Canada’s privacy laws get a rewrite with an eye to security and data protection.
--
How foreign influences are pushing for tighter laws.
by Geoff Green, Myntex Inc. President and CEO
You’ve probably heard of the New York Times Rule, also known as the Front Page of the Newspaper Test. It says, “Don’t do anything you don’t want posted on the front page of the New York Times.” That’s a tall order to live by. But you need to think about what you circulate online and how your reputation may be impacted if your trade secrets or personal information was leaked.
If you want to protect your privacy, everything — from emails to texts and instant messages, phone calls, documents and images — needs proper device encryption to prevent it from being hacked.
Cryptography in the crosshairs
Many countries have anti-encryption policies in their privacy regulations. Companies increasingly are forced to create a covert way to bypass normal authentication or encryption, designed to give law enforcement access to their servers to fight crime.
Business owners and individuals everywhere want guarantees for their personal privacy and data security. But it’s difficult to find a truly secure and transparent data encryption service provider; one that doesn’t sell your data to third parties in exchange for a free app or do unencrypted back-ups on its servers.(Read the fine print!)
In America, several states have laws in place that affect consumer rights or business obligations. Across the country, many states have attempted to pass data privacy legislation, which infringes on personal information rights.
Myntex Inc. is based in Calgary, Alberta, Canada — where there is greater digital privacy freedom than in most other countries.
Canada’s privacy laws haven’t had a major overhaul in 20-years. Currently, there are two federal acts. The Privacy Act relates to a person’s right to access and correct their personal information held by the government including ID numbers; age; ethnic origin; race; religion; marital status; financial information; education; employment; medical history — even your DNA!
The Personal Information Protection and Electronic Documents Act applies to private-sector organizations across Canada that collect, use or disclose personal information during commercial activity. Consent is the cornerstone of PIPEDA, which allows individuals to protect their privacy by exercising control over their personal information. Unless the personal information crosses provincial or national borders, PIPEDA does not apply within Alberta, British Columbia and Quebec. Last year, the feds introduced the Digital Charter Implementation Act, Bill C-11, with a new Consumer Privacy Protection Act replacing parts of PIPEDA.
In Alberta, the Personal Information Protection Act is the guiding policy. Like PIPEDA, PIPA is consent based and allows organizations to collect personal information for reasonable purposes. However, with changes looming on the national front, privacy legislation in Alberta is being re-examined through online public surveys and targeted focus groups to strengthen privacy protections.
If Canada’s Digital Charter is passed it will make significant changes to data privacy laws. Critics say it favours tech business over the privacy of consumers. The CPPA brings with it the Personal Information and Data Protection Tribunal to work with the Privacy Commissioner, who would be able to recommend fines or force an organization to stop collecting data. The penalties could be enormous with up to 5% of an organization’s global revenues, to a maximum of $25 million, for the most serious offences. Aside from administering these penalties, the PIPDT will hear appeals from the Office of the Privacy Commissioner.
International standards vary greatly when it comes to encryption. Canada is facing pressure from Europe’s General Data Protection Regulation. The EU thinks Canada is lagging in this regard.
The GDPR stipulates the personal data of EU residents must have an “adequate level of protection” and this includes access to personal data by law enforcement and national security authorities.
Bill C-11 contains key provisions relating to cross-border data transfers. It sets out the scope and makes it clear it will apply to personal information “that is collected, used or disclosed interprovincially or internationally by an organization.”
Canada’s new Privacy regime is not the only way the government looks at data. Bill C-59 came into effect in 2019, creating the National Security and Intelligence Review Agency, the Communications Security Establishment and a new Intelligence Commissioner. These changes were to address national security issues and strengthen the Anti‑terrorism Act.
The Five Eyes Alliance
Critics felt the new powers given to the Canadian Security Intelligence Service didn’t go far enough and they want more protection for children as illustrated by WePROTECT. Canada and its Five Eyes intelligence sharing counterparts — Australia, New Zealand, the UK and the United States — plus India and Japan issued a statement on end-to-end encryption and public safety.
As Canadians are going to the polls (September 20, 2021) it is uncertain whether the Digital Charter will be implemented in its current form, if at all. The contents are likely to be changed significantly during the second and third parliamentary reading. Regardless, the trend to reform privacy laws in Canada will continue and data mobility will figure prominently as a priority.
Rights and Freedoms
Will Canadian companies be forced to create a backdoor to their encrypted systems? Not without changing the Charter of Rights and Freedoms, which is entrenched in our Constitution and protects the privacy of individuals as well as businesses.
Specifically, this right is protected in the Charter under Section 8: Everyone has the right to be secure against unreasonable search or seizure. While the law is continuing to evolve under Section 8, there are tests for determining if there is a violation of this right.
As noted by Chris Parsons, senior research associate of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, “You can’t have it both ways. You either want strong encryption or you want backdoors.” Parsons went on to note the same backdoor would be able to access the communications of the Prime Minister, journalists and security officers. It can’t only target bad actors.
As unlikely as it is that Canadian firms will be required to proactively accommodate law enforcement access to their servers, the federal government continues to try influence business to move in this direction. Businesses and the general public need to continue to advocate for our right to privacy and the consequences of policies that try to erode them.
