Failure to report Canadian privacy breaches could mean big fines after Nov. 1
Privacy Commissioner Daniel Therrien on Power Play on Thursday September 28, 2018. (CTV News)
TORONTO -- After more than three years of legislative fine-tuning, Canadian businesses will be required as of Thursday to alert their customers and the federal privacy watchdog if there's a danger that personal information under an organization's control has fallen into the wrong hands.
Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.
But there are warnings that Canada's privacy office -- an arms-length Parliamentary body -- will be handicapped by a lack of resources and its limited powers under the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Privacy commissioner Daniel Therrien says his office needs about six more people to analyze the new flood of breach reports that will start to flow. Without additional funds, the office will only be able to take a superficial look at most reports.
"We will focus on those with the greatest harm. . . . And when we see gaps in the posture of organizations, we will recommend they improve safeguards," Therrien said in an interview.
But under the current law, the Office of the Privacy Commissioner can only advise organizations to make changes. The OPC has no authority to order corrective changes or issue fines -- an enforcement power that Alberta's privacy watchdog has had since 2014.
And since PIPEDA is full of imprecise language that require notifications "as soon as feasible" after a "real risk" of "significant harm" has been detected, there's a danger that some incidents will be reported too slowly or not at all.
"That's not our domain," Therrien said. "It will be up to the Justice Department to decide whether or not to prosecute. . . . If they do, the fines are fairly hefty."
Therrien isn't satisfied with having just an advisory role and has asked repeatedly for additional investigative and enforcement powers, as well as a $12-million increase to his office's $24-million annual budget.
MP Peter Kent, the Conservative critic for access to information, privacy and ethics, said Therrien has the support of an all-party Commons committee that deals with privacy issues.
"How much more capacity does the privacy commissioner need? I don't know. But I think there's general agreement on the committee that his powers need to be contemporized," Kent said.
In other words, they need to be strengthened given the rapid changes in technology and resources available to multi-billion-dollar enterprises such as Facebook and Google, he said.
"PIPEDA, today, is barely adequate," Kent said. "We're really only scraping the surface of a very rapidly changing threat to privacy."
Liberal MP Nathaniel Erskine-Smith, who is a vice-chair of the Commons privacy committee, has sponsored a bill to give the privacy commissioner power to audit an organization and to issue fines of up to $30 million.
But such private member's bills often don't advance through Parliament to become law.
Ale Brown, who provides privacy advice to North American companies in a range of industries through her Vancouver-based firm Kirke Management Consulting, thinks Canadian businesses are generally unprepared for the new rules.
"The businesses that are ready have been ready for a long time. They take personal data safeguarding seriously and they've had procedures in place. So it's not a big change for them.
But Brown said that a lot of businesses haven't done anything to get ready for the new PIPEDA requirements, and thinks part of the reason is the federal privacy commissioner's limited enforcement powers.
"In my experience, what I have found, is that companies do something when they see their bottom line threatened."
Norton Rose Fulbright partner Ryan Berger, who heads the law firm's Canadian privacy and cyber security team, said a major motivation for businesses is the risk of being sued by those harmed by a privacy breach.
"I think before the change in the law and after the change in the law, that is the most substantial risk to organizations."
Berger said the new breach notifications required under PIPEDA will raise awareness but "there's going to be a lot of organizations in Canada that don't realize that these new rules are going to apply to them."