TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | In annual report, Therrien makes familiar call for legislative reform Related reading: Therrien calls for rights-based privacy laws in annual report

rss_feed
GDPR-Ready_300x250-Ad

Privacy Commissioner of Canada Daniel Therrien has called for an update to the country's federal privacy laws for years. It was a main talking point of the Office of the Privacy Commissioner of Canada's "2018–2019 Annual Report," and a year later, Therrien found himself making the same plea to the federal government.

But the world is nowhere near the same place it was when the OPC published its annual report last December. The COVID-19 pandemic has upended just about every aspect of everyday life. To respond to this global emergency, governments have attempted to set up contact-tracing systems, telemedicine appointments have skyrocketed, and children have moved to remote learning.

These developments have brought forth a new wave of questions around privacy and data use. For Therrien, they are the latest examples of situations Canada would be able to better navigate with modernized privacy legislation and are the main focus of the "2019–2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act."

The report highlighted the OPC's work since the start of the pandemic, from the release of its assessment framework to helping public institutions ensure health initiatives respect privacy laws to its consultation on the COVID Alert contact-tracing application.

The OPC's review of the app found it met the principles laid out in its assessment framework. Therrien said it was evidence the federal government can implement respectful privacy practices "when it wants to." While the app may have cleared the OPC's standards, it also shined a light on the divide between Therrien and the federal government.

"During our discussions about COVID Alert, government officials made the remarkable statement that current federal privacy laws do not apply to this app," Therrien said during a news conference on the report's release. "This assertion certainly gives one pause. An extremely privacy sensitive initiative is defended by the government of Canada as not subject to its privacy laws. Privacy is considered by the government as a good practice, but not a legal requirement. How long can this go on?"

Another COVID Alert issue raised in the report is whether participation is truly voluntary. Therrien said employers should not force employees to disclose information on the app as a screening measure, nor should any third party seek to have users reveal data for any purpose.

The federal government has addressed this potential issue, but Therrien does not believe they have gone far enough, exposing yet another blind spot in the country's federal privacy laws.

"In Canada, it’s unclear whether the law would prohibit organizations from compelling the disclosure of information in the app and thus circumventing its voluntary nature," Therrien said. "To address this, the government said it would strongly discourage such actions, but it would not go further. Other countries have legislated to ensure similar apps are completely voluntary, so this is another hole in our laws."

There also has been plenty of concerns about telemedicine and remote learning. Therrien acknowledged there is plenty to like about these leaps in technology as long as everyone remains cognizant of the problem areas.

"The main concern that I have is this huge acceleration of digitization that we see with the pandemic, which offers great benefits, but increases the risks," Therrien said. "Do you want your conversations with your doctors to be available to companies and used in a profile that will affect your future life? Obviously, the answer is no. Do we want the information of our children collected by companies for purposes that have nothing to do with education and used to build profiles and for commercial purposes? Again, the answer is no."

While the annual report focuses on Canadian law, the report placed the laws of other countries under the microscope, particularly trading partners.

An infographic compares the Personal Information Protection and Electronic Documents Act to the California Consumer Privacy Act, Brazil's General Data Protection Law and the EU General Data Protection Regulation, as well as laws in South Korea, Singapore, Japan and Australia.

The chart showcases which laws have a private right of action, defines privacy as a human right, and addresses whether regulators have rulemaking authority and the power to administer monetary fines.

Of the six categories listed, PIPEDA doesn't have a single box checked. Therrien said the infographic is indicative of a trend he has pointed to before: Canada was once a leader in privacy legislation, but it has been left behind. 

"These jurisdictions have understood that strong privacy laws promote trust in data-driven technologies. It’s more than time for Canada to do the same," Therrien said.

Therrien also said the lack of federal legislative movement has left provinces "weary" and motivated them to take matters into their own hands. Quebec tabled proposed updates to its private sector privacy laws in June, and two months later, Ontario launched a consultation seeking public input on "creating a legislative framework for privacy in the province’s private sector."

Modernizing privacy legislation isn't always about what a country can gain, but also what they could lose. Therrien said an upgrade to PIPDEA is likely needed to maintain its adequacy status with the European Union, and the decision might be coming sooner rather than later.

"Our understanding is that the European Commission will make a decision about the adequacy of Canada’s laws in the not-too-distant future. I don’t know the exact time timing, but it’s going to be fairly short," Therrien said. "There is a risk that Canada would no longer be found adequate. They were found adequate around the year 2000, but that status is, I think, at risk if Canada does not move, so that in itself should be a factor for the federal government to act."

The commissioner has once again made the call for a new approach to privacy laws in Canada. Given the current state of the world, Therrien addressed a question that could be applicable to plenty of situations in 2020: How much of a priority should privacy law reform be as the country battles COVID-19?

Therrien knows public health efforts are at the top of the list. It doesn't mean a PIPEDA overhaul should be ignored. In fact, it might just be the perfect time for the federal government to take the deep dive.

"Of course, there are many priorities that governments need to deal with during this crisis, but there have been many commentators that have said the pandemic gives everyone a chance to build on a better foundation," Therrien said. "The better foundation in 2020 during the Fourth Industrial Revolution includes adequate privacy laws."

Photo by sebastiaan stam on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.