Force firms to disclose data breaches, report urges
As Ottawa mulls whether to update Canada’s existing privacy laws, one consumer rights group argues the proposal doesn’t go far enough.
Bill C-12, which went through first reading in the House of Commons three months ago, would change the Personal Information Protection and Electronic Documents Act (PIPEDA) to require Canadian companies to report incidents involving the theft or loss of personal information. Currently, PIPEDA does not require disclosure of data breaches, and Alberta is the only province to have mandated such a requirement.
In a report published this week, the Public Interest Advocacy Centre (PIAC) criticized the bill, claiming it provides “excessive discretion to organizations that have had a data breach, allowing them unilaterally to characterize the breach as non‐harmful to consumers.”
“In so doing, organizations gain the benefit of a largely unreviewable decision in the face of a manifest and undeniable conflict of interest. The result is likely to be a vast under-reporting of serious data breaches, which puts consumer welfare at excessive risk,” the report said.