Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Study on Review of the Privacy Act
November 1, 2016
Ottawa, Ontario
Opening Statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Introduction
Thank you once again for your invitation and decision to conduct this important study on the review of the Privacy Act.
I would also like to thank all those experts who have testified before you thus far.
With me today are Patricia Kosseim, Senior General Counsel, and Sue Lajoie, Director General, Privacy Act Investigations.
Reiteration of the need for reform
As you have heard from many expert witnesses, the 33-year old Privacy Act is woefully out of date.
Over the past few years in particular, technological developments have been revolutionary, making the collection, use and sharing of personal information by governments much easier.
Subject to a few clarifications, I therefore maintain my recommendation to amend the Act under three themes: legal modernization, technological innovation and need for transparency.
Order-making powers
Looking back over the testimony provided to the Committee thus far, I would make a few observations.
Many witnesses have asserted, particularly from the provinces, that there is much to be said for a regime of privacy protection that includes binding orders issued at the conclusion of certain investigations.
In my appearance last March, I indicated that the current ombudsman model needs to be changed as it often leads to delays. Furthermore, under the current regime, departments do not have a strong incentive to make complete and detailed representations at the outset and the current model does not therefore result in a timely, final remedy.
I said I was not seeking order-making powers at that time and that other alternatives should be considered, including the “hybrid” model used in Newfoundland and Labrador.
I did indicate, though, that I would further research the question and reflect on the implications such a change would have for my Office.
The ombudsman model has been in place since the OPC's inception in 1983. This means in part that I can be both a privacy champion, as well as investigating complaints.
These are both vital roles in the protection of privacy and I was concerned that legal reasons would force me to choose one over the other.
Specifically, the concern was the courts deem that I would not be able to adjudicate complaints impartially if I am also a privacy advocate.
After careful review, we have concluded that there indeed are legal risks with one body having both adjudicative and promotion functions, but these risks are likely the same under the hybrid model.
Importantly, our review also led us to conclude that these risks can be largely mitigated through a clearer separation of adjudicative and promotion functions within the OPC, a structure that exists in many provinces.
It is important to understand that there would be some costs to such a separation. However, we have not yet quantified these.
Since legal risks and mitigation measures are the same under the hybrid model, in my view the order-making model is preferable as it provides a more direct route to timely final decisions for complainants.
Therefore, as I wrote to the Committee in September, I now recommend that the Act be amended by replacing the ombudsman model with one where the Privacy Commissioner would be granted order-making powers.
Balancing rights to privacy with right of access and Open Government
In this Committee’s report on Access to Information Act reform, several recommendations appeared which were consistent with the policy to promote open and transparent government.
I agree completely with this policy – as a cornerstone for public trust and accountability - but suggest it should be pursued in a way that protects privacy.
As I have mentioned several times, the Access to Information Act and the Privacy Act are to be seen as a seamless code, and changes to one Act must consider the impact on the other.
Changes to the way in which access and privacy rights are balanced under the current legislation should be carefully thought through, including any changes to the definition of personal information and changes to the Access to Information Act's public interest override.
In my view, these changes should be considered in the second phase of Access to Information Act reform.
I was therefore happy to see that ETHI's report in June on access, if I read it correctly, did not recommend changes that would affect that balance.
Risks if reform is not pursued
There will be real consequences if Canada does not modernize its privacy legislation.
In the public sector, these consequences include:
- risks of data breaches that are not properly mitigated;
- excessive collection and sharing of personal information which may affect trust in government;
- more specifically, trust in online systems may undermine the government's efforts to modernize its services and coordinate its digital communications with Canadians.
Some governments have already moved forward to strengthen their privacy protection frameworks — most notably the European Union.
There is a risk that, if European authorities no longer find Canada’s privacy laws essentially equivalent to those protecting E.U. nationals, commerce between Canada and Europe may become more difficult.
This is what happened to the U.S. when the Safe Harbour agreement was found invalid by E.U. courts.
Additional Remarks
The Federal Court recently considered the Privacy Commissioner Ad Hoc mechanism that my Office created to provide for independent review of complaints against my own Office.
This was needed when the OPC itself became subject to the Privacy Act with the adoption of the Federal Accountability Act in 2007.
In assessing the independence of this mechanism, the Court noted that this was a question more appropriately addressed by Parliament.
I would therefore invite the Committee to consider this issue.
We have added this to our revised list of recommendations.
Conclusion
Again, I wish to thank and congratulate the Committee for undertaking this critical work, which I hope will lead to a modernized law that protects the privacy rights of all Canadians.
We believe that the recommendations we put before you in the spring, with the addition of order-making power, all of which have since been echoed and supported by many witnesses, will greatly improve and modernize the law.
We hope the Government will see fit to take action on all of these facets of the Act.
However, since the government has confirmed its intention to amend the Access to Information Act in two stages, we would ask that the following recommendations to the Privacy Act, at a minimum, be part of phase one:
- an explicit necessity threshold for the collection of personal information, so that the easier collection made possible by new technologies is properly regulated in a way that protects privacy;
- an obligation to safeguard personal information and a breach notification provision made explicit in the Act, to ensure the risk of data breaches is properly mitigated;
- a requirement for written information-sharing agreements with prescribed minimal content, to improve transparency; and
- amendments consequential to phase one amendments to the Access to Information Act, including replacing the ombudsman model by one where commissioners are given order making powers, to ensure individuals receive timely final decisions to their complaints.
I would be happy to take your questions.
- Date modified: