With no global standard for data privacy, laws outside U.S. differ in scope
Europe, Canada rules put premium on personal privacy, play catch-up on data-breach notification
By Byron Acohido, ThirdCertainty
As a partner at the Canadian law firm Borden Ladner Gervais, Éloïse Gratton advises her clients on legal, practical and ethical ways to protect an individual’s privacy while conducting business nationally and internationally. She has testified before Canada’s House of Commons and other federal bodies and conducted training workshops attended by judges and members of the Parliament.
ThirdCertainty sat down with Gratton just after she appeared on a privacy panel at CyberScout’s Privacy XChange Forum. Here’s the gist of that conversation. The text has been edited for clarity and length. (Full disclosure: CyberScout sponsors ThirdCertainty.com.)
ThirdCertainty: Europe and Canada are oriented toward preserving privacy for the individual; in America, not so much. Can you frame how that plays out in global commerce?
Gratton: I would say in Europe and in Canada, we’ve been a little bit ahead on the data-protection front, so we probably have laws that are a little bit more stringent. Yet we’re a little behind on everything that has to do with security-breach notification. In the States, it has been mandatory for quite some time. In Europe, it will be mandatory with the upcoming General Data Protection Regulation in May 2018.
Related video: How ‘Privacy Shield’ came about
In Canada, there’s one province where, if the breach triggers significant harm for the affected individuals, it’s mandatory to notify. So in Alberta, that has been a legal requirement since 2009. In coming months, this will also become a federal legal requirement to notify upon a security breach taking place. So we’re following the U.S. on this issue.
ThirdCertainty: Cyber threats continue to evolve so rapidly; can regulators keep up?
Gratton: Yes, the threat is evolving, so at the end of the day, organizations need to ensure that they are ready for the new threats. We’ve seen it recently in Canada with the Ashley Madison hack. So you have to have a breach-incidence response plan and make sure employees are trained, so that they’ll know exactly what to do. Upon a breach taking place, privacy regulators in Canada will look at (a few) things. They’ll look to see that the company had the proper governance structure. Did they have proper policies? Did they have a breach response plan? Did they have the proper contractual provisions when they outsourced some of their services, such as to a cloud service provider? And they’ll look at the technological component. Was the company using state-of-the-art encryption and technology tools?
ThirdCertainty: What did we learn from the Ashley Madison hack?
Gratton: Ashley Madison is a website for individuals who are married and want to have extramarital affairs, so it’s very sensitive information. If you sign up for these services, you certainly don’t expect your contact information to be made available. So the Ashley Madison website was hacked, and then, it was a form of extortion. The hackers said, ‘Change some of your services, otherwise we’ll expose the identities of all your users.’ In the end, they did just that, so all the users were exposed. There were a lot of lessons relevant for any business that has operations in Canada.
ThirdCertainty: In terms of taking care of sensitive data?
Gratton: Absolutely. For instance, (privacy regulators) felt the company did not have proper technology tools to avoid a hacking, and they did not have the proper policies. Moreover, they had an issue with the fact that the company was using some form of security seal on their website, so that users felt really confident signing up. At the end of the day, this seal was meaningless. So they felt it was misleading users and probably affecting consent of people signing up on the site.
It was a joint investigation involving the Canadian privacy commissioner and the Australian privacy commissioner. Another concern was the fact that the website was charging users to have their account information deleted, so they said, ‘Well, if you do that, it has to reflect your own cost as an organization. It has to be reasonable, and you need to let people know ahead of time. This will cost you X amount of dollars.’
ThirdCertainty: It seems like regulations lag behind the pace of innovation in the marketplace.
Gratton: Definitely. Privacy laws and data-protection laws will always be technology neutral. At the end of the day, it’s up to the organization to make an assessment of the type of information they collect, of the risks and the type of measures that that they should be implementing to make sure they protect the data they’re managing.
ThirdCertainty: So what general guidance do you give to your clients?
Gratton: Be pro-active, and definitely follow the type of guidance that is issued by privacy commissioners following security incidents. So once there’s a complaint or there’s a security incident, privacy regulators will investigate and issue guidance, such as the investigation report that was issued in the Ashley Madison case. Other companies should now know, ‘OK, we can’t charge to have an account deleted, or if we do so, we have to inform users or customers ahead of time. We shouldn’t keep data for too long, we shouldn’t put fake security seals on our websites.’
ThirdCertainty: If I’m a company that hasn’t been paying close attention to privacy, where can I start?
And another thing to keep in mind is you have to make sure your employees are aware of these policies and that they are properly trained. If there is a security breach, privacy regulators will look for that. They’ll look to see if the employees were aware of the policies of the organization and that they received proper training.
Read more stories related to data privacy:
Consumers becoming more protective of their privacy
Fair or foul? New forensics tools raise privacy concerns
15 million reasons to have a website privacy notice
Devil is in the details for Canada’s data breach disclosure law