Language selection

Search

Letter to the President of the Treasury Board regarding important privacy issues

November 8th, 2021

The Honourable Mona Fortier, P.C., M.P.
President of the Treasury Board
90 Elgin Street Floor 8
Ottawa, Ontario K1A 0R5
president-presidente@tbs-sct.gc.ca

Dear Minister:

Please accept my congratulations on your re-election and your appointment as President of the Treasury Board. Our offices work on many common issues, and I look forward to a fruitful engagement between your secretariat and my office.

The September 20, 2021 election took place in the context of an unprecedented health crisis, and Canadians have placed their trust in you to decide which direction the post-pandemic economic recovery will take. Given the importance of data in today’s economy, this recovery will need to include a strategy that promotes responsible technological innovation while respecting privacy. As the public service employer and Minister responsible for policy relating to privacy, digital services and open government, you will be directly involved in the development of this strategy and in finding an appropriate balance between government transparency and privacy. I would like to take this opportunity to contribute to your deliberations on these matters by drawing your attention to the most important issues.

I was very encouraged by the thoughtful and comprehensive consultation paper on modernization of the Privacy Act published by the Department of Justice in November 2020, which demonstrates the seriousness of the government’s intent for meaningful reform. As noted in my Office’s submission from last March, I believe the consultation document proposes substantive changes that represent significant strides toward a federal public sector privacy law in step with modern data protection norms. I hope this remains a priority and that we will see a bill tabled soon in Parliament.

Public sector and private sector privacy reforms are linked, as evidenced by the many privacy issues that came up in the Government’s use of digital technology in response to the pandemic. Better regulating public-private partnerships by establishing common or similar principles in both public and private sector privacy laws would enable organizations active in both sectors to operate in a more homogenous regulatory environment.

I share the opinion of a number of representatives of the Canadian technological innovation sector that a reform of federal privacy legislation is necessary in order to stimulate innovation and economic growth in Canada. For example, the Canadian Chamber of Commerce recommends the creation of a digital ecosystem that fosters both data protection and innovation.Footnote 1 The Council of Canadian Innovators is calling for the creation of a more sophisticated digital infrastructure that allows businesses to prosper and that operates in tandem with the government’s digital policy infrastructure.Footnote 2

While there is agreement on the need to rethink the legal framework surrounding the data economy, there is no consensus on how to go about it. Some people fear that robust regulation will hinder innovation. Others, including Jim Balsillie, Chair of the Council of Canadian Innovators, believe that the opposite is true: that such regulation will result in a more dynamic and competitive market. The experience of innovation leaders such as Germany and South Korea demonstrates that legislation that effectively protects consumers’ rights increases their confidence and stimulates the digital economy.

I would also like to point out that in their April 28, 2021, statement, G7 Technology Ministers committed to putting the needs of an open and democratic society at the centre of the technological innovation debate. Following the ministerial meeting, my G7 counterparts and I attended a roundtable on the free flow of data, where we agreed to strengthen our cooperation with respect to the regulation of the key data protection issues in order to build a responsible digital economy. The Ministers’ statement rightly highlights the fact that building a digital ecosystem based on the values of our society is the best way to win public trust and to stimulate a sustainable and inclusive economic recovery.

Addressing privacy as a fundamental human right is the clear solution. Technology and innovation do not, in and of themselves, run counter to privacy; we must simply consider innovation and privacy together, like two sides of the same coin, beginning at the design phase. Of course, the regulation of digital space is not limited to the issue of privacy; I am aware of what will need to be done to address online harms and to enhance competition regulation. Nevertheless, I believe that these reforms would be mutually beneficial and that modernization of privacy laws would have a positive impact on many of these related issues.

The elements of a sound legislative reform are clear. I have shared my recommendations related to the Department of Justice’s consultation on the reform of the Privacy Act and commented in detail on the shortcomings of the former Bill C-11. I believe that it is possible to make substantial amendments to this Bill within its current structure, without having to start over. Please allow me to briefly summarize the five key issues that I have suggested should be addressed by legislative reform.

The first issue concerns the legitimate use of personal information: how do we authorize the use of data to allow for responsible innovation while protecting the rights and values of citizens? User consent must not be the only method for protecting privacy: it is both too lax and too restrictive in that it could be invoked to authorize an objectively unreasonable use of personal information or to unduly limit use that is in the public interest. The solution is to authorize the use of personal information for legitimate commercial interests, but within a legal framework founded on the recognition of rights. In this way, use of personal information that is incompatible with our rights and values would be prohibited. This type of provision would give public and private organizations the flexibility necessary to use personal information for new purposes, unplanned at the time of collection, that exist within a range of knowable purposes, and subject to regulatory oversight. It is well documented that the laissez-faire regulatory approach that characterizes consent-based systems primarily benefits the major multinationals in the data economy, to the detriment of local or emerging businesses. Far from hindering economic growth, judicious regulation of the collection and use of personal information could in fact result in greater competitiveness in this sector and assist the start-up of new Canadian businesses.

The second issue concerns the consideration of privacy as a fundamental human right, required for the exercise of the rights to liberty and equality as well as democratic rights. The Supreme Court of Canada has given privacy legislation quasi-constitutional status, and it is time for this status to be codified in the relevant legislation. The current legislative framework is inadequate: the principles of privacy depend essentially on the adoption of best practices and are not enshrined in law, which prevents them from being enforced as a legal obligation. It is no longer enough for businesses to self-regulate: it is time to adopt a responsible legislative framework. Recent allegations that Facebook failed to follow the advice of its own employees to deprioritize harmful content illustrate why many organizations in the data economy cannot be relied on to adequately self-regulate. What is important is that legislation authorize the use of personal information when it serves the public interest, for legitimate purposes or the common good, but within a framework founded on respect for rights. By providing individuals with the right to recourse, federal privacy legislation would institute a legal framework that is both flexible and predictable, thereby promoting responsible innovation.

The third issue, as previously discussed, concerns the need to have common privacy principles in both our public and privacy sector privacy laws. With these sectors interacting even more frequently, common principles would help to mitigate accountability gaps in situtations where the two sectors interact. My office has recommended that federal privacy laws include principles of necessity and proportionality. The need for coherence between our two federal laws was recognized by the Department of Justice in its recent proposals for modernizing the Privacy Act and will be fundamental to ensuring a comparable level of privacy protection is provided to Canadians regardless of which sector they are dealing with.

The fourth issue that I wish to bring to your attention concerns the interoperability of privacy laws with provincial and international jurisdictions. As I have pointed out for several years in my annual reports to Parliament, Canada has fallen behind on privacy. A comparison table developed by my office shows that federal laws overlook a number of privacy measures adopted by our trading partners (European Union, United Kingdom, New Zealand, Australia, California). Similarly, some provinces are in the process of adopting legislative reforms, including, in some cases, recognizing the right to privacy as a fundamental human right. In the absence of modern federal legislation, the gap between the protections offered between provinces could be a source of confusion for Canadians and lead to additional costs for businesses.

The fifth issue relates to the need for quick and effective recourse. Some organizations take their privacy obligations seriously, but not all. It is important that legislation not benefit the offenders. Penalties must be proportional to the financial gains that businesses can make by disregarding privacy. Otherwise, organizations will not change their practices; minimal penalties would represent a cost of doing business they are willing to accept in order to generate profits. The proportional nature of penalties is also an advantage for smaller enterprises. This enforcement regime must be complemented by a clear obligation for organizations to meet an objective standard of responsibility, defined in the legislation. Given the opacity and complexity of business models based on data, my office should have the legislative authority to proactively inspect the measures put in place by organizations to comply with this standard. This will allow us to move from the current regime of self-regulation to a regime of demonstrable accountability.

In conclusion, I would like to reiterate my commitment to responsible innovation. Privacy and the regulation of the data economy are issues that the biggest Canadian innovators care about, and forthcoming legislative reform must be seen as an opportunity to create a legal regime that supports innovation by both business and government while protecting the rights of Canadians. As I begin the last year of my term as Privacy Commissioner, I hope that I will have the opportunity to discuss these important matters with you. To this end, I would be pleased to meet at your convenience.

Sincerely,

(Original signed by)

Daniel Therrien
Commissioner

Date modified: