Canada has received yet another wakeup call for privacy reform. This after Global Affairs Canada was hit with a data breach.
Privacy reform can do many things. First of all, it can create a duty to inform anyone who has become a victim of a data leak or a data breach. What it can also do is establish privacy standards for companies or governmental organizations to follow. Most importantly, it can implement a system where companies can be fined for violating any of the above by the government. In short, it solves many of the problems that the so-called “free market” has completely and utterly failed to fix. Indeed, without enforceable privacy laws, leaks and breaches are typically met with a shrug of the shoulders from the company responsible before they just move on and assume that it’s little more than a Public Relations (PR) issue that will just go away on its own once the press dies down.
This attitude by the private sector is, for obvious reasons, completely unacceptable. It’s why responsible nations have looked to ramping up fines and creating new privacy standards for companies to follow. Europe did just that clear back in 2018. Is the GDPR (General Data Protection Regulation) perfect? No. Is it a massive improvement over the existing system? Most assuredly yes. Since 2018, Europe has been getting the private sector to tighten its protection of personal information. It has been on the road to refining those laws since 2018.
Yet, after more than 5 years of success, even though the GDPR set a new golden standard for respect to privacy for the rest of the world to follow, the Canadian government has inexplicably continued to refuse to treat privacy reform seriously. It isn’t really a partisan issue, either. As far back as the 2019 election, privacy reform received broad party support. Then, when the 2021 election rolled around, privacy reform, once again, received broad party support. What’s more, privacy reform is something that is broadly supported by the Canadian public as questions keep popping up during election time of when the heck privacy reform is finally going to happen.
To pour salt in the wound, Canada has had numerous wakeup calls as well. There was the Cambridge Analytica scandal that broke in 2018. When Canadian privacy laws failed, multiple privacy commissioners stepped out of their roles as commissioners and into their roles as private citizens and filed a lawsuit against Facebook. That saga, at least for Canada, ended in 2023 when a judge dismissed the lawsuit, signalling that unlike the rest of the developed world, the Canadian system concluded that nothing untoward happened with that fiasco. It was an extremely loud wakeup call for the government to finally get off their rear ends and do something about privacy reform. Instead, the government simply hit the snooze button.
In 2019, there was the infamous Desjardins data breach that managed to affect more than 100% of their customer base. You’d think that the government would heed that wakeup call. Unfortunately, the Canadian government, once again, hit the snooze button.
In 2021, there was the massively high profile Newfoundland hack. Maybe then, the federal government would treat privacy reform seriously. Yet, the Canadian government, once again, hit the snooze button.
In 2022, there was the high profile Tim Hortons privacy scandal. Maybe then, the Canadian government will treat privacy issues seriously. Nope, no dice. The government simply hit the snooze button.
In 2023, there was the high profile Home Depot privacy scandal. Maybe, finally, Canadians will have enough and the government will finally heed the wakeup calls. Once again, the Canadian government hit the snooze button.
The real question here is what the heck does it take for the Canadian government to treat privacy reform seriously? Now, here we are in 2024 and we, once again, see yet another wakeup call with yet another massive privacy scandal. News has surfaced that says that Global Affairs Canada has become the latest victim of a massive breach that went completely undetected for a whole month. From the CBC:
Canadian authorities are investigating a prolonged data security breach following the “detection of malicious cyber activity” affecting the internal network used by Global Affairs Canada staff, according to internal department emails viewed by CBC News.
The breach affects at least two internal drives, as well as emails, calendars and contacts of many staff members.
CBC News spoke to multiple sources with knowledge of the situation, including employees who have received instructions on how the breach affects their ability to work. Some were told to stop working remotely as of last Wednesday.
CBC News has also seen three internal emails sent to Global Affairs staff.
“Forensic work has also progressed to help us understand the scope of the data breach,” one email said. “The work is ongoing, but early results suggest that many (Global Affairs Canada) users may have been affected.”
Another email said the internal systems were vulnerable between December 20, 2023 and January 24, 2024. It informed anyone who connected remotely using a SIGNET (Secure Integrated Global Network) laptop that their information may be vulnerable.
The “compromised” system was the virtual private network (VPN) staff use to access Global Affairs’s Ottawa headquarters. The VPN system was managed by Shared Services Canada, the GAC notice said.
As you can tell from the leadup, I’ve been through this song and dance far too many times to have any hope that this latest privacy scandal will make a difference in this sorry situation. All I see the government doing is reaching out and hitting the snooze button on privacy reform, once again.
Indeed, the Canadian government loves to talk a big game about how privacy reform is a top priority for them. After years of dragging their feet, they finally tabled Bill C-27 back in 2022. Yet, despite the tabling, the Canadian government continued to drag its feet on the law with vague promises of this law being a “top priority“. We last checked in back in December where things were at and things were still moving at a snails pace on that front.
Just to add insult to injury, the Canadian government shoe-horned in some privacy reforms into a budget bill. The bill passed. What were those reforms? The ability for political parties to have more unfettered access to your personal information for election purposes. As they say, actions speak louder than words. In this case, the government only cares about privacy reform if it affects their bottom lines. For anyone else, you’re on your own.
With the current bill seemingly destined to die on the orderpaper when the next election is called, it seems like it’s almost a sure thing that we will enter into a third election with people asking where privacy reform is. We’ll, once again, have all of the political parties pretend to support it. When the election is over, the government will shelve the bill for years and only bring it forward when they feel it is politically advantageous to do so. Otherwise, unless something dramatically changes, the government will just keep hitting that snooze button.