Written By Ruth Promislow, Stephen Burns, Michael Whitt and Kate Rusk

In its Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA), the Office of the Privacy Commissioner (OPC) has repeated its previous calls for reform to privacy legislation. In short, according to the OPC, Canada's privacy laws do not provide a sufficient level of protection for privacy rights.

Call for Increased Regulatory Enforcement

In support of its position that the privacy laws are outdated, the OPC refers to the gaps highlighted by recent investigations into large-scale breaches (Facebook and Equifax), as well as the pandemic and the corresponding shift toward a digital economy. In connection with the pandemic and privacy, the OPC refers to issues created by virtual health services, video conferencing and contact-tracing applications. With this increased reliance on technology, comes privacy issues.

The key elements of the OPC proposed reform include the following:

• define privacy as a human right;
• putting an end to self-regulation;
• empower the Privacy Commissioner to make binding orders and impose consequential administrative penalties for non-compliance; and
• proactive privacy inspections by the OPC to ensure demonstrable accountability.

As noted by the OPC, these elements are present in the privacy legislation of many of Canada's trading partners. It is reasonable to expect that Parliament will heed the repeated calls by OPC (and others) for privacy law reform. This is particularly so given federal government's announcement of the Digital Charter in 2019, which included a plan to modernize Canada's privacy legislation to address the evolving privacy issues with the transition to a digital economy.

The context in which the OPC issues these recommendations includes expected scrutiny by foreign regulators of Canadian equivalency of protections for international data flows. This is of particular concern given the recent decision by the Court of Justice of the European Union (CJEU), which invalidated the EU-U.S. Privacy Shield Framework. More than 5000 U.S. companies relied on the E.U-U.S. Privacy Shield Framework to transfer and process data from the EU to the United States. The CJEU held that EU residents' data privacy rights are incompatible with the United States approach to data privacy in the context of national security.

Cybersecurity Threats in the Private Sector

The OPC Annual Report includes some interesting numbers that provide some visibility into the state of cybersecurity and privacy issues in Canada:

• Increased breach reports: In 2019-2020, there were 678 breach reports affecting an estimated 30 million Canadian accounts. This is more than six times the number of reports received the year before breach reporting became mandatory.
• Use of investigation powers: The OPC increased its use of formal investigation powers, including site visits, requiring testimony under oath, and issuing summons for appearance when formal investigations were required.
• Complaints by industry: 50 percent of all complaints to the OPC in 2019-2020 came from three areas of the Canadian private sector: 19 percent from the financial sector; 17 percent from telecommunications; and 14 percent from the sales and retail sector.
• The OPC received an increased number of breach reports from telecommunications companies regarding unauthorized access of customer’s accounts through SIM swaps. These are a result of malicious actors using social engineering to take over a customer’s phone number and gain access to their phone calls and text messages.
• Type of attacks: Roughly half of the reported breaches involved unauthorized access by malicious actors or insider threats, often as result of employee snooping or social engineering hacks. Insider threats include both malicious and inadvertent conduct. Failure of staff to properly verify identity of individuals led to serious breaches through unauthorized access to customer accounts.
• Phishing and Social Engineering Threats: Targeted social engineering campaigns involving phishing and impersonation schemes continued to be a leading cause of breaches reported to the OPC.

Time for Organizations to Prepare

Canadian organizations should get their house in order as it concerns privacy and management of personal information. While Canadian organizations have not faced the same regulatory scrutiny on privacy and data security issues experienced in the United States, it is reasonable to expect that the mandate of the OPC will evolve and such scrutiny will soon be an inescapable issue for Canadian organizations to address proactively.

Being prepared for cybersecurity risks and regulatory compliance with privacy and data security obligations is not only about having the right technology. Technology will not protect you against an employee clicking on a malicious link. Nor will it protect you against a hostile insider, or a third-party processor that suffers a breach. Technology has nothing to do with whether an organization is using personal information for an improper purpose or without the required consent.

Being prepared means having a thorough understanding and analysis of the risk profile to your organization from the collection, use and disclosure of personal information, and a comprehensive plan to manage that risk. Organizations should base this analysis on an assessment of issues such as (but not limited to) the following:

• scope of personal information collected;
• legislative regime(s) that govern the collection, use and disclosure of the information;
• categorization of the information based on sensitivity levels;
• purposes for which personal information is collected and whether those are permitted purposes under the applicable legislation;
• whether meaningful consent is obtained from data subjects to collection, use and disclosure of their information;
• operational, technical and physical safeguards in place to protect the information;
• employees who have access to personal information vs. employees who require access;
• how personal information is accessed and transmitted, both in the office and remotely, and corresponding risks to the information;
• protocol for providing customers/clients with access to their records;
• whether physical protections to premises have adapted to evolving technologies and risks;
• employee response rate to simulated phishing attacks;
• issues covered by employee cybersecurity training vs. specific key risks to organization;
• specific risks associated with employee error (e.g., providing one client with sensitive information intended for another);
• what personal information is transferred to third parties for storage and processing and how the risk of an attack against that third party is managed;
• whether there is an incident response plan which has been tested through simulated code-red scenarios with the incident response team.

A risk management plan designed to address an organization's specific risks and vulnerabilities should include the development of policies and protocols to address the risks that are unique to the organization, having regard for its specific operational structure.

Ignoring the risks associated with management of personal information does not make them go away. It makes them more expensive to deal with.

For assistance on regulatory compliance and data management issues, please contact the Bennett Jones Privacy and Data Protection group.