Modernizing federal privacy laws to better protect Canadians
Remarks at a federal Access to Information and Privacy community meeting
March 9, 2020
Ottawa, Ontario
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Introduction
As you know, we are living in an era of great technological advancement. Technology means data, and the most telling data—not to mention the most valuable data—are often personal data.
This new reality triggers an increased workload for you. Not only do you have to deal with complex PIAs, but many of you are also dealing with an increase in access requests. All of this is against a backdrop of limited resources.
I want to acknowledge that you are facing a difficult situation. But this is also an exciting time. Technology challenges our understanding of the world and forces us to question our fundamental values.
For good and for bad, data-driven technologies are a disruptive force. While they bring great benefits for individuals and open the door to innovation, economic growth and improvements to government services, they have too often been shown to compromise fundamental rights and freedoms.
We see evidence of these violations every day, reading about them in media stories about data breaches, misuse of biometrics, surveillance through geolocation, discrimination caused by bias in AI systems, and online spread of misinformation interfering in the democratic process. The law, to say the least, has not kept up with technology.
Today I would like to share some thoughts on new challenges to privacy.
I will start with an overview of how modernized federal privacy laws could go a long way in better protecting Canadians in this context.
Then, I will provide an overview of my office’s recently concluded investigation into Statistics Canada. That case serves to illustrate the need to consider fundamental privacy principles at the development stage of new initiatives, and also to demonstrate why some current policy requirements deserve to be elevated to legal requirements.
Finally, I will say a few words about our recently redesigned PIA expectations guide, which we launched last week. I was pleased to hear it is generating a positive response in the community, and that it is generally seen as a practical tool.
Human rights framework
Privacy has shifted from being an abstract concept to a very real concern. In the wake of the Facebook / Cambridge Analytica scandal and a string of massive data breaches in the financial sector, we see that privacy issues can have concrete repercussions on our lives.
Privacy violations can lead to loss of freedom, democracy, equality and even physical security.
It has been clear for a very long time that privacy laws need to be modernized. The only question now is: How should they be modernized?
Given that data-driven technologies have been shown to be harmful to privacy and other rights, the starting point to law reform should be to give privacy laws a right-based foundation.
Privacy has long been recognized as a fundamental right – most recently in the United Nations Secretary General’s blueprint for human rights.
A central purpose of privacy laws should be to protect privacy as a human right in and of itself, and as an essential element to the realization and protection of other human rights.
Currently, Canada’s federal privacy laws are narrowly framed as data protection statutes. As such, the Personal Information Protection and Electronic Documents Act (or PIPEDA) and the Privacy Act codify a set of rules for how organizations and federal government institutions are required to handle an individual’s personal information.
Privacy is much broader than data protection – although data protection seeks to participate in the protection of privacy.
Neither of the two federal statutes formally recognizes privacy as a right in and of itself.
If these laws are to meaningfully protect the broader right to privacy, this objective needs to be reflected more explicitly.
To that end, my latest annual report suggested the adoption of model preambles and purpose statements, one for each Act, as a means to entrench privacy in its proper human rights framework.
Such provisions could bridge the gap between data protection and privacy.
They would serve to provide guidance as to the values, principles and objectives that should shape how the data protection principles included in both federal Acts are interpreted and applied.
The main benefit of a rights-based privacy law is of course to protect privacy in its full breadth and scope, as a fundamental human right and as prior condition to exercise of other fundamental rights.
It is also important to note that the pace of technological developments is exponential — it is simply not possible for the law to be amended at the same speed.
The momentum of innovation in the digital age is an argument advanced by industry and government for a principles-based privacy legislation, but it also lends support for a law that defines privacy in its broadest and truest sense.
Technical protections, such as defining what information is required for meaningful consent, are often ineffective as they are regularly overtaken by developments in technology. However, the values that underpin the right to privacy are unlikely to change significantly over time.
Defining privacy in its full sense, in accordance with its underlying values, would ensure it continues to be protected, regardless of technological changes.
I am not suggesting a rights-based law would ensure it remains relevant forever. My point is that if the law is drafted with a view to protect fundamental values and principles, it is likely to be more effective and more relevant for a longer period. There will, of course, need to be amendments from time to time based on the evolution of technology, social norms, and legal norms.
Privacy challenges and solutions
To put this in perspective, I will turn now to an issue examined by my office where government’s use of more data and more processing power puts Canadians’ rights at risk, and where the legal framework appears ill-suited to meeting the challenge.
Our investigation into Statistics Canada’s collection of individuals’ financial information as part of new statistical projects serves as concrete examples of some current challenges to privacy. As well, it highlights what my office is doing under the current framework to protect Canadians, and how stronger privacy laws could provide more meaningful protection for individuals.
I also chose this example because it highlights how my office can work with federal institutions to achieve positive outcomes for Canadians.
Statcan investigation
The Statcan story began in the late fall of 2018, when media reports stated that the organization was proposing to collect detailed information about Canadians from banks and credit reporting agencies, and that, in some cases, the collection had already begun. All of this had occurred without individuals’ prior knowledge or consent.
Not surprisingly, this prompted a strong reaction. We received more than 100 complaints related to the collection of individuals’ credit history, and about the proposed collection of individuals’ financial transaction and account balance information.
The two initiatives at issue were:
- first, the Credit Information Project, under which Statcan had collected credit data from 24 million Canadians, going back to 2002, from a credit reporting agency; and
- second, the Financial Transactions Project, under which Statcan was planning to collect financial transaction information and account balance information from financial institutions. The project proposed to collect the date, value and line-by-line descriptions of all transactions for each individual in their personal accounts.
Canadians told us they were deeply troubled by these initiatives. Their concern was justified given the scale of the proposed collection. The personal information at issue had the potential to paint an incredibly detailed portrait of an individual’s lifestyle, consumer choices and private interests, including lawful choices individuals would not want the government to know about.
Clearly, both projects were privacy invasive.
Due to the old age and inadequacy of Canada’s laws to deal with 21st century privacy issues, our investigation did not find legal violations. However, we found that the two projects as originally designed did not meet the principles of necessity and proportionality, which are not part of Canada’s federal law currently but are adopted as government policy and, of course, are legal principles in many jurisdictions across the world and in a number of Canadian provinces.
Working in accordance with necessity and proportionality means organizations should only pursue privacy-invasive activities and programs where it is demonstrated that they are necessary to achieve a pressing and substantial purpose and where the intrusion is proportional to the benefits to be gained.
To help guide organizations in assessing these issues, we ask them to frame their analysis with a four-part test:
- Is the measure demonstrably necessary to meet a specific need? Is it rationally connected to a public goal that is pressing and substantial? Is there empirical evidence in support of the initiative?
- Is it likely to be effective in meeting that need? Was it carefully designed to achieve the objective in question?
- Is the loss of privacy proportional to the need? The more severe the impact on privacy, the more clear and important the goal should be.
- Is there a less privacy-intrusive way of achieving the same end? Have reasonable steps been taken to ensure that the minimum amount of personal information is collected?
As I mentioned earlier, in our view, neither part of this test was satisfied in the case of Statcan. In particular:
- Statcan described the objectives of the two projects in terms that were too general to satisfy the first part of the test. For instance, they referred to their overall legal mandate and the drivers behind the need to adopt new means of data collection, as opposed to demonstrating a specific and pressing public policy purpose.
- Because the objectives were not defined with sufficient specificity, we were unable to determine that all of the personal information Statcan sought to collect (including the intrusive line-by-line financial transaction information requested) was necessary.
A specific and pressing public policy purpose might have been, for the Credit Information Project: to provide valid statistical information to support policies directed at addressing vulnerabilities in Canada relating to personal finances, especially household debt, interest rates, and developments in the housing market.
Or, for the Financial Transactions Project, to produce valid statistical information across household groups and to support specific economic and social policies such as anti-poverty policies targeted at vulnerable populations, and policies to pre-emptively mitigate the effects of economic recessions.
If the purposes of the two pilot projects had been defined with this level of specificity, it would then have been possible to determine the volume and granularity of personal information required to achieve them. Without this, necessity and proportionality were not respected.
We asked Statcan to work with our Office to redesign the projects to better respect the principles of necessity and proportionality.
Not only did they agree, but we are now working together to develop and implement policies and procedures aimed at incorporating necessity and proportionality more broadly into the agency’s statistical methods.
We are now in the preliminary stages of this endeavor. We anticipate there will be challenges along the way for complex and novel issues in the statistical realm.
But we also look forward to the innovative solutions that will emerge, demonstrating how privacy can strengthen statistical products that support evidence-based programs and policies for the benefit of citizens.
There are positive lessons for all government institutions to draw from this experience.
Indeed, we hope this experience will encourage all departments to fully consider privacy issues as they work to align their activities with the federal government’s aim to make more strategic use of the data it collects.
The Statcan investigation highlights the importance of assessing and addressing privacy risks prior to implementing initiatives that involve the use of data holdings, in line with the federal government’s overall data strategy. This would include undertaking a PIA and consulting early with my office.
This last part is critical. Consultation with my office’s Government Advisory team early during the development stage of sensitive programs allows privacy concerns to be identified and advice to be provided based on the complete picture of a program.
The investigation also supports the recommendation our Office has made for several years that the law be amended so that the collection of personal information by federal institutions should be governed by a necessity and proportionality standard.
Although not a legal requirement in the current federal law, the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Practices requires that federal institutions only collect personal information where it is “demonstrably necessary” for its operating programs or activities.
Many other jurisdictions both in Canada and abroad have already adopted a necessity standard as a legal requirement. Canada should follow suit and update the Privacy Act to include this standard.
Expectations: a way to integrate privacy by design principles
I spoke a moment ago about the Government Advisory Directorate. We established this directorate approximately two years ago, when we reorganized the entire Office in order to adopt a more proactive approach to protecting privacy.
We have been providing advice and recommendations to federal institutions for a very long time, often in the course of reviewing the privacy impact assessments (or PIAs) that they send us.
The establishment of the Government Advisory Directorate makes it easier for us to provide support within the PIA process, as well as upstream.
The basis for our advice and recommendations can be found in the document Expectations: OPC’s Guide to the Privacy Impact Assessment Process. As I said earlier, we just launched a new version of this reference document, redesigned to make it more practical.
The guide includes a procedure for evaluating a program or activity from a privacy perspective, with instructions for each phase of the evaluation.
For the risk assessment phase, the guide contains a list of factors that should be taken into account, as well as a roadmap for high-risk programs.
The roadmap for high-risk programs includes a series of questions that will help you perform a more in-depth analysis of the privacy impacts of these programs.
These questions have been specifically designed with high-risk programs in mind, but they are worthy of consideration at the start of any project given the Government is asking departments and agencies to rethink their way of doing things to make the most of “the power of data,” to borrow an expression from the Data Strategy Roadmap for the Federal Public Service.
The questions for high-risk programs will help you use the four-part test I mentioned earlier: necessity, effectiveness, proportionality and minimal intrusiveness.
In addition, you will find relevant questions for initiatives that rely on the use of new technologies such as artificial intelligence in general and automated decision-making.
We have also included in the guide a section that describes 11 privacy principles.
For each one, the guide provides a definition followed by questions to identify risks, as well as examples of possible mitigation measures.
To go back to the Data Strategy Roadmap for the Federal Public Service, your institutions are being asked to innovate, particularly in the way they collect data.
Making innovative use of technology to improve service to Canadians is a laudable goal, but it is important to not lose sight of certain principles in the pursuit of this goal, such as limiting collection.
The questions to consider should help you identify real risks, such as collecting personal data that is not necessary for the delivery of the service in question, or collecting personal data for no specific purpose.
In the current context, assessing potential privacy risks is more important than ever. Done properly before an initiative is implemented, PIAs help ensure legal obligations are met and privacy impacts are addressed or mitigated.
Conclusion
In closing, I would like to point out that the principles set out in Expectations are sometimes legal requirements, but they are often Treasury Board policy or directive requirements.
Reporting breaches—and conducting PIAs—are still to this day policy requirements and not legal obligations.
We are pleased that federal departments and agencies are following Statcan’s example and working with us to include privacy at the design stage of their initiatives.
That being said, upholding fundamental rights should not depend on the goodwill of public servants.
A modern, rights-based legislative framework that puts the right to privacy in its proper human rights context is the best way to protect Canadians’ privacy.
The Government says that protecting Canadians’ personal data is a priority and that an update of the legislative framework is required. It seems as though PIPEDA, the private sector legislation, will be amended first. Hopefully, the Privacy Act will follow shortly thereafter. Given the growing integration of the public and private sector systems, both acts should be reformed at the same time and should adopt similar principles.
I will now be pleased to answer your questions.
- Date modified: