Language selection

Search

A Data Privacy Day Conversation with Canada’s Privacy Commissioner

Remarks at the University of Ottawa’s Centre for Law, Technology and Society

January 28, 2020

Ottawa, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you for that introduction and thank you to the Centre for Law, Technology and Society for organizing this event. It’s a privilege to be here to mark Data Privacy Day with all of you.

As Professor Martin-Bariteau mentioned, I am no stranger to this campus.

I have memories, and this will date myself, of Dean Gérald Beaudoin's laughter and an encounter with one of my sports heroes, Ken Dryden.

A rights-based privacy law

But this is 2020, not 1980.

As students examining how technology affects society, you know that, for good and for bad, data-driven technologies are a disruptive force. While they bring great benefits for individuals and open the door to innovation, economic growth, important advances in health care and protection of the environment, they have too often been shown to be harmful to rights.

We see these violations of rights every day. Everyday there are stories in the media about data breaches, misuse of biometrics, surveillance through geolocation, personal assistants, discrimination in AI systems, online hate, misinformation in the democratic process. It is trite to say but law, to say the least, has not kept up with technology.

These are not just media stories. At my Office, we receive thousands of complaints every year from people who believe their privacy rights were violated. And on average, 80% of them are right. By this I mean that, upon investigation, we find 80% of complaints to be well-founded.

In that context, a key question is: What is the role of law, and democratically elected government, if not to protect citizens in the face of harmful conduct?

Of course it is, but for a long time, people said: what harm? Technology is so cool, it gives us access to so many things, who cares if I give up a little bit of privacy? In any case, I have nothing to hide. What harm could possibly happen to me?

Well, we now know: privacy violations lead to loss of freedom, democracy, equality and even physical security.

My predecessors and I have for a long time called for reform of privacy laws. This was ignored for an equally long time, I think because privacy is such an abstract concept. Now it has become real. And government has promised to act.

The question is no longer whether privacy laws should be modernized, but how.

Because data-driven technologies have been shown to be harmful to privacy and other rights, I think the starting point to law reform should be to give privacy laws a right-based foundation.

A central purpose of the law should be to protect privacy as a human right in and of itself, and as an essential element to the realization and protection of other human rights.

Currently, Canada’s federal privacy laws are narrowly framed as data protection statutes.

As such, PIPEDA and the Privacy Act codify a set of rules for how organizations and federal government institutions are required to handle an individual’s personal information.

Privacy is much broader than data protection – although data protection seeks to participate in the protection of privacy.

Neither of the statutes I cited formally recognizes privacy as a right in and of itself.

International context

The right to privacy is an internationally recognized right. Both the Universal Declaration of Human Rights and ICCPR (the International Covenant on Civil and Political Rights) provide that all persons have the right to be free from “arbitrary interference” with their “privacy, family, home or correspondence” and further the right to the protection of the law against such interference.

Canada is a signatory to both the UNDHR and the ICCPR and therefore has obligations under international law to protect privacy.

While freedom from interference with privacy has traditionally been used to refer to protection from state interference (say in a law enforcement or national security context), the UN Human Rights Committee has adopted a broader interpretation.

It has said that the ICCPR requires states to protect individuals from interference with their privacy not just by the state but also by other persons - legal and natural. Therefore, it can be applied to interference by private entities. Surveillance capitalism of course comes to mind.

Privacy goes well beyond privacy policies. Too often, privacy is seen through the lens of website terms and conditions leading to a less than meaningful form of consent. This narrow view puts people at a distinct disadvantage when faced with organizations with immeasurably more knowledge and power. Indeed, technical rules in place to protect personal data, such as consent, access and transparency, are important mechanisms for the protection of privacy, but they do not define the right itself.

Privacy is nothing less than a prerequisite for freedom: the freedom to live and develop independently as a person, away from the watchful eye of a surveillance state or commercial enterprises, while still participating voluntarily and actively in the regular, day-to-day activities of a modern society such as socializing, reading the news, getting information about health issues or simply buying stuff.

It is that right, not the right to consent or not based on 30-page unintelligible privacy policies, that the law needs to protect.

Using data protection laws to protect privacy

As I noted earlier, the Privacy Act and PIPEDA are data protection laws. If these laws are to meaningfully protect the broader right to privacy, this goal needs to be reflected more explicitly in the formulation of our data protection statutes.

To that end, my latest annual report, tabled in December, suggests the adoption of model preambles and purpose statements, one for each Act, as a means to entrench privacy in its proper human rights framework.

These texts offer a means to bridge the gap between data protection and privacy.

They would serve to provide guidance as to the values, principles and objectives that should shape how the data protection principles in both federal Acts are interpreted and applied.

For instance, consent that might otherwise be considered meaningful and valid under the relevant PIPEDA principle could be found invalid under our proposed purpose clause which provides that the processing of data must respect the fundamental right to equality.

Conversely, a medical research use based on consent whose validity may be questionable as potentially not sufficiently informed could be made lawful under the purpose clause providing that privacy rights must be balanced with what the public interest requires, and the preambular clause which says that responsible processing of data can serve public interests such as health care.

Here I would like to pause and offer my thanks to Professor Teresa Scassa for her work with my office on law reform, and on a rights-based approach to privacy in particular. She was a very important contributor to the development of our position.

Ensuring the law remains relevant despite technological changes

Now the main benefit of a rights-based privacy law is of course to protect privacy in all its breadth and scope, as a fundamental human right and as prior condition to exercise of other fundamental rights.

But I also said at the outset that laws have difficulty keeping up with technology. The pace of technological developments is exponential and it is simply not possible for the law to be amended at the same speed.

This is an argument advanced by industry and government for a principles-based privacy legislation, but it also lends support for a law that defines privacy in its broadest and true sense.

Technical protections, such as defining what information is required for meaningful consent, are often ineffective as they are regularly overtaken by developments in technology. However, the values that underpin the right to privacy are unlikely to change significantly over time.

Defining privacy in its full sense, in accordance with its underlying values, would ensure it continues to be protected, regardless of technological changes.

Now, I’m not saying that this would mean the law would become relevant forever, but the point is that if the law is drafted with a view to protect fundamental values and principles, it is likely to be more effective and more relevant for a longer period. There will, of course, need to be amendments from time to time based on the evolution of technology, social norms, and legal norms.

Innovation

With the prospect of a new law around the corner, we are hearing some voices in the business community raising concerns about the impact on innovation.

A rights-based law is not an impediment to innovation. To the contrary, good privacy laws are key to promoting trust in both government and commercial activities.

You may have read in the news from Davos that Microsoft CEO Satya Nadella was quoted saying something along the lines of: If there is one thing that would be an impediment to innovation and economic growth in the fourth industrial revolution, where data is the principal factor of production, it would be not to deal with the problem of trust that consumers and citizens have in the way in which their data is protected.

We agree. Innovation is not viable without trust; a strong and competitive economy is not sustainable without trust; and trust requires the effective protection of rights.

Our goal is to see the adoption of democratic conditions for responsible innovation that serves the public good.

We took care to ensure that the language of our proposed PIPEDA preamble and purpose clauses acknowledged the legitimate interest of organizations to collect, use and disclose personal information for appropriate purposes. This would assist in giving the proper weight to rights on the one hand and legitimate business interests on the other.

Our proposals also include exceptions to consent which would facilitate use of innovative technologies where consent is not possible, for instance in some situations involving AI.

Actually, today my Office is making public a consultation document on how the law should be framed to govern artificial intelligence.

We note that AI systems present a significant challenge to all PIPEDA principles, notably data minimization, purpose specification and openness, and that AI has been linked to discriminatory uses.

We make several proposals for a new law, in line with our rights-based approach, and seek comments from experts in the field as to whether these proposals are practical and would result in the responsible development and implementation of AI systems.

We think it is time that the governance of AI moves from ethical considerations to enforceable rules of law.

Division of powers

A brief word on an argument we sometimes hear in relation to our rights-based approach, namely that it may fall outside the authority of the Parliament of Canada as encroaching on the jurisdiction of provincial legislatures over property and civil rights.

We respectfully disagree with that view. In our opinion, jurisdiction over property and civil rights essentially extends to the provinces' jurisdiction over private law. Civil rights in the sense of s.92(13) of the Constitution Act, 1867 must be distinguished from civil liberties of the kind protected by the Canadian Charter of Rights and Freedoms. Professor Hogg has expressed such a view in his writings, although not explicitly in relation to privacy. We think privacy is a civil liberty, not a civil right in the private law sense.

Privacy is also one of those crosscutting values that does not fall within the exclusive jurisdiction of any single level of government. That much is clear. We see laws that protect privacy both provincially and federally. As a result, the constitutionality of any privacy statute will depend upon the underlying area or subject matter that is regulated. In the case of PIPEDA, the subject matter is commercial activities – it is concerned with trade as a whole, rather than a particular industry – and Parliament has jurisdiction over this under the trade and commerce head of s.91.

Conclusion

Canada used to be a leader in privacy protection. Today, the world is passing us by.

In its early years, the Internet was seen and promoted as an instrument for freedom. Now we see more clearly that it brings very important benefits, but also very grave risks to our values.

It is time to put values and rights at the heart of our privacy laws.

Thank you. I would welcome your comments and your questions.

Date modified: