As much of the world has heard, Uber suffered a data breach that affected people worldwide. After repeated demands from several levels of Canadian government, Uber has finally disclosed that 815,000 Canadians were affected, prompting the Canadian Privacy Commissioner to open a formal investigation into the breach.
Uber has said that only names, emails and mobile phone numbers were taken by the hackers and that no credit card information, bank accounts or dates of birth were compromised.
Unlike the U.S. and U.K., Canada currently has no law requiring Uber to disclose data breaches, and under its licence agreement with the City of Toronto, city council had to pass a vote before it could even demand information about the breach.
The Privacy Commissioner “gave little detail in announcing the formal investigation, noting confidentiality provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA)”.
PIPEDA entitles individuals to certain protections for personal information that is collected in the course of commercial activity. “Personal information” is broadly defined by PIPEDA, and includes any information about an identifiable person (s 2). “Commercial activity” is also broadly defined and includes:
any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists (s. 2).
These sections form the basis for the protection of personal information under federal law. When a complaint is filed, PIPEDA confers wide-ranging investigative powers on the Commissioner to examine the alleged breach and report findings and recommendations to the organization. The Commissioner cannot, however, impose fines or issue binding orders under PIPEDA: enforcement of a finding requires an application to the Federal Court, which can order the organization to comply and award damages.
To address the lengthy process currently required to obtain information from businesses such as Uber, federal privacy rules are being developed that would require businesses to disclose a data breach when it occurs. Under the new provisions, failing to disclose a breach would carry a maximum fine of $100,000.