Preparing for Canada’s proposed privacy legislation

Chris Pitcher, head of cyber for Arch Insurance Canada, answers key questions on the proposed Bill C-27 and how organisations can best position themselves for success.

What is Bill C-27, and how can Canadian businesses leverage their compliance with this proposed legislation to manage risk and remain competitive?

Bill C-27 is Canada's proposed legislation aimed at modernising privacy laws and maintaining its adequacy status with the EU's General Data Protection Regulation. The bill addresses modern data collection practices, seeks to better protect against breaches and misuse, and safeguards vulnerable demographics including minors. By aligning with global data protection standards, Bill C-27, if brought into law, will allow Canadian businesses to remain competitive while leveraging their compliance in partnership with insurance providers to manage risk in this new landscape.

What are the new requirements under Canada’s updated privacy legislation, and how do they impact data handling practices?

The proposed privacy laws introduce multiple mandates aimed at strengthening data handling practices, including a call for robust privacy management programmes, transparent data collection and usage, and new and expanded powers of enforcement for the Office of the Privacy Commissioner (OPC). The impact of these proposed requirements on data handling practices could be profound for organisations that handle personal data, especially those that have not adhered to, or have fallen short of, any strict provincial requirements they may already be subject to.

How will the changes in privacy legislation affect the existing cybersecurity measures and insurance policies of businesses?

With heightened privacy regulations, existing cybersecurity measures must be re-evaluated and, where necessary, fortified at regular intervals to ensure ongoing compliance. This may require investment in advanced technologies, skilled personnel, and continuous training and monitoring. The changes also underscore the need for incident response plans that minimise damage and restore operations quickly.

We anticipate these proposed legislative changes will create a surge in demand for cyber liability insurance as businesses seek to mitigate the financial risks associated with data handling. The bill as drafted would give the OPC, with its expanded powers, the ability to levy substantial fines, up to the higher of C$10mn or 3 percent of the organisation’s gross global revenue – and organisations may face increased litigation risks. This has the potential to put more focus on insurance policies as a tool to shoulder additional exposure from a liability perspective in Canada.

Insurance providers may revise coverages, limits, and exclusions in response to the new legislation, and businesses may need to demonstrate adequate data privacy and cybersecurity controls to secure coverage.

How will the regulation of AI under the new legislation impact businesses, and what insurance considerations arise?

The proposed Bill C-27 emphasises the legal responsibilities of “persons”, which is defined to include trusts, joint ventures, partnerships, unincorporated associations, and any other legal entities (such as corporations) within the lifecycle of AI systems.

Under this legislation, companies will be obligated to maintain records regarding their AI systems and, where a system is a “high impact system” (a concept yet to be defined by regulations), to publicly disclose the rationale behind the decision-making processes of their AI systems.

Traditional liability coverage is also expanding to accommodate the unique risks presented by AI, such as errors in decision-making, data misuse, and the inadvertent creation of biased algorithms. Businesses must therefore ensure their AI systems conform to regulatory expectations and engage with insurance providers to secure adequate and relevant coverage.

What are the potential legal exposures for businesses under the new legislation, and how can they mitigate these risks?

The proposed legislation would enable individuals affected by contraventions to initiate legal action, emboldening individual claims and creating potential for class-action suits. To mitigate these risks, one of the keys for businesses will be meeting the standard of informed consent, honouring data deletion requests, and maintaining meticulous documentation.

Overall risk management strategies can include developing comprehensive privacy policies, conducting regular data protection impact assessments, ensuring transparency in data handling, and adopting a defence-in-depth cybersecurity approach. Businesses should also review their insurance policies to identify gaps and ensure adequate coverage.

What steps should businesses take to help ensure compliance with the proposed legislation and to maintain insurability?

To navigate the proposed updates to Canadian privacy legislation, businesses should consider prioritising the following:

Implementing a privacy management programme

Establishing a comprehensive privacy management programme involves constructing or refining data protection policies, incident response strategies, and consent procedures involving data subjects. Additionally, attention should be given to data retention and disposal, setting clear protocols to minimise risks associated with data storage and to reduce the likelihood of exposure. Data should not be kept beyond the timeframe required to fulfil the purpose for which it was originally collected.

Regular audits and cybersecurity updates

Continuous monitoring through regular audits is an important part of identifying and addressing vulnerabilities within cybersecurity protocols. This vigilance extends across all facets of the organisation's digital assets and data handling practices. Equally important is the enforcement of stringent data management and cybersecurity standards upon third-party partners to control supply chain risks. Documenting these efforts provides tangible evidence of an organisation's commitment to compliance, which is important for both insurers and regulatory bodies.

Employee training and organisational awareness

To maintain compliance, businesses must invest in continuous education programmes that impress upon employees the significance of data protection standards. All employees should be aware of the organisation's privacy policy and their own role in safeguarding private information.

Developing a strong compliance framework

Under the proposed legislative changes, many businesses will need to pivot towards a more sophisticated compliance framework. This will involve an understanding of the legal mandates as well as a proactive approach to implementing them effectively within their organisational structure. Tenets of a strong, compliant framework could include, but are not limited to:

With the proposed Bill C-27 on the horizon, many organisations in Canada are likely to require new risk management solutions to maintain cyber resilience. Visit Arch Insurance’s website or contact our dedicated team for personalised assistance with any inquiries.