New privacy rules target data breaches, fraud
Privacy commissioner would get new enforcement powers under Digital Privacy Act
Businesses will face steep fines for not reporting data breaches and Canada's privacy commissioner will get new enforcement powers under proposed updates to Canada's federal privacy laws.
"Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats," said Industry Minister James Moore in a statement as he introduced the Digital Privacy Act this week.
The bill proposes "important improvements" to the Personal Information Protection and Electronic Documents Act, the legislation governing how the private sector handles personal information.
The bill would:
- Require businesses and organizations to track data breaches — events in which personal information might be lost or stolen — and report them to consumers and the privacy commissioner if they pose a "real risk of significant harm to an individual," for example, if they could lead to identity theft. Non-compliance would be punishable by fines of up to $100,000.
- Give new powers to the privacy commissioner to help uphold privacy laws. Specifically, the commissioner would be able to negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations. The commissioner and private complainants would also be able to ask the Federal Court of Canada to order compliance or award damages to someone harmed by a privacy violation up to a year after an investigation. And the commissioner would have more flexibility to release information about non-compliant organizations if it is in the public interest.
- Require businesses and organizations to "communicate clearly" when obtaining consent to collect and use individuals' personal information, and to consider whether their target audience, such as children, can understand the consequences of sharing their information.
- Allow for the sharing of personal information without explicit consent to help protect individuals from harm, such as seniors suspected of being financially abused, or to detect and prevent fraud.
- Make it easier for businesses to collect, use and share information to manage employees, conduct due diligence when buying another company, or process insurance claims.
'Good first steps': NDP
Charmaine Borg, digital issues critic for the NDP, said, "overall, these are good first steps."
Borg, MP for the Quebec riding of Terrebonne-Blainville, added, "We have been pushing for these measures and I'm happy to see them introduced."
However, she said she would have liked to see the legislation go a bit further.
In particular, she said, she was disappointed that consumers and the privacy commissioner only need to be notified of a data breach "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." Borg called that "a little bit of a high threshold."
She also doesn't like the fact that organizations have to evaluate the risk for themselves. While most large companies have a privacy officer, the evaluation "might be a little hard for mom-and-pop shops who are affected, but who might not have the privacy expertise to make that assessment themselves."
She had previously proposed in a private member's bill that data breaches be reported to the privacy commissioner if they posed a potential risk, and that the commissioner's office would use its expertise to determine if consumers should be notified.
Borg thought the proposals regarding privacy agreements and new enforcement powers for the privacy commissioner were also good steps forward, although she would have liked them to have been "a little stronger."
The office of the privacy commissioner of Canada has long advocated for updates to Canada's privacy laws, including some of those in the new bill.
Interim Privacy Commissioner Chantal Bernier said at first glance, the bill contains "some very positive developments," especially with regard to mandatory data breach notification, new penalties, and "provisions that will make it easier for my office to ensure that companies carry through on commitments they have made during investigations."