Canada’s privacy legislation is “sadly falling behind what is the norm in other countries,” says the federal privacy commissioner.
In his annual report to Parliament, released this morning, Daniel Therrien repeated his call for the Personal Information Protection and Electronic Documents Act (PIPEDA) to be updated to give his office new enforcement powers, including the power to inspect or audit companies under federal jurisdiction.
“The time of self-regulation is over,” he said in the introduction to the report. “In Canada we, of course, have privacy legislation but it is quite permissive and gives companies wide latitude to use personal information for their own benefit. Under PIPEDA, organizations have a legal obligation to be accountable, but Canadians cannot rely exclusively on companies to manage their information responsibly. Transparency and accountability are necessary but they are not sufficient.
“To be clear, it is not enough to ask companies to live up to their responsibilities. Canadians need stronger privacy laws that will protect them when organizations fail to do so. Respect for those laws must be enforced by a regulator, independent from industry and the government, with sufficient powers to ensure compliance.”
He noted that in June the House of Commons Standing Committee on Access to Information, Privacy and Ethics agreed that some changes to PIPEDA were urgently required. The government has also agreed changes are needed, Therrien added, but it wants more study.
“Canadians cannot afford to wait several years until known deficiencies in privacy laws are fixed,” Therrien wrote. “Technology is evolving extremely rapidly and many new technologies disrupt not only business models but also social and legal norms. Legal protections must improve apace if consumer trust is to reach the level everyone desires.”
The allegations over Facebook's and consulting firm Cambridge Analytica's use of personal information are "a wake-up call," he added. His office has launched a formal investigation into the Canadian angle.
The report also says federal departments and agencies are under-reporting data breaches. They are required to notify both the Office of the Privacy Commissioner (OPC) and the Treasury Board of all "material" breaches. In 2017-18, the OPC received 286 public-sector breach reports. However, almost one quarter of those came from a single, unnamed institution whose reports were delayed by a year. And in response to an MP's question in Parliament, the government revealed thousands of breaches, including at least half a dozen large breaches affecting as many as 6,000 individuals, where institutions notified neither those affected nor the OPC.
The OPC concluded that some material breaches go unreported "and, more importantly, others likely go entirely unnoticed in many institutions." Some staff, particularly front-line workers, don't fully grasp what constitutes personal information or what their obligations are under the Privacy Act, the report says. Some institutions don't have the proper tools to assess the risk of injury or harm to individuals, and focus instead on assessing the risk to the institution.
In response, the Treasury Board said it is developing an action plan, to be released this fall, that will set out specific actions with specific timeframes to strengthen the management of privacy breaches across the government.
Therrien is also critical that political parties don't have to follow the federal Privacy Act. Instead, he said, political parties can define the rules they want to apply to themselves. Nor does the proposed Bill C-76, which updates election processes, impose independent oversight over political parties and the way they gather personal data.
As previously reported, while waiting for more power Therrien has re-organized his office to make it easier to inform Canadians of their rights and how to exercise them, and, to help businesses, more guidance and information will be issued on key privacy issues. One of them is how to obtain meaningful consent from customers and subscribers.
In May 2018 his office started its first advisory project involving Sidewalk Toronto, a smart-city endeavor between Waterfront Toronto and Sidewalk Labs, owned by Google’s parent company Alphabet.
But the office is also being more active, launching a compliance program to target systemic, chronic or sector-specific privacy issues that aren't being addressed through its complaint system. The first investigation, started in May, is looking into the practices of six different data and list brokers.
In the 12-month fiscal year the office handled 116 data breach reports.