The devil is in the details, is an old saying. When it comes to laws, it might be “the devil is in the regulations.”
Regulations, which are proclaimed by federal and provincial governments after closed door discussions, are often the real power behind laws, spelling out the when and the how of what has to be done.
And in the case of the just-proclaimed federal Digital Privacy Act, the crucial regulations aren’t out yet.
As a result the new obligation for organizations covered by federal law to disclose data breaches to victims doesn’t come into effect yet. That’s caused one privacy lawyer to say the Harper government looks silly.
“It seems to me pretty foolish to put in place a law where very important details depend on what’s in the regulations, without having the regulations in place,” David Fraser of the Halifax-based McInnes Cooper law firm, said in an interview Thursday.
“It seems to me pretty problematic to enact the law without the regulations.”
On the other hand, Toronto-based communications and privacy lawyer Ken Engelhart — until recently the senior vice-president of regulatory affairs at Rogers Communications — doubts the changes will cause big problems for organizations. “Most big companies notify customers and the privacy commissioner anyway when there’s a breach even through they don’t have to,” he said.
The changes largely codify that, he said, although organizations might increase reporting just to be sure they’re onside the law.
At the moment only Alberta has a mandatory reporting law, which affects organizations in that province. Mandatory breach reporting under PIPEDA would put more clarity into the number and size of breaches in this country, which has been hard to estimate. Once source figured from news reports that last year at least 276,000 records were breached.
The act, which amends the Personal Personal Information Protection and Electronic Documents Act (PIPEDA), has a number of provisions for organizations covered by federal law including mandatory notification to victims and the federal Privacy Commissioner when personal information has been lost or stolen.
Those that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
But the legislation doesn’t detail when consumers have to be told — When the organization suspects there’s been a breach? When it confirms there’s been a breach? And what if it wants to hold back notification to help its own investigation and not tip off attackers? (Note there is a provision that if a law enforcement or government agency asks disclosure can be withheld to help an investigation).
The new law says organizations have to keep records of every breach of security safeguards involving personal information under its control. Again, exactly what is to be recorded isn’t spelled out.
Answers to those and related questions will have to wait for those regulations. In the meantime the data breach requirements aren’t in effect, although the rest of the charges are.
Industry Canada said the government will be consulting the private sector and the Privacy Commissioner before announcing the regulations.
The government said the changes also mean
–Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online;
–Businesses can now sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child;
–The Privacy Commissioner of Canada gets improved powers to enforce compliance.
The changes “will protect the personal information of Canadians online,” Industry minister James Moore said in a release. “It will hold companies to account when Canadians’ personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats.”
Privacy Commissioner Daniel Therrien said in a statement that the new breach reporting requirements “will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach.”
What might the data breach regulations include? Fraser noted the European Union has proposed organizations have to notify victims within 24 hours of detecting a breach, which he says is “insane. In the first 24 hours you don’t have solid information about what has happened, what has been disclosed, who has it been disclosed to, was it inadvertent?” There is a risk that incomplete information would be sent to the privacy commissioner, he said.
The other important provisions of the act are now in force. These include allowing businesses to share personal information for investigating a breach of an agreement or a contravention of the laws of Canada or a province. A lot of Canadians might have problems with that, Fraser said. “For example, it would theoretically allow an Internet service provider to hand over customer name and address information without a court order in the event of an alleged copyright violation.”
A number of observers worry the section will be used by copyright owners such as film, music and book producers to prosecute people who put material on Web sites they believe violate their rights.
University of Ottawa cyber law expert Michael Geist told a parliamentary committee earlier this year that this section “runs counter to court decisions from the Canadian courts, which have sought to establish clear limits and oversight over such disclosures, as well as the spirit of the Supreme Court of Canada’s Spencer decision, which ruled that Canadians have a reasonable expectation of privacy with such information.”
Fraser also said the new legislation does specify that it doesn’t apply to what is called business contact information, as opposed to personal information. It’s “a sensible thing to do,” he said. For organizations that only do business-to-business work, it removes a lot of what they had to do to comply until now with PIPEDA, he explained.
While the new federal changes to PIPEDA still delays mandatory breach notification, that doesn’t let organizations in Alberta off the hook. They have to comply with that province’s privacy law which does have mandatory breach notification provisions.