On December 10, 2019, the Privacy Commissioner of Canada released its 2018–2019 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
This is a powerful document that discusses several key topics, one of which includes advice to Parliament regarding proposals for privacy law reform for respecting rights and restoring trust in government and the digital economy. Not only is there a discussion of what has transpired in the past year with respect to both the Privacy Act and PIPEDA, but there is also a set of appendices providing further information about the investigation process, substantially similar legislation, and statistical tables with details about the Privacy Act and PIPEDA. There is also a helpful infographic at the beginning of the report that sets out privacy by the numbers. Given the density of this document and this audience, my discussion will be confined to providing a brief review of the past year in respect of PIPEDA.
As you may recall, the Office of the Privacy Commissioner investigates complaints, monitors compliance with its recommendations, collaborates with other organizations, deals with privacy breaches, and provides advice to businesses. Over the past year, the Office of the Privacy Commissioner accepted 380 PIPEDA complaints; it resolved 178 through early resolution and 104 through standard investigation. Yet, there is a growing backlog of complaints that are older than 12 months, which represents an increase of about 16 percent. Additionally, the top sectors with complaints include: financial (75 or 20 percent); telecommunications (48 or 13 percent); services (41 or 11 percent); Internet (37 or 10 percent); and transportation (37 or 10 percent). Also, the top concerns in complaints were about access to personal information (110 or 29 percent), use and disclosure of personal information (69 or 18 percent), and consent (64 or 17 percent).
Here are a few topics that were discussed in the report:
- The Office of the Privacy Commissioner conducted a joint investigation with the Office of the Information and Privacy Commissioner for British Columbia to look into the Cambridge Analytica scandal. The Office of the Privacy Commissioner found Facebook’s decision not to implement its recommendations “deeply disappointing”. The joint investigation revealed that Facebook committed serious contraventions of Canadian privacy laws. As a result, the Privacy Commissioner will be applying to the Federal Court to seek a binding order to force the company to take actions to correct its privacy practices. Some of the problems that were identified include: superficial and ineffective safeguards and consent mechanisms that led to a third-party app’s unauthorized access to the information of millions of Facebook users (some of which was used for political purposes); a failure to obtain meaningful consent from users and from the friends of users; no oversight of the privacy practices of apps on the platform; and a lack of responsibility for personal information at Facebook, together with an attempt to shift that responsibility to the apps on the platform and to the users.
- The Office of the Privacy Commissioner conducted an investigation into the massive breach at Equifax (a credit reporting agency). Due to a series of security deficiencies, there was a massive global data breach affecting about 143 million people worldwide (including 19,000 Canadians). Essentially, hackers gained access to the system by exploiting a known vulnerability in a software platform. For about 77 days, the attackers were able to operate within the system undetected – what is most troubling is that the company knew about this vulnerability for more than two months, but failed to fix the problem. Given the amount of sensitive information involved, there were 19 complaints made against the company after the breach. Several deficiencies were uncovered, some of which included: inadequate vulnerability management to prevent attacks through known vulnerabilities; inadequate network segregation to reduce the scope of access and harm in cases of a breach; inadequate implementation of basic information security practices; and a failure to adopt oversight mechanisms to accurately assess the security risks and ensure there was an adequate security program for protecting sensitive information. There were also serious issues involving Canadians who obtained products such as credit monitoring reports or fraud alerts from Equifax Canada, and then learned that their personal information had been transferred to the parent company in the United States. The Privacy Commissioner found that the transfer was inconsistent with the obligation to obtain meaningful consent from individuals before disclosing personal information to a third party (for the consent to be valid, individuals had to be given clear information about the disclosure, about the third party being located in another country, and about the risks). Unlike Facebook, Equifax has taken some measures to improve its security and accountability programs, and has entered into a binding compliance agreement.
- There has been a significant increase in the number of breach reports in the past year. In fact, breach report numbers have increased by almost 500 percent. What is most important to know is that organizations must report any breach that meets the reporting threshold, regardless of the number of individuals affected. The majority of the breaches involved unauthorized access, meaning they were carried out by malicious actors or by employees snooping. Employee snooping and social engineering hacks have been some of the main causes of the breaches resulting from unauthorized access. See my blog on the topic of breach reporting here.
- The Office of the Privacy Commissioner created a Business Advisory Directorate in 2018. It was created to help businesses better understand the privacy implications of new technologies and business models before they are deployed in the marketplace, or to assist them in assessing the privacy implications of their current practices. The main purpose is to become more proactive, address privacy issues upfront, and resolve matters cooperatively outside of formal enforcement. In this way, costly and time-consuming investigations can be avoided and future privacy risks can be mitigated. This past year, the Office of the Privacy Commissioner provided guidance, met with privacy officers from various commercial enterprises, and explained best practices for businesses regarding obtaining meaningful consent. Some examples of projects that would fall in this category include the Apple Maps Project and Sidewalk Labs’ Quayside Project in Toronto.
What can employers take from this report?
This report contains a great deal of helpful information for understanding how things work under the Privacy Act and PIPEDA. For example, Appendix 3 provides an excellent visual of the investigation process relating to early resolution and standard investigations. It is important for organizations to remain informed, and there are plenty of topics to learn about, such as breach reporting. Likewise, organizations can become more familiar with the newly created Business Advisory Directorate for the purposes of proactively dealing with privacy issues in conjunction with the Office of the Privacy Commissioner of Canada.