Written by Silvia Bitchkei on 18 June 2019

Data Privacy in Canada: If Data is the New Gold, What is Canada Doing to Keep it Safe?

If you owned gold bars, would you keep them safe? Of course you would. Gold is valuable but so is personal data. Data may not have massive financial value at first glance, in and of itself, but it is valuable to the cybercriminal and thus to the individual this data represents.

During the first half of 2018, over 18.5 million data records were stolen every day, most of them unencrypted.

Data is the new gold. It may not seem on the surface to have the same value as gold, but to our customers, it can represent their very identity. We must now ask ourselves – what does Canadian legislation on data privacy do to help us to protect our customers?


Disclaimer: This blog article was written for general information and does not claim to provide legal advice. To understand the full context of Canadian data privacy legislation for your organization, please consult with a privacy compliance and/or legal professional.


The Canadian Privacy Landscape – Getting it Right?

A look at the data privacy landscape in 2019 demonstrates that nothing much has changed. In the United States, for example, a mosaic of laws, bills, and regulations exists, and the debate on consolidation across data privacy legislation continues unabated.

In fact, across the world, there are more than 25 different laws that aim to regulate the processing of personal data. These include:



Data Privacy in Canada: PIPEDA

Canada, along with several other countries, is taking a lead on data privacy.

The Personal Information Protection and Electronic Documents Act (PIPEDA) has been compared to the EU’s GDPR. It sets out national standards for data privacy best practice. As a federal law that applies to the private sector, it brings user-centric data control into the forefront of online transactions.

The requirements of PIPEDA were recently extended by adding mandatory breach notification requirements. As of November 1st, 2018, both small and large organizations that come under the jurisdiction of PIPEDA must:

  • report breaches involving personal information that pose a real risk of significant harm (RROSH) to individuals;
  • notify affected individuals about those breaches (whether that is a single person or a million); and,
  • keep records of all breaches.

Fines for non-compliance with PIPEDA’s breach notification requirements can be up to $100,000 CAD.



The Canadian Digital Charter

The Canadian Digital Charter (CDC) is a reaction to the increasing size and impact of data breaches on Canadian citizens, including the massive Equifax breach of 2017.

The report from the OPC looked at how the Equifax breach affected Canadian citizens, especially in light of the PIPEDA breach notification requirements. The report concluded that Equifax’s security program was severely lacking in terms of vulnerability management and even basic security measures.

The charter has a number of key drivers behind its creation that will ultimately inform its uptake:

  • Shareholder derivative lawsuits
  • Privacy class actions
  • Personal liability of directors
  • Regulatory compliance (e.g. the Province of Quebec)
  • Publicly traded companies, an example being the Yahoo Shareholder Derivative Lawsuit against the directors which settled at $14 million USD
  • Securities-fraud class actions
  • Enforcement actions by regulators
  • Breach of contractual agreements
  • Enforcement actions by industry associations



A number of pieces of a privacy jigsaw puzzle are coming together in the Canadian Data Privacy Landscape and feeding into the need for a Canadian Digital Charter.

  • In February 2019, the Federal government's consultation paper on the impending ‘open banking initiative’ identified privacy as a key concern in taking this innovation forward.
  • A number of other planets are aligning in conjunction with the CDC. This includes the Canadian Civil Liberties Association (CCLA) suing various associated stakeholders in the Toronto smart city project, which involved a Google-owned company, Sidewalk Labs. The CCLA case revolves around the project's lack of care and respect for the privacy rights of the individual.
  • In April 2019, the Office of the Privacy Commissioner of Canada (OPC) launched a proposal looking at transborder data flows. As part of that consultation, submitted a memorandum. The OPC proposal, in line with the Canadian Digital Charter, will, we believe, form the basis of a new digital policy that focuses on data privacy and transparency across all Canadian commercial entities.


Elements of the Canadian Digital Charter

  • A background paper on privacy-law reforms which would be the most significant in decades
  • Robust consent mechanisms by default
  • The promotion of the de-identification of data
  • The promise of another major regulatory safeguard for big data analysis including informed consent for automated decision-making
  • Increased user-centric control over data use
  • New data-portability rights (key in open banking initiatives)

The Canadian Data Privacy Landscape is becoming a tightly woven and interconnected framework built around a robust charter. This charter works to ensure that personal data is shared in a respectful and security-enhanced manner.


Privacy, Regulations, Your Company, Your Customer

Data is the new gold, and as such, respect for the privacy and security of this commodity can be a major selling point for a business.

A report by Akamai found that 46% of consumers would ‘give a pass’ to an organization that suffered a data breach. This month, Apple released news about a new privacy-enhanced AppleID, “Sign In With Apple”.

Companies across the world are recognizing that good privacy builds better relationships. World governments too are reflecting this with laws and regulations that have nuanced angles on how the data of the individual should be treated.

Canada is leading the way in this area, focusing on the complex issues of privacy across industry and borders. The gold in our digital lives has opened a Pandora's Box that looks set to be closed, but only when this debate has been settled to the satisfaction of all involved.


Privacy Impact Assessment

If you’d like to find out more about your various data privacy obligations, we recommend conducting a privacy impact assessment. It helps public and private entities understand, evaluate and meet their various privacy obligations such as those mentioned in the Privacy Act, PIPEDA, GDPR or any provincial/state law.

Hitachi Systems Security approaches security and privacy as interrelated concepts which must inform each other. Creating a privacy concept while meeting legal requirements involves an interdisciplinary approach with several areas of expertise.

What’s unique at is that we have three areas of expertise under one roof – cybersecurity, legal and compliance/risk management expertise. Our legal, compliance, and cybersecurity experts work hand in hand to deliver a thorough privacy impact assessment that will be actionable, intelligible and measured against all standards.



