Language selection


Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) before the International Grand Committee on Big Data, Privacy and Democracy

May 28, 2019
Ottawa, Ontario

Opening statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Members of the Grand Committee, thank you for the invitation to address you today.

My remarks will address three points that I think go to the heart of your study.

First, that freedom and democracy cannot exist without privacy and the protection of our personal information. Second, that in meeting the risks posed by digital harms, such as disinformation campaigns, we need to strengthen our laws in order to better protect rights. Lastly, I will share suggestions on what needs to be done in Canada – as I am an expert in Canadian privacy regulation – so that we have 21st century laws in place to ensure the privacy rights of Canadians are protected effectively. I trust these suggestions can also be relevant in an international context.

Freedom, Democracy and Privacy

As you know, my UK counterpart, the ICO, in its report on privacy and the political process clearly found that lax privacy compliance and micro targeting by political parties have exposed gaps in the regulatory landscape. These gaps, in turn, have been exploited to target voters via social media and to spread disinformation.

The Cambridge Analytica scandal highlighted the unexpected uses to which personal information can be put and, as my Office concluded in our Facebook investigation, uncovered a privacy framework that was actually an empty shell. It reminded citizens that privacy is a fundamental right and a necessary precondition for the exercise of other fundamental rights, including democracy.

In fact, privacy is nothing less than a prerequisite for freedom: the freedom to live and develop independently as individuals, away from the watchful eye of surveillance by the state or by commercial enterprises, while participating voluntarily and actively in the regular, day-to-day activities of a modern society.

As members of this committee are gravely aware, the incidents and breaches that have now become all-to-common go well beyond matters of privacy, as serious as I believe those to be.

Beyond questions of privacy and data protection, democratic institutions and citizens’ very faith in our electoral process are now under a cloud of distrust and suspicion.

The same digital tools, like social networks, that public agencies, like electoral regulators thought could be leveraged to effectively engage a new generation of citizens are also being used to subvert, not strengthen our democracies.

Data protection from digital harms

The interplay between data protection, micro targeting and disinformation represent a real threat to our laws and institutions.

Some parts of the world have started to mount a response to these risks with various forms of proposed regulation.

The recent UK White Paper on Digital Harms proposes the creation of a digital regulatory body and offers a range of potential interventions with commercial organizations to regulate a whole spectrum of problems. The proposed model for the UK is to add a new regulator agency for digital platforms that will help them develop specific codes of conduct to deal with child exploitation, hate propaganda, foreign election interference and other pernicious online harms.

As well, earlier this month, the Christchurch Call to Eliminate Terrorist and Violent Extremist Content Online highlighted the need for effective enforcement, the application of ethical standards and appropriate cooperation.

Finally, just last week here in Canada the government released a new proposal for an update to our federal commercial data protection law, as well as an overarching Digital Charter meant to help protect privacy, counter misuse of data and help ensure companies are communicating clearly with users.

Underlying all these approaches is the need to adapt our laws to the new realities of our digitally interconnected world. There is a growing realization that the age of self-regulation has come to an end.

The solution is not to get people to turn off their computers or to stop using social media, search engines or other digital services. Many of these services meet real needs.

Rather, the ultimate goal is to allow individuals to benefit from digital services – to socialize, learn, and generally develop as persons – while remaining safe and confident that their privacy rights will be respected.

Suggestions to guide privacy protections

There are certain fundamental principles I believe can guide government efforts to re-establish citizens’ trust. Putting citizens and their rights at the centre of these discussions is vitally important in my view – and legislators’ work should focus on rights-based solutions.

In Canada, the starting point should be to give the law a rights-based foundation, worthy of privacy’s quasi-constitutional status. This is the case in many countries, where their law frames certain privacy rights explicitly as such, with practices and processes that support and enforce this important right.

Canada should continue to have a law that is technology neutral and principles-based. Having a law that is based on internationally recognized principles such as those of the OECD is important for the interoperability of the legislation. Adopting an international treaty for privacy and data protection would be an excellent idea but, in the meantime, countries should aim to develop interoperable laws.

But we also need a rights-based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.

Such a law would define privacy in its broadest and truest sense, such as freedom from unjustified surveillance, recognizing its value and correlation to other fundamental rights.

Privacy is not limited to consent, access and transparency. These are important mechanisms but they do not define the right itself. Codifying the right, alongside the principles-based and technologically neutral nature of current Canadian law, would ensure it can endure over time, despite the certainty of technological developments.

One final point I would make in this regard is the importance of independent oversight. Privacy cannot be protected without independent regulators, empowered to impose fines and to verify compliance proactively, to ensure organizations are truly accountable for the protection of information.

This last notion, demonstrable accountability, is a needed response to today’s world where business models are opaque and information flows are increasingly complex. Individuals are unlikely to file a complaint when they are unaware of a practice that may harm them. This is why it’s so important for the regulator to have the authority to proactively inspect the practices of organizations. Where consent is not practical and organizations are expected to fill the protective void through accountability, these organizations must be required to demonstrate true accountability upon request.

What I have presented as solutions are not new concepts. But as this Committee takes a global approach to the problem of disinformation, it is also an opportunity for domestic actors – regulators, government officials, and elected representatives – to take stock of what is happening around us, to recognize what best practices and solutions are emerging, and to take action to protect our citizens, our rights and our institutions.

Thank you again for your important work. I would be pleased to take your questions.

Date modified: