Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the 2021-22 Main Estimates

May 10, 2021
Ottawa, Ontario

Opening statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Good morning chair and members of the committee.

Thank you for the opportunity to appear before you to discuss the 2021-22 Main Estimates. With me today are Deputy Commissioner, Compliance, Brent Homan; Deputy Commissioner, Policy and Promotion, Gregory Smolynec; and Deputy Commissioner, Corporate Management, Daniel Nadeau.

As was the case for many organizations, last year was one of transition as we quickly shifted to adapting our processes to continue serving Canadians during the pandemic. It was also a year of transition on the budgetary and legislative fronts.

Increased funding

Our office received a permanent increase of 15% in the 2019 federal budget to address the most urgent needs of the OPC pending legislative reform. This allowed our Office to expand our policy and guidance functions, to enhance our advisory services for organizations and to address pressures resulting from new mandatory breach reporting requirements in the private sector.

We also received temporary funding to help us reduce a very large part of our investigative backlog of complaints older than a year. We met and even surpassed our target and reduced the overall backlog of complaints by 91%.

Over the past year, we completed an extensive update on our guidance to federal institutions on privacy impact assessments. We released guidance on protecting privacy during a pandemic, as well as a contextual framework for government institutions to protect privacy in the context of COVID-19 initiatives. Consistent with this framework, we reviewed and advised the government on the COVID Alert app. Following a public consultation, we released key recommendations for regulating artificial intelligence.

We have also drafted a number of highly relevant guidance documents, including on the Internet of Things, on biometrics and on facial recognition. We relaunched our Privacy Guide for Businesses. We completed our first breach records inspections report.

In addition to guidance, we analyzed and provided recommendations for legislative initiatives. This included a submission on the statutory review of the Access to Information Act, another submission on the modernization of the public sector Privacy Act and finally, we analyzed and drafted our response to Bill C-11, the federal government’s proposed new private-sector privacy legislation.

While the injection of funds helped us to reduce our backlog and to increase our capacity, there is still a very significant gap. Given the marked acceleration of digitization caused by the pandemic, we continue to struggle meeting the demand in guidance, advisory work and to assist our investigators to address complaints filed by concerned Canadians.

In the government’s Fall economic update, funds were allocated to support the implementation and enforcement of Bill C-11. This is of course welcome. However, now that we know the extent of our new responsibilities under this legislation, we believe additional funding will be required.

The role of the OPC under reformed laws

Bill C-11 imposes several new responsibilities on the OPC, including the obligation to review codes of practice and certification programs, and give advice to individual organizations on their privacy management programs. It should be noted that these are non-discretionary activities, meaning that every time an entity or organization will seek our advice or approval, we will be required to provide our considered opinion.

We welcome the opportunity to work with businesses. In recent years, I have restructured my office towards a greater proactive approach to guide and engage with organizations toward compliance with their privacy obligations. We created the Business Advisory Directorate and the Government Advisory Directorate to engage proactively with private and public sector organizations, on a voluntary basis, on privacy risks of a high impact nature. This has only increased during the pandemic, as businesses and government adapt to our new reality and the challenges it brings.

One of the OPC’s roles is to investigate complaints alleging violations of the Act. However, it is not our only role and, in order to be an effective regulator, we must be able to be strategic in our enforcement and advisory activities, applying a risk-based approach.

As we explain more fully in the submission we have prepared on Bill C-11, we are concerned that with the non-discretionary nature of our responsibilities under that bill, we will not be able to both serve complainants and organizations and focus on harms to Canadians in general. The issue here is not primarily financial, although in our view additional resources will be required. The OPC should have the legal discretion to manage our caseload, respond to the requests of organizations and complaints of consumers in the most effective and efficient way possible, and reserve a portion of our time for activities we initiate, based on our assessment of risks for Canadians. Such discretion is enjoyed broadly by domestic and international regulatory partners both within and outside the privacy protection sphere. One needs only look to resource intensive investigations into breaches and risks such as Desjardins, Clearview Facial Recognition, and Facebook Cambridge Analytica—that is being pursued now before the Federal Court—to appreciate how our finite resources can be quickly encumbered.

Another option could be ensuring the OPC’s role of approving codes of practice and certification programs be conditional on the payment of a cost recovery fee to ensure we have the capacity for this task, as well as for our other priorities.

No regulator has enough resources to handle all the requests it receives from citizens and regulated entities. It is important my office have the flexibility to allocate our resources in ways that will offer the most benefits for Canadians and adjust our activities to address these new and emerging trends.

In addition to these changes brought by C-11, proposals made by the Department of Justice in its recent consultation on modernizing the Privacy Act would also see significant changes to our role in the public sector, of which we are largely supportive. This includes a new public education mandate, the power to issue guidance to Government institutions, a role in issuing advance opinions, overseeing pilot projects, and greater discretion to publish compliance outcomes, among others. Justice’s proposals also include an enhanced compliance role for our Office, such as expanded proactive audit powers and a form of order-making.

We have already begun to plan for these eventualities.

Closing

As we look to the future, it will be important that modern privacy laws are capable of addressing risks to privacy posed by new technologies, while also providing for an effective regulator. This would include providing adequate financial and legislative resources to my office to protect Canadians’ privacy rights.

I look forward to working with Parliament on improving the legislative proposals to ensure our modern privacy laws adequately recognize and protect the privacy rights of Canadians, while promoting responsible innovation.

Thank you. I welcome your questions.