Privacy Commissioner's Call for Increased Enforcement

In its Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA), the Office of the Privacy Commissioner (OPC) has repeated its previous calls for reform to privacy legislation. In short, according to the OPC, Canada's privacy laws do not provide a sufficient level of protection for privacy rights.

Call for Increased Regulatory Enforcement

In support of its position that the privacy laws are outdated, the OPC refers to the gaps highlighted by recent investigations into large-scale breaches (Facebook and Equifax), as well as the pandemic and the corresponding shift toward a digital economy. In connection with the pandemic and privacy, the OPC refers to issues created by virtual health services, video conferencing and contact-tracing applications. With this increased reliance on technology come privacy issues. The key elements of the OPC's proposed reform include the following:
As noted by the OPC, these elements are present in the privacy legislation of many of Canada's trading partners. It is reasonable to expect that Parliament will heed the repeated calls by the OPC (and others) for privacy law reform. This is particularly so given the federal government's announcement of the Digital Charter in 2019, which included a plan to modernize Canada's privacy legislation to address the evolving privacy issues with the transition to a digital economy.

The context in which the OPC issues these recommendations includes expected scrutiny by foreign regulators of Canadian equivalency of protections for international data flows. This is of particular concern given the recent decision by the Court of Justice of the European Union (CJEU), which invalidated the EU-U.S. Privacy Shield Framework. More than 5000 U.S. companies relied on the EU-U.S. Privacy Shield Framework to transfer and process data from the EU to the United States. The CJEU held that EU residents' data privacy rights are incompatible with the United States' approach to data privacy in the context of national security.

Cybersecurity Threats in the Private Sector

The OPC Annual Report includes some interesting numbers that provide some visibility into the state of cybersecurity and privacy issues in Canada:
Time for Organizations to Prepare

Canadian organizations should get their house in order as it concerns privacy and management of personal information. While Canadian organizations have not faced the same regulatory scrutiny on privacy and data security issues experienced in the United States, it is reasonable to expect that the mandate of the OPC will evolve and such scrutiny will soon be an inescapable issue for Canadian organizations to address proactively.

Being prepared for cybersecurity risks and regulatory compliance with privacy and data security obligations is not only about having the right technology. Technology will not protect you against an employee clicking on a malicious link. Nor will it protect you against a hostile insider, or a third-party processor that suffers a breach. Technology has nothing to do with whether an organization is using personal information for an improper purpose or without the required consent.

Being prepared means having a thorough understanding and analysis of the risk profile to your organization from the collection, use and disclosure of personal information, and a comprehensive plan to manage that risk. Organizations should base this analysis on an assessment of issues such as (but not limited to) the following:
A risk management plan designed to address an organization's specific risks and vulnerabilities should include the development of policies and protocols to address the risks that are unique to the organization, having regard for its specific operational structure. Ignoring the risks associated with management of personal information does not make them go away. It makes them more expensive to deal with.

For assistance on regulatory compliance and data management issues, please contact the Bennett Jones Privacy and Data Protection group.

Authors
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs. For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.