course, if there is a federal data privacy law that pre-empts the state laws, that will ease compliance obligations.
What are some of the best practices that clients can use to protect their data and those of their customers or partners? Are there any hidden costs or subtle obstacles that you have observed that might not be obvious to firms aspiring for security and compliance?
Canada: One of the biggest issues is that US companies often assume that the Canadian privacy regime is just like the US regime (which until recently only had sector-specific privacy laws), and they just roll out their US programs into Canada. This almost always puts them offside Canadian privacy laws, and in violation of Canada’s anti-spam law (which, unlike the US’s CAN-SPAM Act, is opt-in and not opt-out).
Companies also often do not understand that the Province of Quebec has its own unique linguistic and legal approach and complying with the requirements in common law Canada may, in fact, put them offside a number of Quebec laws.
Companies should retain qualified counsel to assist them with their Canadian operations. In terms of best practices, companies should invest in a Canadian gap analysis to determine where they need to focus compliance efforts, and take steps to introduce the necessary privacy management program.
US: In the US, one of the best ways organizations can look to protect data in their possession is to ensure the security practices they employ line up with what is considered “reasonable” in the jurisdictions in which they operate. In California, for example, the Attorney General opined as late as 2016 that “reasonable” baseline security may mean alignment with the CIS Controls. Other organizations follow a NIST framework, or the ISO framework.
It is important for the organization to examine which framework makes the most sense for the organization’s industry and posture, and to reasonably secure the personal data in their possession. This may include increasing access controls, stepping up encryption, or ensuring that an organization’s vendors are engaging in best practices around the data they store.
How have the laws surrounding digital consent evolved over recent years in Canada and the US? How do you see it developing in the near- and long-term?
Canada: All jurisdictions in Canada have electronic commerce acts, which essentially declare electronic documents/signatures to be the equivalent of printed documents/‘wet ink’ signatures (with some notable exceptions), where required by law. In the common law context, unlike the US, there is very little law regarding digital consents (or digital contracts). The reality is that business practices have rapidly outpaced the development of the law, and digital commerce – including digital consent – is commonplace.
However, it is worth noting that some Canadian laws have specific form/substance requirements for consent: Canada’s anti-spam law has very specific requirements about the manner in which consent must be obtained, the language that must be used, and how consent must be documented, with significant penalties for a failure to comply. Canada’s privacy regime requires that consent be “meaningful”, which requires certain information be provided, “plain language” readability, accessibility, and in some cases, granularity of consent.
US: Despite the increasing changes in the US data privacy landscape, the US remains, in large part, a transparency jurisdiction. This means that consent is generally not considered a gatekeeping requirement to collect and use data. There are, of course, a number of exceptions to that general rule (most notably including minors, and where new data uses may be contemplated).
Consent, however, does play an important part in the US data privacy regulatory landscape. Under the CCPA, for example, consent may allow the organization to exempt a particular data flow from the definition of “sale.” Consent may also be required under the new CPRA and Virginia law in the event of a new data usage not contemplated by original notices. And consent is important with other types of privacy laws and regulations in the US, such as those dealing with minors. Organizations should therefore map their regulatory obligations and build in consent where it makes sense from a business risk perspective.
Do you have any other insights on helping clients navigate the privacy law landscape post/during COVID?
Canada: The Canadian privacy landscape is undergoing a significant shift, and the next two years will see changes to the Quebec privacy law, the British Columbia privacy law, and Canada’s federal privacy law. In all cases, there will be a move towards harmonization with Europe’s GDPR, at least in principle. In its most recent Budget, the Canadian government announced millions of dollars allocated to various digital initiatives.
While many of these initiatives are government-focused (e.g., digital accessibility to government services), many will impact businesses. For instance, the Budget allocated funds ($17.6 million over five years, starting in 2021-22, and $3.4 million per year ongoing) to the establishment of a new Data Commissioner who “would inform government and business approaches to data-driven issues to help protect people’s personal data and to encourage innovation in the digital marketplace.” This is in addition to the already existing Privacy Commissioner.
US: The data privacy landscape in the US is rapidly changing. At the state level, dozens of states have introduced new privacy bills in this legislative session. Whether and to what extent those bills pass remains an open question. There are numerous bills pending at the federal level. Data privacy and cybersecurity compliance will increasingly become a business-critical function in the US, so it is important to map your data now, understand your existing obligations, and think strategically about how to position yourself for future changes in the law.
***
Kirsten Thompson is a partner at Dentons in Toronto and leads the Transformative Technologies and Data Strategy group, which focuses on privacy, cybersecurity and data management. Kirsten’s practice has a particular concentration in data-driven industries and disruptive technologies, and she is a leading practitioner in areas such as Fintech, digital identity, Open Data/Open Banking, vehicle telematics and connected devices and infrastructure, Big Data/data analytics applications and enterprise data strategy.
***
Peter Stockburger is a partner at Dentons in San Diego and is a member of the Firm’s global Employment and Data Privacy & Cybersecurity Groups. His practice focuses on the unique intersection between cybersecurity, data privacy, employment law and complex litigation. Peter regularly advises clients on a range of cutting-edge legal issues, including global data privacy compliance, cybersecurity resiliency and preparedness, trade secrets, and privacy and security litigation. Peter is a frequent speaker and author in the areas of privacy, cybersecurity, and employment law, including with groups such as the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia and the US Cyber Institute at West Point.