Someone in Vietnam recently hacked my son's Facebook page and took over his profile. For the past month, he has tried to have Facebook intervene and return his profile access. Unfortunately, he is making very little progress. He is upset and disillusioned with the social media giant.
That's my personal story about Facebook. As you may be aware, Facebook was also responsible for a massive user data breach earlier this year. The Office of the Privacy Commissioner of Canada subsequently launched an investigation into the company's practices. As I understand it, the investigation continues at the time of writing, although the OPC issued a couple of rulings involving Facebook. You can read them here.
My son's experience and the ongoing heightened awareness of privacy issues inspired me to write about the topic. For those of you who want to understand Canadian business' privacy obligations, you can read my article about PIPEDA here. This article focuses on individual rights rather than business owner rights. I'll also look at the horizon and provide insight into the direction we're likely heading.
To understand your privacy rights, you must first understand how the Canadian government establishes your privacy rights. The Canadian government enacted the clumsily named Personal Information and Private Electronic Document Act (PIPEDA) in 2000. Since then, Quebec, Alberta and BC have enacted provincial laws. The other provinces have not enacted privacy laws, so the Canadian PIPEDA applies until they do.
PIPEDA introduced the concept of Privacy by Design into law. Privacy by Design means that businesses must consider privacy throughout the entire process and company. The law introduced obligations to create systems to collect and protect personal information while giving individuals the right to control their personal information.
Since then, countries around the world have either introduced or strengthened their privacy laws. The EU recently introduced a new law incorporating significant new penalties for companies that breach their obligations.
With the recent news about the EU's new law, I was surprised to learn PIPEDA stacked up fairly well against the new GDPR (General Data Protection Regulation). I was surprised because PIPEDA has been around since 2000, and the news about GDPR made the new law sound like it gave EU residents significantly more protection. While differences exist, a large amount of overlap also applies to both laws.
But, to answer the question above, Canadians DO enjoy the right to be forgotten or erased from a business' database. In Canada, a business may not keep personal data when it no longer requires it, nor can it keep information if individuals withdraw their consent. So, in that sense, a company must delete personal information when the work involved to service that customer is no longer required or when an individual provides notice that he or she withdraws their consent.
Other individual rights shared by most privacy laws worldwide include the right to access your personal information kept on the company's records. Companies cannot collect data without your permission. When businesses collect personal information of low value, such as your name, it can rely on implied consent. For example, if a business needs your name to perform a service, that business can rely on your implied consent to use your name. However, if the information recorded is more sensitive, such as a driver's licence number, businesses must obtain express consent and secure that information must correspond to the sensitivity of the information.
Businesses cannot collect more information than required to supply the product or service. So a corner store selling you a chocolate bar should not ask for your phone number, address and number of dependants. If you want a more detailed account of your rights under PIPEDA, you should visit the Privacy Commissioner of Canada's webpage here.
The European GDPR provides individuals with the right to request erasure under certain circumstances. These include the right to withdraw consent and the right to demand erasure when the business is no longer required. Sound familiar? The main difference between the GDPR and PIPEDA appears to be which organizations fall under their jurisdiction. Under the GDPR, search engines are clearly included, while under PIPEDA they are not.
So Canadians, like Europeans, can force companies to remove their data. But only Europeans seem to be able to extend that right to search engines like Google and Bing.
In Canada, if you believe a business is not meeting its obligations under the act, you can complain to the Privacy Commissioner. Click here for more information on the reporting process. Essentially, the Privacy Commissioner can investigate, and if the business does not cooperate with an investigation or comply with its rulings, the OPC can apply to court and obtain orders forcing companies to comply.
Meanwhile, the GDPR imposes significant penalties on businesses that violate the regulation. The GDPR imposes two levels of fines. On the lower level, companies that violate the rules on less sensitive personal information are subject to the GREATER of 10,000,000.00 Euros or 2 per cent of their worldwide annual revenue. For upper-level fines, the GDPR imposes the GREATER of 20,000,000.00 or 4 per cent of their worldwide annual revenue. You read that correctly. These are staggering penalties. Our penalties, while not insignificant, pale in comparison.
With the increase of the value tied to big data collection, privacy laws continue to evolve to provide stronger protections. We witnessed the reduction of spam emails when Canada and other western countries implemented strict anti-spam laws with significant penalties.
Privacy laws will likely follow the same pattern. The OPC has already recommended bringing search engines under the umbrella of PIPEDA. He wants to extend the rights enjoyed by Europeans to Canadians. I suspect the Canadian government will watch the EU's penalty provisions in action carefully, and I wouldn't be surprised if our government eventually enacted similar penalties.