My weekly technology law column (Toronto Star version, homepage version) notes that privacy officials have long warned about unseen consumer privacy risks, yet the issue has rarely generated significant political attention in Canada with potential reforms languishing for years without action. Recent high profile privacy incidents involving two of the world’s most popular consumer electronic companies – Apple and Sony – could help change that as millions of Canadians awaken to the privacy risks associated with undisclosed tracking and security breaches.
Apple ultimately acknowledged that it was collecting the location information even when consumers opted-out of the iPhone’s location services functionality. The company promised a software update that would respect user opt-outs and would cease backing up the location information on their computers.
The Sony incident involved one of the largest consumer security breaches in history. Six days after shutting down its PlayStation Network due to an “external intrusion”, the company began advising more than 75 million account holders that their personal information, including user profiles, birthdates, passwords, purchasing history, and credit card information, had been stolen.
The sheer scope of the security breach may be unprecedented since Sony appears to have stored all this information together (thereby allowing for easy linkages), much of it without encryption. Given the need to reissue credit cards and safeguard against identity theft and other misuse, the ultimate cost of the breach could run into the hundreds of millions of dollars.
While both companies were at pains to declare their concern for user privacy – Apple characterized itself as “one of the leaders in strengthening personal information security and privacy” and Sony noted that it “takes information protection very seriously” – lax security safeguards and delayed public notifications provide little reason for consumer confidence.
Indeed, it has become increasingly apparent that consumers must be the frontline guardians of their own privacy by rotating passwords, only providing personal information that is strictly necessary for the services they use, and opting-out of unnecessary disclosures to third parties.
Even with such measures, risks from security breaches and poor privacy practices remain a reality. Countering these risks requires tough regulation and enforcement so that companies prioritize consumer privacy and face serious consequences when failures occur.
Yet on the legislative and enforcement front, much more can be done. Canada still does not have a mandatory security breach disclosure requirement, so the Privacy Commissioner of Canada learned about the Sony breach through news reports. Moreover, Sony’s decision to sit on the information for days without informing the public carries no legal consequences under Canadian law.
In stark contrast to the U.S., privacy lawsuits are also relatively rare in Canada. Within days of the Sony security breach disclosure, a California lawsuit seeking class action status was filed arguing the company did not take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users.”
Apple’s failure to respect user opt-out requests from collecting geo-location information similarly raises few ramifications under Canadian law. Although the Privacy Commissioner could launch an investigation, there is no real prospect of penalties or fines under the current law. Canadians may expect better of Apple and Sony, but the law has thus far failed to match those privacy expectations.