The Office of the Privacy Commissioner of Canada and the Office of Information and Privacy Commissioner of Ontario both released their annual reports this week.
Since I’ve highlighted a handful of Ontario initiatives recently, I’m focusing these notes on a few takeaways from the OPC's work in the 2023-24 fiscal year. I do suggest, however, that you take the time to read both annual reports. Read strategically, I think these resources can give you a good sense of what the regulators are prioritizing and how that might affect you in your day-to-day work.
When reading the OPC’s annual report, which I found super easy to read, the one thing that struck me is that the office seems to be a busy bunch.
It accepted 1,113 complaints related to the Privacy Act and additional 446 complaints filed pursuant to the Personal Information Protection and Electronic Documents Act. On top of that, they received 561 public-sector privacy breach reports and 693 private-sector breach reports. That’s already more than three per day, but the office suspects organizations continue to under-report failures in security safeguards.
Here are a couple of other notable breach stats:
- Despite a similar number of PIPEDA breaches compared to the previous year, twice as many Canadian accounts were affected by breaches in 2023-24 (25 million accounts vs 12 million accounts in 2022-23).
- Breach reports showed that third-party service providers, particularly IT and software providers, were targeted more frequently by threat actors.
The OPC took the occasion to highlight various findings as well, including those related to the Aylo matter.
Aylo is the parent company of Pornhub and the OPC concluded the company failed to take adequate steps to ensure that the people appearing in their adult-oriented site consented to being there. It was quite the litigious investigation, with Aylo bringing a judicial review application in an attempt to bar the OPC from publicly releasing its report.
Lastly, I’ll briefly mention that Privacy Commissioner Philippe Dufresne seems to be living up to his promise of more domestic and international collaboration. He’s even created a new directorate for international, provincial and territorial relations, headed by Miguel Bernal-Castillero.
They cite at least a dozen or more examples of collaborative efforts taken in the past year, including several key joint investigations with provincial counter parts.
So there's a little summary, but It would probably be good to read the whole thing. If you look closely, you will even see a tiny little picture of yours truly in there, in one of the crowd shots. Let me know if you spot the Kris Klein version of “Where's Waldo?"
Have a great weekend and hope to see many of you in Toronto next week at the IAPP Canada Privacy Symposium!
Kris Klein, CIPP/C, CIPM, FIP, is the IAPP's managing director for Canada and a partner at nNovation.