Letter to the Leader of the Conservative Party of Canada regarding important privacy issues
October 18, 2021
The Honourable Erin O’Toole, P.C., M.P.
Leader of the Opposition
Leader of the Conservative Party of Canada
House of Commons
Ottawa, Ontario K1A 0A6
erin.otoole@parl.gc.ca
Dear Mr. O’Toole:
Please accept my congratulations on your re-election. I was pleased to read in your party’s platform that you consider digital data privacy as a fundamental human right and that you would support legislative reforms to strenghten privacy protections.
The September 20, 2021, election took place in the context of an unprecedented health crisis, and Canadians rely on their elected officials to decide which direction the post-pandemic economic recovery will take. Given the importance of data in today’s economy, this recovery will need to include a strategy that promotes responsible technological innovation while respecting privacy. I would like to take this opportunity to contribute to your deliberations on this matter by drawing your attention to the most important issues.
I share the opinion of a number of representatives of the Canadian technological innovation sector that a reform of federal privacy legislation is necessary in order to stimulate innovation and economic growth in Canada. For example, the Canadian Chamber of Commerce recommends the creation of a digital ecosystem that fosters both data protection and innovation.Footnote 1 The Council of Canadian Innovators is calling for the creation of a more sophisticated digital infrastructure that allows businesses to prosper and that operates in tandem with the government’s digital policy infrastructure.Footnote 2
While there is agreement on the need to rethink the legal framework surrounding the data economy, there is no consensus on how to go about it. Some people fear that robust regulation will hinder innovation. Others, including Jim Balsillie, Chair of the Council of Canadian Innovators, believe that the opposite is true: that such regulation will result in a more dynamic and competitive market. The experience of innovation leaders such as Germany and South Korea demonstrates that legislation that effectively protects consumers’ rights increases their confidence and stimulates the digital economy.
I would also like to point out that in their April 28, 2021 statement, G7 Technology Ministers committed to putting the needs of an open and democratic society at the centre of the technological innovation debate. Following the ministerial meeting, my G7 counterparts and I attended a roundtable on the free flow of data, where we agreed to strengthen our cooperation with respect to the regulation of key data protection issues in order to build a responsible digital economy. The Ministers’ statement rightly highlights the fact that building a digital ecosystem based on the values of our society is the best way to win public trust and to stimulate a sustainable and inclusive economic recovery.
Addressing privacy as a fundamental human right is the clear solution. Technology and innovation do not, in and of themselves, run counter to privacy; we must simply consider innovation and privacy together, like two sides of the same coin, beginning at the design phase. Of course, the regulation of digital space is not limited to the issue of privacy; I am aware of what will need to be done to address online harms and to enhance competition regulation. Nevertheless, I believe that these reforms would be mutually beneficial and that modernization of privacy laws would have a positive impact on many of these related issues.
The elements of a sound legislative reform are clear. I have shared my recommendations related to the Department of Justice’s consultation on the reform of the Privacy Act and commented in detail on the shortcomings of the former Bill C-11. I believe that it is possible to make substantial amendments to this bill within its current structure, without having to start over. Please allow me to briefly summarize the five key issues that I have suggested should be addressed by legislative reform.
The first issue concerns the legitimate use of personal information: how do we authorize the use of data to allow for responsible innovation while protecting the rights and values of citizens? User consent must not be the only method for protecting privacy: it is both too lax and too restrictive in that it could be invoked to authorize an objectively unreasonable use of personal information or to unduly limit use that is in the public interest. The solution is to authorize the use of personal information for legitimate commercial interests, but within a legal framework founded on the recognition of rights. In this way, use of personal information that is incompatible with our rights and values would be prohibited. This type of provision would give public and private organizations the flexibility necessary to use personal information for new purposes, unplanned at the time of collection, that exist within a range of knowable purposes, and subject to regulatory oversight. It is well documented that the laissez-faire regulatory approach that characterizes consent-based systems primarily benefits the major multinationals in the data economy, to the detriment of local or emerging businesses. Far from hindering economic growth, judicious regulation of the collection and use of personal information could in fact result in greater competitiveness in this sector and assist the start-up of new Canadian businesses.
The second issue concerns the consideration of privacy as a fundamental human right, required for the exercise of the rights to liberty and equality as well as democratic rights. The Supreme Court of Canada has given privacy legislation quasi-constitutional status, and it is time for this status to be codified in the relevant legislation. The current legislative framework is inadequate: the principles of privacy depend essentially on the adoption of best practices and are not enshrined in law, which prevents them from being enforced as a legal obligation. It is no longer enough for businesses to self-regulate: it is time to adopt a responsible legislative framework. What is important is that legislation authorize the use of personal information when it serves the public interest, for legitimate purposes or the common good, but within a framework founded on respect for rights. By providing individuals with the right to recourse, federal privacy legislation would institute a legal framework that is both flexible and predictable, thereby promoting responsible innovation.
The third issue concerns better regulating public-private partnerships by establishing common or similar principles in both public and private sector privacy laws. With these two sectors interacting ever more frequently, common privacy principles would enable organizations active in both sectors to operate in a more homogenous regulatory environment. It would also mitigate accountability gaps in situations where the two sectors interact. My office has recommended that federal privacy laws include principles of necessity and proportionality.
The fourth issue that I wish to bring to your attention concerns the interoperability of privacy laws with provincial and international jurisdictions. As I have pointed out for several years in my annual reports to Parliament, Canada has fallen behind on privacy. A comparison table developed by my office shows that federal laws overlook a number of privacy measures adopted by our trading partners (European Union, United Kingdom, New Zealand, Australia, California). Similarly, some provinces are in the process of adopting legislative reforms, including, in some cases, recognizing the right to privacy as a fundamental human right. In the absence of modern federal legislation, too great a discrepancy in protections offered between provinces could be a source of confusion for Canadians and lead to additional costs for businesses.
The fifth issue relates to the need for quick and effective recourse. Some organizations take their privacy obligations seriously, but not all. It is important that legislation not benefit the offenders. Penalties must be proportional to the financial gains that businesses can make by disregarding privacy. Otherwise, organizations will not change their practices; minimal penalties would represent a cost of doing business they are willing to accept in order to generate profits. The proportional nature of penalties is also an advantage for smaller enterprises. This enforcement regime must be complemented by a clear obligation for organizations to meet an objective standard of responsibility, defined in the legislation. Given the opacity and complexity of business models based on data, my office should have the legislative authority to proactively inspect the measures put in place by organizations to comply with this standard. This will allow us to move from the current regime of self-regulation to a regime of demonstrable accountability.
In conclusion, I would like to reiterate my commitment to responsible innovation. Privacy and the regulation of the data economy are issues that the biggest Canadian innovators care about, and forthcoming legislative reform must be seen as an opportunity to create a legal regime that supports domestic businesses while protecting the rights of Canadians. As I begin the last year of my term as Privacy Commissioner, I hope that I will have the opportunity to discuss these important matters with you and your caucus. To this end, I would be pleased to meet at your convenience.
Sincerely,
(Original signed by)
Daniel Therrien
Commissioner
- Date modified: