Appearance before the Committee on Institutions of the National Assembly of Quebec regarding Bill 64, An Act to modernize legislative provisions as regards the protection of personal information
September 24, 2020
By videoconference
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Thank you for inviting me to discuss Bill 64, which modernizes Quebec’s privacy laws.
There is a pressing need to modernize legislation in this area. Many years of digital revolution have disrupted our society’s habits, our activities and our rights. Your Bill is extremely timely.
The need to reform our legislation
The disruptive effects of information technologies are not all negative. These technologies are at the heart of the fourth industrial revolution and they will help improve services to the public.
The current pandemic highlights the importance of science, data and technology for crisis management. It is greatly accelerating the digital revolution, which in my opinion furthers the case for immediate reform of the legislative framework.
Information technologies can serve the public interest.
However, they also pose major risks to privacy. Data breaches affected 30 million Canadians last year. There is increasing talk about the existence of surveillance capitalism – this, a few years after the Snowden affair. More recently, the Cambridge Analytica scandal has highlighted the risks for democracy.
The use of telehealth during a pandemic has undeniable advantages, but when it involves privately owned platforms, there is a risk for the confidentiality of health information. Remote learning presents similar risks.
Legislation needs to be modernized because the public no longer trusts that new technologies are being used in a way that respects their privacy. Surveys conducted by our office indicate that some 90% of Canadians are concerned about this issue.
A rights-based approach
Privacy is a key value of democratic societies and a right protected by the Quebec Charter of Human Rights and Freedoms. In our view, the starting point for reform should be to ensure that privacy laws recognize the fundamental nature of that right and implement it in a modern, sustainable way.
To be clear, legislation should allow for responsible innovation that serves the public interest and is likely to foster trust, but prohibit using technology in ways that are incompatible with our rights and values.
This is the approach I put forward in last year’s annual report to the Canadian Parliament, which included detailed proposals to reform federal privacy legislation.
A number of elements contained in Bill 64 are consistent with those proposals.
For example, the Bill includes provisions that address profiling and protect the right to reputation. It subjects political parties to the private sector act.
In my previous annual report to Parliament, I recommended that the fundamental nature of privacy rights be recognized in the preamble and purpose statements of federal legislation governing the public and private sectors. In a report released in 2015, the Quebec Commission on Human Rights made a similar recommendation for Quebec’s public sector act. I encourage you to adopt that recommendation.
The role of consent
Among other things, Bill 64 seeks to increase citizens’ control over their personal information. The rules regarding consent are therefore improved.
I support these improvements, having myself two years ago increased the requirements set out in my office’s guidelines for obtaining consent.
That being said, it is essential to state that in 2020, privacy protection cannot hinge on consent alone.
Simply put, it is neither realistic nor reasonable to ask individuals to consent to all possible uses of their data in today’s complex information economy. The power dynamic is too uneven.
In fact, consent can be used to legitimize uses that, objectively, are completely unreasonable and contrary to our rights and values. And refusal to provide consent can sometimes be a disservice to the public interest.
Bill 64 sets out some exceptions to consent, for instance in the context of research, or when personal information is used for purposes that are consistent with the purposes for which it was collected. These are steps towards a more realistic approach, but we must be careful. For example, the exception for consistent purposes could be interpreted too broadly, allowing for all sorts of uses.
That is why other data protection models take into account the limits of consent and try through other means to serve the public interest and protect privacy simultaneously.
The European model is one example. In Europe, data can be used when it is necessary for the performance of a task carried out in the public interest or for the purpose of the legitimate interests pursued by a business or public entity, while respecting basic rights.
I will note that in Quebec, a business must have a serious and legitimate reason to collect personal information. This concept is akin to the “legitimate interests” found in European law.
In my opinion, the European approach merits consideration, among others. What matters is that the law allow for uses of personal information in the public interest, in the pursuit of legitimate purposes or for the common good, within a rights-based regime. This regime should require businesses and government departments to be transparent and to demonstrate accountability to the regulating authority.
Direct enforcement powers
Adopting adequate privacy legislation is not sufficient in itself. Laws must be enforced through quick and effective mechanisms. In many countries, this is done by granting the regulatory authority the power to issue orders and impose significant monetary penalties.
Such legislation does not seek to punish offenders or to prevent them from innovating. It seeks to ensure greater compliance, an essential condition of trust and respect for rights.
It must be said that many businesses and organizations take their privacy obligations seriously. However, not all of them do so. It is important that legislation not benefit the offenders.
Penalties must be proportional to the financial gains that businesses can make by disregarding privacy. Otherwise, organizations will not change their practices; minimal penalties would represent a cost of doing business they are willing to accept in order to generate profits.
The proportional nature of penalties is also an advantage for smaller enterprises.
The provisions to that effect in Bill 64 are excellent and it is important that they be retained.
The importance of compatibility
The last point I would like to address is the importance of interoperability between the laws of different jurisdictions.
Canada and Quebec are major economic partners with Europe and the United States. It is vital for the data that supports trade to travel outside our borders, without infringing upon the rights and values that we broadly share with our partners.
Interoperability between laws helps to facilitate and regulate these exchanges. It also helps to reassure citizens that their data are subject to similar protections when they leave our borders. And finally, it also benefits organizations by reducing compliance costs.
Several witnesses have warned you against adopting a law that would be stricter than the GDPR or other statutes within our economic zone.
My suggestion would be not to shy away from using the GDPR as a source of inspiration, but to avoid going beyond it, unless you deem it necessary for specific provisions. I would be pleased to expand on this at your request.
Conclusion
In closing, I welcome Quebec’s efforts to bring its privacy legislation into the 21st century. Other jurisdictions have also taken initiatives in this regard, but you are leading the way. Let us hope that others will follow. Indeed, the time has come for urgent action.