It’s shaping up to be a busy summer for data privacy developments in North America. Not only did the US demonstrate a potential roadmap towards bipartisan support of federal privacy legislation when lawmakers published a discussion draft, and follow-up amendments, to the proposed American Data Privacy and Protection Act (ADPPA), but the Canadian government also introduced new federal privacy legislation – the Digital Charter Implementation Act, 2022 – in Parliament which could bring about sweeping changes to the country’s private sector privacy law, PIPEDA.
With momentum gathering behind tougher data privacy measures, the direction of travel in North America seems clear: more robust GDPR-like privacy rules, backed by stronger enforcement mechanisms, are coming in the US and Canada as part of a global push to modernize privacy laws to keep pace with digital transformation. For companies doing business in North America it is therefore a matter of when, not if, they will have to operate under that changed regulatory environment. Data-driven companies can get ahead of these changes now, or they can retrofit their operations later, at greater cost, as they try to catch up once the changes take effect.
So, whether your company is based in North America, or it’s based elsewhere but has operations in the US or Canada, here’s what you need to know…
Canada seeks to strengthen data protection and trust in the digital economy
Modernizing and extending Canada’s federal data privacy legislation has been top of mind for quite some time, so it would come as no surprise to see new regulations taking effect before any further movement in the US. In June of 2022, the Canadian government introduced the Digital Charter Implementation Act, 2022, which is essentially a three-part law focused on:
- Increasing Canadians’ control over their personal data and how it is handled (Consumer Privacy Protection Act – CPPA)
- Introducing a tribunal to enforce the CPPA (Personal Information and Data Protection Tribunal Act)
- Identifying, assessing and mitigating risks of harm and bias in AI systems (Artificial Intelligence and Data Act)
These laws, taken together as one Act, would significantly strengthen the country’s private sector privacy law and enforce new rules around data-led innovation. The simple idea being that, as technology continues to evolve, the privacy of Canadians should be protected at all times, while still allowing business innovation to flourish by laying out defined boundaries for responsible data use.
How would Canada’s new privacy bill impact business?
If passed, the Digital Charter Implementation Act, 2022, would hold companies accountable for data practices and issue impactful penalties for non-compliance. Here are five specific takeaways to be aware of:
- GDPR-like distinction between de-identified and anonymized information: The Act distinguishes between “de-identified” data and “anonymized” data. It clarifies that de-identified data remains personal information (subject to some exceptions) and sets out the limited circumstances in which de-identified information may be used to identify an individual. Organizations may, however, use de-identified personal information without consent for internal research, analysis and development purposes. Helpfully, “anonymize” is defined as “to irreversibly and permanently modify personal information” to the extent that it is impossible to re-identify individuals according to “generally accepted best practices”; anonymized data falls outside the scope of the CPPA. The practical consequence is that the burden of proof sits with the organization: data is only out of scope if it can show the anonymization actually meets that irreversibility standard, not merely that direct identifiers have been removed.
- Establishing measures for AI: Organizations using anonymized data for their AI systems will have to establish measures for how their data is anonymized and have a record showing the management and use of that anonymized data.
- Responsibility for risk assessment: If companies are responsible for a high-impact AI system, they will be required to establish measures to identify, assess and mitigate risks.
- Accountability and safeguards: the Act outlines specific guidance on when exactly an organization “controls” personal information. In such cases, it not only requires the organization to consider the sensitivity of the information, but states that they must protect this information through physical, organizational and technological security safeguards.
- Penalties for non-compliance: Administrative monetary penalties would be up to 3% of gross global revenue or CAD 10 million (whichever is greater), rising to up to 5% of gross global revenue or CAD 25 million (whichever is greater) for the most serious offences.
What’s the latest in the US?
On June 6, 2022, US lawmakers published a bipartisan bill which, if passed, would pre-empt most recently enacted state privacy laws and become the all-encompassing federal data privacy law. While the full scope of the proposed American Data Privacy and Protection Act (ADPPA) sits at the center of much debate right now, what businesses should look at closely are the evident parallels with both the proposed Canadian legislation and the GDPR. Pointing to cross-continent alignment, the draft provides that:
- Companies must have a clear basis for all processing of personal data and an evidence-based defense for certain uses of personal data or for uses of certain more sensitive data.
- De-identified data would fall outside the scope of the legislation, provided that reasonable technical measures have been taken to prevent re-identification and that the organization has publicly committed to a number of outlined stipulations, such as not attempting to re-identify individuals and contractually binding recipients of the data to the same commitments.
- The Federal Trade Commission (FTC) would be given further powers to enforce the legislation; this would require businesses to implement a number of operational changes to ensure compliance. In addition, companies would need to be able to demonstrate how they address privacy risk and have an auditable trail of compliance to support their approach.
Why privacy technologies will play a pivotal role in the future of business
If we are to learn anything from the data-driven leaders that tackled GDPR head-on, it’s that privacy can fast become an enabler of growth and innovation when you harness privacy-enhancing technologies to future-proof data strategies. For example, replacing manual and error-prone privacy processes with software that automates and standardizes auditable risk assessments across your business is one way to get data moving quickly and safely. Using intelligent de-identification software to make data available to developers or analysts speeds time to insight while also allowing you to demonstrate that effective technical measures are woven into your data processes. And investing in advanced anonymization solutions can take data out of the scope of regulations such as the Digital Charter Implementation Act, 2022, the ADPPA or the GDPR, opening up data that would otherwise be off limits. The caveat is that this only holds where the anonymization genuinely meets the statutory standard: residual re-identification risk (for example, from linking the data with other available datasets) has to be assessed, documented and re-checked as the data and its surroundings change, since data that turns out to be re-identifiable is still personal information.
GDPR-inspired modernization sets the standard
Since shaking up the EU in 2018, the GDPR has set the global standard for the protection of personal data. Four years on, it is clear to see how the GDPR has revolutionized data-centric business, so it’s logical that North America would follow suit with a more aligned approach to data protection that would benefit international business and facilitate innovation in a highly connected global market.
Much like the EU, Canada and the US seem set on holding companies accountable to more stringent data protection practices to curb consumer concerns over tracking and surveillance. As such, they are outlining new ways of working with data that stem from the data minimization principle and a privacy-by-default approach to business operations.
So… how can you prepare for change without feeling overwhelmed?
If your business hasn’t already taken steps to address the unfolding privacy developments in the US and Canada, or tracked how these proposed laws play into a wider pattern of change, now is the time to look at globalizing your approach towards responsible data use. Without doubt, we will continue to see commonalities in privacy laws on a global scale as countries seek to align international standards to support market access for businesses operating under their jurisdictions.
Whether or not you have someone responsible for privacy within your organization, the time to look towards a trusted privacy partner is now. Privacy technology providers, like Trūata, can help you to understand the impact of privacy laws on your organization and to implement a plan of action that keeps you focused on analytics while the privacy concerns are seamlessly taken care of.
To start the conversation and address your specific pain points, contact us today to engage with one of our experts.