The laws meant to protect Canadians’ online privacy are more than 20 years old – they are often hopelessly if not helplessly out of date and out of sync with today’s online risk profile.
Without tough laws to level today’s digital playing field, data privacy and security disputes can pit people against corporations (or their own governments). The legal, financial and administrative muscle the enterprise can muster far outstrips that of most individuals.
With few protected rights, individuals online have pretty much been left to use their own best intentions to protect their data against the reach of a complex, convoluted and complicated digital ecosystem.
And while the laws that protect our privacy online may soon get much stronger, the basic advice we get to protect ourselves online is very similar to that shared 10 or 20 or more years ago. Luckily, organizations such as the Electronic Frontier Foundation and the Canadian Centre for Cyber Security regularly update the advice they share to help us avoid data loss or theft or personal information online.
(At first, avoidance may seem futile: last year alone, the Office of the Privacy Commissioner of Canada recorded increased data breaches affecting some 28 million Canadians; nearly ten million in one single hack. Major hacks in the U.S. are, well, still underway. Nevertheless, some of the best EFF and Canadian cyber safety tips are linked below.)
Passwords, Authentication and Encryption
Good online protection for yourself starts with strong, unique passwords. You should create a new (or change the default) password for every device you get and every online account you have. Just don’t use 1234, ABCD, or the word password. Nowadays, a password manager like KeePassXC can help you safely manage all those different passwords.
Two-factor authentication, when and where available, gives an added level of protection to even the best passwords: as part of your password-protected log-in, you will get a text or phone call at a prearranged number that gives you a unique one-time code that, once entered, completes the log-in.
The data you exchange with that now-safely-logged-onto website or device (including your password data, but also your charge card data if you make a purchase, your address if you want that purchase delivered, your health status if you have a virtual doctor’s visit, your company sales figures if you have a business meeting, and so on and so on) should itself be protected using some kind of encryption.
Many websites offer secure connectivity through HTTPS, the secure hypertext protocol “language” that websites speak (you can tell in the address bar of your browser; if the https://www.whatever text is visible, the connection is secure). Browser plug-ins like HTTPS Everywhere can force websites to make use of encrypted connections.
Likewise, dedicated Virtual Private Network services, or VPNs, can encrypt your data and prevent prying eyes from seeing your Internet traffic. A VPN provider is, however, a single point of contact through which all your personal data may flow, so you do need to ensure the trust and reliability of any third-party provider.
Third-parties are often the digital entities behind the corporate marketing campaigns used to promote products and make sales, and they often use tools such as online ad trackers to follow you and collect records of your activities across various websites. But ad and tracker blockers like Privacy Badger will basically send a “do not track signal” to the website you are visiting. If the site does not obey, Privacy Badger will block the trackers so they will not follow you.
Another tool specifically for Canadians to protect themselves and their families from malware, phishing and other cyber-attacks, is the Canadian Shield.
After only seven months in market, more than 100,000 Canadians have implemented CIRA Canadian Shield, an online protection service that has reportedly blocked more than 20 million malicious threats so far. Together with the functional protection provided by the Shield, a whack of simple, realistic and achievable steps to make yourself more secure online has been posted for individual’s use at GetCyberSafe.ca. Canadian not-for-profits, businesses of any size or another levels of government can find online safety and data protection information at cyber.gc.ca.
The Laws Must Change Someday
So after some 20 years of such tips and advice, after 20 years of “you protect yourself online by taking the steps you can”, some 20 years of singing the laws must change someday, there may now be some actual legislative, legal protection for our online privacy and personal data.
In what does seem to be “a genuine attempt to provide robust protection for individuals”, the Canadian government has tabled Bill C-11, its proposed new private-sector privacy legislation.
(The Bill as tabled includes two major components addressing specific digital issues and areas of privacy concern: the new Consumer Privacy Protection Act and the Digital Charter Implementation Act.)
If Bill C-11 receives Royal Assent, and there is much parliamentary debate and process before that happens, it will opens the door to powerful legal remedies and hefty new fines for infringements of the privacy laws.
That fact that big fines up to $25 million dollars may be levied in egregious cases of knowing privacy contraventions (albeit in a somewhat bureaucratic appellate process) gives the little guy some sense of balance against a larger digital corporation.
Along with the potential for legal financial penalties, the Bill includes a proposed new private right of action under which individuals may sue in provincial or federal court for damages that result from a privacy violation. When the Privacy Commissioner of Canada finds evidence of such violation, and the finding is not appealed, individuals may now bring suit within two years.
In Canada, the idea that a breach of privacy itself, in certain contexts, entitles an individual to compensable damages, can be seen as a new category of litigation, in the sense that individuals have a chance to demonstrate or articulate loss and damage in the context of collection, use or disclosure of their personal information.
Canadian Privacy Commissioner Daniel Therrien has long bemoaned the lack of teeth his office has when trying to enforce privacy laws or penalize privacy breaches. He has welcomed Bill C-11, calling it an “ambitious reform initiative” bringing “several significant improvements” to the country’s data protection landscape. However, the Commissioner notes, the Bill also raises a number of questions about its ability to effectively protect privacy in a constantly evolving digital society.
It won’t take another 20 years for the digital threat level to change; 2021 may well do that all on its own.
New threats to our personal data and private information are emerging from state, corporate and individual actors on a daily basis.
In an upcoming article here at WhatsYourTech.ca, we will take a look at our constantly evolving digital society and the new threats we all face, both to our online virtual selves and our real-world, physical selves.
# # #