News release

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Privacy Commissioner denounces slow progress on fixing outdated privacy laws

Numerous crises show new tools are required to protect Canadians

NOTE: News conference with the Commissioner will be held in Ottawa at 1:30 p.m. ET today. Details follow below.

OTTAWA, September 27, 2018 – Commissioner Daniel Therrien warns privacy concerns are reaching crisis levels and is calling on the federal government to take immediate action by giving his office new powers to more effectively hold organizations to account.

“Unfortunately, progress from government has been slow to non-existent,” says Commissioner Therrien, whose annual report to Parliament was tabled Thursday. “Not only are the privacy rights of Canadians at stake, so too is our democracy and other fundamental values.”

Numerous privacy crises over the last year, including the Equifax breach and Facebook Cambridge Analytica matter, have captured global attention and thrust a much-needed spotlight on privacy issues.

While these incidents ought to be a ‘wake-up’ call to government, its response was to launch a national digital and data consultation to ensure trust in the digital economy is maintained. It also failed to address the lack of privacy laws governing political parties.

“There’s no need to further debate whether to give my office new powers to make orders, issue fines and conduct inspections to ensure businesses respect the law,” Commissioner Therrien says.

“It’s not enough for the government to ask companies to do more to live up to their responsibilities. To increase trust in the digital economy, we must ensure Canadians can count on an independent regulator with the necessary tools to verify compliance with privacy law.”

Noting that Parliamentarians have repeatedly supported both private and public sector reform in committee, he says Canadians simply cannot wait years for known deficiencies in privacy laws to be fixed.

The Facebook/Cambridge Analytica matter underscores how easily democracy can be undermined. Meanwhile, the reputational harm and discrimination that can occur when organizations make inferences about individuals based on information that may be inaccurate or taken out of context can have far reaching repercussions on one’s well-being and employability.

Government inaction has other consequences, he says. New guidelines for obtaining meaningful consent and guidance on inappropriate practices for organizations issued by his office last spring were met with a warning from some industry groups. They said they may not follow the advice as they found it too prescriptive and potentially outside the Commissioner’s legal authority.

“If my Office had order making powers, our guidelines would be more than advice that companies can choose to ignore,” Commissioner Therrien says. “They would become real standards that ensure real protection for Canadians.”

The 2017-18 annual report outlines the work of the Office of the Privacy Commissioner of Canada (OPC) as it relates to both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law and the Privacy Act, which applies to the federal public sector. 

It covers important initiatives over the last year, including key investigations, work on reputation and privacy, new consent guidance as well as work on national security and Bill C-59.

In his report, Commissioner Therrien also reiterated calls for the government to increase his office’s resources.

“My office needs a substantial budget increase to keep up our knowledge of the technological environment and improve our capacity to inform Canadians of their rights and guide organizations on how to comply with their obligations,” he says. “Additional resources are also needed meet our obligations under the new breach reporting regulations that come into force in November.”

Under the regulations, companies will be required to report all privacy breaches presenting a real risk of significant harm. While imperfect, Commissioner Therrien calls the regulations “a step in the right direction.”

“The significance of that step, however, is greatly reduced by the government's failure to give us any resources to analyze the reports we will receive, provide advice on how to mitigate risks and verify compliance with the regulations,” he says. “As a result, our work will be somewhat superficial,” he says.

As breach notification regulations come into force on the private sector side, serious concerns have also emerged about the federal government’s ability to prevent, detect and manage privacy breaches within its own institutions.

An OPC review of privacy breach reporting by federal government institutions found thousands of breaches occur annually, and while some go unreported, others likely go entirely unnoticed at many institutions. Information technology safeguards for new systems are not always sufficient and front-line workers in particular don’t fully grasp what constitutes personal information or their obligations under the Privacy Act.

The OPC shared its insights with the Treasury Board Secretariat (TBS), which is responsible for issuing direction and guidance to government institutions with respect to the administration of the Privacy Act, its regulations and related policies. TBS has committed to review its privacy policies, tools and training for employees and take steps to raise awareness.

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as a guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

Related content

• 2017-18 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act
• Commissioner's statement

- 30 -

News conference details:

Privacy Commissioner Daniel Therrien will hold a news conference to discuss the annual report.

Thursday, September 27, 2018, 1:30 p.m. ET

National Press Theatre, 150 Wellington Street, Ottawa

Journalists in Ottawa who wish to attend the news conference in person and who are not members of the Canadian Parliamentary Press Gallery will require accreditation from the gallery in advance. For more information, contact Pierre Cuguen at pierre.cuguen@parl.gc.ca.

Journalists outside of Ottawa may email communications@priv.gc.ca for information on how to join the news conference by telephone.

For more information:

Tobi.Cohen@priv.gc.ca 819-994-5689

 

NOTE: To help us respond more quickly, journalists are asked to please send requests for interviews or further information via e-mail.