Annual Report: Commissioner stresses importance of international cooperation
GATINEAU, Quebec, June 9, 2015 —Privacy concerns know no boundaries in an increasingly globalized world and international cooperation is quickly becoming the new normal when it comes to tackling these issues effectively, Privacy Commissioner Daniel Therrien says.
After a landmark year for international collaboration among privacy enforcement authorities, the Office of the Privacy Commissioner of Canada (OPC) made global partnerships for privacy protection the focus of its 2014 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.
“The digital economy has created a borderless world when it comes to commerce, but it also means more and more personal information is being shared across jurisdictions,” Commissioner Therrien says.
“Whether addressing a massive privacy breach involving a multinational corporation or cracking down on a website with questionable privacy practices impacting citizens the world over, it is clear that privacy guardians cannot operate in silos. Coordinated action can provide more consistent approaches and more effective enforcement.”
The following are some examples of cross-border investigations and other activities based on information sharing and jointly coordinated activities in 2014.
Putting a price on privacy
Romania-based website Globe24h.com was the subject of 27 complaints to the OPC for republishing legal decisions, allowing them to be indexed by search engines, and demanding a fee for them to be removed.
The decisions involve everything from divorce and custody hearings, to bankruptcy, human rights, labour relations and immigration matters. The legal records are drawn from multiple jurisdictions, including Canada, and could be easily searched online.
An OPC investigation found that while the documents are public, in pre-digital times, individuals would have had to visit a courthouse or archives to access the sensitive information which, according to one complainant, included a court finding that could render the pardon he was seeking completely ineffective.
While the OPC managed to get most of the offending material related to complaints removed at no cost, serious concerns remain over the company’s business model, which amounts to the monetization of personal information by essentially extorting payment for its removal.
Enforcement efforts are ongoing and the OPC has entered into a cooperation arrangement with the Romanian data protection authority in an effort to resolve the matter.
Insufficient safeguards lead to international breach
Adobe strengthened its security safeguards after the personal information of some 38 million customers worldwide, including more than one million Canadians, was compromised by hackers.
The changes follow a data breach investigation conducted in cooperation with international counterparts in Ireland and Australia.
The investigation raised serious concerns about outdated software and inadequate password management practices that, for example, did not encrypt password hints. The OPC was pleased that Adobe adopted numerous changes to enhance privacy and better protect its customers’ personal information from unauthorized access.
A not-so-clean sweep
The second annual Global Privacy Enforcement Network Privacy Sweep focused on mobile app transparency. In total, 1,211 apps were assessed by 26 privacy enforcement authorities around the world. The Sweep found that many apps were seeking access to large amounts of personal information without adequately explaining how that information would be used.
The Sweep also resulted in a follow-up initiative in which many of the participants signed on to an open letter urging app marketplaces, such as Google Play and the Apple App Store, to make it mandatory for mobile app developers to post links to privacy policies prior to download if they are going to collect personal information.
A major initiative in 2014 was the acceptance of the Global Cross Border Enforcement Cooperation Arrangement by 55 data protection authorities from around the world. Endorsed during the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius last fall, the arrangement, which is slated to come into effect in the fall of 2015, is aimed at fostering more coordinated approaches to addressing cross-border privacy issues.
It meets an urgent need for data protection authorities to be able to share confidential information, thereby enabling greater collaboration and more joint investigations.
2014 Complaints and breaches to the OPC
The OPC accepted 402 complaints under PIPEDA, considerably more than the approximately 250 new files received in an average year.
Compared with 2013—and discounting the 170 complaints received about Bell’s Relevant Advertising Program that year which were rolled into one Commissioner-initiated investigation—new complaints increased by more than 50 percent. Notwithstanding the increase, the average time it takes to complete an investigation has continued to decrease. The average treatment time was 4.8 months in 2014.
Meanwhile, 44 data breaches were reported to the OPC in 2014. More than a third involved the financial sector, followed by the Internet sector and the insurance sector.
The overall number of breach reports was down from 60 in 2013, but since breach reporting under PIPEDA is currently voluntary, it is difficult to tell if this signifies a change in the number of actual breaches. The OPC welcomes proposed amendments in Bill S-4, the Digital Privacy Act, which seeks to implement mandatory breach notification.
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.
- 30 -
For more information, please contact:
Tobi Cohen, Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.
Report a problem or mistake on this page
- Date modified: