Canada’s existing privacy regulations – including federal law and province-specific legislation in Quebec, British Columbia and Alberta – can’t keep up with changing technology and are due for an update, said panellists at an Insurance Bureau of Canada regulatory affairs symposium.
What’s more, Quebec recently passed Bill 64, which INQ Law partner David Goodis described as the province’s version of Europe’s General Data Protection Regulation. He added Ontario is also said to be exploring its own privacy legislation.
Goodis expressed hope that any changes, including expected federal replacement legislation for Bill C-11, which timed out with the recent election call, take a harmonious approach.
Panellists said the industry will watch areas in any legislative proposals that could impact specific ways insurers use data.
One of those, they said, surrounds how ‘permanent and complete disposal of personal information’ is defined. It’s important because insurers keep personal data for long periods of time, both to comply with regulations and because clients might not require coverage from a policy until years after it’s been sold.
“What personal information do you hold? Where are you holding it? Why are you keeping it for as long as you do?” Goodis asked. “These are all things that will have to be examined.”
Requests to destroy information will require companies to find ways to satisfy legislative requirements without jeopardizing the integrity of their backups.
“A customer says, ‘I’m going to dispose [of] my information,’ not only must you do it, but you must reach out to the service providers to … get confirmation from them that they have done it as well,” Goodis said.
Panellists also expect the next-generation federal privacy bill to give regulators the ability to levy fines for data breaches.
“There are really no provisions for fines in Canada,” said Paul Krpan, vice president, assistant general counsel and privacy officer at Northbridge Financial Corp. “Europe has the ability for their privacy regulators to levy massive fines … in the many, many millions of dollars.”
Meanwhile, Goodis said Bill C-11 had included language requiring that companies provide customers with information about automated-decision systems and how they’re used.
For insurers, those uses include assessing and determining risk. Goodis expressed concerns about insurers’ ability to meet future disclosure requirements without giving away proprietary information.
And, he added, it could be problematic if rules covered the use of AI to detect fraud.
“If I have to disclose how this algorithm or system is being used for fraud prevention, then that might have the perverse effect of allowing people to subvert the system and improve [their] technique for perpetrating fraud,” he said.