So what is Bill C-11?
Bill C-11 or the Digital Charter Implementation Act, was introduced in November 2020 and proposes significant updates to Canadian privacy laws. The bill will update the ways companies will need to manage consent and for the safe storage/protection of personal information. The bill’s second reading was in March 2021 and it is expected to pass into law in late 2021.
Will your NFP be impacted?
Yes, these amendments will align Canada with international privacy laws (e.g. Europe’s GDPR) and ensure Canadian organizations can continue to work with global donors/funders/partners. It is vital that we get this right for the security of Canadians, as it’s the first time in decades digital privacy laws, in particular, are being updated. Nonprofits rely on brand trust to secure funding and so any law that addresses donor privacy and trust will be important.
What do we need to know about Bill C-11?
- It is expected that Bill C-11 will require organizations to not only have privacy management programs in-house but to also be accountable for how third-party service providers manage privacy/data on their behalf.
- It is expected that penalties for mismanagement of personal privacy data will be significantly increased/added. Of course, this goes hand-in-hand with strengthened enforcement and oversight. The legislation proposes between 3 – 5% of revenues or $10 million as monetary penalties for non-compliant organizations.
- It is expected that there will be new language that gives consumers stronger controls over their personal data. This would include asking for their data to be disposed of or withdrawing consent.
- It is expected that the law will address how automated systems, algorithms or AI use data as technology replaces the judgement of human decision-makers. This will require organizations to be transparent and communicate about any systems they use that might draw upon data. Some systems anonymize data at the time of collection in order to reduce or eliminate the risk of impacting privacy rights.
- And that privacy policy language must be easier for consumers to understand / access.
- And it is expected the bill will also modernize the copyright act.
Should the bill become adopted, there will be a 12- to 18-month period to allow the bill to come into force so that organizations have time to meet the new requirements, regulations can be developed, and the new governing Tribunal can be established (along with the necessary changes at the existing Privacy Commission processes). Teams should ensure they include in their 2022 planning the work they will need to undertake to adapt policies, processes and technologies to comply.
nb: Canada’s Personal Information Protection and Electronic Documents Act or PIPEDA, has been Canada’s law since 2000, governing how private sector organizations collect, use, disclose and safeguard personal information.
Current Information on the proposed bill: https://www.parl.ca/LegisInfo/en/bill/43-2/C-11?view=progress
August 2020 Post – Can Donor Trust in NonProfit Privacy Protection be Restored?