#CyberFLASH: New data breach notification standards should be flexible, adaptive, ITAC says


As Innovation Science and Economic Development Canada (ISED) prepares to release a second version of the country’s new data breach notification standards this fall, the Information Technology Association of Canada (ITAC) hopes the latest proposed regulations will take a flexible, outcome-based approach, while also providing a grace period to give businesses time to adjust.

“We want there to be an appropriate balance between the need to protect Canadians by notifying them of data breaches, and the costs and challenges sometimes faced by businesses in doing so,” ITAC senior director David Messer tells ITBusiness.ca.

Since 2015, data breaches have been governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), a law passed in 1998 to regulate how non-government organizations (excluding charities and not-for-profits) were allowed to collect, use, disclose, and dispose of personal data.

Under PIPEDA’s current regulations, organizations are responsible for all personal information within their control. They must also acquire consent from anyone whose data they collect; protect the information collected from loss or theft; report data breaches that compromise its security both to the government, through the Office of the Privacy Commissioner, and to affected individuals, so they can take the steps necessary to mitigate damage; and ensure compliance with the act.

Consumers, meanwhile, have a right to examine their personal information, challenge its accuracy, and may withdraw their consent to provide said information at any time.

Read more here

#CyberFLASH: Privacy Commissioner’s office weighs in on proposed data breach regulations

Canadian businesses that fall victim to data breaches will soon be required to notify users that their personal data has been compromised, if Canada’s privacy commissioner has his way.

The commissioner’s office recently submitted an official response to the Ministry of Innovation, Science and Economic Development regarding the new data breach notification and reporting regulations proposed for the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the June 10 document, Barbara Bucknell, the director of policy and research for the privacy commissioner’s office, wrote that “during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner Daniel Therrien expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.”

While the amendment’s final version has not yet been publicly released and will require government approval to become law, a draft version has been posted online since March, and companies and users alike were invited to comment until May 31.

Of course, the commissioner’s office had a few thoughts of its own regarding five key elements of the proposed regulations, and the companies facing the brunt of its impact might want to take note of them.

Read more here

#CyberFLASH: Update Canada’s privacy laws, but don’t look to Europe or the US for guidance, experts say

Even Justin Trudeau thinks Canada needs to update its data privacy laws for the 21st century, but the recently passed E.U.-U.S. Privacy Shield probably isn’t providing the guiding light he might be hoping for, according to several privacy experts.

Instead, the current agreement highlights the need for an update: While our own federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) was deemed “adequate” by the European Commission in the early 2000s, it’s scheduled to be revisited in the near future and might not meet the E.U.’s new standards – which many privacy advocates believe don’t go far enough anyway, the University of Ottawa’s chair of Internet and e-commerce law, Michael Geist, says.

“There’s a very real possibility that the E.U. could examine the adequacy finding for Canada and raise the same kinds of concerns that came up in the context of [Privacy Shield predecessor] Safe Harbour, potentially challenging whether Canada’s existing system – given some of the things we now know about surveillance and information sharing – is deserving,” he says.

That said, “there’s still a bit of an open question as to whether [Privacy Shield itself] meets E.U. law or not,” he continues. “There was a lot of political motivation to get a deal done, but I think there remains some ongoing concerns, particularly in the privacy community, which suggests that it still could be subject to challenges.”

Approved on July 12, the agreement, which E.U. member nations must incorporate into their national laws by May 6, 2018, establishes new regulations for data transfers between the U.S. and E.U., notably by imposing limitations on the access of U.S. public authorities to European consumers’ digital information; by requiring regular updates and reviews of companies that handle personal data; and by providing a clear method of conflict resolution for E.U. residents who feel their data has been misused without their consent.

Read more here

#CyberFLASH: Canada Pits Constitution Against Right to Be Forgotten

The right to be forgotten may never make the leap across the Atlantic from the European Union to Canada.

Our neighbors to the north are willing to talk about reputational privacy and the right to be forgotten—the concept that individuals should be able to seek removal of online links to their personal data to protect their reputation. But any attempt to significantly regulate Internet speech will run smack-dab into the brick wall established by the freedom of expression guarantee in the Canadian Charter of Rights and Freedoms, privacy professionals told Bloomberg BNA.

Canadians may not be fully in synch with the U.S. populace’s general aversion to restrictions on personal liberty, but neither do they have the European citizenry’s willingness to accept a strong national governance approach to privacy.

The back-and-forth between privacy and free speech rights is highlighted by the Office of the Privacy Commissioner’s approach to the issue. In 2015, the privacy office named reputational privacy as one of its top priorities. To follow up, the privacy office conducted a national consultation regarding online reputational privacy. In January, the office published a discussion paper on reputational privacy.

Privacy Commissioner Daniel Therrien isn’t ready to publicly discuss the consultation’s results or how he will respond, as the process of reviewing submissions is still underway, agency spokesman Tobi Cohen said.

Read more here

#CyberFLASH: Privacy watchdog wants to see new office enforcement muscle

Canada’s privacy watchdog says “the time has come” to change his role under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) from that of an ombudsman, who can only make non-binding recommendations, to a regulator with authority to make binding orders, and even impose fines on recalcitrant organizations.

In an exclusive interview, federal Privacy Commissioner Daniel Therrien contrasted his limited enforcement powers (“naming and shaming” privacy transgressors and, on occasion, taking them to court) with those of EU and U.S. regulators.

“In many other jurisdictions, privacy regulators have order-making powers and they can impose fines for organizations that violate privacy laws,” Therrien said. “We’ve done well in Canada without these powers, but we think that the time has come to align our laws to those of other western democracies where privacy regulators do have order-making and fine powers. We’re dealing with organizations that are extremely wealthy. To recommend that they change a practice has some effect. But to be able to make an order, and to impose fines, when warranted, I think is necessary.”

The commissioner did not disclose what level of fines he considers appropriate (“we’re not there yet,” he said).

But his endorsement of adding beefed-up enforcement powers to the federal privacy regime — which he considers “an important enhancement” and “not a revolution” — will spark debate.

“I would be quite against…giving the commissioner order-making powers,” privacy law expert David Fraser of McInnes Cooper in Halifax told The Lawyers Weekly. “That would be a revolutionary thing in Canadian privacy law, and actually would require, I think, kind of essentially burning [the office of the privacy commissioner] to the ground and starting again because…if it’s going to have the ability to levy fines, or anything else like that, you have to build in all the procedural fairness requirements. You can’t have a kind of ‘judge-jury-executioner-prosecutor’ all in one office and all in one person, particularly in light of the advocacy-for-privacy role that the commissioner takes.”

Fraser called PIPEDA, as it stands, “a made-in-Canada solution that, in fact, is a complete solution. You have a privacy commissioner whose job…not to an insignificant degree, is framed as a champion of privacy, [who] investigates. The objective is principally to resolve [privacy complaints] and because the commissioner isn’t the cops, and isn’t the judge, at least in my experience, the businesses are inclined to sit down at the table with the commissioner and the commissioner’s investigators, lay all their cards on the table, and look towards building a solution, rather than something that is more adversarial. And so in fact I think all that goodwill would pretty well go out the window, and people would kind of ‘lawyer-up’ in the classic sense. It would get very defensive and it would get very adversarial.”

Read more here

#CyberFLASH: What does consent look like in the 21st century? Canada’s privacy commissioner calls for public input

Canada’s privacy watchdog announced today that his office is seeking public input on the issue of consent in the digital age. Daniel Therrien, Privacy Commissioner of Canada, has invited submissions from groups and individuals alike — specifically mentioning IT specialists and educators — in a speech made this morning at the International Association of Privacy Professionals conference in Toronto.

Therrien said that mobile apps, smart devices, wearable technology, and the verbose privacy policies of the services we use every day are creating new challenges for the current consent model in the law. The Personal Information Protection and Electronic Documents Act (PIPEDA) that created that model was introduced before smartphones, cloud computing, and the social networking boom, he noted.

“Gone are the days of routine, predictable, and transparent one-on-one interactions with companies,” reads the text of Therrien’s speech. “It is no longer entirely clear who is processing our data and for what purposes.”

Consumers are being saddled with an overwhelming amount of legal text when making a choice about whether to share their personal information, the commissioner says. It’s time to update how consent can be collected from Canadians under the law, and the commissioner’s office has released a discussion document outlining some options as a starting point.

Also in his speech, Therrien made an appeal to consider giving his office more authority to proactively enforce privacy legislation. Most other countries allow privacy regulators to issue binding orders to impose financial sanctions against organizations, he says, so why not Canada?

Read more here

#CyberFLASH: Canadian mobile ad tracking standards need work, industry regulators admit

While a recent Advertising Standards Canada (ASC) report concluded the industry was successfully implementing new standards for online behavioural advertising (OBA), it also revealed a notable gap: the current lack of industry regulations regarding mobile advertising, “which is not currently encompassed under ASC’s AdChoices Accountability Program,” the report said.

Only three of the 115 privacy complaints regarding OBA, also known as Interest-Based Advertising (IBA), that ASC received from consumers between January 2015 and November 2015 involved mobile applications, but the Digital Advertising Alliance of Canada (DAAC) is planning to implement rules that will govern the mobile market before that number can grow.

“What we’re trying to do is bring the opt-out tools from the program over in the U.S. to Canadian users, to sort of fill out the program,” DAAC executive director Julie Ford says.

“Right now you might see the [AdChoices] icon here and there on a mobile device, and that’s usually bleed-over from the U.S. program,” she says. “There’s a little bit of guidance that we need to formulate around how the icon can be displayed in Canada.”

One reason it’s taken so long for the DAAC to develop Canadian OBA standards for the mobile market is that its American equivalent, the Digital Advertising Alliance (DAA), has only been covering mobile applications since September 2015, Peter White, senior vice president of ASC, says.

“It is the next area of interest in the U.S.,” he says. “But it is also a work in progress… a matter of getting everything in place to understand what is required from apps, because they are significantly different from browser-based advertising.”

Read more here

#CyberFLASH: New data breach requirements in Canada: how to best manage your risks

Though recent amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are now in force, the federal government has yet to release regulations addressing data breach notification. Still, given the growing number of well-publicized data breaches, it’s critical for organizations to understand that their privacy policies and security safeguards are coming under greater scrutiny on all fronts. Below is a summary overview of some of the issues they need to keep in mind as they prepare to face evolving cyber threats.

Stay tuned: the new breach notification regime

The new PIPEDA provisions require organizations to keep a record of every breach of security safeguards involving personal information under their control. The amendments also require organizations to notify both affected individuals and the Privacy Commissioner of Canada if it is reasonable to believe that the breach risks significant harm to an individual. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Relevant factors in determining such a risk include the sensitivity of the personal information involved in the breach and the probability that it may be misused. Notification must be given “as soon as feasible” after the organization determines that the breach happened. The new provisions also give enhanced powers to the Privacy Commissioner of Canada. Failing to meet reporting requirements can carry a fine of up to $100,000.

PIPEDA applies to organizations’ commercial activities in all provinces, except within provinces that have their own privacy laws, which have been declared substantially similar (Québec, British Columbia, Alberta), and subject to certain exceptions.

Though the new federal breach requirements are not yet in force, companies facing a breach ought to consult legal counsel to advise them on the best notification and reporting practices.

Read more here
