The future of privacy law reform in Canada

Remarks at the IAPP Canada Privacy Symposium 2021

May 26, 2021

Speech delivered by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Every year since becoming Privacy Commissioner, I have had the privilege of being invited to give an address at this conference.

This being the end of the seventh year of my mandate, I gave some thought to a retrospective speech, but ultimately decided against it.

As you have seen in my recent submission to the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) on Bill C-11, and recent submissions on Privacy Act and Access to Information Act reforms, my focus remains firmly on the future.

I think it is clear that private sector privacy reform will not come to pass before the next parliamentary recess, which may mean it will not come to pass in the form of Bill C-11 at all.

This gives us a chance to reflect on what law reform might look like when Parliament does return. This is what I would like to address today.

My objective is not to start from a blank page and ignore the proposals in front of us. It is to challenge us as members of the privacy community to confront fundamental issues that must be addressed squarely if Canadian laws are to be fit for purpose in these modern times.

The value of data, the values of privacy and the consent model

The first question we face is: how to define permissible uses of data so as to both enable responsible innovation and protect the rights and values of citizens?

Digital technologies that rely on the collection and analysis of personal data are at the heart of the fourth industrial revolution and are key to our socio-economic development.

To draw value from data, the law should accommodate new, unforeseen but responsible uses of information in society’s interests or for legitimate commercial interests.

In Bill C-11, the government is seeking to achieve this by maintaining the consent model and adopting several new exceptions.  While some of those exceptions are reasonable, others are too broad or ill-defined to foster responsible innovation. For example, there is no reasonable justification for an exception to consent based on the impracticability of obtaining consent.

This is a very bad way to achieve responsible innovation.

We must face the truth that consent has its place but it cannot be the only means of protecting privacy. In fact, consent can be used to legitimize uses that objectively are completely unreasonable and contrary to our rights and values. And refusal to provide consent can sometimes be a disservice to the public interest.

What we need, as suggested  in the recommendations we issued on artificial intelligence last fall,  is to authorize the use of data for legitimate business interests, within a rights-based framework.

Such provision would give considerable flexibility to use data for new purposes unforeseen at the time of collection, within a world of knowable purposes and subject to regulatory oversight.

What we need is not self-regulation but true regulation, meaning objective and knowable standards adopted democratically, enforced by democratically appointed institutions.

We need sensible legislation that allows responsible innovation that serves the public interest and is likely to foster trust, but that prohibits using technology in ways that are incompatible with our rights and values.

This leads to the second question: the need for a rights-based framework.

Rights-based framework

It was at this conference in 2019 that I first put forward the idea that modern laws entrench privacy as a human right and as an essential element for the exercise of other fundamental rights.

I will not repeat the reasons why. I will just say that they remain extremely relevant, for instance in the context of AI where risks to fundamental rights, such as the right to be free from discrimination, are heightened.

Today I want to address the argument that a rights-based framework is not possible in a federal law in Canada due to our Constitution.

We agree that the principal basis for a federal privacy law in the private sector is Parliament’s jurisdiction over trade and commerce. However, if the law is in pith and substance about regulating trade and commerce, then it can include privacy protections, including privacy as a human right.

In fact, as noted by the Supreme Court of Canada in its recent decision on the Greenhouse Gas Pollution Pricing Act, a preamble would strengthen the constitutional footing of the legislation by identifying the purpose and background to the legislation.

In the Genetic Non-Discrimination Act case, the Supreme Court noted that the absence of a preamble creates difficulties in carrying out a division of powers analysis. Given the constitutional doubts that have been raised around PIPEDA, a preamble would provide much needed interpretive guidance to the courts about the law’s objective and constitutional basis.

So, in our submission to ETHI on Bill C-11, we recommend the adoption of a preamble and purpose clauses that specifically provide that the purpose of the CPPA is to “promote confidence and therefore the sustainability of information-based commerce”, firmly grounding the Act in federal jurisdiction.

Significantly, this purpose would be achieved by “establishing rules for the lawful, fair, proportional, transparent and accountable collection, use and disclosure of personal information that (among other things) recognize the fundamental right of privacy of individuals”, thus achieving a better balance between commercial  interests and human rights.

It should be noted that recognizing privacy as a human right is not incompatible with a principles-based data protection framework and it need not result in a law that is overly prescriptive. The prescriptive nature of a law is often related to the level of detail associated with the definition of specific privacy principles.

A rights-based framework operates at the same level of generality as a principles-based law. Neither is strictly prescriptive. They are both equally flexible and adaptable to regulate a rapidly changing environment such as the world of technology and the digital economy.

On the public sector side, I am encouraged by the federal government’s approach to this issue as laid out in its discussion paper on Privacy Act reform. It proposes adding a purpose clause that specifies that one of the key objectives of the legislation is “protecting individuals’ human dignity, personal autonomy, and self-determination.” This would recognize the broad scope of the right to privacy as a human right.

Public-private partnerships and the need for common/similar principles

The third question is the need for common or at least similar principles for the public and private sectors.

A fundamental aspect of the environment within which our privacy laws must be defined is the increased role of public-private partnerships and contracting relationships.

We have seen how public-private partnerships and contracting relationships involving digital technologies can create additional complexities and risks for privacy.

The pandemic certainly underscores this. Videoconferencing services and online platforms are allowing us to socialize, work, go to school and even see a doctor remotely but they also raise new privacy risks. Telemedicine creates risks to doctor-patient confidentiality when virtual platforms involve commercial enterprises. Meanwhile, e-learning platforms can capture sensitive information about students’ learning disabilities and other behavioural issues.

A number of government led COVID-19-related initiatives have involved partnerships with the private sector. In cases where the legal authority for an initiative was based on consent obtained by a private-sector organization; there was no policy requirement for government institutions to ensure that this consent was meaningfully obtained.

As a result, a public sector institution could deploy a technological solution to the pandemic that allows its private-sector partner to use the personal information collected for purposes unrelated to public health and without meaningful consent. This is not acceptable.

Our recent investigation into Clearview AI and our ongoing related investigation into the RCMP’s use of Clearview’s facial recognition technology is another example of the risks involved in public-private partnerships. The company’s technology allowed the RCMP and other organizations to match photographs of unknown people against the company’s databank of more than 3 billion images compiled from data scraped without authorization from Internet websites.

The result was that billions of people essentially found themselves in a police line-up. We concluded this represented mass surveillance and was a clear violation of PIPEDA. We are now discussing with the RCMP whether it had a legal obligation to ensure its private sector partner complied with the law.

Common privacy principles enshrined in both our public and private sector privacy laws would help address gaps in accountability where the sectors interact.

We were pleased to see proposals in the government’s recent reform paper that could help address some of these risks, and which we would also like to see incorporated into Bill C-11.

The discussion paper proposes measures aimed at providing meaningful oversight and quick and effective remedies, such as order-making and expanded rights of recourse to Federal Court.

It also introduces principles to the Privacy Act, including a new accountability principle supported by concrete requirements to demonstrate strong governance and oversight practices. To that end, it would enshrine Privacy by Design, privacy impact assessments and proactive audits into law.

We have asked that our privacy laws include the principles of necessity and proportionality, which ensure privacy-invasive practices are carried out for a sufficiently important objective, and that they are narrowly tailored so as not to intrude on privacy rights more than is necessary.

While Bill C-11 lacks related provisions, the proposed Privacy Act reforms include a similar “reasonably required” standard.

Our recent investigation into Statistics Canada highlights our concerns. You will recall the agency had started collecting detailed credit information, and was proposing to collect even more financial transaction and account balance data, about millions of Canadians from private sector companies.

Clearly, these initiatives were privacy-invasive but due in part to the inadequacy of federal laws to deal with 21st century privacy issues, our investigation did not find legal violations had occurred.

Once again, the pandemic is also highlighting shortcomings in the law related to necessity and proportionality, as well as effectiveness.

It is central to the current global debate on vaccine passports and was a key aspect of our decision to support the deployment of the COVID Alert App.

The “reasonably required” standard proposed in the DOJ discussion paper, with modifications, would helpfully bring a form of necessity and proportionality to the analysis of government initiatives like the Statistics Canada projects and those we have seen during the pandemic.

Interoperability, internationally and domestically

The fourth question is the need for interoperable laws, internationally and domestically.

An important impetus for the CPPA is the desire to maintain Canada’s EU adequacy status. It is vital for the data that supports trade to travel outside our borders, without infringing upon the rights and values that we broadly share with our partners.

Interoperability between laws helps to facilitate and regulate these exchanges and it reassures citizens that their personal information is subject to similar protections when it leaves Canada. It also benefits organizations by reducing compliance costs and increasing competitiveness.

This is true internationally, but interoperability is also important domestically. Currently, with Bill C-11 stuck in its tracks and provincial bills under consideration, there is the potential for  a patchwork of privacy laws across Canada. To some degree, this is normal in a federal state, but we should strive for substantial similarity.

Quebec’s Bill 64 is not perfect (rules on transborder data flows come to mind) but it has several good features that would make it a significantly better updated privacy law than what the federal government has put forward in Bill C-11.

For example, it includes provisions that address profiling and protect the right to reputation, which are consistent with our approach to rights-based legislation. It subjects political parties to the private sector law and has a more efficient adjudication and financial penalty regime.

You may have seen the jurisdictional comparative chart we submitted to Parliament along with our proposed amendments to Bill C-11. It shows how the CPPA is frequently misaligned and less protective than the laws of other jurisdictions, well beyond Europe.

In particular, Bill C-11 does not require knowledge and understanding for consent to be considered meaningful, it does not prescribe an objective standard for accountability, nor does it establish a comprehensive framework for governing trans-border data flows.

Canada aspires to be a global leader in privacy and it has a rich tradition of mediating differences on the world stage. Adopting a rights-based approach, while maintaining the principles-based and not overly prescriptive approach of our private sector privacy law, would situate Canada as a leader showing the way in defining privacy laws that reflect various approaches and are interoperable.

Penalties, role of the OPC and transparency

The fifth question I will address is the need for quick and effective remedies.

As many cases have shown us, serious financial penalties are an imperative given the immense profits that can be made through the inappropriate use of personal data.

Unfortunately, the penalty provisions in C-11 are hollow. First, Bill C-11 lists only a few violations as being subject to administrative penalties. This list does not include obligations related to the form or validity of consent, nor the numerous exceptions to consent, which are at the core of protecting personal information.

It also does not include violations to the principle of accountability, which is supposed to be an important counterbalance to the increased flexibility given to organizations in the processing of data.

Bill C-11 also creates an additional layer of decision-making in the form of the Personal Information and Data Protection Tribunal, which would be responsible for imposing monetary penalties and hearing appeals against decisions of my office.

We believe that this tribunal, which does not exist in this form anywhere else, would create unnecessary delays for consumers. The courts are perfectly capable of reviewing the legality of OPC decisions.

Worse, it would encourage companies to choose the route of appeal rather than finding common ground with the OPC when we are about to issue an unfavourable decision. We believe that the addition of this tribunal would only delay access to justice for consumers.

We understand the need for the OPC to have fair processes. Indeed, we welcome transparency and accountability for our actions and decisions. As such, we would gladly consult stakeholders in developing rules of practice that would ensure fairness towards parties in proceedings leading to the imposition of orders and penalties.

On a final note, I want to mention that Bill C-11 would also impose new responsibilities on my office, including the obligation to review codes of practice and certification programs, and advise individual organizations on their privacy management programs.

We welcome the opportunity to work with businesses but fear our limited resources will be stretched too far. We need discretion to manage our workload in the best interest of Canadians. This is just another way Bill C-11 is misaligned with the laws of other jurisdictions.

Conclusion

In conclusion, some argue Bill C-11 is well designed because it is aligned to Canadian realities: the role of SMEs in our economy, the need to innovate, our Constitution.

These are all worthy considerations but, other than the Constitution, where is the evidence that Canada is different than its allies in these regards? I hope we see this evidence in the next phase of public debate, so that facts can help us distinguish myths from reality.

From where I sit, I believe we have made a constructive proposal to address the constitutional question. Certainly, SMEs do need to be accommodated through scaling, but their proportion in Canada is similar to that of other countries. If SMEs can thrive in the UK and Australia, why wouldn’t Canadian SMEs function under similar laws?

As for the argument that strong privacy laws are an impediment to innovation, we think the opposite is true. Legislation that effectively protects privacy can contribute to economic growth by providing consumers the confidence that their rights will be respected. Many countries with strong privacy laws are also leaders in innovation. If Germany and South Korea are leaders in innovation with strong privacy laws, why can’t Canada?

I remain optimistic that the government is open to improving Bill C-11 and that we will finally see meaningful change come to our public and private sector laws.