After eight years at the helm of Canada's privacy regime, the time has arrived for Privacy Commissioner of Canada Daniel Therrien to pass the reins. The longtime civil servant will leave his post June 3, allowing him the opportunity to speak candidly for the first time about the state of Canadian privacy during his keynote speech at the IAPP Canada Privacy Symposium 2022.

Instead of reflecting on what was or could have been during his tenure, Therrien provided unfiltered thoughts on the gray areas around Canada's existing and proposed frameworks for federal privacy law and how the narrative can change for the better. Therrien explained how comfort and "myths" are the leading culprits for why the state of Canadian privacy "is one of uncertainty."

"It does not have to be that way. But it reflects human nature: excited by what is new, but comforted by what is known. In all kinds of human activity, there is resistance to change," Therrien said. "Still, I find it surprising to see so much resistance in a field as innovative as the digital economy."

The reality of moving forward

Canada is still working under the Personal Information Protection and Electronic Documents Act, which was enacted in 2001. The latest attempt at privacy reform, the proposed Consumer Privacy Protection Act under Bill C-11, materialized in 2020 before being cleared off the table in 2021 when Canada's federal election was called. Therrien and panelists at proceeding CPS 2022 panels indicated the Canadian government has full intentions to raise a new privacy reform bill this year. "It has been promised in 2022 in the private sector and hopefully it will follow soon thereafter in the public sector," Therrien said.

Despite the legislative appetite to once again prioritize privacy legislation, meaningful reform isn't assured if stakeholders have their say. Therrien approached reform under the thinking that technology "is neither good nor bad" and "depending on how you use it and regulate it, it can bring important benefits or huge risks." He's also long advocated for a framework that institutes a rights-based approach, similar to the EU General Data Protection Regulation, but made clear that "does not mean a carbon copy of the GDPR." Ultimately, he'd like to see something that produces "fewer recitals" and "fewer consent pop-ups."

Therrien did not shy away from addressing industry players' opposition to the rights-based approach, which was the result of perceived negative impacts on business models.

"They say that a made-in-Canada approach has been good for the country and that a rights-based approach would hurt innovation," Therrien said, citing studies that dispel the claims. "Countries governed by the GDPR like Germany, and others with similar laws like South Korea, are ahead of Canada. The idea that a rights based law would impede innovation is a myth. It is simply without foundation. In fact, the reverse is true. There can be no innovation without trust, and there is no trust without the protection of rights."

He added that the time has arrived for all stakeholders to engage in "a more balanced conversation, not one based exclusively on interest," citing past instances of the OPC being "met with silence when we try to understand a certain commercial reality." Those real conversations are coming with Therrien indicating the OPC has plans in the "not too distant future" to consult stakeholders on the best methods to prepare appropriate regulatory guidance once the private-sector proposal is tabled and passed. 

A potential path

The need for privacy reform is clear and present, with Therrien saying PIPEDA "has not been effective in producing consumer trust, at least in the past several years." While Bill C-11 had the looks of a meaningful update, Therrien said the bill "would have given consumers even less control over their personal information, and organizations more control."

So the question remains, what's considered a more suitable path? Therrien and the OPC outlined their thinking behind key components in recent updates to the regulator's recommendations for federal reform. Those suggestions advocated for a rights-based framework that modernizes compliance requirements and boosts enforcement powers while placing greater emphasis on regulatory interoperability and corporate accountability. 

"A made-in-Canada approach that would be too different from what is becoming the international gold standard would not be in the interest of Canadian business," Therrien said. "To the contrary, interoperable laws are in Canada’s interest. Such laws help reassure citizens that their data are subject to similar protections when they leave our borders. They also mean that Canadian businesses can operate abroad and use the personal information of non-Canadians in a way these clients can trust."

The accountability piece would only stem from "true regulation," which Therrien characterized as requiring "objective and knowable standards" that can be adopted and enforced to "ensure organizations are truly accountable."

"While disruptive technologies have many benefits, what does not need disruption is the idea that democratic government must maintain the capacity to protect the fundamental rights and values of its citizens," Therrien said. "That capacity is lessened when organizations have almost complete liberty to set the rules under which they will interact with their clients, and where they can set the terms of their accountability."

Noting that he's "generally an optimistic person," Therrien said his hopes for seamless adoption of an effective law covering the areas his speech delved into is "less than I would like."