This article is more than 1 year old
D.O.Eh: Here's the new privacy law Canada can't really enforce
Commissioner doubts ability to carry out data breach rules
The Canadian government this week will be enforcing a strict new privacy law, with the term "enforcing" up to interpretation because the regulator says he can't enforce it.
America's hat says the Personal Information Protection and Electronic Documents Act will be going into effect with the new data breach reporting rules on November 1 for all companies who do business in the Great White North.
In short, the rules say that companies are now going to be responsible for any potential loss of their customers information. The responsibility to spot and report data loss will be put on the business, with the looming threat of fines and possible referral for criminal charges to companies that sit on incident reports.
With the law in effect, companies of all sizes will be required to report to both customers and the government any exposure or loss of customer information when they have reason to believe someone could be harmed as a result.
"Whether a breach of security safeguards affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach," the Canadian Privacy Commissioner's Office said of the rules.
How harmed are you?
The "real risk of significant harm" portion will be where the law becomes open to interpretation, though as a guideline the commissioner's office says that in general companies should weigh both the sensitivity of the data and the probability it would be misused.
While the regulation talks a big game, actually enforcing it will be a challenge.
Even in explaining the new rules, Canadian Privacy Minister Daniel Therrien said that, thanks to a lack of resources, when it comes to carrying out the law his office will have about as much authority as an LNAH linesman in a chippy game.
"[Therrien] has raised concerns that the reporting requirements fall short in that, for example, they don’t ensure that breach reports to his office provide the information necessary to assess the quality of organizations’ safeguards," the commissioner's office said
"As well, the government has not provided the Privacy Commissioner’s office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy."
It is never a good thing when the body charged with carrying out a law admits they will have a hard time being able to enforce it in the field. Until Canada can figure out a way to solve the problem, companies may find the new data breach law ineffective, frustrating, and inconsistent in its enforcement. ®
Biting the hand that feeds IT
