The other day I got a 2019 prediction from TrustArc CEO Chris Babel. He said that managing privacy will be the new normal, like securing data or paying taxes. “Privacy will continue on a similar path as the evolution of cybersecurity. Like with security, a standard of constant privacy will become the new normal,” he said.
I think Babel’s theory is spot on because of all the new regulations being introduced or passed this year. GDPR. California’s Consumer Privacy Act. Colorado Protections for Consumer Data Privacy law. Vermont’s data broker law. And as of Nov. 1, Canada’s new data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), went into effect.
What PIPEDA Does
PIPEDA is similar to other privacy laws in that organizations “must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.” Personal information—including identifiers such as name and age, medical records, financial data and even opinions and evaluations—that is collected in the course of a commercial activity (business transactions, fundraising activities or memberships, for example) falls under PIPEDA protection. Personal information collected for government purposes or by an employer is not covered.
Penalties under PIPEDA are much lighter than under other privacy regulations. Data breaches are to be reported to the Office of the Privacy Commissioner (OPC). Failing to report a breach to the OPC or to the affected customers, or failing to keep a record of all data breaches, can cost organizations fines of as much as $100,000.
One thing that makes PIPEDA stand out from other privacy regulations with a national or global scope is that it may not cover all of Canada.
“Questions remain about the extent to which the PIPEDA rules will be applicable in British Columbia, Alberta and Quebec, which have enacted privacy laws that apply within those provinces and supplant the application of PIPEDA in many cases,” Alex Cameron, head of the privacy and cybersecurity group at Canadian law firm Fasken, wrote in a blog post for Data Center Dynamics. He added that organizations already meeting the standards of GDPR and any applicable U.S. laws may be covered well enough that they need not worry about PIPEDA.
Playing Catch-up to Other Countries
One of the complaints in the United States is that we have been slow to adopt privacy regulations. While there are federal industry-based compliance regimes such as HIPAA and PCI, there has been no all-encompassing privacy regulation. Security and privacy experts I’ve spoken with over the past year have credited GDPR with spurring a movement of sorts in the United States.
However, even though Canada has a law that is already implemented and in force, there are those who feel the country has fallen far behind other countries in its efforts and that PIPEDA, as it stands now, isn’t enough.
In a report to Parliament in September, Daniel Therrien, privacy commissioner of Canada, called for stronger privacy laws that will ensure protection for citizens when organizations fail, and he also wanted to see more transparency and accountability around personal data.
“The report also believes federal departments and agencies are under-reporting data breaches,” IT World Canada reported. “They are required to notify both the office of the privacy commissioner (OPC) and Treasury Board of all ‘material’ breaches. In 2017-18, the OPC received 286 public-sector breach reports. However, almost one quarter of those were from a single—unnamed—institution whose reports were delayed by a year.”
Yet, others believe that PIPEDA’s data privacy protections will make this law stronger than California’s law and put it on par with GDPR. And there is hope that PIPEDA will provide another layer of security to American privacy behaviors.
Many Canadians Unaware of Privacy Efforts
The law appears to be flying under the radar in Canada, too. A survey conducted by the Canadian Internet Registration Authority (CIRA) found that 38 percent of business respondents were unaware of PIPEDA, even though 59 percent said they store customer information and 40 percent had suffered a cybersecurity attack.
“The CIRA also found that only 54 percent of small businesses provide cybersecurity training to their employees, despite the fact that phishing attacks—the most common form of malware among respondents—are designed to directly exploit employees,” Mobile Syrup reported. This means that a lot of personal consumer information is going to be at risk, especially if organizations aren’t meeting PIPEDA standards.
Because of the trade partnerships between the United States and Canada, we’ll have to keep an eye on this new law to see how it ends up influencing privacy behaviors here. As Babel stated, privacy is going to be our normal. It will be interesting to see how 2018’s privacy regulations dictate cybersecurity efforts globally in 2019.