Massive data breaches and intrusions into personal information have people buzzing about what's worse: getting scooped up in government collection of metadata from electronic communication, or having their private and financial information stolen by hackers who break into huge data banks at department stores where they have shopped.
That debate turns on whom you trust least. Governments have far greater power over the lives of individuals, but the routine collection of numerous bits of much more personal information by the private sector leaves consumers vulnerable in deeply intimate ways, and open to identity theft, which can send daily life into intractable turmoil.
In reality, Canadians, as with their American counterparts, are wondering how they can possibly keep safe financial and personal information that is increasingly amassed electronically — browsing websites, purchasing online, debit or credit card transactions. All of which is stored in massive data banks and secured only by the integrity of commercial anti-virus software and firewalls.
The issue of privacy protection and regulation of data collection has taken on new import with the development of smart appliances that can be controlled by mobile electronic devices, such as smartphones. Regulating the thermostat, home alarm system or turning on the slow cooker all become bits of detail fed into private data banks capable of plotting patterns of individual behaviour.
And it is not only what commercial businesses do with that trove of information.
Target shoppers last fall discovered how vulnerable they were in the data-bank world when the retailing giant fell victim to a malicious software attack. The financial and personal information of up to 110 million customers was hacked. Recent news reports indicate the hackers have continued to hit other retailers in the U.S.
It is a wake-up call for Canadians. Consumer protection and privacy legislation in the U.S. demands privacy breaches at commercial operations are reported quickly to authorities. State by state, legislation compels consumer notification, although the rules are not standard and are often open to interpretation.
In Canada, notification to authorities and consumers is voluntary — a huge hole in privacy law privacy commissioners have said must be fixed for meaningful protection of personal and financial information.
Former federal privacy commissioner Jennifer Stoddart, in a farewell report last fall, again called for Canada's privacy legislation to be updated.
She noted Canada is far behind other nations fighting to keep up with the advance of electronic communication and data collection, which has edged into the field of facial recognition. Yes, your mug can be captured electronically in the aisle of a grocery or department store and become one more nugget in the trove of marketing information.
Under the Privacy Act, the privacy commissioner’s office monitors breaches of government departmental data. It does the same for the activities of commercial entities under the Personal Information Protection and Electronic Documents Act in seven provinces, including Manitoba, and the territories (the remaining three have their own commercial privacy laws).
Under both acts, however, reporting of breaches is voluntary.
The discussion reaches beyond what gets collected, when and whether consumers — from the preteens posting on social media to moms managing the bank accounts — can opt out of data tracking and storage.
It is about the limits of intrusion into private information, how it is stored with personal identifiers and shared, and how to protect individuals from new tracking devices that cannot be turned off by the computer user.
Further, Canada’s privacy laws contain no penalties for transgressions or repeat offences. The privacy commissioner can only make recommendations, and non-compliance must be referred to the Federal Court.
There is no compelling reason reporting of privacy breaches is not mandatory.
Privacy legislation, however, is in need of an overhaul that should be led by debate on how to curb commercial intrusion into the lives of individuals and thereby contain the threat hackers will plunder finances and steal identities.
» A version of this editorial ran recently in the Winnipeg Free Press.