It’s lucky 13 for Data Privacy Day!
Today, Tuesday, January 28, marks the thirteenth official commemoration of the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
Since that time, however, it seems like nothing but bad luck for privacy and privacy advocates.
Trust in the safety and security of our online activity is understandably lower; the tally of hacks, breaches and violations of personal information and corporate data is significantly higher.
In just the past year alone, some 28 million Canadians were affected by a data hack, breach or accident of some kind. Sometimes, millions of incredibly valuable medical, financial and other personal records were stolen in a single incident (see Equifax, LifeLabs, StatsCan or Desjardins, among many others).
Then there’s Norton, the global Internet security company, and it’s 2019 mid-year report documenting more than 3,800 publicly reported breaches, exposing 4.1 billion records – a 54 per cent increase in just one year! It could be more evidence supporting those who say privacy is dead, or those who feel that a day for privacy is just not long enough.
# # #
Discussing data privacy does not have to be a downer.
There’s the fun and enlightening approach recommended by Ryan Berger, a lawyer with Lawson Lundell LLP, who says you can make a game of it! In his recent column, How To Party With Your Employees: Celebrate Data Privacy Day, he serves up some games, quizzes and other ideas for having fun while learning about data privacy.
Whether playing or not, good luck to all!
# # #
But 2020 could be a pivotal year for the protection of personal information worldwide and here in Canada. New European laws protecting consumer data and new California codes protecting children online are influencing legislators in this country, where new legislation at both the federal and provincial level promises to bring greater protection for online activities, increased user control over personally identifying data, and more significant penalties for entities that misuse that data.
New rules and regulations to protect the online activity and personally-identifying data of all Canadians are called for as part of the country’s new Digital Charter, which not only calls for “a new set of online rights” but also enhanced powers for the Privacy Commissioner to enforce those rights.
The Privacy Commissioner’s office, of course, participates in Data Privacy Day activities, and one of Commissioner Daniel Therrien’s cohorts will be speaking on a TED-talk style video stream from San Francisco called “Data Privacy Day 2020: A Vision for the Future”. There will be screenings held here in Canada.
Therrien’s vision for the future of privacy in Canada was carefully laid out in his Annual Report to Parliament, tabled last month.
Privacy, he noted, cannot be seen simply as a matter defined by commercial terms and conditions found on websites or mobile contracts. It is a basic human right and it is important that government helps protect and defend that right: individuals should not be left on their own in the fight to protect their online data from misuse or abuse: technical rules to protect data, legislation that defines privacy, and penalties that can deter even the biggest multinational companies should be in place. Self-monitored industry codes and ethical commitments do not cut it.
Therrien acknowledges the sharp, cutting double-edge of today’s data-driven technologies:
“For good and bad, [they] are a disruptive force. They open the door for innovation and economic growth, but they have been shown to be harmful to rights, including privacy, equality and democracy.”
Therrien’s focus on privacy as a human right may put him at odds with those seeking a more balanced weighting between personal rights and business opportunities (there’s that sharp double-edge again): while the concept of consent is an important one, it may not be the best guiding principle for the future of privacy.
As Therrien suggests, privacy protection should be first and foremost in the hands of government regulators (like himself), empowered by strong legislation and the ability to levy meaningful penalties on individuals or businesses or government organizations that do not protect other people’s data appropriately.
It’s easy to find examples of why he thinks that should be so: Therrien highlighted a decade-long Canada/Facebook/Cambridge Analytica saga in his report, and how his office’s revealing investigation of that scandal “ended with the social media giant’s deeply disappointing decision not to implement recommendations aimed at correcting serious privacy deficiencies.”
That disappointment highlights the urgent need for legislative reform, he said, to give him the right to inspect the privacy practices of businesses to either verify accountability or assess much-needed penalties when the accounting cannot be made.
Right now, the remedy for all those significant breaches and hacks of Canadians’ personal data seems to be class action lawsuits. But under proposed new privacy legislation, Canadians who are victims of personal data privacy breaches could be eligible for compensation by law, without the need for expensive private legal action.
Unfortunately, there is no timeline for Canada’s Digital Charter or new privacy legislation to take effect. And so the hacks and breaches and data violations will continue.
While the idea of proactive inspections of privacy procedures is a good one (much like proactive inspections of a restaurant’s cleanliness and kitchen safety), and a privacy inspector’s ability to table binding orders for compliance would also mirror food safety parameters, it is the ability to impose significant penalties (with compliance or non-compliance determining operating license status) on data gathering, collating and enriching companies that may best have the desired impact.
# # #
Here’s another privacy game you can play: how many safety tips must you follow to protect your personal data and online privacy?
Some say there are seven such suggestions.
Some say twelve steps to safety.
Others note five. How about 66? As many as 131?
No, there’s only three.
Perhaps there is just one: Don’t.
-30-
The day has come.
Facebook Inc. will pay a $9 million penalty, plus an additional $500,000 for the costs of a recent investigation by Canada’s Competition Bureau, in which the Bureau concluded that Facebook made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger. Facebook disagreed with the Bureau, but it is not contesting its conclusions for purposes of the agreement.
There may be more days like this to come: The Competition Bureau says it will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies.
https://www.mondaq.com/canada/privacy-protection/963088/competition-bureau-brings-big-stick-to-privacy-claims-95-million-penalty-for-privacy-claim
Who is the enforcement power behind Canada’s privacy laws? The Privacy Commissioner himself says he needs more legal teeth to be that power, so if not the Office of the Privacy Commissioner of Canada, what agency has the power to protect our privacy?
A major announcement presents a potentially powerful answer:
An official from Canada’s Competition Bureau has apparently confirmed that it will take action against organizations that make false or misleading statements about their data collection activities.
The Competition Act is tougher than the Privacy Act when it comes to powers of enforcement or penalty for violations thereof: up to $15 million for each order against an organization, and up to $1 million per order for an individual.
There is no date or timeline associated with the reports about the Competition Bureau’s stated intention, but for many, that cannot come too soon.