A hacker found an unexpected loophole in the province’s new data privacy laws that allow companies to store user data indefinitely and collect a lot of it without consent.
The Ontario government has just updated its data protection act to include a new section that allows companies to keep data indefinitely without consent, which is the new standard for protecting personal data, such as your browsing history.
“There are now four different categories of data that can be retained and used in connection with the services,” said Bill Horsfall, the director of communications for the Ontario Information and Privacy Commissioner (OIPC).
“So it’s not just the browsing history, but it’s the information you’ve shared with other services, it’s other data that’s being accessed, it can be used to build profiles of individuals that are already stored.”
Data retention and use of the information
Privacy is not just about keeping your information private.
Horsdale explained that companies can also use the data to build their profiles, which are based on past behaviour and interactions with customers, and which can be shared with law enforcement agencies.
“In the past it has been possible for companies to use that information in order to identify individuals that have made specific criminal or other inappropriate purchases, to try to identify those individuals that were at fault for crimes, for any other reasons, so that we can identify those that are at risk of future criminal activity,” Horsville said.
Hacking Ontarians’ computers
“The data retention rules are intended to ensure that all of the data is kept up to date,” Harsdale said.
“It’s also meant to ensure the public have a right to access the information.”
The new data retention law, which took effect on June 30, 2017, will only apply to data collected by a company with an “intent to disclose or otherwise use,” as defined in the law.
Companies that don’t have an intent to disclose, but that want to collect, will have the right to do so.
“We are also giving companies the option of using data collected for the purposes of providing services or other products and services to the public without having to obtain the consent of the consumer,” said Horsland.
“That’s important for privacy purposes because it allows people to be informed about what they are being asked to do.”
Horsdown said the OIPC is working with companies to make sure they comply with the law, as well as how to keep users informed of what their data is being used for.
Companies have until June 30 to provide information on their plans to comply with privacy rules.
Ontario’s privacy commissioner has received complaints about companies that are using the information without consent to build profiles.
Ontario privacy commissioner Bill Harsfall. (CBC News)
“In our experience, the majority of privacy commissioners that we’ve met have been pretty open and receptive to the concerns that companies have expressed,” Hardson said.
Ontario is the only province in Canada that does not have a law that sets a specific data retention time limit, and companies that don’t follow the rules will be subject to fines.
“This is a situation where the law is designed to protect people, not corporations,” Honsfall said.
The Privacy Commissioner is currently conducting a review of how the new data protection rules will impact Ontarians.
The review is being led by the Ontario Public Interest Research Group, an independent research and advocacy group.
“The OIPP has the responsibility to ensure we’re keeping Ontarians informed of the privacy implications of their actions, whether that’s by making sure that companies are complying with privacy legislation, or by making that information available in an open, accessible, and accessible manner,” Holes said.