Privacy as a fundamental right in the digital age
Keynote remarks at the 25th Annual Vancouver International Privacy & Security Summit (VIPSS)
February 24, 2023
Vancouver, British Columbia
Address by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Thank you, Michael, for that kind introduction. It is a pleasure to be here with all of you in beautiful Vancouver.
This is my first time at Reboot Communications’ International Privacy & Security Summit, and I am so impressed with the thought-provoking and engaging discussions on the agenda. Cybersecurity, the flow of data internationally, the importance of protecting health information, how geopolitics are shaping global security, the privacy implications of artificial intelligence, cryptocurrency, and digital identification platforms – to name but a few.
Such a rich and diverse range of issues, highlighting the opportunities and challenges that we are collectively facing with the rapid changes in our legal, technological, and societal landscapes.
Having the opportunity to connect and exchange on these issues helps to inform the debate and leaves us all with a better understanding of the roles that we must play to address them.
Technology plays an increasingly central role in our world, our lives, and our economy. It offers tremendous potential for public- and private-sector innovation, and for improving the lives of Canadians. Ensuring that we can benefit from these advances, innovations, and conveniences while protecting privacy will be critical to our success as a free and democratic society, and a key challenge for Canada’s institutions in the coming years.
In order to do so, Canada’s federal public and private sector privacy laws need to be modernized to respond and adapt to the changing landscape, and to keep pace with legislative developments in other jurisdictions both domestically and internationally. In this digital age, the world is at our fingertips, and the price of that convenience is often the sharing of personal information. But what are the risks of that tradeoff, and are people aware of them before they make the choice to share?
This is why protecting privacy is one of the key challenges of our time. I fully intend to meet this challenge and in doing so, I will apply the three elements of my vision for privacy, which are:
- Privacy is a fundamental right;
- Privacy supports the public interest and Canada’s innovation and competitiveness; and
- Privacy accelerates the trust that Canadians have in their institutions and in their participation as digital citizens.
These three pillars reflect the reality that Canadians want to be active and informed digital citizens, able to fully participate in society and the economy without having to choose between this participation and their fundamental privacy rights.
Today, I would like to talk to you about what these three pillars mean to me as Privacy Commissioner, what they mean for Canadians, and how they can inform current practices and the modernization of our federal privacy regime, starting with the first pillar – privacy as a fundamental right.
Privacy as a fundamental right
In their historic 1890 article published in the Harvard Law Review, Samuel D. Warren and Louis D. Brandeis wrote about the right to privacy and grappled with how to define one’s right to protect their private life, ultimately describing it as “the right to be let alone”.
That article, which is now over 130 years old, is still remarkably relevant. It describes the desirability and the necessity of protecting privacy; to live freely; to control your identity and your life, as well as whether, when and how to share information about yourself with others. The right to privacy is even more important in today’s increasingly digital world.
Privacy is a fundamental right because personal information is a core part of who we are as individuals, and respecting privacy rights is essential to our dignity and to the enjoyment of other fundamental freedoms.
In 2019, my Office and our international colleagues in the Global Privacy Assembly declared in a resolution that “privacy is a precondition for citizens’ other freedoms as well as a keystone right for democracy…”. This is consistent with the Supreme Court of Canada’s long-standing interpretation of privacy law as having quasi-constitutional status, and with international legal instruments such as the 1948 Universal Declaration of Human Rights that have recognized the fundamental right to privacy.
Treating privacy as a fundamental and quasi-constitutional right means treating it as we do other human rights. As a priority. It means that privacy must be legally protected, with a strong, fair, and enforceable rights-based regime.
A regime that offers meaningful remedies to prevent and address violations and that acts as an incentive for institutions to create a culture of privacy, with privacy by design, where it is considered, valued, prioritized, and embedded at the outset of innovation – not as an afterthought, a regulatory burden, or a ‘tick box’ exercise.
Creating a culture of privacy means limiting the collection, use, retention, and disclosure of personal information to what is demonstrably necessary and proportional to achieve an organization’s purposes, and being transparent about what those are. It also means adequately training those dealing with that information on the importance of protecting privacy, and having monitoring mechanisms in place to ensure accountability.
Customers cannot be solely responsible for the protection of their privacy. Organizations must also be accountable for the ways that they collect, use, and disclose information, especially when dealing with those who are more vulnerable.
This is certainly true in the case of children, who are less able to understand and appreciate the long-term implications of consenting to their data collection and therefore need even greater privacy safeguards. Those of us who are parents have undoubtedly seen firsthand our children’s increased use of technology and social media over the last few years.
Last month, U.S. President Joe Biden wrote an op ed in the Wall Street Journal where he expressed concern about the lack of “serious federal protections” for privacy and said that the protections “should be even stronger for young people, who are especially vulnerable online”.
We can and must do more to protect children, and this will be one of my key priorities. Yesterday, my Office announced that with my privacy protection colleagues in British Columbia, Alberta, and Québec, we have launched a joint investigation into TikTok, a short-form video and streaming application. We will be investigating whether the organization’s practices comply with Canadian privacy law, with a particular focus on their privacy practices as they relate to younger users and whether valid and meaningful consent is obtained for the collection, use and disclosure of their personal information.
We want children to be able to benefit from technology and be active online, but to do so safely and free from fear that they may be targeted, manipulated, or harmed as a result. Personal privacy is not a right that we should have to surrender – at any age – in the name of innovation, profit, or the public interest.
Treating privacy as a fundamental right means that in cases of conflict – and these will be rare – between privacy rights and private or public interests, privacy must prevail. I say that these cases will be rare because by creating a culture of privacy where it is prioritized, valued, and protected at the front end, we will avoid most conflicts and achieve both privacy and the desired public or private interests.
This brings me to the second element of my vision – privacy in support of the public interest and Canada’s innovation and competitiveness.
Privacy in support of the public interest and Canada’s innovation and competitiveness
I believe that Canada can be an innovation hub and a model of good government while at the same time protecting the personal information of Canadians. I believe that we can and must have privacy while at the same time fostering the public interest. It is not a zero-sum game and, as in so many things, we must reject the premise of this false choice and extremes in either direction.
All of us, whatever our roles in the private and public sectors, or as citizens participating in our democracy, need to work together to ensure that the fundamental right to privacy is protected while we achieve other important private and public interest goals. It is not an either/or proposition.
Finding this balance will not always be easy, but it is absolutely possible and necessary.
It is also good business and good public policy.
Resources spent on protecting and promoting privacy – on creating a ‘culture of privacy’ – are smart investments in the security and trust that Canadians have in organizations. By considering privacy at the front-end and building it into our innovations, policies, and practices, and by demonstrating a commitment to transparency, accountability, security, and the protection of privacy, you generate efficiencies down the line so that these costs become investments that are good for businesses and governments alike.
Achieving both privacy and other competing interests of great importance is not a challenge unique to the private sector. Privacy must not be surrendered in the name of the public interest either.
Recently, the Federal Court of Canada issued a decision about whether Health Canada was justified in refusing to release information under the access to information regime that may have made it possible to identify individuals who were licensed to grow medical marijuana before it was legalized. The Court found that while “access to information is a foundational right, essential to the health of our democracy”, that “the protection of privacy is also a hallowed value” and that “privacy rights must be recognized as ‘paramount’ over access to information” to the extent that the information being sought is personal information.
Facial recognition technology is another example. Even in the context of this privacy-intrusive tool, privacy protection authorities in Canada have not called for an outright ban but rather for a clear and strong legal framework to regulate its use. The House of Commons’ Access to Information, Privacy and Ethics Committee agreed and reiterated in their September 2022 report the importance of modernizing public and private sector privacy laws to ensure the appropriate regulation of such privacy-impactful technologies.
In November 2022, the Committee issued another report on the use of on-device investigative tools by the RCMP, calling for a legislative framework that recognizes privacy as a fundamental right and that requires government institutions to consider and address privacy impacts at the outset when developing and using new technologies.
My provincial and territorial colleagues and I have also issued a resolution on digital identification. In announcing the resolution, I stated that the development and implementation of a digital ID ecosystem is an opportunity to demonstrate how innovation and privacy protection can coexist.
We can all see the benefits of a system that will allow businesses and governments to confirm identities and carry out transactions online with a high degree of efficiency and confidence, and individuals to reap the rewards of this convenience and expediency. But we must also recognize that unless digital identity projects and the frameworks that support them meet high standards of privacy, security, transparency, and accountability, they will not be trusted enough to be widely adopted, and those benefits will not be realized.
Keeping up with – and staying ahead of – fast-moving technological advances is another key focus area. We need modernized privacy laws that are technologically neutral so that they can be nimble enough to stand the test of time in the face of unprecedented technological developments.
Treating privacy as a fundamental right and finding ways to achieve the public interest and innovation at the same time is not only possible, it is a virtuous circle that generates trust which further benefits these interests.
This brings me to my third pillar – privacy as an accelerator of trust in the digital economy.
Privacy as an accelerator of trust in the digital economy
In our most recent survey of Canadians, more than half of respondents expressed concern over the respect of their privacy. Privacy matters to Canadians. The more that individuals trust that their privacy rights will be protected, the more confident they will feel about participating freely in the digital economy, which is good for Canadians, good for businesses, and good for innovation.
So, how do we restore this trust, and what is our role in accelerating it?
Let me highlight three ways.
First, we need a strong set of public and private sector privacy laws that fairly and effectively regulate the collection, use, retention, and disclosure of personal information so that Canadians know that they are not alone in protecting their fundamental right to privacy, and so that organizations can benefit from a clear set of rules.
In June 2022, the federal government took an important step toward modernizing the private-sector law with the tabling of Bill C-27, the Digital Charter Implementation Act. The second reading of the Bill is set to take place when the House of Commons resumes on March 6, 2023, and I am very much looking forward to providing my advice to Parliament soon on how it can and must be further improved.
I am also encouraged by the remarks of the Minister of Justice and Attorney General of Canada, the Honourable David Lametti, who following the tabling of Bill C-27, said that public sector privacy reform is not far behind. It will be important that the legislative regimes are harmonized to ensure that both public and private sector privacy laws are grounded in the same principles – especially given the increasing prevalence of public-private partnerships.
With the possibility of law reform on the horizon, my Office is preparing to be ready to deliver on its new mandate should Bill C-27 be adopted by Parliament. This will be another priority in the year ahead, and it will be essential that my Office be properly resourced in a timely way to prepare for the transition, including any necessary operational and structural changes that may be required, in order to fully and effectively take on the important new responsibilities under that proposed legislation.
This leads me to a second way to help restore trust, which is to ensure that data protection authorities have the necessary authority and resources to not only deal with complaints, but to also play a strong advisory and promotion role giving independent and expert advice and input to organizations planning new initiatives that involve the collection or use of personal information.
Ensuring that we have the necessary enforcement tools to provide meaningful remedies to prevent and address privacy right violations, including order-making powers, is essential.
It also serves as an incentive for institutions to create a culture of privacy. At the same time, we need proactive and preventive measures to avoid complaints in the first place.
Identifying and assessing privacy implications from initiation to implementation and beyond is a responsible, proactive approach, and my Office is here to help maximize the impact of those efforts through our Business Advisory and Government Advisory Directorates. Privacy Impact Assessments are an essential tool for integrating privacy considerations into new programs, policies, and technologies to ensure the protection of personal information.
My hope is that when organizations consult with my Office, we will either be satisfied with the measures taken to safeguard privacy or we will be able to provide advice resulting in course corrections at the outset. Ultimately, I am confident that the very fact that these consultations take place with my Office reassures Canadians that their privacy is being properly considered and protected, which builds trust in our institutions. This has never been more important than it is now.
As a third measure to restore trust, we need public and private sector organizations to cultivate a strong and lasting culture of privacy where it is considered, valued, and prioritized in all that we do.
We need to make sure that individuals are not being nudged or encouraged to provide more information than what is strictly necessary and proportional to achieve an organization’s purposes. We also need to make it easy to choose the most privacy protective settings, and to make sure that privacy practices are clear and understandable so that individuals know when, how and why their personal information is being collected, used, disclosed, and retained.
Our findings in the Tim Hortons investigation, where the company’s app tracked users’ locations even when the app was not in use, and without the users’ knowledge or consent, demonstrate how trust can be undermined when privacy is not sufficiently considered and protected.
My Office’s recent report following our investigation into Home Depot’s sharing of customer information with Meta Platforms is another illustrative example.
Our investigation revealed that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing them with an electronic copy of their receipt, but then sending these email addresses, in a coded format, along with high-level details about each customer’s in-store purchases, to Meta, who would then use this information to determine if a customer had a Facebook account. If they did, Meta would compare the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads and could also use the information for its own business purposes, including user profiling and targeted advertising. When their emails were requested, customers were not informed of this planned exchange of information between Home Depot and Meta.
We found this practice to be a breach of privacy law, in part because we concluded that it was unlikely that Home Depot customers would have expected that their personal information would have been shared with a third party, like Facebook, simply because they opted for an email receipt. In announcing the decision, I stated that consumers need clear information at key transaction points so that they can make informed decisions about how their personal information is being used and provide meaningful consent.
The takeaway for companies is that they should not trivialize the use of personal information. While our investigation dealt with an individual case, our conclusions apply to any organization that has a similar practice with respect to e-receipts. Considering privacy at the front-end means taking steps to ensure that as an organization you are being clear and transparent with customers about the purposes for which their personal information is being collected, used, and disclosed, and obtaining meaningful consent from them before doing so. This is not only required by privacy law, but also an important investment in the trust that Canadians have in businesses and the digital economy.
These examples serve as reminders of the work that remains to be done to promote a culture where privacy protection is the default setting and where Canadians have the reflex to always ask why their personal information is being sought.
A culture of privacy, with privacy by design, and privacy by default.
In closing, I want to leave you with a quote from Tim Cook, the CEO of Apple, who remarked during his keynote speech at last year’s Global Privacy Summit in Washington, D.C. that the “fight to protect privacy is not an easy one, but it is one of the most essential battles of our time”. He noted that while he is “profoundly inspired by what technology can make possible, […] we know too that technology is neither inherently good, nor inherently bad. It is what we make of it. It is a mirror that reflects the ambitions of the people who use it, the people who build it, and the people who regulate it.”
My remarks today have focused on the opportunities and challenges that we are facing, and I hope to have left you with an idea of the roles that we can all play in addressing them, and where we can look and work to find solutions.
We need to work together as leaders, regulators, consumers, and citizens to achieve a world where the fundamental right to privacy is respected and valued. A world where Canadians can benefit from the convenience that technology affords without having to look over their shoulders while they do. A world where privacy does not come at the expense of innovation or the public good, but rather supports these goals by reinforcing the confidence that people have in the organizations that they engage with because they know that their privacy is being protected. This can and must be achieved, and I look forward to working with all of you in doing so.
- Date modified: