Desire to Enhance Data Sovereignty and Tire of Regulatory Requirements
In Canada, recent changes to PIPEDA bring more pressure to companies that falter in their cybersecurity, requiring firms that suffer a data breach to inform the Privacy Commissioner of Canada in many situations. That change first came in 2018, the same year that companies serving customers in Europe also had to begin complying with the General Data Protection Regulation (GDPR) enforced by the European Union. We are seeing signs that firms are finding regulatory compliance more difficult with the added challenges posed by the pandemic.
Seven in 10 workers say they are familiar with PIPEDA in general, and 59 per cent are aware that PIPEDA now requires commercial organizations to disclose data breaches. That awareness has grown from just 42 per cent in 2018, when the change to the legislation was first made. The Office of the Privacy Commissioner of Canada (OPC) released statistics on data breach reports in October 2019 after its first year of implementing the requirement. OPC received 680 breach reports, six times the number it received one year earlier, when reporting was voluntary. The reports show that 28 million Canadians were affected by a data breach, and that the most common cause was unauthorized access, at 58 per cent of all breaches.
It will be interesting to see what the data looks like if OPC releases an update looking at its second year of mandatory reporting of data breaches. More organizations are storing the personal information of customers, employees, suppliers, vendors, or partners in 2020, with 66 per cent saying they do so this year compared to 59 per cent saying they did in 2018. Slightly more organizations experienced a data breach in the past year, with one-quarter saying they had at least one breach compared to just 15 per cent one year ago. Also, 38 per cent admit they don’t know if they had a data breach.
Despite more organizations storing personal information and experiencing breaches, they are much less likely to report a data breach to authorities this year. Only 36 per cent say they reported a breach to a regulatory body, down from 58 per cent doing so in 2019. Only 31 per cent reported a data breach to law enforcement, also down from 37 per cent last year. Forty-four per cent of those that experienced a data breach say they informed their customers of it, down from 48 per cent last year. Organizations are more likely to report a data breach to their management and senior leadership, with half doing so this year compared to just 40 per cent doing so last year. Similarly, 34 per cent informed their board of directors, up from 21 per cent one year ago.
The reported non-compliance with PIPEDA doesn’t bode well for the future of privacy legislation in Canada. If companies are already wary of the tougher data breach reporting and willing to risk the penalties associated with the abdication of their responsibilities to file a report rather than face the certain regulatory hammer of making a report, future modernization of the privacy act could be difficult to enforce. Privacy Commissioner Daniel Therrien has called upon the government to update PIPEDA to give his office order-making powers, meaning they could fine companies that don’t comply with PIPEDA. At present, OPC must take non-compliant organizations to federal court to ensure enforcement.
The Federal Government released a discussion paper in the spring indicating its intent to enhance the OPC’s enforcement and oversight roles. There are also provincial efforts underway to strengthen commercial privacy laws in Ontario and Quebec. Fifty-four per cent of IT workers say they are concerned about changes to PIPEDA this year, which is consistent with last year’s report, but up from 38 per cent being concerned in 2018.
New privacy concerns were raised by a slew of popular mobile apps this past spring. Apple’s beta release of its new mobile operating system, iOS 14, included a privacy feature that notified users when an app read the contents of their clipboard. The surprising thing is just how common it was for apps to snoop on the clipboard – this was far more than just a TikTok issue. Google Chrome, The New York Times, The Wall Street Journal, and Bejeweled are just a few of the popular apps that take a peek, reports MobileSyrup.
Four in 10 organizations say they use a mobile app for customers, suppliers, or partners. For those that do use one, 47 per cent of private sector apps track GPS or other location data, and 41 per cent are collecting data from users’ clipboards. Public sector mobile apps are less likely to collect this data, at 35 per cent collecting location data and 25 per cent collecting clipboard data.
Seventy per cent of IT workers say their organization has a formal data retention policy and 43 per cent say they’ve made policy or process changes to how it handles customer data specifically because of new PIPEDA requirements.
With a U.S. presidential election just around the corner, many IT workers are thinking about whether their data is exposed to the prying eyes of American intelligence or law enforcement agencies. The concept of data sovereignty, the idea that a nation should remain in control of its own data by storing it within its own jurisdiction, received more attention in July after the Court of Justice of the European Union voted to strike down the EU-US Privacy Shield. That sent many firms that do business internationally back to the drawing board to map out their data flows and put in place new contracts that would allow them to keep doing business. It may be that in order to maintain good business relations with the European Union, Canada will have to do more to demonstrate its own privacy laws are on par with recent legislation adopted in Europe and show it is able to operate outside of the reach of American jurisdiction.
CIRA advocates for a more resilient and secure internet infrastructure in Canada through increasing the number of Internet Exchange Points (IXPs) available. When major internet service providers form peering connections with IXPs on Canadian soil, less internet traffic is diverted south of the border. Interconnecting through these hubs also improves speeds and latency and saves money.
Given that context, it’s no wonder that about seven-in-10 respondents are worried about the flow of data through countries other than Canada, up from 49 per cent in 2018 and about on par with last year. Six in 10 are concerned about the flow of data through the U.S. in particular, also up from 49 per cent in 2018.
Perhaps with data sovereignty in mind, 80 per cent of organizations say they choose Canadian firms to provide outsourced services. Three-quarters of IT workers agree that it is important for Canadian organizations to store customer information in Canada.
Almost as many agree that there are important benefits to keeping local Canadian internet traffic within Canadian borders. The biggest perceived benefits of keeping data flows north of the border are improved information security (65 per cent) and mitigation of geographically-sourced malicious attacks (46 per cent).