COMMENTARY: New wave of privacy regulations set to crash down on auto remarketing industry in Canada
This week, a monumental privacy regulatory change takes effect in Canada that will directly impact the remarketing operations of auto consignors and their suppliers, chief among them auto auctions, recovery agents and vehicle inspectors, as well as fleet, rental and carsharing companies.
While deleting Personal Information (PI) stored in vehicles has always been an obligation in Canada, the combination of a new sheriff in privacy town, a rising number of enforcement cases and, starting on Thursday, GDPR-like regulation with big teeth means remarketers must step up their in-car PI disposal practices or risk millions of Canadian dollars in fines.
Canadian laws like the Personal Information Protection and Electronic Documents Act (PIPEDA) have been in place for nearly two decades and require a business to know exactly what PI, in physical or electronic form, is in its possession and to keep it no longer than needed (Principle 5, Limiting Use, Disclosure, and Retention).
Quoting PIPEDA (Schedule 1, clause 4.5.3): “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” Moreover, clause 4.7.5 specifies that “care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.”
Famously, about a decade ago, a consumer who had purchased a refurbished laptop at Staples Business Depot alerted a privacy advocacy organization that the machine still contained the previous owner’s files. The case quickly spiraled from a single complaint into a full-fledged investigation, with the Office of the Privacy Commissioner of Canada finding the company’s data sanitization practices deficient and stating that “if Staples is unable to remove all customer data from a particular manufacturer’s device, it is unacceptable to resell that device.” Staples then spent years under costly and intrusive Commissioner oversight.
If this cautionary tale does not ring a bell, it should. The vast majority of cars going through remarketing in Canada are essentially “used hard drives on wheels,” storing detailed phone records (text messages, call logs, etc.) and all sorts of other data whenever people (including minors) connect their smartphones. The car’s own systems also keep detailed logs in its memory: whereabouts (including the home address associated with a stored garage-door code), identifiers, remote-access keys, biometrics, user profiles and more pile up as in-vehicle tech advances. In fact, the industry today is in far worse shape than Staples was.
Staples was found in breach because about a third of the devices tested still held PI; Privacy4Cars estimates that more than four out of five cars remarketed in Canada contain PI.
Staples at least had a standard operating procedure to wipe and restore devices; it lacked controls and so produced poor results. Most remarketers have neither a policy nor a robust data-clearing practice in place!
The reason this matters so much more right now is that Bill 64 in Quebec (now known as Law 25) is the first GDPR-like regulation in Canada, and it brings a smorgasbord of risk to our industry’s doorstep, especially in light of recent privacy scandals and enforcement actions focused on devices that capture geolocation (which cars are excellent at).
Bill 64 starts coming into effect in the Province of Québec on Thursday.
The level of compliance and protection companies must have in place is unprecedented, as are the “teeth”: penal fines range from $15,000 to $25,000,000 or 4% of worldwide turnover, whichever is greater.
Administrative monetary penalties (for technical noncompliance, even in the absence of a data breach or criminal charges) can reach $10,000,000 or 2% of worldwide turnover, whichever is greater.
Spoiler alert: leaving a previous customer’s call logs in the infotainment system, or destinations in the nav such as where they take their kids to school or which churches or medical facilities they visit, is not allowed!
Companies also cannot rely on waivers (e.g., in rental or leasing contracts) or otherwise blame consumers for leaving data behind: as the Staples precedent shows, data deletion is the full responsibility of the business that takes title and custody of the electronic records stored in the car.
Fortunately, businesses that want to comply will not be caught on the back foot: most auctions in Canada are already equipped to delete data and generate the appropriate compliance records.
We have started to see suppliers write into their contracts with consignors that clearing PI from vehicles is the standard, or demand a waiver of responsibility if asset owners refuse to adopt the practice. Given the crippling size of the fines, we predict that this “delete or waive” practice will rapidly spread across auctions, recovery agents, and vehicle inspectors and adjusters.
Remarketing businesses should consider extending these mandatory data deletion practices beyond Quebec: as we have seen, the obligations already exist across the land under PIPEDA, and Bill 64 has created momentum for other provinces to pass similar privacy laws of their own. Federal privacy Bill C-27 is also gaining strong traction, especially in light of the new Privacy Commissioner’s stated intent to accelerate the legislative process and strengthen protections for Canadians. If you think cars will be overlooked, think again: the topic of mobility was specifically mentioned in the Privacy Commissioner’s nomination proceedings.
Lastly, companies in our industry would be well served by taking advantage of the educational resources available. NAAA auctions have access to the Privacy Pam program, and the International Automotive Remarketers Alliance (IARA) recently made available its Audit & Compliance Training (ACT) Certification. Both consignors and suppliers may want to look into these resources to train their employees on the basics of compliance, and especially on protecting consumer personal information.
We can’t stop the clock on the new privacy requirements arriving on Thursday, but we can work together to make proper use of the tools and resources the industry has prepared in anticipation of these regulatory changes, and to minimize the impact on consumers and auto remarketing businesses alike.
Andrea Amico is CEO and founder of Privacy4Cars.