TORONTO — After more than three years of legislative fine-tuning, Canadian businesses will be required as of Thursday to alert their customers and the federal privacy watchdog if there’s a danger that personal information under an organization’s control has fallen into the wrong hands.
Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.
But there are warnings that Canada’s privacy office — an arm’s-length Parliamentary body — will be handicapped by a lack of resources and its limited powers under the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Privacy commissioner Daniel Therrien says his office needs about six more people to analyze the new flood of breach reports that will start to flow. Without additional funds, the office will only be able to take a superficial look at most reports.
“We will focus on those with the greatest harm. . . . And when we see gaps in the posture of organizations, we will recommend they improve safeguards,” Therrien said in an interview.
But under the current law, the Office of the Privacy Commissioner can only advise organizations to make changes. The OPC has no authority to order corrective changes or issue fines — an enforcement power that Alberta’s privacy watchdog has had since 2014.
And since PIPEDA is full of imprecise language that requires notifications “as soon as feasible” after a “real risk” of “significant harm” has been detected, there’s a danger that some incidents will be reported too slowly or not at all.
“That’s not our domain,” Therrien said. “It will be up to the Justice Department to decide whether or not to prosecute. . . . If they do, the fines are fairly hefty.”
Therrien isn’t satisfied with having just an advisory role and has asked repeatedly for additional investigative and enforcement powers, as well as a $12-million increase to his office’s $24-million annual budget.
MP Peter Kent, the Conservative critic for access to information, privacy and ethics, said Therrien has the support of an all-party Commons committee that deals with privacy issues.
“How much more capacity does the privacy commissioner need? I don’t know. But I think there’s general agreement on the committee that his powers need to be contemporized,” Kent said.
In other words, they need to be strengthened given the rapid changes in technology and resources available to multi-billion-dollar enterprises such as Facebook and Google, he said.
“PIPEDA, today, is barely adequate,” Kent said. “We’re really only scraping the surface of a very rapidly changing threat to privacy.”
Liberal MP Nathaniel Erskine-Smith, who is a vice-chair of the Commons privacy committee, has sponsored a bill to give the privacy commissioner power to audit an organization and to issue fines of up to $30 million.
But such private member’s bills often don’t advance through Parliament to become law.
Ale Brown, who provides privacy advice to North American companies in a range of industries through her Vancouver-based firm Kirke Management Consulting, thinks Canadian businesses are generally unprepared for the new rules.
“The businesses that are ready have been ready for a long time. They take personal data safeguarding seriously and they’ve had procedures in place. So it’s not a big change for them.”
But Brown said that a lot of businesses haven’t done anything to get ready for the new PIPEDA requirements, and thinks part of the reason is the federal privacy commissioner’s limited enforcement powers.
“In my experience, what I have found, is that companies do something when they see their bottom line threatened.”
Norton Rose Fulbright partner Ryan Berger, who heads the law firm’s Canadian privacy and cyber security team, said a major motivation for businesses is the risk of being sued by those harmed by a privacy breach.
“I think before the change in the law and after the change in the law, that is the most substantial risk to organizations.”
Berger said the new breach notifications required under PIPEDA will raise awareness but “there’s going to be a lot of organizations in Canada that don’t realize that these new rules are going to apply to them.”
David Paddon, The Canadian Press