Reforming Canada’s privacy laws: Shifting from the whether to the how

Remarks at the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium 2019

May 23, 2019

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

This is the fifth time I have had the privilege and the pleasure to share my perspective with you in this important venue.

Throughout these years, an important theme has been the need to reform privacy laws. It was not always a winning proposition. For a long time, the questions were: Where is the harm? Where is the evidence that privacy rights are not respected and that companies are not complying with the law?

I believe we have finally reached the point where the question of whether privacy legislation should be amended is behind us. The question before us now is how. With its announcement of a Digital Charter in the last few days, the government seems to agree.

A privacy tipping point

Events of this past year have highlighted like never before the urgent need to modernize the way in which privacy rights are protected in this country.

Our Facebook investigation starkly illustrated that we have reached a critical tipping point upon which privacy rights and democratic values are at stake.

Our examination of how the Cambridge Analytica scandal happened uncovered that Facebook’s privacy framework was actually an empty shell. That is a shocking thing to have to say about a global giant, which has amassed so many intimate details about so many people.

Meanwhile, the findings in our Equifax investigation also highlighted very troubling shortcomings in a company that also holds vast amounts of highly sensitive personal information and that plays a pivotal role in our financial sector.

Poor security safeguards. Retention issues. Inadequate consent procedures. Moreover – again – a fundamental lack of accountability.

Privacy and innovation

Calls for more effective privacy laws are now coming from everywhere – even Mark Zuckerberg claims he likes the GDPR and would welcome the adoption of similar regulation in the US. But it is understandable the business community would be apprehensive about legislative reform.

The solution is not to get people to turn off their computers or to stop using social media, search engines or other digital services. Many of these services meet real needs.

Rather, the ultimate goal is to allow individuals to benefit from digital services – to socialize, learn, and generally develop as persons – while remaining safe and confident that their privacy rights will be respected.

Government response

Legislative reform – for both PIPEDA and the Privacy Act – finally seems to be on its way.

In recent months, we have been gratified to hear Parliamentary committees, and members of Parliament from all parties, saying that they support my office’s calls to update our laws.

The government has finally responded with its Digital Charter announcement of the last few days and with more specific proposals, although still somewhat general, notably in the area of privacy.

At this point, we are still analyzing these proposals. They cover a wide variety of issues, but they also leave grey zones. For instance, if the law provides exceptions to consent for “standard business practices,” how are privacy and the public good to be protected?

Resources

I should take a moment here to mention another way in which the government has responded to the challenges my office is facing.

The recent federal budget included some very good news for my office: the government announced a permanent increase of more than 15 percent to our total annual budget, as well as some additional temporary funding.

This is clearly a step in the right direction. It will help us to deliver on our existing mandate in the face of the exponential growth of the digital economy.

Part of the funding included in the federal budget is temporary, to help us deal with a complaints backlog. We currently have more than 300 complaints older than a year. By 2021, that backlog should be almost eliminated.

The new resources will also help us to address significant pressures brought about by the new legislative and policy requirements related to breaches.

Since mandatory breach reporting requirements came into effect under PIPEDA last November, the volume of reports has increased more than five-fold. New resources will enable us to more thoroughly review breach reports in both the public and private sectors.

The funding will also help increase our capacity to inform Canadians of privacy issues, their rights and how to exercise them. As well, we will be better positioned to guide organizations on how to meet their privacy obligations.

I have said this before and I will say it again. An effective regulator does not depend primarily on enforcement to seek compliance. The first strategy should be guidance and engagement. We will use an important share of the new funding in that area.

Appropriate resources are a part of the solution. An effective legislative framework is even more important.

Legislative reform

I said earlier that the real question before us now is how Canada’s laws should be updated.

Privacy is more than a set of technical or procedural rules, settings, controls and administrative safeguards; it is certainly not a barrier to progress as is often implied.

Instead, it is a fundamental right and a necessary precondition for the exercise of other fundamental rights, including freedom, equality and, as we saw in Cambridge Analytica, democracy.

The starting point therefore should be to give the law a rights-based foundation.

We should continue to have a law that is technology neutral and principles-based. These elements will enable the law to continue to endure over time and provide a level playing field. 

But we also need a rights-based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.

Legislation should also define privacy in its broadest and true sense. Privacy is not limited to consent, access and transparency. These are important mechanisms but they do not define the right itself, a quasi-constitutional right as we all know.

In 2001, Senator Sheila Finestone introduced in Parliament a bill titled the Privacy Rights Charter. A Charter of rights is perhaps what inspired the Prime Minister when he announced a Canadian Digital Charter last week in Paris.

Senator Finestone’s bill defined privacy as including the following rights:

1. physical privacy;
2. freedom from surveillance;
3. freedom from monitoring or interception of their private communications; and
4. freedom from the collection, use and disclosure of their personal information.

Recognizing that privacy is not an absolute right, the bill went on to say that: “No person shall unjustifiably infringe an individual’s right to privacy.”

I am not suggesting that Canada in 2019 should adopt exactly what was in the Finestone Charter. For one thing, the scope of privacy rights has of course been the subject of many court decisions, including by the Supreme Court of Canada, since the early 2000s.

But I do think that modern privacy legislation should start by defining privacy in its proper breadth and to codify its quasi-constitutional status. This, alongside the principles-based and technologically neutral nature of the law, would ensure it can endure over time, despite the certainty of technological developments.

The principles-based nature of the legislation would ensure it is interoperable. Its breadth and quasi-constitutional nature would ensure it reflects Canadian values.

PIPEDA should also be drafted as a real statute, conferring rights and imposing obligations; it should not be drafted as an industry code of practice. Judges have commented on the "peculiar" nature of PIPEDA's drafting. Others have been less charitable. The end result is that it is difficult to interpret and apply. It is possible to have principles-based legislation drafted intelligibly. We need look no further than to the substantially similar legislation adopted by some provincial legislatures.

Some of the other questions that should be addressed during a review of PIPEDA include consent, binding guidance and enforcement powers.

In my view, we should maintain an important place for meaningful consent, where it is effective in exercising individual control and autonomy, but we must also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence.

Here I think that the notion put forward by the government that data should be used for the public good, is an essential consideration to bear in mind.

Also, to bring greater certainty to both individuals and organizations, a public authority such as my office should be empowered to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice.

Principles-based legislation has important virtues. Binding guidance or rules would ensure a more practical understanding of what the law requires.

Guidance could also be amended more easily than legislation– a feature that is important as the pace of technological change accelerates.

And of course, to ensure effective enforcement, my office should be empowered to make orders and impose consequential fines for non-compliance with the law.

But even large fines may not be sufficient, as was remarked when Facebook announced it was placing $3-5B in reserve in the event the US FTC were to impose such a penalty.

Which leads me to accountability.

Demonstrable accountability

The business community has championed accountability as an important component of privacy protection.

I agree that accountability is important. However, as we have so clearly seen in Facebook, Equifax and other cases, the principle as currently framed is not sufficient to protect Canadians from the practices of companies that claim to be accountable but actually are not.

What is required is a law that ensures demonstrable accountability.

In today’s world where business models are opaque and information flows are increasingly complex, individuals are unlikely to file a complaint when they are unaware of a practice that may harm them. This is why it’s so important for the regulator to have the authority to proactively inspect the practices of organizations. These powers exist in the UK, in the EU and in other countries.

Where consent is not practical and organizations are expected to fill the protective void through accountability, these organizations must be required to demonstrate true accountability upon request.

Transborder data flows

Accountability was also an important theme in our Equifax investigation, which as you know has led us to revisit our position on transborder data flows.

I must say I have read several interesting theories about what motivated this change in position. No, I do not think I am Parliament. No, I am not fixated on the GDPR, nor with consent for that matter. However, I am very focused on finding and applying effective solutions to protect the privacy of Canadians, consistent with the law.

The proposal to change our position was ultimately based on our obligation to ensure that our policies reflect a correct interpretation of the current law. Our starting point was a straightforward question of statutory interpretation.

Given the recent announcement by Innovation, Science and Economic Development Minister Navdeep Bains that a new PIPEDA will clarify rules on transborder data flows, we at the OPC will need to adjust. Yesterday, I suggested to suspend and reframe our consultation so that it may inform our position both in the longer term (on the content of a new law) and the shorter term (how to apply the current law).

This was generally well received, but not by all. We will confirm our new approach to consultations soon. To be clear, work that organizations have already completed on submissions will not be lost. The consultation questions we had posed remain relevant.

In the meantime, we do not expect organizations to change their practices, although, if we receive individual complaints, we will need to assess them based on the specific facts of the case before us and our interpretation of the law in its current form.

Our goal again is to ensure that the privacy of Canadians is effectively protected.

The historic OPC position gave great weight to the accountability principle in protecting privacy in a transborder context. Yet we have seen in Equifax that this principle as currently framed does not always provide effective protection. During our investigation, Equifax officials had difficulty answering basic questions as to who was responsible for their clients’ personal information as between the Canadian and US affiliates.

One option under legislative reform might again be to adopt a more robust accountability regime – demonstrable accountability with actual monitoring to ensure the arrangements in place truly protect personal information. Minister Bains seemed to move in that direction in his privacy proposals paper earlier this week.

Subject to other views that I assume we will receive, we think consent is part of the short term solution, and is perhaps dictated by the current law. But should it have a role in the longer term? Maybe not, as long as there are other effective ways to protect privacy.

Conclusion

I will close by saying that I believe the best way for Canada to position itself as a digital innovation leader is to demonstrate how we can establish a framework for innovation that also successfully protects Canadian values and rights, and protects our democracy.

We are at an important moment for privacy in Canada. Change is coming. I sincerely hope and will work hard, as will all OPC colleagues, to ensure we find a way that will allow Canadians to participate in the digital economy and receive government services confident that their rights will be respected.