Cape Breton Post

Failure to report breaches could mean big fines


After more than three years of legislative fine-tuning, Canadian businesses will be required as of today to alert their customers and the federal privacy watchdog if there’s a danger that personal information under an organization’s control has fallen into the wrong hands.

Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.

But there are warnings that Canada’s privacy office, an arm’s-length Parliamentary body, will be handicapped by a lack of resources and its limited powers under the Personal Information Protection and Electronic Documents Act, or PIPEDA.

Privacy commissioner Daniel Therrien says his office needs about six more people to analyze the new flood of breach reports that will start to flow. Without additional funds, the office will only be able to take a superficial look at most reports.

“We will focus on those with the greatest harm. . . . And when we see gaps in the posture of organizations, we will recommend they improve safeguards,” Therrien said in an interview.

But under the current law, the Office of the Privacy Commissioner can only advise organizations to make changes. The OPC has no authority to order corrective changes or issue fines, an enforcement power that Alberta’s privacy watchdog has had since 2014.

And since PIPEDA is full of imprecise language that requires notifications “as soon as feasible” after a “real risk” of “significant harm” has been detected, there’s a danger that some incidents will be reported too slowly or not at all.

“That’s not our domain,” Therrien said. “It will be up to the Justice Department to decide whether or not to prosecute. . . . If they do, the fines are fairly hefty.”

Therrien isn’t satisfied with having just an advisory role and has asked repeatedly for additional investigative and enforcement powers, as well as a $12-million increase to his office’s $24-million annual budget.

MP Peter Kent, the Conservative critic for access to information, privacy and ethics, said Therrien has the support of an all-party Commons committee that deals with privacy issues.

“How much more capacity does the privacy commissioner need? I don’t know. But I think there’s general agreement on the committee that his powers need to be contemporized,” Kent said.

In other words, they need to be strengthened given the rapid changes in technology and resources available to multi-billion-dollar enterprises such as Facebook and Google, he said.

“PIPEDA, today, is barely adequate,” Kent said. “We’re really only scraping the surface of a very rapidly changing threat to privacy.”

In a separate but related development, Therrien said Wednesday that he’s investigating Statistics Canada’s request for private banking information on 500,000 Canadians.

However, that probe is being done under the Privacy Act, which applies to the public sector, rather than PIPEDA.

CP FILE PHOTO: Privacy Commissioner Daniel Therrien holds a news conference to discuss his annual report in Ottawa in September.
