The state of privacy as I end my term
Remarks at the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium 2022
May 26, 2022
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
This will be my last speech to the IAPP as Privacy Commissioner of Canada. For that occasion, Kris Klein expressed the hope that I would give “a no-holds barred speech”, where I would let you know what I think about the state of privacy in Canada. I certainly want to leave you with parting thoughts, with an eye to the future.
So, what do I think about the state of privacy in Canada? In a word: that state is one of uncertainty.
It does not have to be that way. But it reflects human nature: excited by what is new, but comforted by what is known. In all kinds of human activity, there is resistance to change.
Still, I find it surprising to see so much resistance in a field as innovative as the digital economy.
As we all know, digital technologies are disruptive.
There are many benefits to this. These are not just words that I express for the sake of appearing to give a balanced view. Take it from someone who has spent his entire professional life in government. I have experienced my share of antiquated rules and people content to continue old ways because “we have always done things that way”.
So, I truly believe there are real benefits to disruptive digital technologies.
There is no doubt that the modern economy depends, and will increasingly depend, on the value of data extracted through digital technologies. The pandemic has also shown that these technologies can serve the public interest, be it in health, in education or by showing that we can do our jobs without burning so much fuel and endangering the planet to reach our downtown office.
But during my term, we have also seen through investigations the risks and the harms of disruptive technologies, most recently in the mass surveillance permitted by facial recognition.
To take an example outside our investigations, we have seen how social media allowed people to share anti-democratic views and eventually storm the U.S. Capitol to disrupt the constitutionally mandated transition of powers process.
The state of privacy is and will remain uncertain so long as we do not learn the lessons of the digital revolution.
As Commissioner, I have always been mindful of this characteristic of technology: it is neither good nor bad. Depending on how you use it and regulate it, it can bring important benefits or huge risks.
This was true in my early work on national security and cyber criminality issues. Law enforcement and national security agencies need effective powers to use modern technologies to protect citizens, but we insisted these powers must respect longstanding protections such as independent oversight and legal standards to protect privacy. Bills were eventually amended so as to achieve both privacy and public safety. Things do not have to operate in a zero sum game.
This was also true in our work on the consent model. After extensive consultations, we issued new guidelines on meaningful consent in 2018, but we also put forth the idea that where consent is not practicable, alternatives may need to be considered to maintain effective privacy protections. We wrote: “While recommending exceptions to consent may seem contrary to our mission as a privacy regulator, in fact we have come to the conclusion that acknowledging this reality (that sometimes consent is simply not possible or practicable) with appropriate protections is preferable to otherwise stretching or distorting the concept of implied consent so as to become meaningless.”
We tried to learn the lessons of history, including that consent is not always the most effective means to protect privacy and improve trust in the digital economy.
We also sought to be balanced in our approaches and strategies.
You will recall the adoption of our strategic priorities in 2015, again after extensive consultations.
Under our first strategic priority, the economics of personal information, balance came in the form of recommendations for more effective ways to protect privacy while recognizing the legitimate interest of organizations to process personal data. Or, as I wrote in 2020, in recognizing the value of data and the values protected by the right to privacy.
Under our second priority, government surveillance, we sought to advance positions that achieved both privacy and public safety.
Under our third priority, reputation, we adopted a draft position that recognized a right to de-index inaccurate or obsolete data, while respecting freedom of expression.
Under our fourth priority, the body as information, balance came in guidance and legislative proposals that recognize the benefits of facial recognition technology, but ensure that its use should be limited and subject to rigorous protections proportionate to the very high risks of the technology.
Finally, balance came in our proactive strategies, which included a few Commissioner initiated complaints and investigations, but also the creation of a business advisory group whose mandate is to assist organizations in their efforts to comply with the law.
Right now in Canada we are about to finally see privacy law reform. It has been promised in 2022 in the private sector and hopefully it will follow soon thereafter in the public sector.
Some industry representatives exaggerate the benefits of current laws and what they see as harms that would come from stronger regulation. They say that a made in Canada approach has been good for the country and that a rights based approach would hurt innovation.
Yet studies by reputable private firms indicate that Canada is far from a leader in terms of innovation. Countries governed by the GDPR like Germany, and others with similar laws like South Korea, are ahead of Canada. The idea that a rights based law would impede innovation is a myth. It is simply without foundation.
In fact, the reverse is true. There can be no innovation without trust, and there is no trust without the protection of rights.
A made in Canada approach that would be too different from what is becoming the international gold standard would not be in the interest of Canadian business. To the contrary, interoperable laws are in Canada’s interest. Such laws help reassure citizens that their data are subject to similar protections when they leave our borders. They also mean that Canadian businesses can operate abroad and use the personal information of non-Canadians in a way these clients can trust.
If we learn the lessons of the early years of the digital revolution, we will adopt privacy laws that allow for innovation, sometimes without consent, for legitimate commercial interests and socially beneficial purposes, within a framework that protects our fundamental rights and values.
This does not mean a carbon copy of the GDPR. There can and should be some adaptations. For instance, fewer recitals. Fewer consent pop-ups.
The adoption of a rights-based law does not mean that Canada would have a more prescriptive law. That is another myth that needs to be busted.
A rights-based law operates at the same level of generality as a principles-based law. They are both equally flexible and adaptable to regulate a rapidly changing environment such as the world of technology and the digital economy.
In the “no holds barred” category, on what basis would organizations be given the flexibility allowed by a principles-based law but individuals would not be entitled to protection in the form of a law that protects their fundamental rights and values?
My strongly held view is that we need both a principles-based law and a rights-based law. I frankly fail to see the balance in proposals that advocate the former without the latter.
This leads me to a final and related point on law reform. If we learn the lessons of the past, we will also move away from a law akin to self-regulation to one of true regulation, enforced by a democratically appointed regulator.
It is no secret that PIPEDA has not been effective in producing consumer trust, at least in the past several years. Consistently, an overwhelming majority of Canadians say they are concerned about their lack of control over their personal information.
Former Bill C-11 would have given consumers even less control over their personal information, and organizations more control. The knowledge and understanding requirement for meaningful consent would have been weakened. Organizations would have been able to collect and use information for any purpose they determined, subject to an undefined appropriateness standard, and their accountability would be defined by the procedures they would decide to put in place.
What is needed is not more self-regulation but true regulation, meaning objective and knowable standards adopted democratically, enforced by democratically appointed institutions like my office that can ensure organizations are truly accountable.
While disruptive technologies have many benefits, what does not need disruption is the idea that democratic government must maintain the capacity to protect the fundamental rights and values of its citizens. That capacity is lessened when organizations have almost complete liberty to set the rules under which they will interact with their clients, and where they can set the terms of their accountability.
A new law should:
- reintroduce the knowledge and understanding element of meaningful consent;
- stipulate that personal information may not be collected for any purpose determined by an organization but only for “specific, explicit and legitimate purposes”;
- prescribe an objective standard for accountability, namely the obligation to implement a privacy management program “to ensure compliance” with the law;
- authorize the OPC, like many other data protection authorities in Canada and abroad, to conduct proactive audits to verify compliance with the law.
The need for independent proactive audits has been demonstrated in spades in the recent story about the Public Health Agency’s use of mobility data obtained in modified form from private sector organizations.
The government and its commercial partners, although pursuing legitimate goals in the public interest, failed to instill trust among affected Canadians that their data was used appropriately. Why? In part, I think, because, although we were informed both by government and an organization of their intent, neither was prepared to give the OPC the detailed information required for us to “look under the hood” and confirm that privacy was indeed respected.
Now, I understand that government departments and commercial organizations may not always be thrilled by the idea that the regulator will examine their data processing practices. But I would put to you that this is a shortsighted view.
If you think about it seriously, you may come to accept that in a world where innovation requires trust, an important factor of trust in the population would be the assurance that an independent expert has their back, will verify and ensure compliance with the law, and will take appropriate action to stop or correct non-compliant behavior.
If that were the law, these audit powers would be used rarely, in high risk circumstances, based on criteria such as those now applied by the UK ICO. But these few audits would create trust in the whole digital economy.
More generally, new laws should:
- enable responsible innovation;
- adopt a rights-based framework;
- increase corporate accountability;
- adopt similar principles in public and private sectors laws – given the increased reliance on public-private partnerships;
- ensure Canadian laws are interoperable, internationally and domestically; and
- adopt quick and effective remedies, including giving my office the authority to make orders and to impose monetary penalties where warranted.
Here I should note that the OPC should have similar powers and be subject to similar appeal procedures as its provincial counterparts, if the federal office is to remain an influential and often unifying voice in the development of privacy law in Canada.
Let me now move to a different angle to address the question raised by Kris. This too may fall in the “no holds barred” category.
If the state of privacy is to improve in Canada, we as a society need to have a more balanced conversation, not one based exclusively on interest.
Former Bill C-11 would have required the OPC to more formally engage with stakeholders in certain contexts, including the adoption of guidelines.
This would not pose any problem for the OPC. As you know, I have consulted extensively during my mandate, first on my strategic priorities, then on consent, on artificial intelligence and more recently on facial recognition. Some may even remember a consultation on cross-border data transfers.
I must say I was sometimes disappointed by these consultations. I of course expected that, to some extent, stakeholders would speak to their private interest, but I also expected a certain elevation of perspective in the public interest.
Naturally, the OPC must ensure that its positions and guidance are not only principled but grounded in the reality of entities it oversees. This is a point I stressed often with my OPC colleagues, yet it is likely we could have done more.
But if the OPC is to better understand the realities of entities, particularly in the private sector, stakeholders need to engage more fully with the regulator. When we are met with silence when we try to understand a certain commercial reality, no one wins. Our guidance may then lack the requisite contextual grounding and you may not find it practical. Similarly, when we receive clearly self-interested and incomplete feedback, we may give it less weight.
The problem is actually deeper. During all of my professional life, I have had to engage with stakeholders with different interests than the organization I represented. During all of my professional life, stakeholders and I have been able to acknowledge differences in perspectives but to see considerable common ground on the objective conditions at play. Only in my privacy period have I seen a complete disagreement on these objective conditions. Where I see a lack of trust by the population based on a perception -and a reality -that their rights are often not respected, and where the government sees a similar lack of trust, industry stakeholders ask: where is the evidence of a problem?
The reluctance by many Canadian industry stakeholders to acknowledge that problems are anything but marginal is not conducive to finding balanced solutions that instill trust while enabling commerce.
When the vast majority of Canadians say year after year that they are concerned because they think they are losing their privacy, they cannot all be wrong in seeing there is a significant problem.
When most of our trading partners are adopting laws that move away from self-regulation and towards greater protection of rights, they are not all on an economic suicide pact. They are doing this because they think this is what is best for their country, socially and economically.
That said, the OPC is preparing to more formally engage with stakeholders as we expect the new private sector privacy law will again encourage us to do so.
In the not too distant future, you should expect to be consulted on the procedure to be followed in the conduct of future inquiries, to ensure fairness, and on how you would like to be consulted when the OPC will prepare guidance under the new law.
We also intend to make more room for a broader range of stakeholders in the future. The views of industry stakeholders are important but, since they have more resources than others to participate in our consultations, they have been the dominant voice in the past. You should expect the OPC to seek views from more diverse groups going forward.
My hope is that my remarks today will provoke a more fulsome and authentic discussion between the OPC and stakeholders, be they from industry, civil society, academia or other sectors and groups.
As a final thought, am I hopeful that the state of privacy will soon improve in Canada?
I do see signs that give me hope.
First, I think citizens are more aware now than ten years ago that privacy is not just for geeks or techies. There is a growing awareness, however diffuse, that privacy regulation is linked to important issues about democracy and the economy.
I hope and actually believe that the actions of the OPC had some influence in this growing awareness. I am proud of the fact that we were able to make that contribution.
No meaningful change can occur unless the population is aware of an issue and is sufficiently concerned to demand reforms.
Second, we see that several provincial governments have noticed these concerns and have signaled that they are ready to act. British Columbia and Ontario have started to design proposals and Quebec has actually adopted new legislation, Bill 64. The federal government cannot stand idle in the face of these developments.
Third, there is also movement in the U.S. Several laws were adopted in U.S. states in recent years and the federal FTC is showing encouraging signs that it wants to address, in their words, “abuses stemming from surveillance-based business models”.
I am generally an optimistic person. Am I hopeful that effective laws will soon be adopted in Canada? Less than I would like. Resistance to change is stronger than I had anticipated.
That said, a Privacy Commissioner is not a legislator. My job was to protect the privacy of Canadians within the powers I had and to raise awareness of the true significance of privacy in the population. As an Agent of Parliament, I also had the privilege of advising legislators on how to improve privacy rights while upholding other public interests.
On these fronts I leave in peace. I am grateful to my predecessors for the road they traveled and I wish my successor good luck for the next journey.
I am particularly grateful to the great staff at the OPC, all tremendous colleagues with a great passion and commitment to privacy and service to Canadians.
And I am happy that as a group, I and my fellow provincial and territorial privacy commissioners have deepened our collaboration to ensure greater consistency and effectiveness in the application of privacy laws in Canada. Now, as a society, let’s just apply the lessons of the digital revolution and move on to adopting interoperable laws that will effectively protect the rights and values of Canadians.
Report a problem or mistake on this page
- Date modified: