Canada’s recently-appointed privacy commissioner is still not saying what he thinks of the government’s latest attempt to update the federal privacy law covering the business sector.

In the annual report to Parliament filed Thursday by the Office of the Privacy Commissioner (OPC), Philippe Dufresne said he welcomes the introduction of Bill C-27, formally called The Digital Charter Implementation Act, 2022, which includes the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act.

But Dufresne — who was appointed in June — said he won’t reveal his position until Parliament debates the bill. So far, the House of Commons committee on ethics, privacy and access to information hasn’t set dates for hearings.

The CPPA is aimed at updating the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets the data protection rules for federally-regulated industries and for provinces that don’t have their own private-sector privacy laws. It would create a new tribunal to hear requests from the privacy commissioner to levy heavy fines for firms that violate the CPPA.

The Artificial Intelligence and Data Act is new legislation forcing businesses deploying “high impact” AI technologies to use them responsibly. An AI data commissioner will enforce regulations.

Reform of federal privacy laws is long overdue, Dufresne said. He repeated the OPC’s long-time call for any new legislation to recognize privacy as a human right.

However, with a minority, it isn’t clear if Prime Minister Justin Trudeau and his government have the will to pass a privacy overhaul. In the previous Parliament, the government failed to get behind or amend the first version of its proposed Consumer Privacy Protection Act. That version was heavily criticized by the privacy commissioner at the time, Daniel Therrien. The new proposed law contains some changes.

The annual report covers the commission’s work enforcing PIPEDA and the federal Privacy Act, which covers federal institutions, for the 12-month period ending March 31st. Although outside that reporting period, the report notes that in May, the OPC, and federal and provincial privacy commissioners called on legislators to develop a legal framework that clearly and explicitly establishes the circumstances in which police use of facial recognition may be acceptable.

The report notes that during the past year

— the OPC and three provincial privacy commissioners found Tim Horton’s violated federal and provincial privacy laws with the location tracking capability of its mobile app;

–the OPC pushed Rogers Communications to change its voiceprint biometric authentication program, Voice ID, used when customers call the support centre and access to their accounts is needed.  Unknown to customers, Rogers collected voiceprints in the background on calls before seeking customers’ consent. Rogers promised to obtain express consent from individuals for voiceprints; to more clearly inform customers of their ability to opt out; and to delete voiceprints upon opt-out;

–the OPC upheld the complaint of a truck driver that his employer, Trimac Transportation Services Inc., had installed a dash camera in his vehicle that continuously recorded audio and video without his consent. The OPC found that continuous recording, particularly when drivers were off duty and not driving, was not necessary to meet Trimac’s goals of safety and protecting equipment. Trimac agreed the audio recording function will be active only when a driver is on-duty or driving. Viewing of video clips will be limited to those who need to know;

The OPC handled 463 reports of breaches of federal department security controls, most of which concerned the loss (278) or unauthorized disclosure (132) of personal information.

The majority of the breach reports (93 per cent) were due to human error, which includes email and mailing errors, mishandling of data/records using an inappropriate shortcut or workaround, and losing or misplacing information, “suggesting that the institution may have had policies or security procedures in place that were not being followed or enforced,” the report said.

“These types of breaches underscore that it is not enough to have policies and protocols in place to protect information, but that they also need to be implemented and followed faithfully to be effective,” the report said. “It is key that personal information is properly managed throughout its lifecycle, from collection, to use, to disposal. To this end, employee awareness and engagement is crucial.”

The OPC continues to suspect there is under-reporting of cyber-attacks, including malware and phishing attacks, by public sector institutions. It noted the commission received only five reports in 2021-2022 of cyber attacks, down from nine the previous year. And of those five, three involved private-sector service providers to federal institutions. One involved the hack of a U.S.-based third-party contractor used by both the Canada Border Security Agency (CBSA) and U.S. Customs and Border Protection which saw approximately 9,000 photos (of the 1.4 million stolen) of licence plates of travelers driving into Canada released on the dark web.

The OPC investigation found inconsistencies in the way the CBSA managed licence plate information, and a lack of security measures, including adequate contractual clauses to ensure the CBSA’s private sector partner was properly protecting the information in its care.

Meanwhile, mandatory private sector reporting of data breaches dropped during the 12-month period to 645 incidents. These affected at least 1.9 million Canadian accounts. The OPC suspects there is still under-reporting of private sector breaches.

The leading cause of breaches involved unauthorized access, usually by external threat actors.

The post Federal privacy commissioner silent on proposed new privacy act for businesses first appeared on IT World Canada.

Leave a Reply