In one of his last public speeches before his term runs out next week, the federal privacy commissioner again urged Parliament to make privacy an enforceable right for all Canadians.
Daniel Therrien, who has served for eight years, made that pitch today in an address to the annual Canadian privacy symposium of the International Association of Privacy Professionals (IAPP) in Toronto.
He also took the opportunity to criticize the Liberal government’s abandoned Consumer Privacy Protection Act [C-11] as being too pro-business, and businesses as blind to the public’s worries about privacy being eroded.
Therrien complained about the lack of input OPC got over the years in consultations with companies. “When we are met with silence when we try to understand a certain commercial reality, no one wins,” he said. “Similarly, when we receive clearly self-interested and incomplete feedback, we may give it less weight.”
Both the OPC and the government recognize the public lacks trust that their privacy rights are respected, he said, but “industry stakeholders ask: where is the evidence of a problem?
“The reluctance by many Canadian industry stakeholders to acknowledge that problems are anything but marginal is not conducive to finding balanced solutions that instill trust while enabling commerce.”
His speech came as the government has promised to try again to update the Personal Information Protection and Electronic Documents Act (PIPEDA) after failing to pass a new law in the last session of Parliament. That proposed law fell in part from criticism from Therrien that the proposed Consumer Privacy Protection Act [C-11] had major failings, including not clearly stating privacy is a fundamental right.
“Some industry representatives exaggerate the benefits of the current law [PIPEDA] and what they see as harms that would come from stronger regulation,” Therrien said. “They say a made-in-Canada approach has been good for the country, and that a rights-based approach would hurt innovation.
“Yet studies by reputable private firms indicate Canada is far from a leader in innovation [today]. Countries governed by the GDPR [the European Union’s General Data Protection Regulation], like Germany, and other countries with similar laws, like South Korea, are ahead of Canada. These economies are not about to collapse, they actually flourish. The idea that a rights-based law would impede innovation is a myth that is simply without foundation.” The reverse is true, he added: There can be no innovation without trust, and there is no trust without the protection of rights.
Rights-based privacy laws, he argued, are becoming the international standard, so a Canadian rights-based law would be in the interest of Canadian business.
The Liberal government pointed out that the preamble of C-11 said the purpose of the law was to establish rules to govern the protection of personal information “in a manner that recognizes the right of privacy of individuals with respect to their personal information.” Therrien says that’s not enough.
Industry associations are already pressuring the government not to closely follow the GRDR, which gives residents of EU countries rights including the right of access to information about them held by organizations, the right to have that data erased, to have restrictions on data processing and to avoid their data being used in automated decision-making.
In his speech today, Therrien said consistently an overwhelming majority of Canadians say they are concerned about their lack of control over their personal information. “The former Bill C-11 would have given consumers even less control over their personal information, and organizations more control. The knowledge and understanding required for meaningful consent [for collection of personal data under the law] would have been weakened. Organizations would have been able to collect and use information for any purpose that they determined, subject to an undefined appropriateness standard, and their accountability would be defined by procedures they would decide to put in place.
C-11 said companies must obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information. But there were exceptions: An organization may collect or use an individual’s personal information without their knowledge or consent if it is made for a business activity listed in the act. One example is something necessary to provide or deliver a product or service that the individual has requested. Another is an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.
To critics, that in effect meant a company could make its own rules. “What is needed is not more self-regulation [by businesses] but true regulation,” said Therrien, “meeting objective and knowable standards adopted democratically, enforced by democratically appointed institutions like my office, that can ensure the protection of rights and can ensure organizations are truly accountable.”
“While disruptive technologies have many benefits, what does not need disruption is the idea that democratic government must maintain the capacity to protect the fundamental rights and values of its citizens,” he added. “That capacity is lessened when organizations have almost complete liberty to set the rules under which they will interact with their clients and where they can set the terms of their accountability.”
“A new law should re-introduce the knowledge and understanding elements of meaningful consent, define an acceptable standard for accountability – namely the obligation to implement a privacy management program to ensure compliance with the law – and it should authorize the OPC [the Office of the Privacy Commissioner], like many other data protection authorities in Canada and abroad, to conduct pro-active audits to verify compliance with the law.”
The need for the OPC to do spot audits was “demonstrated in spades” by the controversy over giving the Public Health Agency of Canada access to anonymized cellphone tower location data of Canadians from carriers for COVID-19 mobility research. The goal was legitimate, Therrien said, but the government failed to instill trust of Canadians that the data was used appropriately. The public uproar prompted an investigation by the House of Commons ethics and privacy committee, which earlier this month issued a report calling on the government to develop clear guidelines regarding the use of mobility data by federal institutions. The majority also demanded the government consult with the OPC, stakeholders, and community groups that may be disproportionately affected by such initiatives.
While the government and data processor BlueDot told the OPC about the project, neither gave the commissioner the detailed information allowing them to “look under the hood” to confirm privacy was respected, Therrien said,