Privacy Commissioner of Canada Daniel Therrien believes the country is having a crisis of trust. Canadians want to safely enjoy the benefits of technology; however, privacy laws in their current iteration do not go far enough to protect citizens’ rights, according to the commissioner.
That's why Therrien has called for a revamp to Canadian privacy legislation within the Office of the Privacy Commissioner of Canada’s “2018-2019 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act.” In the report, Therrien states new privacy laws should focus on the rights of citizens.
“Given that privacy is a fundamental human right and a necessary precondition to the exercise of other fundamental rights, such as freedom, equality and democracy, the starting point of reform should be to give privacy laws a rights-based foundation,” Therrien said during a news conference on the report. “In other words, new privacy laws should reflect fundamental Canadian values.”
The OPC proposes elements it believes rights-based legislation should contain, such as “a recognition in law of the quasi-constitutional nature of privacy legislation,” and to ensure enforcement actions are effective.
It also recommends privacy should be defined in its broadest sense, “which means to make explicit that a central purpose of the law should be to protect privacy as a human right in and of itself, and as essential for the realization and protection of other human rights,” the report states.
Therrien was keen to point out that a rights-based law would not be an impediment to innovation. In fact, the commissioner said strong privacy laws can help to restore trust — currently in short supply — in commercial activities. He said even leading tech officials have called for responsible legislation that balances privacy and innovation, citing Microsoft CEO Brad Smith as one example, who has called for “a new wave” of privacy protections to protect human rights.
“If the president of Microsoft thinks we need rights-based privacy laws, I assume he is not too concerned with risks to innovation,” Therrien said.
The OPC report also reflects on where Canada’s laws stand in comparison to other global privacy rules. While the country was once a leader in privacy protections, Therrien said the world has passed Canada by. If the government waits too long to tackle the situation, it could end up leaving an impact on the country’s economy.
“New privacy bills in the United States include several of the elements I recommend for Canada,” Therrien said. “And there is a risk that Canada’s adequacy status under EU law will not be renewed in 2020, which would jeopardize Canadian trade.”
Therrien said the days of private sector self-reform must come to an end, adding it's untenable for tech companies to treat OPC orders as “mere opinions,” a point Therrien has made several times in the past. To ensure tech companies adhere to privacy rules, he said his office must have enhanced enforcement powers, such as the ability to issue binding orders, as well as “consequential but proportionate” penalties for noncompliance.
“The law should no longer be drafted as an industry code of suggested best practices that companies are free to adopt, but rather as a set of enforceable rights and obligations,” Therrien said. “We need enforcement mechanisms that offer quick effective remedies for people whose privacy rights have been violated and that help to ensure ongoing compliance.”
The OPC’s annual report also touched upon Statistics Canada's data-collection practices. The agency investigated a proposed pair of Statistics Canada's data-collection projects, one that involved the collection of credit histories and another that would have had the agency collect line-by-line financial transaction information from banks without customer consent.
The OPC received more than 100 complaints about the plans; however, the agency found Statistics Canada did not violate the law since it agreed to suspend the projects. The commissioner complimented Statistics Canada for working with the OPC to ensure the projects are done properly should they proceed.
“To their credit, Statistics Canada accepted, after some discussion, to suspend their project and work with us to limit the amount of information they would collect and analyze to still produce sufficiently reliable statistics but with” less data, Therrien said. “That’s what I call a challenge that turned into a good opportunity.”
Should Canada’s privacy laws remain unchanged, is it possible another Statistics Canada situation pops up but with a worse outcome? Therrien hopes it isn’t the case. The commissioner said ideally other agencies would talk to the OPC before they start similar projects to learn how they can mitigate privacy risks. Of course, Therrien said the best way to take on this issue would be to update privacy laws altogether.
“Yes, there is a risk that this will happen again, particularly in other departments, but if they take the lessons from the Statistics Canada exercise, that is less likely to happen. And what would ensure that it doesn’t happen would be to amend the law.”
