On September 19, 2023, the Office of the Privacy Commissioner of Canada (OPC) released its Annual Report for 2022–2023. The report discussed personal privacy and the impact of emerging technologies, and noted several recent investigations, some of which include ones launched into TikTok, OpenAI (parent of ChatGPT), Home Depot, Tim Hortons, and Canada Post. Additionally, Privacy Commissioner of Canada Philippe Dufresne set out three main strategic priorities for the work of the OPC: 1) staying ahead of the fast-moving pace of technological advancement, especially in the world of artificial intelligence (AI) and generative AI; 2) protecting children’s privacy; and 3) preparing for potential law reform should Bill C-27, the Digital Charter Implementation Act, be adopted by Parliament. This is a lengthy document, and the focus of this article will be on the Personal Information Protection and Electronic Documents Act (PIPEDA).
Personal Information Protection and Electronic Documents Act (PIPEDA)
When we take a look at the numbers, we see that there were 454 PIPEDA complaints accepted, and 19 of them were well-founded. While 282 complaints were closed through early resolution, 102 were closed through standard investigation.
And when it came to data breaches, 681 data breach reports were received by the OPC. These breaches affected millions of Canadians during the year in question. This number amounted to 6% more than last year (645 breaches). The OPC believes that many breaches went unreported, or perhaps even undetected completely; this was more likely to be the case among small- and medium-sized enterprises (representing nearly 90% of the businesses in Canada). The top five sectors reporting breaches included the financial, telecommunications, professional services, sales and retail, and insurance sectors.
In the past year, the OPC found that the main breach types were unauthorized access (66%), unauthorized disclosure (25%), theft (4%), and loss (4%). More than half of ones involving unauthorized access (278), were found to be cyberattacks initiated through malware, compromised credentials, or phishing schemes that allowed bad actors access to systems. The harms to victims resulting from cyberattacks included financial loss, identity theft, and reputational harm (and of course, emotional distress). Clearly, more needs to be done to ensure that security becomes a priority among organizations. Some important security measures to take are enhancing protections for employee credentials, applying security patches as they become available, requiring two-factor or multi-factor authentication, and investing in cybersecurity to prevent unauthorized access. Further, unauthorized disclosure included things such as misdirected correspondence, mishandling of data, or a data entry error. This number was also significant, accounting for 171 reports, or 25% of all reports received.
It is worth noting here that the OPC provides PIPEDA advice and outreach to businesses—more specifically, the OPC gives practical advice, on a confidential basis, to businesses on their practices and initiatives that have a significant impact on the privacy of Canadians. I encourage businesses to consider using this invaluable resource in order to better comply with PIPEDA.
Other work of the OPC
There is a number of things that the OPC is currently working on in respect of PIPEDA. One element that I wanted to mention here is the OPC’s recent submission regarding Bill C-27. In May 2023, the OPC made a submission; the result was that the OPC provided 15 key recommendations concerning Bill C-27:
- Recommendation 1: Recognize privacy as a fundamental right.
- Recommendation 2: Protect children’s privacy and the best interests of the child.
- Recommendation 3: Limit organizations’ collection, use and disclosure of personal information to specific and explicit purposes that take into account the relevant context.
- Recommendation 4: Expand the list of violations qualifying for financial penalties to include, at a minimum, appropriate purposes violations.
- Recommendation 5: Provide a right to disposal of personal information even when a retention policy is in place.
- Recommendation 6: Create a culture of privacy by requiring organizations to build privacy into the design of products and services and to conduct privacy impact assessments for high-risk initiatives.
- Recommendation 7: Strengthen the framework for de-identified and anonymized information.
- Recommendation 8: Require organizations to explain, on request, all predictions, recommendations, decisions and profiling made using automated decision systems.
- Recommendation 9: Limit the government’s ability to make exceptions to the law by way of regulations.
- Recommendation 10: Provide that the exception for disclosure of personal information without consent for research purposes only applies to scholarly research.
- Recommendation 11: Allow individuals to use authorized representatives to help advance their privacy rights.
- Recommendation 12: Provide greater flexibility in the use of voluntary compliance agreements to help resolve matters without the need for more adversarial processes.
- Recommendation 13: Make the complaints process more expeditious and economical by streamlining the review of the Commissioner’s decisions.
- Recommendation 14: Amend timelines to ensure that the privacy protection regime is accessible and effective.
- Recommendation 15: Expand the Commissioner’s ability to collaborate with domestic organizations in order to ensure greater coordination and efficiencies in dealing with matters raising privacy issues.
It is my hope that these recommendations will play a considerable role in strengthening the privacy rights of Canadians.
What can we take from this development
In line with the Privacy Commissioner’s opening message, a great deal of important work is being done to protect and promote the fundamental privacy rights of Canadians. Just in the first year of the Privacy Commissioner’s mandate, his vision has been made clear; this vision has informed the three main strategic priorities going forward.
Given the rapid explosion of AI and generative AI, and the consequent serious risks of these advances, there is no doubt that addressing these technologies must be a critical priority in the OPC.
Likewise, in my view, it will be interesting to see if anything productive takes place with respect to Bill C-27, as there has been a great deal of stalling taking place for years and particularly since the original version (Bill C-11) was first introduced.
And lastly, children’s privacy rights need to be protected. That is, children are vulnerable citizens in society and they deserve to be protected such that they can benefit from technology and participate in online activity—safely and free from fear that they might be targeted, manipulated, or harmed in the process.
Please note that any views expressed in this article are solely the views of the author.
- The antitrust case against Google - November 17, 2023
- Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems released - October 20, 2023
- Privacy Commissioner of Canada releases Annual Report - September 22, 2023