Commissioner Therrien makes final appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI)
June 2, 2022
Ottawa, Ontario
Opening Statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Introduction
Good afternoon Chair and members of the committee.
Thank you for the opportunity to appear before you to discuss some of the lessons of the last eight years and some high-level recommendations on how the law should be reformed.
The state of privacy
We are living in the fourth industrial revolution – the digital technology revolution. These technologies are disruptive.
As the pandemic has shown, there can be several benefits to this, for instance in health and education. Or even the environment. Digital technologies can indeed serve the public interest.
We have also learned over the years that the consent model means of protecting privacy has serious limitations. It is neither realistic nor reasonable to ask individuals to consent to all possible uses of their data in today’s complex information economy, for instance in some circumstances where artificial intelligence is used.
In fact, consent can be used to legitimize uses that, objectively, are completely unreasonable and contrary to our rights and values. And refusal to provide consent can sometimes be a disservice to the public interest.
During my term, however, we have also seen through investigations that these technologies can present not just potential risks to privacy, but also cause real harms.
For example, our Clearview AI investigation showed that the company used facial recognition technology in a way that amounted to mass surveillance. And our investigation into the RCMP’s use of the Clearview technology demonstrated the growing risks posed by public-private partnerships and the absence of a legal framework governing the use of such sensitive biometric data.
The Cambridge Analytica scandal, studied notably by a Grand Committee composed of previous members of ETHI and legislators from other countries, showed that privacy violations could lead to violations of democratic rights.
Finally, our investigation into Statistics Canada revealed that a government institution believed evidence-based policymaking could justify the collection of line-by-line financial records of citizens, another form of surveillance.
While disruptive technologies have undeniable benefits, they must not be permitted to disrupt the duty of a democratic government to maintain its capacity to protect the fundamental rights and values of its citizens.
What we need, then, is real regulation of digital technologies, not self-regulation.
The previous Bill C-11 would have allowed more self-regulation by giving business almost complete freedom to set the rules by which they interact with their customers, and by allowing them to set the terms of their accountability. If we draw on the lessons of the last few years, we will adopt private-sector privacy laws that allow for innovation, sometimes without consent, for legitimate commercial interests and socially beneficial ends, within a framework that protects our values and fundamental rights.
In the public sector, we also need laws that limit the state’s ability to gather information about its citizens beyond that which is necessary and proportional to achieve its objectives.
Overall, we need federal laws in the public and private sectors that are rights-based, that have similar and ideally common principles for both sectors, which are based on necessity and proportionality, which are interoperable at both the national and international levels, and which give the regulator the power to audit and enforce that it needs to ensure compliance.
I will speak more about interoperability at the end of my statement.
Adopting adequate privacy legislation is not sufficient in itself. The regulator must also have adequate enforcement powers, be properly funded and be given regulatory discretion to manage its workload to ensure it can protect the greatest number of individuals effectively within limited resources.
In July, the Privacy Act Extension Order will come into force, giving foreign nationals abroad the same right as Canadians to request access to personal information about themselves that is under the control of federal government institutions.
Government institutions, notably IRCC, project receiving a significant increase in personal information requests, which will trickle down into complaints. Based on government estimates, the OPC is likely to receive a corresponding increase in complaint volumes, almost all of which will be time limit and access complaints.
The OPC has communicated its funding needs to the government. To date, no new funding has been provided. This is a critical issue for the OPC as it requires additional funds to perform these newly mandated duties.
As for the broader financial impact of law reform, we believe, based on the experience of other data protection authorities, that our budget would need to double, approximately, if the promised new law for the private sector were similar to the former Bill C-11.
We also anticipate the expansion of advisory functions, and the obligation to reviews industry codes of practice.
We welcome these new responsibilities, as they would promote compliance with the law when programs are at the design stage. Nonetheless, we are concerned that the non‑discretionary nature of these activities and of our investigative work would deprive us of the ability to risk-manage our caseload and give greater priority to matters of higher risk.
We therefore urge you, when a bill will eventually be presented to Parliament, to give my office greater discretion to manage our caseload, by selecting its advisory and investigative files, to ensure we can protect the greatest number of Canadians effectively within our limited resources.
Not only would this allow us to operate more efficiently, we have estimated it would result in a cost savings of nearly $12 million.
As for enforcement powers, I have consistently called for quick and effective remedies, including the power to issue orders and to impose significant monetary penalties, proportional to the financial gains that businesses can make by disregarding privacy. Yet further evidence of the need for these powers was provided yesterday with the results of our investigation into Tim Hortons.
Like many other data protection authorities in Canada and abroad, the OPC should also be empowered to conduct proactive audits to verify compliance with the law. The need for this was demonstrated in spades in the recent story about the Public Health Agency’s use of mobility data obtained in modified form from private sector organizations.
In a world where innovation requires trust, an important factor of trust in the population would be the assurance that an independent expert has their back, will verify and ensure compliance with the law, and will take appropriate action to stop or correct non-compliant behaviour.
Future laws and interoperability
I would like to leave you with a few final thoughts on the future of privacy laws federally and their interoperability with the laws of other jurisdictions, domestically and internationally.
Domestically, we see that Canada’s three most populous provinces have made recent proposals towards responsible innovation within a legal framework that recognizes privacy as a fundamental right. Quebec adopted such a law in 2021. All of these provinces confer order-making powers on data protection authorities and propose to give them the authority to impose monetary penalties directly, without going through an administrative appeal, but subject to judicial review. We ask to have similar powers, in part so that all Canadians have access to quick and effective remedies if their privacy rights are violated, and in part to ensure that the OPC remains an influential and often unifying voice in the development of privacy law in Canada.
Globally, it is also essential that Canada’s laws be interoperable and not too different from international norms. Some industry stakeholders say that a made in Canada approach has been good for the country and that a rights-based approach would hurt innovation.
First, the idea that rights-based law would impede innovation is a myth. It is simply without foundation. In fact, the reverse is true. There can be no innovation without trust, and there is no trust without the protection of rights.
A made in Canada approach that would be too different from what is becoming the international gold standard would not be in the interest of Canadian business. To the contrary, interoperable laws are in Canada’s interest. Such laws reassure citizens that their data is subject to similar protections when they leave our borders. They also mean that Canadian businesses can operate abroad and use the personal information of non-Canadians in a way these clients can trust.
In closing, my message to this committee is this: continue the work that you and your predecessors have been doing on these important files. As legislators, you have the power to bring meaningful change to our privacy regime and your reports to date point in the right direction.
Remember also that our laws should protect the right to privacy in its true sense: freedom from unjustified surveillance. Thus, legislation should recognize and protect the freedom to live and develop independently, free from the watchful eye of the state or surveillance capitalism.
In other words, the law should protect our values and rights, hard-won over centuries, and should not be set aside in order to benefit from digital technologies.
It has been an honour working with all of you. Thank you for the extra time today. I am happy to answer any questions you might have.
- Date modified: