As U.S. lawmakers decide how best to respond to Facebook’s personal data scandal, regulators in Canada are being encouraged to do more to protect the privacy of users in this country.

“Canada already has a lot of strong legislative pieces in place to protect Canadians’ data,” said Trend Micro’s vice president of Cloud Research, Mark Nunnikhoven. “What Canada is lacking is weight behind the existing pieces.”

“The penalties for breaking Canadian trust around data are not nearly harsh enough,” he added.

Privacy concerns have been on the radar of Canadian regulators, especially in light of recent breaches.

In the coming months, Canadian companies will be required to follow new federal rules when assessing how they handle a breach of people’s private information.

But even the new rules may not be tough enough for some.

“Under the federal law, a new part of the law [which comes into force in November], notifying the privacy commission and the affected individual(s) is mandatory where there is ‘real risk of significant harm’ from the breach,” said Peter Ruby, a technology litigation partner at Goodmans.

But Ruby said determining what the significance of that harm is may be challenging, especially since data breaches and leaks can come in many forms.

“The response is very context-specific, so there is no ‘one-size-fits-all’ solution,” said Ruby.

Finding that solution is a challenge being faced by regulators around the world.

In Europe, the EU is about to implement new privacy rules that will fall under the General Data Protection Regulation (GDPR). The new EU rules will have broad implications for the way data is gathered and used, but they also offer specific parameters around disclosing breaches.

The legislation stipulates an organization has to report a personal data breach “not later than 72 hours after having become aware of it” to the supervisory authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

The penalties under the GDPR can be severe. For the most serious infringements, organizations can be fined up to four per cent of their global annual turnover or 20 million euros, whichever is higher; a failure to meet the breach-notification obligations falls into the regulation's lower tier, capped at two per cent of global annual turnover or 10 million euros, again whichever is higher.

Some high-profile advocates argue that a similar model should be considered for Canada, including former BlackBerry co-CEO Jim Balsillie, who has been openly critical of Canada’s current approach to protecting data.

“GDPR would be a floor of what we want and then see what we want to add from there,” said Balsillie in a recent interview on BNN.

Whatever that floor may end up looking like, Nunnikhoven believes there needs to be a cultural shift not only in how data is managed, but also in how it's viewed.

“This is why organizations really need to focus on collecting less data, strongly protecting what they do collect, and building up an internal culture that puts an emphasis on protecting the data they are trusted with.”