Canadian Security Magazine

Canada lagging in data breach law

By The Canadian Press   


OTTAWA — Canada would have one of the weakest data breach laws in the western world even if proposed revisions currently before Parliament are passed, according to an analysis by the federal privacy watchdog.

The United States, Australia, Britain, France, Germany, Ireland and Spain either have — or are planning — stiffer enforcement measures to penalize organizations for breaches resulting in exposure of personal information, says the comparison released under the Access to Information Act.

The newly disclosed documents show the office of Privacy Commissioner Jennifer Stoddart prepared the analysis last June for deputy Industry minister Richard Dicerni.

Accompanying notes to brief Stoddart for a meeting with Dicerni suggested she tell him a federal bill intended to better manage data breaches “is beginning to look dated.”

“Many international data protection agencies now have, or will soon have, much stronger enforcement powers than exist in Canada,” say the notes.

“I am no longer certain I can provide wholehearted support for the legislation as currently drafted.”

The notes also recommended she push Dicerni for his views on how the legislation could be amended to ensure organizations could be properly sanctioned for lapses.

Industry Minister Tony Clement introduced Bill C-12 more than a year ago — the government’s long-awaited response to a parliamentary review of the privacy law governing businesses. However, it has made little progress in the House of Commons.

The bill would amend federal privacy law covering the private sector to require organizations to report data breaches to the commissioner’s office and to notify people affected if there is a “real risk of significant harm” to the individuals.

However, Stoddart would have no ability to fine an organization and no order-making powers.

She has said publicly this would mean hauling an unco-operative company to court to ensure it notifies its customers about a breach — a process that could take months.

In 2011, Stoddart’s office was notified of 64 breaches, up from 44 in 2010.

If the bill becomes law, there will be a three-fold increase in the number of breach notifications, according to an analysis commissioned by the privacy commissioner.

But Stoddart argues the proposed law will need more teeth to keep pace with the expanding digital universe and the threat from cyber-criminals and hackers.

A spokeswoman for Stoddart said Monday that when Parliament considers C-12, the commissioner will have “a number of comments” and expects to present proposed changes.

“We have seen numerous high-profile breaches involving large numbers of records,” say the notes drafted by her officials.

They point to 2011 lapses involving companies Sony and Epsilon, each affecting tens of millions of people.

In contrast to the federal proposal, Alberta’s privacy commissioner — who operates under provincial legislation — can order an organization to notify customers of a breach.

The U.S. Federal Trade Commission, meanwhile, has levied large fines including US$10 million in civil penalties and US$5 million in consumer redress against data broker ChoicePoint Inc., the privacy commissioner’s office notes.

In Britain, the information commissioner’s office fined the Surrey County Council $192,000 for failing to secure information about the mental and physical health of adults and children.

Other, little-noticed provisions of Bill C-12 would also make it easier for Internet service providers, e-mail hosts and social media sites to voluntarily share personal information about customers with police — possibly including private security firms.

The legislation could also effectively impose a gag on the Internet companies, preventing them from telling customers their personal details have been shared.

— Jim Bronskill
