After 3 Years of GDPR Enforcement, Canadians Can Only Look on in Envy

Last month, Europe’s privacy pride and joy, the GDPR, turned three years old. Canadians can only look on at this law in envy.

Europe’s General Data Protection Regulation (GDPR) took effect three years ago last month. Freezenet was there when it took effect back in May 2018. Back then, the legislation was far from universally welcomed. Some condemned it as overly broad and burdensome. Others hailed it as a whole new standard of respect for privacy. Still, even then, we knew that the problem of data leaks and breaches was huge.

Companies around the world, especially large ones, frequently treated privacy issues as something to be quietly dismissed internally. Leaks and breaches were routinely buried or hidden from public view. That left security researchers to hunt blindly for evidence that information had been stolen or compromised, and once a compromise was discovered, it was sometimes difficult to determine where it had originated. Even when a company was found to have been negligent, the fines amounted to mere pocket change. The obvious impression was that the laws needed changing, because companies were clearly not going to regulate and police themselves on such matters.

So, in a cynical world where many figured nothing was ever going to change on this front, something surprisingly did. Europe unveiled the GDPR with fines of up to 4% of global annual turnover (or €20 million, whichever is higher). What’s more, failing to notify the regulator within 72 hours of becoming aware of a personal data breach can itself draw a fine. While the legislation faced resistance, it ultimately passed.

In the time since, if you figured that actual enforcement of privacy law would be a massive undertaking, you were very much correct. In the months that followed, reports of incidents skyrocketed into the tens of thousands. Over in the UK, incident reports quadrupled under the GDPR. By February of last year, the number of reports had passed 160,000.

On the one hand, the GDPR highlighted, in spades, that the problem of security incidents is massive. What this law clearly did was push the issue out of the shadows and into the open. While we knew the problem was large, the numbers still took us off guard. In fact, the sheer volume of incidents turned out to be a rather large problem for those on the enforcement side. Regulators frequently found themselves completely overwhelmed, which led to large backlogs and enforcement taking much longer than initially anticipated. Suffice it to say, the GDPR became a victim of its own success. Critics seized on this and pointed to the underwhelming number of fines handed out.

Still, blockbuster fines were, in fact, handed out over the last three years. The BBC lists the top five:

Since its launch, hundreds of millions of euros worth of fines have been handed out by information commissioners around Europe.

Offences have included retailers misrepresenting the way they use CCTV cameras to monitor employees, and companies not complying with the “right to be forgotten” law.

The legislation replaced older data protection laws, and while it was drafted in Europe, regulators can fine organisations anywhere in the world which target or collect data in the EU.

1. Google (€50m/£43.2m)

2. H&M (€35.3m/£32.1m)

3. Tim – Telecom Italia (€27.8m/£24m)

4. British Airways (£20m)

5. Marriott International Hotels (£18.4m)

These days, reception of the GDPR has been fairly positive. From the IAPP:

The EU’s General Data Protection Regulation took effect three years ago today, elevating awareness of privacy and data protection from boardrooms to living rooms and setting a standard for countries and jurisdictions around the world.

“Broadly, it’s been really good. It’s been good for the privacy profession, it’s been good for individuals who are at the heart of the GDPR, it’s driven an acceleration of privacy program maturity and privacy technology development, and for privacy professionals it’s been an amazing opportunity,” said BNY Mellon Global Chief Privacy Officer Kirsten Mycroft, CIPP/E, CIPM.

The IAPP released a “GDPR at Three” infographic showing 47% of companies self-report as fully GDPR compliant while more than 630 enforcement actions have been taken to date, totaling 283 million euros in fines. Among the largest fines over the past year were the $57 million fine France’s data protection authority, the Commission nationale de l’informatique et des libertés, issued against Google and the $41 million fine Hamburg, Germany’s DPA, the Commissioner for Data Protection and Freedom of Information, issued against clothing retailer H&M.

The GDPR’s enforcement provisions enabling fines up to 4% of annual global turnover for violations “got everybody’s attention. Such penalties would definitely get a board’s attention,” Northrop Grumman Corporation Corporate Privacy Executive John Kropf, CIPP/E, CIPP/G, CIPP/US, said, adding the GDPR was the “first comprehensive privacy law that had real teeth in it,” highlighting for companies “the importance of privacy in the global legal landscape.”

While some of the commentary we’ve seen says there are areas of the law that could be improved, you can’t help but get the sense that the problem of data security is finally being tackled to some degree. As a result, the view that this law ushered in a new era of respect for privacy seems to have won out over the long term. Some Europeans might be asking whether the GDPR, despite its flaws, really is the gold standard for privacy laws in the world. Well, we can offer a Canadian perspective on that.

Indeed, there was a time when Canadians could feel pride in how aware of privacy issues we all were. Canada created a privacy commissioner to look out for Canadians’ best interests when it comes to personal privacy. The office represented a new era of respect for personal privacy and was considered by many a first in the world. It was formed in 1977. That, of course, was back in an era where a personal information breach of significant proportions would involve loading a filing cabinet into the back of a pickup truck. A significant leak, at the time, might look more like a large company failing to shred documents properly and having them turn up in a dumpster in some alley.

Of course, Canada doesn’t just have a federal privacy commissioner. There are privacy commissioners at the provincial level as well. So, on the surface, it sounds like Canadians are well protected when it comes to security incidents.

To be fair to the commissioners, many Canadians who are aware of the workings of these offices hold them in high regard. They have a long history of raising awareness of personal privacy and have issued reports on various topics and companies concerning compliance with the law. In fact, knowledge and awareness were a big element of Canada’s best known privacy law, PIPEDA (the Personal Information Protection and Electronic Documents Act), which received royal assent in 2000.

Naturally, at that time, the idea of a company having hundreds of millions of accounts leaked or stolen was nothing more than an unlikely scenario dreamed up by those with wild imaginations. To highlight how quaint the issues surrounding privacy were back in the day: in 2011, when Sony’s PlayStation Network was hacked, news that roughly 77 million accounts had been compromised was nothing short of mind-blowing. These days? If the number is under 100 million, it’s generally a medium to medium-large incident.

So, with that in mind, you can’t help but sigh in despair at the remedies section of the Wikipedia entry for PIPEDA:

The Act does not create an automatic right to sue for violations of the law’s obligations. Instead, PIPEDA follows an ombudsman model in which complaints are taken to the Office of the Privacy Commissioner of Canada. The Commissioner is required to investigate the complaint and to produce a report at its conclusion. The report is not binding on the parties, but is more of a recommendation. The Commissioner does not have any powers to order compliance, award damages or levy penalties. The organization complained about does not have to follow the recommendations. The complainant, with the report in hand, can then take the matter to the Federal Court of Canada. The responding organization cannot take the matter to the courts, because the report is not a decision and PIPEDA does not explicitly grant the responding organization the right to do so.

PIPEDA provides, at section 14, the complainant the right to apply to the Federal Court of Canada for a hearing with respect to the subject matter of the complaint. The Court has the power to order the organization to correct its practices, to publicise the steps it will take to correct its practices and to award damages.

That’s… it. Those are the remedies you’ll find in PIPEDA. Some people might think I’m exaggerating when I say that the privacy commissioner’s power amounts to writing a strongly worded letter. No, the commissioners cannot levy fines against companies that violate privacy law. No, a company doesn’t have to follow the commissioner’s recommendations. It is, quite literally, a strongly worded letter. (Strictly speaking, the 2018 mandatory breach reporting amendments did add an offence, prosecuted through the courts rather than by the commissioner, with fines of up to $100,000 for knowingly failing to report or record a breach; that penalty attaches to the reporting failure, not to the underlying privacy violation.)

Really, in retrospect, it’s something of a miracle that this massive loophole didn’t get exploited in any big, obvious way until 2019. Following complaints about Facebook, the federal privacy commissioner and the BC commissioner jointly told Facebook to change how it handles privacy. This happened at the height of the Cambridge Analytica scandal, and it was related to it as well. The offices then followed up with Facebook to see whether the recommendations they had laid out had been implemented. They found that they either had not been, or had not been implemented sufficiently. So, they issued a scathing strongly worded letter in response.

Facebook’s response? Pound sand. It said it thinks it is doing a great job on user privacy and disagreed with the report. End of story. This marked the moment the commissioners realized they were squaring off with a company willing to test the limits of their powers. Unfortunately, that letter was, in fact, the limit of their powers. Not wanting to let Facebook set a bad example, the federal commissioner then took Facebook to the Federal Court, the only further step PIPEDA allows, seemingly because there really were no other options at that point.

If anything, the incident proved clearly that something needed to change in Canada’s privacy laws. It was no longer sufficient to use strongly worded letters to name and shame companies; the law needed teeth. While this loophole was on full display, Europeans were already celebrating the GDPR. The question was whether the Canadian government would finally get its act together and reform privacy law.

Things did start looking promising. While news was pouring in from Europe of tens of thousands of breach reports under active investigation, Canada went into a federal election in 2019. During the national debates, the party leaders were unanimous: strengthening privacy law needed to be a priority.

After the election, Justin Trudeau made his famous “sunny ways” comments while walking towards the parliament buildings. Expectations were high that privacy reform was going to happen. After roughly a year of delay, Canada finally introduced Bill C-11. The bill featured reforms that would give the privacy commissioner order-making powers and, for the first time in Canada, put real fines on the table for privacy violations (recommended by the commissioner and imposed by a new tribunal). This came as the debate in Europe was over whether existing fines were big enough and whether enforcement was sufficient.

While the bill was largely supported (some questioned whether the fines went far enough, given that some companies would actually be exempt), things started slowing down. Lobbyists pushed hard for the government to abandon its plan to finally implement a system of fines for privacy violations. With few debates on the legislation and little apparent motivation to bring the bill into committee, the Innovation Minister took heat for the delay and, in turn, simply blamed the opposition for the slow pace. The criticism didn’t seem to faze anyone, though, as the legislation continued to stall. That was back in March of this year.

Now, with no more sitting days in the House of Commons and speculation that an election is coming, Bill C-11 is destined to die on the order paper. If an election is called, the bill will have to be reintroduced from scratch. As a result, while Europeans ask whether the GDPR has enough enforcement power, Canada is stuck with a privacy law that came into force 21 years ago and no enforcement power beyond strongly worded letters. Even something as motivating as the recent security incident at Facebook hasn’t moved the legislation, making that incident look like yet another missed opportunity.

As hundreds of millions of euros in fines come down across Europe for GDPR violations, Canadians are left with a law under which the regulator cannot fine anyone. Companies are free not to care about Canadians’ personal information, and the worst that can come of it is a strongly worded letter. Canadians, as a result, are left suffering the consequences of a law with no enforcement behind it. So, if Europeans are wondering how good they have it, Canada can offer a pretty stark contrast. We’re still waiting for a law that would allow authorities to issue fines of any kind for violations of privacy law. Canadians can only dream of having the kind of debates Europeans are having about their privacy laws now.

Drew Wilson on Twitter: @icecube85 and Facebook.
