People are growing more and more concerned over the use of their personal data by companies online. And they should be. Breaches of personal data are becoming more of a regular occurrence, and governments around the world are trying to introduce legislation to protect data.
Consumers get concerned when they see headlines like LifeLabs reveals data breach, possibly affecting up to 15 million Canadians. And they should be, as that is almost half of the Canadian population who have given up their personal information to one of the biggest laboratories in Canada. In many cases, consumers don’t feel as though they have a choice: if you need bloodwork, you get sent to Lifelabs. On the other hand, businesses should be concerned when they see headlines like this: Lifelabs Data Breach, the Largest Ever in Canada, May Cost the Company Over $1 Billion in Class-Action Lawsuit. An investigation is still ongoing by The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia.
There are many people calling on Canada to further strengthen PIPEDA (Personal Information Protection and Electronic Documents Act) and privacy regulations. Canadian Privacy Commissioner Daniel Therrien urges Parliamentarians to adopt rights-based privacy laws to better protect Canadians in his annual report. Therrien suggests the starting point to legislative reform is to give new privacy laws a rights-based foundation. The purpose of the law should be to protect privacy as a human right in and of itself and as an essential element to the realization and protection of other human rights. Former BC Privacy Commissioner Elizabeth Denham also says Canada’s laws need to move into the 21st Century. Now Britain’s information commissioner, Denham says, information and privacy commissioners need more power, and that PIPEDA needs to be reformed.
GDPR (General Data Protection Regulation) has some of the toughest privacy standards in the world, with the highest fines for non-compliance. CNBC reports that GDPR has generated 114 million euros ($126 million) in fines since it was introduced almost two years ago. The biggest fine under GDPR so far was handed out by the French data protection regulator. The CNIL fined Google 50 million euros last year for alleged infringements of GDPR relating to transparency and a lack of valid consent rather than a data breach. Britain's Information Commissioner's Office could top that amount. Last year it announced notices of intent to impose fines on British Airways and Marriott International, collectively amounting to about £282 million, but those penalties are yet to be finalized.
Data privacy regulations aren’t going to go away. In fact, expect countries around the world to strengthen legislation or for those that don’t have privacy standards, to implement them. California’s privacy law (California Consumer Privacy Act (CCPA)) came into effect earlier this year: it’s possible that the U.S. may look at implementing nation-wide legislation depending on how things go in California. Suffice it to say, if you do business anywhere in the world, you need to take consumer privacy seriously.