Remarks by Privacy Commissioner of Canada regarding his 2017-18 Annual Report to Parliament
September 27, 2018
The Privacy Commissioner of Canada, Daniel Therrien, made the following statement during a press conference at the National Press Theatre in Ottawa.
(Check against delivery)
My annual report comes in the wake of a string of major privacy crises, including the massive Equifax breach and the Facebook-Cambridge Analytica matter. Unfortunately, these are only symptoms of a larger trend. Not only are the privacy rights of Canadians at stake, so too is our democracy and other fundamental values.
With this backdrop, a key theme of this year's Annual Report is that my office can no longer keep up with the pace of technological change. We urgently need new legislative powers and additional resources if we are to have a real impact on protecting Canadians' privacy in the 21st century.
The federal government must act immediately by giving my office new powers to make orders, issue fines and conduct inspections to ensure businesses respect the law. Parliamentarians have supported such legislative reform and Canadians expect it.
Even the government has acknowledged that these privacy crises have, in its words, "drawn attention to the risks of unconstrained access to personal information." Its response? To launch a national digital and data consultation.
The government knows "changes are required," yet progress has been slow to non-existent– far slower than the speed at which disruptive technologies are hitting the market. The end result is that the privacy of Canadians is not well protected.
For instance, while the Facebook/Cambridge Analytica matter highlighted risks to our democratic processes, the government's legislative response, Bill C-76, lacked any substance in terms of privacy protection. Unless the bill is amended, the personal information of Canadians may well be abused in the next federal election by unscrupulous actors, including hostile states.
Government inaction in modernizing laws has other consequences. Over the last year, my office took significant action to improve the privacy of Canadians. We issued new guidelines for obtaining meaningful consent and guidance on inappropriate practices for organizations.
However, these are only guidelines, not law, and some industry groups warned us that they may not follow our advice as, in their view, it is too prescriptive and potentially outside our legal authority. If my Office had order making powers, our guidelines would be more than advice that companies can choose to ignore; they would become real standards that ensure real protection for Canadians.
The government's reaction to Facebook/Cambridge Analytica was also to ask companies to do more to protect our privacy and our democracy. Under PIPEDA, organizations have a legal obligation to be accountable, but Canadians cannot rely exclusively on companies to manage their information responsibly.
To be clear, it is not enough to ask companies to live up to their responsibilities. Canadians need stronger privacy laws that will protect them when organizations fail to do so. Respect for those laws must be enforced by a regulator, independent from industry and the government, with sufficient powers to ensure compliance.
Given the opaqueness of business models and complexity of information flows in the age of data analytics, artificial intelligence and the Internet of Things, my office should be authorized to inspect the practices of organizations even if a violation of law is not immediately suspected.
In other words, trust but verify.
In order to increase trust in the digital economy, we must ensure Canadians can count on an independent third party with the necessary tools to verify compliance with privacy law.
My Office also needs a substantial budget increase to keep up our knowledge of the technological environment and improve our capacity to inform Canadians of their rights and guide organizations on how to comply with their obligations.
Additional resources are also required to meet our obligations under the new breach reporting regulations that come into force in November.
Although imperfect, these regulations, which require reporting of some breaches to my office, are a step in the right direction. The significance of that step, however, is greatly reduced by the government's failure to give us any resources to analyze the breach reports we will receive, provide advice on how to mitigate risks and verify compliance with the regulations. As a result, our work will be somewhat superficial.
That being said, we will do the best we can with the legislation and resources we have. Indeed, I am proud of the work we’ve done in the past year: the publication of new guidance on consent and reputation, the adoption of a proactive strategy for privacy protection, convincing Parliament to amend national security legislation.
Still, this is clearly not enough. We are in the midst of a fourth industrial revolution. Disruptive technologies are adopted at a staggering pace.
New technologies can provide important benefits but they also present huge challenges to legal and social norms that protect fundamental Canadian values.
Government must step up its efforts to protect these values. My office stands ready to do its part, but we need better tools to provide the protection Canadians want and deserve.
Report a problem or mistake on this page
- Date modified: