On December 9, 2021, the latest annual report (the Report) from the Privacy Commissioner of Canada (the Commissioner) was tabled in Parliament. Among its recommendations, the Commissioner is calling on the Federal Government to adopt rights-based privacy laws that reflect Canada’s values and support responsible innovation.
In the Report, the Commissioner highlighted that the increasing use of digital technologies, like artificial intelligence, poses major risks to Canadian rights and values, and requires Canada to adopt a rights-based framework with respect to privacy laws.
The Commissioner stressed the need for consistency between the public and private sector privacy laws. The Commissioner drew on its investigation of Clearview AI and the Royal Canadian Mounted Police (previously reported in the E-TIPS® Newsletter here) to highlight the increase in public-private partnerships and the use of corporate expertise to assist public bodies.
Furthermore, the Commissioner stated that Canada’s federal privacy laws must address the following issues to be fit for purpose in these modern times:
- Defining permissible uses: permissible uses of data require objective and knowable standards.
- The need for a rights-based framework: Canada’s privacy laws should recognize privacy as a human right.
- Defining corporate accountability: the accountability principle should be clearly defined and protective measures should be in place so that the accountability of organizations is real and demonstrable.
- The need for common, or at least similar, principles for the public and private sectors: common privacy principles in both the public and private sector privacy laws would help address gaps in accountability where the sectors interact.
- The need for interoperable laws, internationally and domestically: adopting a rights-based approach and interoperability between laws would situate Canada as a global leader in privacy protections.
- The need for quick and effective remedies and the role of the Office of the Privacy Commissioner (OPC): penalties for breaches of privacy should be proportional to the financial gain that businesses can make by disregarding privacy. Also, there is no need for additional layers of administrative decision-makers (e.g., the proposed Personal Information and Data Protection Tribunal) that may delay access to justice for consumers.
The Report includes important statistics on privacy breach reporting and cyber attacks during the past year:
- In the public sector, there was an 18% decline in the number of breach reports received by the OPC (280 in 2020-21 compared to 341 in 2019-20); and only 9 breaches involving cyber attacks (compared to 5 in 2019-20). The Commissioner stated that the OPC is convinced that under-reporting of privacy breaches by federal government organizations represents a systemic problem.
- In the private sector, there were 782 breach reports received by the OPC (a 15% increase compared to the previous year). The majority of breach reports involved 3 main industry sectors, with 22% from the financial sector, 14% from telecommunications and 10% from sales and retail.
- For the private sector: (i) the leading cause of reported breaches was unauthorized access (64%), which includes external actors gaining access to systems through malware, ransomware or social engineering; (ii) 28% of breaches were caused by unauthorized disclosures; and (iii) 42% of reported breaches originated from cyber attacks, involving malware, ransomware, password attacks, credential stuffing attacks, and other cyber threats.
The full report can be found here.
Summary By: Olalekan (Wole) Akinremi