After close to three years, the government is finally pushing through regulations that require companies to tell Canadian consumers when their personal information is compromised.
The Digital Privacy Act became law in August 2015, but several of its provisions were not immediately implemented and have languished on the books pending official authorizations needed to bring them into force.
Privacy advocates have for years called on the government to implement those provisions, which set out new requirements for what information companies must provide both to consumers and to the privacy commissioner when their databases are breached, and how quickly they must disclose their failure to protect private information.
The government issued calls for consultations on the regulations last fall, but successive reports of consumer data breaches in recent months involving major companies, such as Uber, Under Armour, Hudson's Bay Co. and Facebook, appear to have given the government a kick in the pants to actually implement the new rules.
According to an order-in-council published last week, as of Nov. 1, 2018, companies will have no choice but to tell consumers when there is a risky breach of their personal information — and they will have to do it quickly.
What kind of information must be shared?
The language in the breach notification provisions of the bill targets two kinds of notifications: those for consumers and those for the privacy commissioner.
First, it sets out clear rules for how companies must inform Canadians when their data is compromised and there is a “real risk of significant harm.”
The benchmark for measuring that will be whether the breach of personal information poses a risk of bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, identity theft, negative effects on credit record or damage to or loss of property.
Under the new rules, organizations must notify consumers “as soon as feasible after an organization determines that a breach has occurred.”
While that will likely lead to questions over what constitutes “feasible,” the regulations are expected to put pressure on firms like Uber, which revealed in November 2017 it had waited a whole year to disclose that it had been hacked and then paid the hackers US$100,000 to get rid of the personal data they obtained.
The provisions coming into force in November 2018 will require organizations to issue notifications to affected users that contain:
- A description of the circumstances of the breach;
- The day on which, or period during which, the breach occurred;
- A description of the personal information that is the subject of the breach;
- A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
- A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
- A toll-free number or email address that the affected individual can use to obtain further information about the breach; and
- Information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
That notification will have to come directly to the affected individuals via email, mail, telephone or in person — except for three circumstances when the company can issue indirect notifications.
If the cost of issuing direct notifications would be “prohibitive,” if it could cause further harm to the affected individual, or if the organization does not have contact information for the affected individuals, the organization can either post a “conspicuous message” on its website for at least 90 days or place an advertisement “likely to reach the affected individuals.”
What must be shared with the privacy commissioner?
The provisions also contain rules for when organizations must come clean and tell the privacy commissioner about a breach.
Under the regulations, a report of a breach must be made in writing and will have to contain a description of the breach and its cause, if known; an estimate of the number of people at risk of significant harm from the breach and what personal information was compromised; a description of what the company is doing to resolve the breach and reduce the risk of harm; its plans for reaching each of the affected individuals; and a contact person who can answer further questions from the privacy commissioner about the breach.
The privacy commissioner can then use that information to conduct an investigation into the breach and will also prepare an annual report to Parliament on how the rules are being applied and followed.
Companies will also have to keep a record of breaches for two years, which experts say is generally the limit for bringing civil claims in Canadian courts.
The result could be more cases of Canadian consumers suing companies that fail in their responsibility to keep personal information secure.
“For example, based on the breach notification experience in the United States and Canada, the risk of litigation and class actions in the wake of a data breach may be increased following a notification,” reads an analysis of the regulations prepared last year by the Canadian law firm Fasken Martineau DuMoulin LLP.
“Violations of the breach notification provisions may lead to offences and fines and potentially factor into civil litigation.”
Why do this now?
Data breaches and digital harvesting of user data have become commonplace in recent years, but revelations of a massive data scandal at Facebook late last month put front and centre the issue of user privacy and what individuals should be entitled to know about how their data is being used.
“People care more than they ever have before,” said Ann Cavoukian, the only person to have served three terms as Ontario’s privacy commissioner and now a distinguished expert-in-residence at Ryerson University’s Privacy by Design Centre of Excellence.
“Part of it is after Edward Snowden, which was five years ago and that’s been building up, but also these massive data breaches in the last few years and now with the Facebook debacle, people are getting outraged and they’re getting very, very concerned about this.”
Cavoukian pointed to studies over the last several years by the Pew Research Center which show privacy is consistently being rated as a top concern by more than 90 per cent of their respondents, noting the statistics suggest an undeniable trend of growing user fears about how their information is being used by governments and organizations.
The Facebook data harvesting scandal is proof of those concerns, she said, as well as the growing calls for stronger regulations to protect consumer privacy.
Facebook came under fire and became the target of international privacy investigations after it became known it had allowed the political consulting firm, Cambridge Analytica, to access the personal data of 50 million users.
The firm has also been linked to attempts to influence an election in Nigeria.
It took Facebook CEO Mark Zuckerberg several more days after that to bow to demands that he testify before the U.S. Congress on the matter.
The Canadian privacy commissioner is investigating how Facebook may have allowed the personal information of Canadian users to be harvested as part of that and is also investigating the breach of some 57 million accounts revealed last year by Uber.
Uber revealed in March that 815,000 of those compromised accounts belonged to Canadian users and drivers.
It only agreed to inform Canadians whose data had been breached after the Alberta privacy commissioner ruled that it must do so, but said it planned to appeal the ruling, given that it did not believe the breach posed any real or significant harm to users.
Alberta became the first and only province to implement mandatory disclosure rules for private-sector organizations in 2010.