A pair of notable privacy developments has recently broken in Canada. The Office of the Privacy Commissioner of Canada placed Equifax on a six-year "compliance agreement" for its 2017 data breach, while the agency also launched a consultation for its plans to revise its policy position on trans-border data flows under the Personal Information Protection and Electronic Documents Act.
These stories, plus other Canadian privacy topics, were discussed at an IAPP KnowledgeNet meeting hosted by PwC in Boston, Massachusetts.
Public affairs professional Peter Kosmala, CIPP/US, moderated a panel that featured nNovation Toronto Partner Timothy Banks, CIPP/C, CIPM, CIPT, nNovation Ottawa Partner Shaun Brown, and PwC Boston Director for Cybersecurity and Privacy Roger Steltzen.
The panelists covered a lot of ground as they spoke in front of an inquisitive crowd of privacy professionals, but regardless of where the discussion went, the work of Privacy Commissioner of Canada Daniel Therrien remained a constant theme throughout the evening. Therrien has continuously sought more enforcement authority during his tenure; his office was, however, given the ability to enter into compliance agreements with offending organizations back in 2015 when the Digital Privacy Act amended PIPEDA.
Equifax entered into a compliance agreement with the OPC after the results of its investigations were revealed. The panelists discussed why companies sign off on the “fairly onerous” requirements of compliance agreements, as Banks describes them.
Since the OPC has limited enforcement authority, Banks considered what organizations gain from signing compliance agreements. The answer may simply be to avoid negative publicity.
“I think this is part of the corporate culture in Canada and the relationship the office has had with businesses,” Banks said. “There is a compliance culture with what the OPC wants … No one wants to be that organization, no U.S. parent organization wants to be the company that goes to federal court and thumbs their nose at the commissioner because of the bad press that would come in Canada.”
Should a company wish to fight the OPC and go to federal court, it certainly has the option to do so; however, Steltzen warns the process can take up a lot of time and resources, especially if the agency is not happy with answers it receives.
Since the Equifax decision was made as a result of a breach from a parent company in a different country, the conversation turned toward the OPC’s revisions of its trans-border data flow policy position. In its announcement for the consultation, the OPC touched upon the topic of consent, and it is one that Brown believes is noteworthy for Canadian businesses.
“Companies may need consent in order to transfer data across borders,” Brown said. “This would be a new and significant thing for companies to deal with.”
Banks added that the appearance of consent in the trans-border consultation is the next evolutionary step for Canadian privacy law. Banks said there has been a strong emphasis on consent, with one of the more notable examples coming from last year's Meaningful Consent Guidelines.
While PIPEDA and consent talk filled up a good portion of the evening, discussion about Canadian privacy rules would not be complete without Canada’s Anti-Spam Legislation.
Brown cited an instance when the Canadian Radio-television and Telecommunications Commission penalized Datablocks and Sunlight Media for CASL violations. The two companies were fined a combined $250,000 for “allegedly aiding in the installation of malicious computer programs … through the distribution of online advertising.”
The bad actors injected malicious links into ads that sent victims to malware-infused sites; however, Brown noted that these parties were several steps removed from Datablocks and Sunlight. Despite the degrees of separation, the CRTC determined the two organizations did not do enough to stop the attacks from occurring.
Brown felt the ruling set a bad precedent.
“[The CRTC] have taken this hard-line approach,” Brown said. “This is concerning. It looks like to me that they are going to take the easy way out. They are going after companies with any sort of capital and saying, ‘We are going to fine you because going after the people who are really doing this is really hard.’ They are saying, ‘You are going to do our job for us and stop these bad actors yourselves.’”
Kosmala wrapped up the evening by asking the panel whether Canada will drift more toward a privacy model that mirrors the European Union or if it will find a solution that is “authentically Canadian.” Banks believes “it’s going to be a long time before we see legislative changes,” but notes that public sentiment may sway Canada toward the EU, even if the country’s laws are not altered.
Canada has become increasingly resistant to the free flow of data across its borders, and part of the hesitation comes from the perceived way the U.S. uses data, which is why the Sidewalk Labs smart-city project has attracted so much controversy, Banks explained.
The debate around privacy is not going anywhere in Canada, as evidenced by the litany of topics covered during the 90-minute session, and privacy professionals in the Great White North can likely expect those issues to get their fair share of press with the federal elections right around the corner.