Manufacturers of the coming Internet-connected automated cars are “clueless” about the privacy implications of the technology to drivers, warns a leading privacy expert.
“They’re so excited about what it can do and all the information it can collect that questions about who is getting that information, is it going anywhere else, can law enforcement access it, will it be shared with other parties — they don’t have answers to that,” complains Ann Cavoukian, director of Ryerson University’s Big Data and Privacy Institute.
She made the comment in an interview Wednesday on the eve of the 11th annual International Data Privacy Day, officially Jan. 28. Because that’s Saturday, some organizations are running events and commenting this week, looking back at privacy incidents in 2016 and ahead to 2017.
While the situation isn’t bad here, they warn the public and private sectors not to be complacent.
“I think we’re in very good position” on privacy in Canada, says Cavoukian.
Many Canadian businesses are aware of the heightened public concern about privacy and fears of loss of control of personal information held by enterprises and governments, she said. In fact, Cavoukian regularly advises businesses to loudly let customers know they take data privacy seriously, and how they do it.
Customers will consent to secondary use of data if they have a trusted business relationship with the organization.
But she worries about the misuse of personal data collected from so-called smart devices, from watches to cars. “I am sure the information is being widely distributed, and they [manufacturers and application developers] don’t have the controls in place. It’s all about unintended consequences that people have to be concerned.”
Customers have to ask before they buy, she said.
David Fraser, a privacy lawyer with the Halifax firm McInnes Cooper, isn’t sure small and medium-sized Canadian firms “are up to speed in the way that they should be” on privacy.
Most of the headline cases privacy commissioners deal with involve large enterprises – banks, insurance companies, telcos and the like who have resources (lawyers, compliance officers) to adequately handle privacy issues. Most SMBs don’t, he said.
In Canada, 2016 was relatively quiet, said Fraser.
A growing number of class action lawsuits relating to privacy and data breaches have been filed across the country, he said. A few have been quietly settled. The rest are either certified or in the process of being certified but haven’t yet come to trial, he noted. Several deal with issues like a lost hard drive where there’s a question of how much damage a plaintiff has suffered.
But there’s also been a “significant growth” in the number of class-action and criminal cases involving employees allegedly improperly snooping through sensitive corporate files.
A headline 2015 Ontario court privacy decision on allowing a person to sue another for allegedly putting an explicit video of them on the Internet – so-called ‘revenge porn’ – was overturned and is now back in court, leaving that issue temporarily unresolved.
One thing to look for this year, Fraser said, is how the Trudeau government will move after public consultations on national security policy, which may translate into privacy-related legislation.
In many ways, Cavoukian and Fraser said, 2017 is going to be more eventful than last year for several reasons:
–Ottawa is expected to release proposed regulations for reporting data breaches to the federal privacy commissioner and to potential victims for organizations coming under PIPEDA. In an email Thursday, the department of Innovation said draft regulations will be published early this year, with the final regs set sometime after that. However, there could also be a transition period before the regulations actually come into effect;
–organizations that sell products and services into Europe will have to prepare to comply with the European Union’s General Data Protection Regulation (GDPR), which comes into effect May 25, 2018;
The federal information and privacy commissioner will release the results of two public consultations:
–on whether organizations are properly getting consent for personal information they collect from customers and partners;
–and on whether Internet service providers should do more to protect people who say their reputation has been damaged by others online.
Looking back, it’s not easy to assess the state of privacy in Canada in the past 12 months. Examining reported data breaches is an uneven metric because there is no consistent reporting authority.
What can be said is the biggest reported Canadian breach in 2016 was the 45 million records exposed at Toronto-based VerticalScope, which operates hundreds of technology, automotive and sports discussion forums. The company is controlled by the parent of the Toronto Star.
Also, the federal privacy commissioner reported that the number of material data breaches suffered by federal departments increased 16 per cent to 298 for the 12-month period ending March 2016, compared to 256 the previous year.
Meanwhile, CBC News reported that as many as 70,000 managers had excess and unneeded access to the personal details of all 300,000 federal employees enrolled in the new and problem-filled Phoenix pay system.