Exploring Federal Privacy Breach Notification in Canada
By Ron De Jesus, CIPP/US, CIPP/IT, CIPP/EU, CIPP/C
Canada’s lack of federal regulation to address breaches of personal information is unexpected, given the overall maturity of its national data protection regime. Individual provinces have tackled breach notification in various forms, most notably within the province of Alberta, which enacted amendments to its Personal Information Protection Act (PIPA) in 2010 to address incidents involving the “loss of or unauthorized access to or disclosure of the personal information.” Meanwhile, other breach notification requirements promulgated at the provincial level—i.e., within Ontario, New Brunswick and Newfoundland and Labrador—apply only to personal health information. The resulting legal landscape for notifying individuals or relevant privacy authorities following breaches of personal information is a patchwork at best. Yet change is imminent, as federal and private-sector Canadian organizations subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will soon be expected, under proposed amendments to the act by Bill C-12, to report “material” breaches to the federal privacy commissioner.
Breaches and PIPEDA
PIPEDA, Canada’s existing national privacy law, passed in 2000, generally applies to the personal information collected, used and disclosed by organizations involved in commercial activities. In its current form, the act does not generally obligate organizations to notify individuals of breaches involving their personal information, nor does it appear to require notification to any relevant federal authority in the event of a breach. The act does, however, include requirements around adequately safeguarding personal information through the use of physical, technological and organizational measures. Many have opined that, quite obviously, the absence of “appropriate” controls results in breaches and should trigger consequences as a contravention of the act’s security safeguards requirement. Yet while the act fails to directly address breach notification, the issue has not been wholly ignored.
The Office of the Privacy Commissioner of Canada (OPC) issued privacy breach guidelines in 2007 and encourages organizations to notify the office or appropriate provincial privacy commissioners of “material” breaches of security safeguards that involve personal information—determining whether a breach is “material” involves, among other considerations, assessing the sensitivity of the personal information and the number of individuals affected. According to the latest figures available from the OPC, the number of commercial breaches voluntarily reported between 2008 and 2011 has remained somewhat steady—about 58 breaches per year, on average. Not surprisingly, the number of private-sector breaches reported to the Alberta Information and Privacy Commissioner totaled just over 150 in the two years after breach notification became mandatory in the province. The findings appear to confirm that Canadian organizations, whether federal or public, and whether required to or not, are indeed notifying the relevant authorities of significant privacy incidents. At the time of writing, Human Resources and Skills Development Canada had notified the OPC of the loss of an external hard drive affecting over half a million clients and 250 employees, and the OPC has announced it is investigating.
“Obviously, there are some organizations that will disclose in the event of a breach, either because some of the affected individuals are in jurisdictions with disclosure requirements or because they feel it is required given the impact of the breach,” says Michael Geist, a law professor at the University of Ottawa and a member of the Privacy Commissioner’s Expert Advisory Board. “Yet it seems likely that many other incidents go unreported given the lack of a legal requirement to do so,” he adds.
Attempts to amend PIPEDA to include mandatory breach notification requirements started with Bill C-29, introduced into the House of Commons in May 2010. The bill included specific amendments requiring organizations to notify both affected individuals—based on whether the breach constituted a “real risk of significant harm to the individual”—and the privacy commissioner, based on whether the incident constituted a material breach. Although the bill later died on the Order Paper in March 2011, it was reintroduced as Bill C-12 in September of the same year.
Both versions of the bill have been criticized for their apparent “lack of teeth,” most notably by Canadian Privacy Commissioner Jennifer Stoddart, who, under the proposed changes, would be left without the authority to impose fines and orders on companies who experience breaches. According to notes released from the OPC, Stoddart’s opinions on the bill as drafted aren’t favorable, lamenting that “[m]any international data protection agencies now have, or will soon have, much stronger enforcement powers than exist in Canada.”
The omission from Bill C-12 becomes more noticeable when compared against the powers currently held by the Alberta information and privacy commissioner who, under the province’s PIPA, can order an organization involved in a breach to notify affected individuals, or when compared against the authority of the US Federal Trade Commission, which demonstrated the capacity of its order-making powers through the “trifecta” of enforcement actions it took against three popular social media companies in 2011.
“[T]he absence of any order-making power is a serious drawback,” says Ann Cavoukian, information and privacy commissioner of Ontario. “While we use it as a last resort, order-making power plays an important role in motivating compliance with privacy legislation.” Geist adds that “the security breach rules [of the current bill] are weak, with no penalties for compliance.”
Suggested amendments to PIPEDA have also come from outside the government. Public interest organizations, including the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and the Public Interest Advocacy Centre (PIAC), have advocated for changes to the act from as early as 2007. CIPPIC’s white paper, “Approaches to Security Breach Notification,” makes the argument for amendments to PIPEDA that would “provide for mandatory notification of security breaches when certain types of personal information are exposed to unauthorized access as a result of a security breach.” Similarly, PIAC’s report, released in January of last year, makes the case for an “‘Alberta model modified’ data breach law at the federal level,” and proposes, among other recommendations, that audit and order-making powers be granted to the privacy commissioner.
The reintroduction of a national breach notification requirement in the form of Bill C-12 is a step, however slight, in the right direction. Attaining consensus among multiple stakeholders while considering both the evolving privacy expectations of consumers and the complex needs of Canadian businesses is a key challenge. The obvious flaws with the current draft of the bill, especially with respect to the lack of enforcement powers, also need to be addressed—and fast. In a recent development at the time of writing, Canada’s New Democratic Party introduced a private member’s bill (C-475) in response to the stagnancy of the federal government’s current efforts at privacy breach notification reform. Although received with enthusiasm, the bill has been met with mixed reviews.
And while Canada may seem behind the curve when compared to the framework of breach notification laws already instituted in the U.S., one of its privacy regulators is advocating for a more practical solution. “[A]chieving an effective approach to breach notification is certainly important, but quite frankly, my preference is breach avoidance,” offers Cavoukian. “A proactive/preventative Privacy by Design (PbD) approach...can address the risk of harm to individuals before privacy intrusions or breaches can take place.” While many consider implementation of PbD principles into the design and development of new systems or processes an effective practice for proactively addressing privacy breaches, the need for requirements and appropriate consequences for companies that experience a breach is apparent, especially as the likelihood of an incident involving personal information has evolved from a “what if” scenario to an expected business reality.
“I don't think there is much disagreement on the need for a mandatory security breach disclosure system,” says Geist. “The challenge is in the details—who discloses and when—and in getting the government to move forward with privacy reform.”
Author’s Note: Special thanks to Dr. Ann Cavoukian and Dr. Michael Geist for their unique perspectives and contributions to this article.
Ron De Jesus, CIPP/US, CIPP/IT, CIPP/EU, CIPP/C, CISSP, is a manager with PwC’s Data Protection & Privacy practice and is based in New York. He has extensive experience assisting clients with their obligations under global privacy laws, and has helped build privacy programs for leading financial, retail and pharmaceutical companies.