Statement before the Special Committee to review BC’s Personal Information Protection Act

June 22, 2021, by video conference
Ottawa, Ontario

Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Thank you for the invitation to speak with you today.

Digital technologies that rely on the collection and analysis of personal data are at the heart of the fourth industrial revolution and are key to our socio-economic development.

The pandemic has made clear that these technologies can bring important benefits, such as allowing us to remotely work, receive health services or education.

But time and again, we have seen through privacy breaches or other scandals like the Facebook/ Cambridge Analytica matter, that digital technologies can create important risks, not only for privacy but also for other fundamental rights like freedom, democracy or equality.

Other jurisdictions have modernized their privacy laws in recent years, notably the European Union, where the General Data Protection Regulation (GDPR) came into force in 2018.

The GDPR is sometimes said to be overly prescriptive.

I would rather say it continues to be a very good yet imperfect model for privacy legislation globally, and my suggestion would be to not shy away from using it as a source of inspiration, while at the same time adopting other rules you think might be better adapted to your local conditions.

Interoperability between privacy laws helps to facilitate and regulate commercial exchanges that rely on personal data.

It also helps to reassure citizens that their data are subject to similar protections when they leave our borders. And finally, it benefits organizations by reducing compliance costs.

Interoperability of laws domestically is also important, and as you know, in November 2020, the federal government tabled Bill C-11, the Digital Charter Implementation Act, which would enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA).

In May, my office released a submission package in response to C-11. Despite Bill C-11’s ambitious goals, our view is that in its current state the Bill would represent a step back overall for privacy protection.

There are serious problems with this Bill.

It seeks to address most of the privacy issues relevant in a modern digital economy, but in ways that are frequently misaligned and less protective than the laws of other jurisdictions.

However, with some important amendments, the Bill could become a strong piece of legislation that effectively protects the privacy rights of Canadians, while encouraging responsible economic activity.

Today, I will focus my comments on a number of key recommendations my office made in the context of Bill C-11.

These comments were informed by precedents, best practice, research, and privacy regimes worldwide.

Many of our recommendations on C-11 align with the recommendations made by Commissioner McEvoy’s office and I am happy to be able to provide the Committee with additional context and our experience on the recommendations proposed by the OIPC.

Consent and Exceptions

As said, to draw value from data, in a responsible way that protects privacy and other rights, our laws must urgently be amended.

In Bill C-11, the government is seeking to achieve this by maintaining the consent model and adopting several new exceptions. 

While some of those exceptions are reasonable, others are too broad or ill-defined to foster responsible innovation.

For example, there is no reasonable justification for an exception to consent based on the impracticability of obtaining consent.

In my view, what we need is that the law should accommodate new, unforeseen but responsible uses of information in society’s interests or for legitimate commercial interests, within a rights-based framework.

Such provision would give considerable flexibility to use data for new purposes unforeseen at the time of collection, within a world of knowable purposes and subject to regulatory oversight.

What we need is not self-regulation but true regulation, meaning objective and knowable standards adopted democratically, enforced by democratically appointed institutions.

We need sensible legislation that allows responsible innovation that serves the public interest and is likely to foster trust, but that prohibits using technology in ways that are incompatible with our rights and values.

I agree with Commissioner McEvoy that meaningful, informed consent should be part of our private sector privacy laws and that individuals should understand how their personal information will be used.

That being said, privacy protection can no longer hinge on consent alone.

In today’s complex information environment, it is neither realistic nor reasonable to ask individuals to consent to all possible uses of their data.

Enforcement

On the subject of enforcement, an effective regulator must be properly equipped with meaningful powers that lead to quick and effective remedies.

In many countries, this is done by granting regulatory authorities the power to issue compliance orders and impose significant monetary penalties.

Given the immense profits that can be made through the inappropriate use of personal data, serious financial penalties are imperative - there needs to be real consequences for businesses that break the law, and incentives to comply.

However, the penalty provisions in C-11 are hollow.

First, Bill C-11 lists only a few violations as being subject to administrative penalties. This list does not include obligations related to the form or validity of consent, nor the numerous exceptions to consent, which are at the core of protecting personal information.

It also does not include violations to the principle of accountability, which is supposed to be an important counterbalance to the increased flexibility given to organizations in the processing of data.

As you may know, Bill C-11 also creates an additional layer of decision-making in the form of the Personal Information and Data Protection Tribunal, which would be responsible for imposing monetary penalties and hearing appeals against decisions of my office.

We believe that this tribunal, which does not exist in this form anywhere else, would create unnecessary delays for consumers. The courts are perfectly capable of reviewing the legality of OPC decisions.

Worse, it would encourage companies to choose the route of appeal rather than finding common ground with the OPC when we are about to issue an unfavourable decision.

We believe that the addition of this tribunal would only delay access to justice for consumers.

We have recommended that we be granted the authority to impose penalties at the conclusion of inquiries, an approach similar to that found in the GDPR, the law in the UK, Quebec’s Bill 64, and as recently proposed by Ontario in its white paper on a private sector privacy law for the province.

Regulatory Cooperation

My office’s long history of cooperation with domestic and foreign data protection authorities has shown the overall value of cooperation, and proven that it is possible to coordinate activities even where parties are applying different laws.

Extending this potential for cooperation not only creates efficiencies for the cooperating authorities, but more importantly can lead to better outcomes for Canadians.

We are recommending amendments to Bill C-11 to further enhance our ability to cooperate with domestic and international authorities, and support our BC counterparts in their recommendation in this regard, given the significant benefits to be gained from such cooperation.

Compliance Agreements

The OIPC has recommended that PIPA be amended to enable the Commissioner to enter into compliance agreements with organizations to allow for responsive, flexible oversight.

PIPEDA currently grants us this power, which allows us to ensure that organizations follow through on commitments they have made to the OPC to rectify their practices.

We have found these agreements to be an important means of effectively resolving complaints.

For example, our monitoring of a compliance agreement entered into with dating website Ashley Madison allowed us to ensure a fulsome implementation of a variety of remedial actions, including the implementation of a comprehensive privacy and security framework. 

We are pleased that they would remain available to us as an enforcement mechanism under Bill C-11.

Breach Notification

Breach notification is a fundamental element of modern privacy laws. It enhances transparency and accountability in the way private sector organizations manage personal information.

Breach notification and reporting requirements were made mandatory under PIPEDA in 2018.

Mandatory breach notification to individuals ensures people are made aware of instances where there is a risk of harm with respect to their personal information and allows individuals to take steps to protect themselves if their personal information may have been compromised.

Recordkeeping requirements and an obligation to report breaches to a privacy commissioner ensures accountability and oversight as to how breaches are managed and further prevented by organizations.

The obligation to report breaches also raises awareness of these incidents and trends, systemic issues and solutions.

We are also better prepared to develop outreach and educational tools to help inform Canadians and to help businesses mitigate future risks.  

Our experience to date has shown that PIPEDA’s breach provisions could be improved.

For instance, the timeliness for reporting is often poor, leaving consumers at risk and the regulator without knowledge to propose remedies.

It is impossible to hold organizations to account when 40% of reports are currently submitted to us over 3 months after the breach occurred.

To help address these deficiencies, we have recommended that Bill C-11 be amended to require organizations to report breaches “without unreasonable delay” but within 7 days after they become aware of the incident.

Conclusion

Now is an opportune time for Canada to show leadership on privacy law reform.

What we need, at both the federal and provincial level, is sensible legislation that allows for responsible innovation that serves the public interest, and which prohibits the use of personal information in ways that are incompatible with our rights and values.

Provinces have an important role to play in ensuring Canadians’ privacy is protected.

With that, I welcome any questions you may have.