Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the 2018-19 Main Estimates

May 1, 2018
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Good morning Mr. Chair and members of the committee.

Thank you for the opportunity to appear before you to discuss the 2018-19 Main Estimates. With me today is Daniel Nadeau, Deputy Commissioner of our Corporate Management Sector, and Barbara Bucknell, our Director of Policy, Research and Parliamentary Affairs.

In the time allocated, I will discuss:

• Recent changes to our organizational structure, adopted with a view to streamlining our work and moving it towards a more proactive and hopefully impactful approach for privacy protection; and
• Growing resource pressures associated with fulfilling our mandate.

A new structure to be more effective in protecting privacy

As you know, our goal is to ensure that the privacy rights of Canadians are respected. The speed and breadth of technological advances have made achieving this goal increasingly challenging.

In the face of these difficulties, this year my Office has gone through a streamlining and forward looking re-organization exercise.  It has sought to achieve streamlining by clarifying program functions and reporting relationships. It sought to be forward looking by shifting the balance of our activities towards greater pro-active efforts, with the objective of having a broader and positive impact on the privacy rights of a greater number of Canadians, which is not always possible when focusing most of our attention on the investigation of individual complaints.

The approach, contained in our Departmental Results Framework, is explained in detail in our Departmental Plan tabled in parliament two weeks ago.

Very briefly, going forward, our work will fall into one of two program areas – Promotion or Compliance. Activities aimed at bringing departments and organizations towards compliance with the law will fall under the Promotion Program, while those related to addressing existing compliance issues will fall under the Compliance Program.

We know that a successful regulator is not one who uses enforcement as a first or primary strategy to seek compliance. Our first strategy under the Promotion Program is to inform Canadians of their rights and how to exercise them, and organizations on how to comply with their privacy obligations. Guidelines and information will be issued on most key privacy issues, starting with how to achieve meaningful consent in today’s complex digital environment.

We also want to work with government and industry proactively in an advisory capacity – to the extent our limited resources allow – to better understand and mitigate any negative privacy impacts from new technologies. By sharing information and advice during the crucial design stage of new products or services, we believe Canadians will be able to enjoy the benefits of innovation without undue risk to their privacy.

Under the Compliance Program, our strategy is to bring enforcement actions to ensure violations of the law are identified and remedies are recommended. To this end, we will continue to investigate complaints filed by Canadians, but we will also shift towards more proactive enforcement. Where we see chronic or sector-specific privacy issues that aren’t being addressed through our complaint system, we will proceed to examine these matters, for instance through more Commissioner-initiated investigations.

Resource pressures

You have previously raised the question of whether we have sufficient funds.

While we have gone to great lengths to find efficiencies and make optimal use of existing resources of approximately $25 million, the growing importance of the digital revolution means we cannot keep pace.

There is also a difficult-to-manage tension between our complaints work and our proactive work. Both are important parts of our mandate and we cannot effectively do both under current funding levels. You recognized this in your PIPEDA review report when you recommended my office have discretion to better manage its caseload.

The truth is, despite restructuring, there are insufficient resources, in particular to provide impactful advisory work. This is why I have asked the government for a measured increase in permanent funding above what is shown in the plan.

This additional funding is necessary if we are to meet planned results highlighted in the Departmental Plan. In particular, it will help us:

• Provide organizations with more policy guidance on emerging issues;
• Improve education for Canadians so they may take control of their privacy;
• Shift more towards new proactive strategies;
• Assist our overwhelmed investigators in more expediently addressing complaints filed by concerned Canadians; and
• Deal with mandatory breach reporting which comes into force in November without any associated funding and, as was the case in other jurisdictions, is expected to significantly increase our workload.

Conclusion

In order for privacy protection to be truly effective and more than a pious wish, Canadians of course need modern laws, but they also need assistance from a regulator with the authority and capacity to empower them with useful information, who can guide industry towards compliance with the law and who can hold industry accountable when it is not compliant.

We are doing what we can with the limited tools that we currently possess, but we are falling behind and need additional resources to provide Canadians with the protection they deserve.

Thank you Mr. Chair and members of the Committee. I now look forward to your questions.