Privacy Commissioner of Canada Daniel Therrien released his annual report this week. Once again, he asked for legislative changes to both the Personal Information Protection and Electronic Documents Act and Privacy Act. This time around, they have even gone so far as to draft the preamble and purpose clauses to both laws. This little bit of legislative drafting is found at the end of the first chapter of the report that details with some specificity what the commissioner would like to see in modernized, rights-based laws.
Some ideas are not surprising. They say they require greater enforcement powers, including the power to order compliance and levy monetary penalties. At the heart of it, however, is a forceful argument to redraft our privacy laws so they clearly protect privacy as a human right. From the commissioner’s opening message: “Privacy is a concept that is contextual and sometimes difficult to define precisely, but it is nevertheless a foundational value in Canadian society, a fundamental right and, as we have seen in the recent Cambridge Analytica scandal, a prior condition to the exercise of other fundamental rights, including freedom, equality and democracy. The starting point, therefore, should be to give new privacy laws a rights-based foundation.”
Another interesting idea is the notion that an authority (maybe the OPC, but not necessarily) would have the ability to prescribe subsidiary binding rules, giving effect to the principles in specific contexts so that both individuals and commercial and state organizations have some certainty with respect to their rights and obligations. This happens in other industries, like the financial sector where the government authority, the Office of the Superintendent of Financial Institutions, prescribes rules financial institutions must abide by. These rules are more quickly changed and modernized than laws, so I guess the idea is to create some flexibility and, at the same time, add some specificity to what is legally required.
There’s also talk in the report about modernizing the approach to consent — a recognition that it is nearly impossible to always rely on consent in every situation. Instead, the notion of demonstrable accountability would pave the way to greater freedom to process personal information so long as the processing is in line with privacy as a human right. Does that sound a little bit like the GDPR to you?
There’s a fair amount more to the report, including the outcome of the Statistics Canada investigation that made headlines awhile back, so please read the article we have below. Before I sign off, I’ll just echo my support for one last thing: the need for necessity and proportionality to be included in the Privacy Act. You’ll see this as a theme in the StatsCan conclusion — which went something like: technically legal, but not good. Quite frankly, it is embarrassing that necessity and proportionality are not already in the federal law, and the commissioner’s conclusions on this point need to be acted on by the government. A government without the guiding posts of necessity and proportionality is a government that is likely to go too far.