Review of the state of federal laws on broadcasting and telecommunications
Submission to the Broadcasting and Telecommunications Legislative Review Panel of Innovation, Science and Economic Development Canada
January 11, 2019
The Broadcasting and Telecommunications Legislative Review Panel
c/o Innovation, Science and Economic Development Canada
235 Queen Street, 1st Floor
Ottawa, Ontario K1A 0H5
Thank you for the invitation to provide views and recommendations as you review the state of federal laws on broadcasting and telecommunications. Our recommendations and commentary address the three topics in the Terms of Reference that touch on privacy rights and data protection:
Safety, Security and Privacy: Keeping in mind the broader legislative framework, to what extent should the concepts of safety and security be included in the Telecommunications Act (TA) / Radiocommunication Act (RA)?
- The OPC oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information in the course of commercial activity, including telecommunication companies.
- Canadians entrust vast amounts of their sensitive personal information to telecommunications service providers in order to gain access to mobile, internet, telephone and television communications in Canada. Not only does personal information hold vast commercial value, but it is also of considerable interest to law enforcement, intelligence and security agencies. Canadians’ right to privacy must remain top of mind in this context.Footnote 1
- The government’s position that the Acts subject to your review contain robust privacy requirements, and that the privacy interests of individuals have been addressed in the TA and RA, does not accurately characterize the limited protections offered by the current regime. While subsection 7(i) of the TA pertains to privacy, it carries no actual obligation; the RA is silent on privacy.
- Given the heightened sensitivity consumers have expressed in connection with the personal information collected by telecommunications firms, we argue privacy safeguards should be stronger and clearer, and we would caution against viewing commercially held personal information as simply another “data asset” for exploitation.
- As the Privacy Commissioner conveyed in his November 23, 2018 letter to Minister Bains, he is growing increasingly troubled that longstanding privacy rights and values in Canada are not being given equal importance within a new digital ecosystem eagerly focused on embracing and leveraging data for various purposes.Footnote 2 Individual privacy is not a right we simply trade away for innovation, efficiency or commercial gain.
- The Supreme Court decision in R v. Spencer, four years ago, was an important step forward in privacy protection. In its unanimous decision, the Supreme Court held that there is a reasonable expectation of privacy in basic telecommunications subscriber information. The Supreme Court agreed that this information could reveal Internet usage data and that, absent exigent circumstances, essentially an emergency, or a reasonable law, law enforcement officials need prior judicial authorization, meaning a warrant, to obtain such data from telecommunications companies.Footnote 3
- In that context, we would alert your Review Panel to particular risks to privacy as outlined below, which should be borne in mind when government authorities aim to augment security via commercial systems (like telecommunications infrastructure) meant to carry vast amounts of personal information and private communications.Footnote 4
- We believe any new security or public safety obligations for telecommunications service providers should be developed while taking the following into consideration:
- On safeguards: existing legal safeguards must be adapted to the realities of modern communication tools.Footnote 5 Personal devices hold and transmit extremely sensitive personal information, not just data for capture and use by authorities.
- On thresholds: reductions in safeguards must be accompanied by precise explanations as to why existing thresholds are too onerous. Government must also explain how administrative authorizations to obtain metadata, rather than judicial authorizations, are consistent with Charter requirements. In our view, recent cases of metadata collection show that existing legal standards for collection need strengthening and privacy protections require enhancing.Footnote 6
- On retention and preservation requirements: since 2015, preservation demands (to hold data for 21 days) and orders (which preserve data for three months) have been options available under the Criminal Code. Introducing broad retention requirements not only impedes human rights, it will also increase the risks of privacy breaches.Footnote 7 In keeping with principles of necessity and proportionality, preservation powers used in the context of private communications should focus on serious crime, and for the briefest period needed. Blanket provisions for broad data retention are an unnecessary risk.
- On compelling assistance: Canada has specific rules requiring telecommunications providers to assist law enforcement agencies that came into force in March 2015 (with the Protecting Canadians from Online Crime Act). These powers allow a judge to attach an assistance order to any search warrant, interception order, production order or other form of electronic surveillance.Footnote 8
- On mandatory surveillance capabilities: standards already exist for telecommunications providers to build in surveillance capability, retain communications metadata and provide decrypted content to government upon request. If those requirements (the Solicitor-General Enforcement Standards), which have been a condition of licensing since the mid-1990s, are not adequate, government needs to explain how and why.Footnote 9
- On transparency requirements: recently, telecommunications companies in Canada have published annual reports that provide statistical details on various forms of requests by government, court orders and warrants,Footnote 10 yet government institutions are not subject to similar reporting requirements. We recommend strengthening reporting requirements to address this imbalance.Footnote 11
Governance and Effective Administration: Does the legislation strike the right balance between enabling government to set overall policy direction while maintaining regulatory independence in an efficient and effective way?
- On the matter of effective measures, to address the many challenges posed by companies that handle massive amounts of personal information and sustain Canadians’ trust in the digital environment, privacy protection needs equal footing with innovation and growth. Given the rapidity with which technology and business evolve, the OPC must work with other data protection and privacy regulators here in Canada and around the world.
- We have also learned that we need closer ties to regulators in other areas, such as competition law. However, we are constrained by the parameters of the law. All regulators increasingly need to respond to the impacts arising from the digital environment. A holistic approach would ensure that innovation and economic growth are balanced.Footnote 12
- In addition to an enhanced ability to cooperate with other regulators, we would emphasize the need for enhanced abilities to examine organizations’ practices proactively, rather than after problems arise. We also require the ability to impose appropriate sanctions.
- By way of comparison, the Federal Trade Commission in the United States can impose fines. They are called settlement agreements, but they are fines and they are often in the millions of dollars. That is the situation south of the border. In Europe, under the GDPR (the general privacy regulation adopted in May) data protection offices in Europe can impose fines that are extremely hefty, representing four per cent of the business volume or the value of a business transaction of a given company.
- The OPC should have the power to set and impose fines. We have not called for an exact amount. To take an example in Canada, the Competition Bureau can impose fines in the neighbourhood of $15 million Canadian. The amount should be enough to create an incentive for companies to comply so that the companies do not treat paying the fine as a cost of doing business.
- It is also important to note that currently at least three regulatory agencies cover the same territory: CRTC, Competition Bureau and the Office of the Privacy Commissioner of Canada. Any of the three could investigate a given issue and, in the context of the investigation, collect information that may be commercially sensitive, personal information, etc.
- Under the current laws, all regulatory agencies are prohibited from sharing information with others, including our sister regulatory agencies, which somewhat impedes the completeness of the studies that we make. We can have discussions at the broad policy level with the CRTC and the Competition Bureau, but when we investigate specific complaints we cannot share with them — although it would be very productive — the product of our investigations because we are legally prohibited.
- One of the realities of modern technology is that collection of information and business models are opaque. Ordinary consumers do not understand how their information is obtained, used and shared. Privacy policies or documents that are presented in front of us, sometimes on the screen to give consent or not, are theoretically meant to inform consumers of how their information will be used, but we all know these are very long, complicated, legalistic and impossible to understand.
- Given that opaqueness of technologies and business models, consumers are not well placed to identify problems in terms of what is happening to their information. One of the crucial elements in the law that should change would be to give the OPC — because we have some technological knowledge and business models in this sphere — the authority to audit or inspect what is happening under the hood of technology used by companies so that we can ensure that what is happening is consistent with privacy law.
- By way of analogy, in the food quality inspection regime, for instance, you have people going into meat factories not because they think a violation has occurred, but because health and the quality of food is obviously an important consideration and these inspections reassure the public that the activities of these companies comply with the law.Footnote 13
- We therefore would reiterate the following recommendations to the Panel around effective, efficient, independent regulation in this domain:
- Give the OPC more flexibility to share information with other federal regulators. At present, we can share information and use information but this is limited to specific ends (set out in statute). In past investigations under PIPEDA, issues have surfaced that overlap with the jurisdiction of the CRTC or Competition Bureau. In those instances, we were precluded from sharing relevant information. To address this, PIPEDA should be amended to give the OPC more flexibility to share information to address matters that intersect between consumer and privacy protection.Footnote 14
- Give the OPC the authority to issue orders and the ability to impose administrative monetary penalties. The OPC needs the power to impose penalties to promote compliance, not to punish, which would serve as an important incentive for organizations. Many of our international counterparts have this power.
- Allow OPC to conduct more active compliance review: We also require new powers to conduct compliance reviews, even if a violation of PIPEDA is not immediately suspected. We could then proactively address privacy issues that are unlikely to become subject to complaint as they involve complex business models or opaque data flows of which few Canadians may be aware.Footnote 15
Consumer Protection, Rights and Accessibility: Are further improvements pertaining to consumer protection, rights, and accessibility required in legislation?
- Canadians want to enjoy the many benefits of the digital economy, but they rightly expect they can do so without fear, violation of their rights or their personal information being used against them. In short, they want to trust that rules, legislation and government will protect them from harm.Footnote 16
- Yet Canadian privacy legislation is quite permissive and gives companies wide latitude to use personal information for commercial benefit. Under PIPEDA, organizations have a legal obligation to be accountable, but recent data breaches have demonstrated to Canadians that companies may not be able to manage their information responsibly. Transparency and accountability are necessary but they are not sufficient.
- Following the Facebook/Cambridge Analytica matter, Parliamentarians asked what resources and tools the OPC needed to assist in ensuring that “tech giants” and other companies truly respect their privacy obligations. While our modest ask for increased funding would have an interesting but limited impact, a significantly larger budget might be required to have a true impact in terms of protecting Canadians’ privacy rights. This was the conclusion reached by the U.K. government recently, which decided to double the resources available to our British counterpart.
- You should be aware that the Standing Committee on Access to Information, Privacy and Ethics recently reviewed privacy vulnerabilities in online platforms and possible remedies to assure the privacy of citizens’ data and the integrity of democratic and electoral processes; an interim report was published last June.Footnote 17 The Committee called on the government to take measures to ensure privacy legislation applies to political activities and reiterated the need for greater enforcement powers for the OPC.
- One of the important principles in privacy law under PIPEDA is that companies or organizations may obtain, use and share information when it is directly relevant to the service offered. The challenge is, beyond information that is required to deliver a service, there is quite a bit of information sharing and disclosure to others and use for other purposes. That is where the consent principle comes in under PIPEDA.
- We are in the world of consent under the current privacy law in Canada and a challenge, obviously, is whether consent is obtained meaningfully or not, and whether it should be implied or expressed. Telecommunication companies collect sensitive information about your daily habits, where you go, how often you go into a certain building which may house a medical practitioner, a psychologist, a place of worship, and so on. The principle under federal privacy law is that if information is of a sensitive nature, as described, consent should be explicit, it should be expressed. However, that leaves a lot of room for implied consent where the data is less sensitive.Footnote 18
- Enforcement is key to securing trust in the digital ecosystem.Footnote 19 Currently, our Office cannot make orders or impose fines. In many respects, we are in a weaker position than that of our provincial and international counterparts. Your panel may hear from industry the concern that, by granting the OPC enforcement powers, organizations would be less willing to collaborate with us and negotiate towards a solution. Our colleagues elsewhere have not had this experience. We argue that the time is long past to bring federal privacy enforcement in line with our provincial, territorial and international counterparts.
- There remains an important role for proactive compliance. Both commercial and government organizations seek to use data in innovative ways, which is logical, but Canadians expect this activity to be regulated. A proactive approach to overseeing compliance at the front end, before complaints occur, would bring certainty to the market, and further reassure Canadians that their concerns are addressed.
Thank you again for the important work of your review panel. Please feel free to contact Arun Bauri or Christopher Prince if you have any further requests for information or clarification. You can reach them at Arun.Bauri@priv.gc.ca or Christopher.Prince@priv.gc.ca.
(Original signed by)
A/Director, Policy, Research and Parliamentary Affairs
Office of the Privacy Commissioner of Canada