Statement

Remarks by Privacy Commissioner of Canada regarding his 2016-17 Annual Report to Parliament

September 21, 2017
Ottawa, Ontario

The Privacy Commissioner of Canada, Daniel Therrien, made the following statement during a press conference at the National Press Theatre in Ottawa.

(Check against delivery)

---

My annual report, tabled in Parliament this morning, focuses on privacy protection in the private sector and whether individual consent, which currently is the foundation of our federal privacy law, continues to be up to the task of protecting Canadians’ rights.

Last year, my office launched a consultation on the challenges facing consent. The context for our review of the consent model is the digital revolution, which is so significant that many have described it as the fourth industrial revolution.

That revolution has brought us important benefits and it is and will continue to be a major contributor of economic growth. Few of us would like to go back to the pre-digital age, but no one has agreed to give away their privacy on the basis of 50-page privacy policies written in legalese most lawyers don’t understand.

Canadians have told us privacy policies are broken. They want better information to exercise their right to give or withhold consent meaningfully. They want to know with whom their personal information is being shared, what information is being collected and for what purpose, and what the risks are, if any. They also expect their rights to be enforced by a regulator with strong powers, including the authority to impose fines where warranted.

Their fear that they are losing their privacy is real and they expect concrete, robust solutions to restore their confidence in technology as something that will serve their interests and not be a threat to their rights.

After one year of consulting consumers, industry and other expert stakeholders, I have come to the view that, while consent remains central to personal autonomy, other mechanisms are also needed.

It is clear, for example, that Canadians need to be supported by an independent regulator with the legislation and resources necessary to properly inform citizens, guide industry, hold businesses accountable, and sanction inappropriate conduct.

Canadians do not feel protected by a law that has no teeth and businesses held to no more than non-binding recommendations.

I am calling for amendments to the federal private sector privacy law to provide for order-making powers and the ability to impose administrative monetary penalties.  This would bring Canada in line with many of its provincial and international counterparts — such as the U.S. and many European countries.

However, my office won’t wait for legislative changes; we will begin to act immediately to improve privacy protections for Canadians.

For example, we are updating our guidance on online consent to, among other changes, specify four key elements that must be highlighted in privacy notices and explained in a user-friendly way. We will also issue guidance on prohibited practices or “no-go zones”, such as using personal information knowing it will cause significant harm the individual.

We will also shift towards a proactive enforcement and compliance model rather than a reactive, complaints-based ombudsman model. To that end, you can expect to see us launching more Commissioner-initiated investigations focused on chronic or sector-specific problems.

Ultimately, we will use this proactive enforcement model to require organizations to demonstrate their accountability, that is to say how they have taken measures to protect users’ privacy.

Throughout our consultations, we often heard that corporate accountability needs to take a larger place in privacy protection, as the consent model is under strain with new technology. While we believe consent continues to have an important role, we agree that the weight given to accountability should increase. Accordingly, organizations should be able to demonstrate accountability on demand as a means to ensure privacy is respected.

Through proactive enforcement and demonstrable accountability we will achieve greater compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) than we do currently under our ombudsman model.

I’ve focused my remarks on the consent section of the annual report because it’s such an important issue for privacy rights in Canada.

Of course, the report addresses many other important issues such as our investigations of the Phoenix pay system; RCMP use of IMSI catchers, and the Mydemocracy.ca website. It also describes the findings of a number of national security reviews

I would be pleased to answer your questions about these or other issues of interest from our annual report.