Canada's Privacy Watchdog Wants the Power to Go After Companies Like Equifax

The OPC wants to do something, but it can't.
September 21, 2017, 4:20pm

After credit giant Equifax publicly announced it had been hacked, leaking the personal information of 100,000 Canadian customers, many in the country are wondering how to make sure this doesn't happen again. Unfortunately, Canada's federal privacy watchdog can't actually enforce privacy legislation—it can only make recommendations.

The Office of the Privacy Commissioner's annual report to parliament, which was released on Thursday, unequivocally states that Canadians need a federal privacy watchdog with some real teeth.


"Consumers clearly expect stronger enforcement in all forms, including orders, fines and audits," the OPC's report, which doesn't mention Equifax, states. Further, the report states that the OPC's lack of power is out of step with international partners like the US, "who are able to impose financial penalties, which serve as an important incentive for organizations to comply."

The OPC largely takes a reactive approach to investigations right now, looking into privacy breaches after it receives complaints. Indeed, after the recent Equifax hack, the company was not in contact with the OPC at all until the office received complaints and reached out. The office wants to take a more proactive approach to investigations going forward, the report states.

Right now, industries in Canada largely self-regulate when it comes to complying with privacy law. And this suits corporations just fine. The OPC's report states that consulted "organizations" felt that giving the OPC enforcement powers would be too expensive and onerous for them and that the fear of public backlash in response to a poorly-handled privacy breach is enough to make them stay in line.

But we've already seen through Equifax's bungling of its own breach response—the hack itself occurred months before the public was notified, and Canadians waited more than a week longer than Americans to find out how many people here were affected—that self-regulation may not be enough to protect Canadians' privacy.

The OPC has long asked for more power in order to protect Canadians, and despite the protestations of data- and money-rich corporations, it might be time to grant it that power.
