D.O.Eh: Here's the new privacy law Canada can't really enforce

Commissioner doubts ability to carry out data breach rules

The Canadian government this week will be enforcing a strict new privacy law, with the term "enforcing" up to interpretation because the regulator says he can't enforce it.

America's hat says the Personal Information Protection and Electronic Documents Act will be going into effect with the new data breach reporting rules on November 1 for all companies that do business in the Great White North.

In short, the rules say that companies are now going to be responsible for any potential loss of their customers' information. The responsibility to spot and report data loss will be put on the business, with the looming threat of fines and possible referral for criminal charges for companies that sit on incident reports.

With the law in effect, companies of all sizes will be required to report to both customers and the government any exposure or loss of customer information when they have reason to believe someone could be harmed as a result.

"Whether a breach of security safeguards affects one person or 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach," the Canadian Privacy Commissioner's Office said of the rules.

How harmed are you?

The "real risk of significant harm" portion will be where the law becomes open to interpretation, though as a guideline the commissioner's office says that in general companies should weigh both the sensitivity of the data and the probability it would be misused.

While the regulation talks a big game, actually enforcing it will be a challenge.

Even in explaining the new rules, Canadian Privacy Minister Daniel Therrien said that, given a lack of resources, his office will have about as much authority in carrying out the law as an LNAH linesman in a chippy game.

"[Therrien] has raised concerns that the reporting requirements fall short in that, for example, they don’t ensure that breach reports to his office provide the information necessary to assess the quality of organizations’ safeguards," the commissioner's office said.

"As well, the government has not provided the Privacy Commissioner’s office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy."

It is never a good thing when the body charged with carrying out a law admits it will have a hard time enforcing it in the field. Until Canada can figure out a way to solve the problem, companies may find the new data breach law ineffective, frustrating, and inconsistent in its enforcement. ®
