Keynote Remarks at the International Institute of Communications (IIC) Canada’s 19th Annual Communications Law & Policy Conference
May 15, 2023
Address by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Thank you for that kind introduction. It is a pleasure to be here with all of you on this beautiful day at the National Arts Centre.
As I was preparing my remarks for today, I was struck by the important role that the International Institute of Communications plays as a world leader bringing together the people who work in and regulate the sectors where privacy issues are at the forefront more today than ever before: global telecommunications, media, and digital media.
With the increasingly central role that technology plays in our world and our lives, the communications landscape has changed.
The world is at our fingertips, it seems that everything that we do has become digitized, and news and information are shared instantaneously.
But the price of that convenience is often the sharing of personal information, and people are not always aware of the risks and implications of their participation in the digital world.
That is why all of you play a crucial role in ensuring the protection of privacy so that we can benefit from these advances, innovations, and conveniences while at the same time ensuring that our fundamental right to privacy is protected.
Achieving this balance is a key challenge for all of us in the public and private sectors and will ultimately be critical to our success as a free and democratic society.
Since my appointment as Privacy Commissioner in June of last year, I have set my vision for privacy as one that reflects the reality that Canadians want to be active and informed digital citizens, able to fully participate in society and the economy, without having to choose between this participation and their fundamental privacy rights.
My vision has three pillars, which are:
- Privacy is a fundamental right;
- Privacy supports the public interest and Canada’s innovation and competitiveness; and
- Privacy accelerates the trust that Canadians have in their institutions and in their participation as digital citizens.
We know that privacy matters to Canadians. They want and need to trust that their privacy rights are being protected so that they can feel confident about participating freely in the digital economy, which in turn is good for businesses and governments alike.
We also know that organizations in both the public and private sectors are having to adapt to the scale and pace of technological advancements that we are seeing and are working hard to operate and innovate in a manner that protects the privacy of Canadians, their customers, and their clients.
So today, I would like to talk about the importance of protecting privacy and the work that my Office is doing domestically and internationally in that regard, as well as what we can do to help enable, guide and support organizations as they comply with the applicable privacy laws now and in the future, and why that is not only necessary but a smart investment to make.
Fundamental Right to Privacy
Privacy is a fundamental right. That is the first pillar of my vision for privacy and something that I have repeated at every opportunity over the last year since my appointment as Privacy Commissioner.
What I have come to appreciate is that privacy is a part of everything that we do, and the right to protect our personal information – the details about who we are, what we do, where we go and what we believe – is a core part of our individual dignity.
Some of my Office’s recent investigations and findings illustrate why the right to decide whether, when and how to share information about ourselves is essential – even more so in today’s increasingly digital world.
My Office’s findings in the Tim Horton’s investigation last year described how the company’s app was tracking users’ locations even when the app was not in use, and without the users’ knowledge or consent.
Earlier this year, we released the results of our investigation into Home Depot’s sharing of personal information with Facebook when their customers opted for an electronic receipt at checkout.
We found this practice to be a breach of privacy law, in part because we concluded that it was unlikely that Home Depot customers would have expected that their personal information would have been shared with a third party, like Facebook, simply because they opted for an email receipt instead of a printed one.
Since issuing our findings, my Office has learned of several other retailers allegedly engaging in similar practices, and we have reached out to those organizations and are in the process of confirming how they are complying with the expectations flowing from our investigation.
Organizations must not trivialize the use of personal information. Considering privacy at the front-end means taking steps to ensure that as an organization you are being clear and transparent with customers about the purposes for which their personal information is being collected, used, and disclosed, and obtaining meaningful consent from them before doing so.
This is not only required by privacy law, but also an important investment in the trust that Canadians have in businesses and the digital economy.
In 2019, my Office conducted a joint investigation with the Office of the Information and Privacy Commissioner for British Columbia into Facebook’s privacy practices.
The investigation followed a complaint that a UK consulting firm, Cambridge Analytica, was able to access millions of Facebook users’ private data without their consent for use in psychographic modelling for political purposes.
Facebook disputed the investigation’s findings and did not agree to implement our recommendations, so in February 2020, we filed an application with the Federal Court seeking an order requiring Facebook to correct its privacy practices in accordance with Canada’s federal private sector privacy law.
Facebook brought a separate application seeking judicial review of the OPC’s investigation and decision.
After hearings earlier this year, the Federal Court dismissed both applications last month.
On Friday, I announced that my Office is appealing that decision, which raises important questions with respect to the interpretation and application of privacy law in Canada that will benefit from clarification by the Federal Court of Appeal.
The issues at the heart of these cases are directly related to the fundamental privacy rights of Canadians and their ability to participate with trust in our digital society.
They also demonstrate how easily trust can be undermined when privacy is not sufficiently considered and protected.
Whether you are buying a coffee, at a checkout counter, or online connecting with friends, you need to know that your personal information is protected. You want to choose what gets shared, when, and with whom.
Respecting the right to privacy is also essential because it underpins and enables so many other fundamental freedoms that we enjoy, from democratic rights to freedom of expression, to the right to live free from discrimination.
Over the last few years, we have seen so many examples of this in Canada and around the world, as privacy issues have emerged in everything from abortion rights and election interference to interactions with the police and advertising practices.
In 2019, my Office and our international colleagues in the Global Privacy Assembly declared in a resolution that “privacy is a precondition for citizens’ other freedoms as well as a keystone right for democracy…”.
This is consistent with the Supreme Court of Canada’s long-standing interpretation of privacy law as having quasi-constitutional status, and with international legal instruments such as the 1948 Universal Declaration of Human Rights that have recognized the fundamental right to privacy.
Privacy is also intrinsically linked with many important public interest issues.
Anti-money laundering, the fight against modern slavery, national security, and telecommunications, to name but a few.
As a society, it is imperative that we have the tools and the ability to address these important public interest goals, and we must ensure that by protecting the fundamental right to privacy, we are not inadvertently frustrating them.
But achieving both privacy and other competing interests of great importance is possible, and privacy does not need to be sacrificed in the name of the public interest or innovation.
All of us, whatever our roles, need to work together to ensure that the fundamental right to privacy is protected while we achieve other important private and public interest goals.
It is not an either/or proposition or a zero-sum game.
Children’s right to privacy
This is especially true in the case of children, who are going online at younger ages each year for school and to connect with their friends.
We are already seeing the first generation of children born into a world where their digital life is a daily reality.
As a parent, it is a reality that I have lived, and as Privacy Commissioner, it is an issue that I take very seriously.
We want children to be able to benefit from technology and to be active online, but we want them to do so safely and free from fear that they may be targeted, manipulated, or harmed as a result.
Last week, the Brookings Institution published a policy brief noting the adverse effects that social media companies can have on the mental health of minors, who often deal with online bullying and sexual harassment on these platforms.
Young people are also less able to understand and appreciate the long-term implications of consenting to their data collection, which is why they need even greater privacy safeguards.
My Office recently announced that with my privacy protection colleagues in British Columbia, Alberta, and Québec, we have launched a joint investigation into TikTok.
We will be investigating whether the organization’s practices comply with Canadian privacy law, with a particular focus on their privacy practices as they relate to younger users and whether valid and meaningful consent is obtained for the collection, use and disclosure of their personal information.
We can and must do more to protect the privacy of children, and this will be one of my key priorities in the year ahead.
Artificial Intelligence and the Fourth Industrial Revolution
Staying ahead of the fast-moving pace of technological advancement is another one of my key focus areas, especially in the world of artificial intelligence (AI) and generative AI.
Whether it is AI chatbots like ChatGPT, Bing or Google’s Bard, these new technologies have seemingly limitless possibilities – some have likened it to opening a Pandora’s box – but we need to make sure that the related risks of these privacy impactful tools are addressed appropriately.
We need to consider privacy implications, concerns about algorithmic biases, and the need for a clear and strong legal framework to regulate their use. That is responsible innovation.
Last September, the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (ETHI) completed a study on the use of facial recognition technology, and called for a moratorium on its use until it could be reviewed by the courts or my Office.
I welcomed the Committee’s report which confirmed the pressing need to ensure the appropriate regulation of privacy impactful technologies, such as facial recognition and artificial intelligence, in a way that protects and promotes Canadians’ fundamental right to privacy.
In April, my Office announced that we have launched an investigation into the company behind ChatGPT to determine whether the organization’s practices comply with Canadian privacy law.
My Office is monitoring and researching these and other new technologies so that we can anticipate how they may impact privacy, and so that we can promote the most privacy enhancing technologies.
AI technology and its impact on privacy is also a matter of global privacy interest. We have, and will continue to, engage with our domestic and international partners on these issues.
Domestic and International Collaboration
We work with our provincial and territorial colleagues through joint investigations and policy guidance, which are vital in a world where privacy enforcement authorities are collectively facing a rising number of complaints and issues of increasing complexity.
My provincial and territorial colleagues and I have also issued a resolution on digital identification. In announcing the resolution, I stated that the development and implementation of a digital ID ecosystem is an opportunity to demonstrate how innovation and privacy protection can coexist.
We can all see the benefits of a system that will allow businesses and governments to confirm identities and carry out transactions online with a high degree of efficiency and confidence, and individuals to reap the rewards of this convenience and expediency.
But we must also recognize that unless digital identity projects and the frameworks that support them meet high standards of privacy, security, transparency, and accountability, they will not be trusted enough to be widely adopted, and those benefits will not be realized.
Trans-border data flows are another area of global interest.
At last summer’s G7 Data Protection and Privacy Authorities Roundtable in Bonn, the discussion centered on the issue of “data free flow with trust”, highlighting the need to build consumer trust by ensuring high global data protection standards for information flowing across borders, with the right to privacy and data protection as a guiding principle.
I look forward to continuing these discussions with my G7 colleagues in a few weeks in Tokyo under the Japanese presidency.
As the regulator of one the world’s most advanced digital economies, my Office plays a leadership role in discussions on digital issues and promotes the adoption of higher standards for data protection around the world.
It is important that Canada’s private-sector privacy law be interoperable with other laws, both domestically and internationally, to facilitate and regulate commercial exchanges that rely on personal data, and to reassure citizens that their personal data is subject to similar protections when they cross borders.
My Office also works to foster greater cooperation and collaboration across regulatory spheres.
In today’s digital economy, with the emergence of data-driven business models and platforms, we are seeing increasing intersection between privacy, consumer protection, antitrust and other regulatory spheres.
In March, my Office provided comments to the Minister of Innovation, Science and Industry on the future of Competition Act reform.
As competition and privacy issues are increasingly overlapping, this is an issue of great interest to me.
In our submission, we recommended that the Act be revised to allow more collaboration between my Office and the Competition Bureau, particularly related to our investigative work, inquiries and other formal compliance matters.
The digital economy continues to bring several regulatory spheres together, and this requires greater cooperation between various agencies, as well as stronger laws to provide the protection that Canadians expect and deserve.
We continue to look for ways to work more closely with our colleagues and regulatory partners.
It is also more important than ever that organizations have regulatory predictability, particularly in fields like telecommunications where multiple regulators have authority and oversight.
The goal is not necessarily more regulation, but better regulation, so that there is interoperability across borders and regulatory spheres.
We are also seeing the emergence of cross-regulatory fora elsewhere, like the Digital Regulation Cooperation Forum in the United Kingdom, which brings together regulators from the privacy, competition, telecommunications, and financial sectors to share information and collaborate to protect digital rights across regulatory spaces.
The question is how digitization will affect our society, and how can we ensure that our laws protect our values and rights as the pace of technological development accelerates?
One answer is that we need modernized privacy laws that are technologically neutral so that they can be nimble enough to stand the test of time.
Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (or PIPEDA), has been around since 2000. This July will mark the 40th anniversary of the Privacy Act, which covers federal government institutions.
So, I am looking ahead and preparing for law reform.
The government took an important step toward modernizing PIPEDA with the tabling of Bill C-27, the Digital Charter Implementation Act, which was referred to the House of Commons’ Standing Committee on Industry and Technology for study last month.
My written submissions and recommendations to the Committee were made public by the Committee last week, and I am looking forward to appearing before the Committee to discuss this important Bill and provide my advice on how it can and must be further improved.
In our submission, which is available on our website, I state Bill C-27 is a step in the right direction and make 15 key recommendations that I believe are necessary to strengthen the legislative framework and further protect the privacy of Canadians while supporting the digital economy.
I am also encouraged by the remarks of the Minister of Justice and Attorney General of Canada, the Honourable David Lametti, who following the tabling of Bill C-27, said that public sector privacy reform is not far behind.
It will be important that the legislative regimes are harmonized to ensure that both public and private sector privacy laws are grounded in the same principles – especially given the increasing prevalence of public-private partnerships.
Leadership and our Collective Roles
Privacy matters to Canadians more today than ever before. It also supports the public interest and Canada’s innovation and competitiveness.
The more that individuals trust that their privacy rights will be protected, the more confident that they will feel participating freely in the digital economy. And the more loyal they will be as clients of privacy protective organizations.
As a result, organizations that consider privacy implications at the outset of any innovation or initiative, and that make it easy for Canadians to choose privacy protection as the default setting, will find that it is ultimately more cost-efficient and effective, and those costs will become investments or downpayments in a relationship of trust that will serve consumers, businesses, public policy, and innovation alike.
This is where my Office can help.
We have a strong advisory and promotion role and can give independent and expert advice and input to organizations planning new initiatives that involve the collection or use of personal information.
We can help organizations to be proactive and take preventive measures to avoid complaints in the first place.
My Office also continues to provide timely and relevant information and general guidance to businesses on our website and through our Government and Business Advisory Directorates and can offer specific advice to help companies identify and assess privacy implications.
Whether through Privacy Impact Assessments, which are an essential tool for integrating privacy considerations into new programs, policies, and technologies to ensure the protection of personal information, or through less formal consultations, we want to help create a culture of privacy where there are measures adopted and investments made to ensure that privacy protections are sustained and strengthened.
My Office is seeing an increasing demand from organizations for advice and guidance on their privacy obligations, and with the prospect of private sector law reform on the horizon, we anticipate an even greater need for consistent guidance on how organizations can remain compliant with a new federal privacy law while fully participating in the digital economy.
We also want to understand the operational realities and the challenges that organizations are facing.
That context and information is important and helps to inform the advice and guidance that we give.
My hope is that when organizations consult with my Office, we will either be satisfied with the measures taken to safeguard privacy or we will be able to provide advice resulting in course corrections at the outset.
Ultimately, I am confident that the very fact that these consultations take place with my Office reassures Canadians that their privacy is being properly considered and protected, which builds trust in our institutions.
This highlights the important role that all of you play as industry leaders and experts in ensuring that privacy is considered at the front-end, and that this valuable work is communicated clearly to Canadians.
This means taking steps to ensure that as an organization you are being clear and transparent about the purposes for which personal information is being collected, used, and disclosed, and obtaining meaningful consent.
It means limiting the collection, use, retention, and disclosure of personal information to what is demonstrably necessary and proportional to achieve an organization’s purposes, and being transparent about what those are.
It also means adequately training those dealing with that information on the importance of protecting privacy, and having monitoring mechanisms in place to ensure accountability.
The good news is that resources spent on protecting and promoting privacy are smart investments in the security and trust that Canadians have in organizations.
As noted earlier, they are downpayments on trust that will reward investors and consumers alike as we work towards a culture of privacy.
I look forward to continuing to find ways that we can all work together as industry leaders, regulators, consumers, and citizens so that Canadians can benefit from the many benefits and conveniences that technology affords without having to look over their shoulders while they do.
We can have privacy and the public interest. We can have privacy and innovation.
Strong privacy protections can be a competitive advantage.
I wish you all a wonderful rest of the conference.
- Date modified: