When a cloud privacy breach occurs in Canada, what happens? In some cases, businesses are subject to mandatory breach notification requirements. This means that a privacy breach - whether as a result of a hacker, a lost USB or some other human error - must by law be reported to the commissioner and to affected individuals. Ontario has implemented mandatory breach notification under its Personal Health Information Protection Act. In Alberta, organizations subject to the Personal Information Protection Act (PIPA) are required to report a breach to the commissioner “without unreasonable delay” where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure”.
The “real risk of significant harm” standard requires some analysis in the event of a breach, and the Alberta commissioner’s Mandatory Breach Reporting Tool (PDF) was recently released to assist organizations in determining whether they are required to report a breach under section 34.1 of PIPA. This area of law may be changing further: a private member’s bill was recently introduced in Parliament to implement mandatory data breach reporting in the federal personal information protection law.
Here’s a recent case that illustrates the pitfalls of a cloud privacy breach in Canada:
In the recently released decision relating to WhatsApp (Report of Findings: Investigation into the personal information handling practices of WhatsApp Inc.), the Canadian and Dutch privacy authorities investigated WhatsApp Inc., a US company operating “WhatsApp Messenger”, a cloud-based cross-platform mobile messaging app that allows the exchange of messages across the iOS, BlackBerry, and Android platforms.
The Commissioner launched an exhaustive review of the privacy aspects of the service after complaints regarding WhatsApp’s information-handling procedures, including the collection of more information than was necessary, the potential for a privacy breach, and the lack of encryption.
While the story generated damaging headlines, WhatsApp did work with the Commissioner to resolve many of the privacy concerns.
This investigation also shows the extent to which international privacy watchdogs will work together to launch an investigation that concerns personal information that crosses international borders.
The privacy lessons are clear: get advice on the privacy implications of the cloud-based service, and don’t underestimate the importance of well-drafted privacy policies and user terms. Cloud service providers should also take time to understand the breach notification protocols that would apply in the event of a privacy breach.