Canada's Federal Privacy Commissioner has submitted the 2023-2024 Annual Report to Parliament, covering a number of interesting trends observed over the past year.

One of the most insightful revelations is that the number of reported cyber attacks that resulted in privacy breaches remained the same, yet the number of actual victims more than doubled. There's a lot to unpack there, and technology adoption trends are definitely part of the answer, but the report contained a lot more interesting stuff.

Here are 9 other fine points that stand out for me:

  • 90% of Canadians are at least somewhat concerned about identity theft, and around half are extremely concerned.
  • "Two separate Privacy Act investigations underscore need for stronger security safeguards."
  • 1 in 10 Canadians say that they trust social media to protect their privacy.
  • Canadians spend an average of 6 hours and 18 minutes online per day.
  • 91% of Canadians believe that at least some of what they do online or on their smartphones is being tracked by companies or organizations.
  • 75% of young people find that the technical language of social media terms of service is hard to understand and feel that a take-it-or-leave-it approach forces them to choose between social exclusion or signing up at the cost of their privacy.
  • 12% of Canadian businesses report collecting personal information from minors.
  • 73% say that they use age-appropriate language to explain their privacy policies.
  • 27% say that they carry out privacy impact assessments (PIAs) before offering tools or products that are aimed at young people.

The sweeping report went on to say that "the number of reported cyberattacks resulting in privacy breaches increased by 13%. In 2023-2024, 321 (46%) of all breaches that were reported to the OPC were identified as cyber incidents, while 278 cyberattacks were reported in 2022-2023."

To me, it is increasingly unclear what is meant by "cyber", particularly as that term is both abused and over-utilized these days. One thing we do know is that every privacy breach is first and foremost a security incident.

The report went on to indicate that "in 2023-2024, private-sector organizations reported 693 breaches to the OPC, affecting approximately 25 million Canadian accounts, compared with 681 breaches the previous year, affecting approximately 12 million accounts."

That's a lot of security breaches, not to mention violations of privacy.

To make my point, I cite just 3 of the key updates made in the report, referring to significant privacy situations from the past year (hint: they all started as security incidents):

  • CRA breach demonstrates the importance of proper authentication processes.
  • Breach at IRCC reinforces importance of procedures to protect personal information.
  • Confusion between employees with the same name results in systemic privacy breaches.

The expansive report is titled "Trust, innovation, and protecting the fundamental right to privacy in the digital age" and it constitutes an interesting read in its entirety, even as it clearly illustrates the reality that there is no privacy without security.