On February 12, 2015, the Office of the Privacy Commissioner of Canada released a research report entitled Privacy and Cyber Security – Emphasizing privacy protection in cyber security activities (the “Report”). The Report explores the interconnected relationship among cybersecurity, privacy and data protection, including common interests and challenges.
The Report illustrates some of the current and growing challenges for data protection and cybersecurity, including:
- the growing complexity of managing and providing security for cyberspace;
- the growing sophistication and “professionalization” of cybercrime and hacking;
- the future focus of cyber criminals on the mobile sphere;
- the risks of “big data” and “big data” analytics to individual privacy;
- the failures of companies and organizations to prioritize breach preparedness; and
- the shortcomings of a “check the box” approach to compliance with data protection laws, and the need for effective risk management and dynamic implementation of security.
The second half of the Report addresses national cybersecurity policy and foreign policy developments. The Report cautions that as cybersecurity policies progress at the national level, security and public safety concerns may overshadow individual privacy protection. Ronald Deibert, Director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs, University of Toronto, describes this scenario as the “securitization” of cyberspace, where cyberspace becomes solely a matter of national security. To prevent this securitization, Deibert proposes a “stewardship” approach, stating that cyberspace does not belong to a particular person or group and that everyone, including governments, law enforcement agencies and the private sector, has a role to play in shaping the foundation and evolution of cyberspace.
The Report states that cyberspace governance and security is a global issue, and thus requires a global collaborative response through international standards and cooperation. As cybersecurity policies continue to develop across the world, privacy and data protection authorities should ensure that they adequately protect individual privacy rights.
The Report concludes with recommendations in three key areas where an increased emphasis on privacy protection could help support and advance cybersecurity activities. The first recommendation is to build privacy values into cybersecurity policy directions. The second recommendation is to use legislation to incentivize cybersecurity preparedness and ensure accountability for personal information protection. The third recommendation is to increase cybersecurity dialogue among all stakeholders to protect individual privacy and promote responsible data stewardship.