Privacy Commissioner of Canada Daniel Therrien believes the question about whether privacy legislation should be amended is in the past. It is no longer should the country's privacy laws be amended, but what is the best way to do so, and with the announcement of the country's Digital Charter, the commissioner said the federal government seems to agree.
Therrien covered the latest development during his keynote speech at the IAPP Canada Privacy Symposium here in Toronto. The commissioner also announced his office will suspend its consultation on trans-border data flows in its current form.
Therrien said his office is currently examining the proposals laid out in the Digital Charter. While the Charter covers a lot of ground, the proposal still leaves "a number of question marks." The commissioner cited the exemption for consent for "standard business practices" as one of those gray areas, adding that he is not averse to exemptions for consent, but questions about how privacy will be protected in those instances still remain.
A revamped privacy law should remain tech neutral, principle based and crafted in a manner to keep it from going out of date, Therrien said.
"I do think that modern privacy legislation should start by defining privacy in its proper breadth," Therrien said. "This, I think, would ensure that it will endure over time despite the certainty of technological developments."
A revamped version of the Personal Information Protection and Electronic Documents Act should be drafted as a real statue and not be an industry code of conduct. Principle-based legislation can be created to resemble more classic forms of a statue, which can be done in the case of new Canadian privacy law by looking at examples on the provincial level.
One of the 10 principles listed out in the Digital Charter is an emphasis on real accountability. Accountability is an important principle as it is currently framed; however, he pointed out, it is not sufficient enough "to protect Canadians from companies that claim to be accountable but actually are not."
Therrien has called for more enforcement authority throughout the years and did so again as he discussed accountability and the ability to dole out fines.
"This is why it is important for a regulator to proactively inspect the practices of organizations," Therrien said. "Where consent is not practical, and organizations are expected to fill the void through accountability, these organizations must be required to prove accountability upon request."
The commissioner admitted even should his office receive fining authority, it still may not be sufficient. He pointed to Facebook's ability to put away upward of $5 billion for potential fines from the U.S. Federal Trade Commission as an example.
The Digital Charter announcement has also changed the OPC's course on its trans-border data flow consultation. Since a new PIPEDA would address trans-border data flows, his office has needed to adjust its course.
"It appears the law will change, hopefully quickly, but perhaps not quickly. In that context, I suggested that we at the OPC would suspend the current consultations, not with a view to ending them," said Therrien, who added his office now plans to focus on how to approach those data flows in the short term under current law but also in the long-term under future legislation.
Therrien emphasized that all the work done on the consultation has not been in vain, as work on trans-border data flows is far from finished.
"No need to write to us at this point, your work is not lost," Therrien said. "We need to regroup at the OPC and confirm our new approach, which we will confirm soon."
While much of the future of Canadian privacy law is up in the air, Therrien shared some good news for his office in the interim, announcing his office may receive a 15% increase in its budget from the federal government, as well as temporary funding to assist in a backlog of PIPEDA and Privacy Act complaints.
When the temporary funding expires in 2021, Therrien estimates the OPC will have fulfilled 90% of the 200 complaints currently filed. On top of the PIPEDA and Privacy Act complaints reside reported data breaches. Since the mandatory breach notification rule went into effect in November, Therrien said the number of reported incidents has increased fivefold.
Prior to any form of funding, the OPC has only been able to review the breaches on a superficial level. Therrien expects the OPC will be able to thoroughly review those cases with more resources at its disposal.
There will be no shortage of action in the upcoming months and years. Regardless of where Canadian privacy legislation falls, Therrien has a view of where the country is going, which includes a framework that bolsters innovation while respecting the rights of citizens.
Change is coming to Canada, he said, and the goal is to find the best way to allow Canadians to participate in the digital economy with the confidence that their rights will be upheld.
If you want to comment on this post, you need to login.