Language selection


News release

Time to modernize tools to protect personal information, Privacy Commissioner urges in annual report

Report to Parliament highlights need for change to address emerging privacy risks; highlights key public and private sector investigations, audit and review work and other activities.

GATINEAU, Que., September 27, 2016 – New technologies and business models are putting ever-greater pressures on privacy and demand a more modern approach to protecting personal information, says the Privacy Commissioner of Canada.

“We’re trying to use 20th Century tools to deal with 21st Century privacy problems and it’s clear those tools are increasingly insufficient,” Daniel Therrien says.

Meanwhile, 90% of Canadians are very concerned about their inability to protect their privacy.

"The government should give greater priority to the modernization of laws and policies and it should invest more resources in building robust privacy protection frameworks. This is essential to maintaining public confidence in government and the digital economy," says Commissioner Therrien.

The need for modernization in the face of rapid technological change is the key theme of the Commissioner’s latest Annual Report, tabled today in Parliament. The 2015-16 report describes the work of the Office of the Privacy Commissioner of Canada (OPC) as it relates to both the Privacy Act, which applies to the federal public sector, and the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private sector privacy law.

Both laws predate many of the technological innovations that are creating new challenges for privacy protection by enabling businesses and governments to collect and analyze exponentially greater quantities of information. In fact, as the report notes, the Internet did not even exist when the Privacy Act was proclaimed in 1983 and Facebook had yet to be imagined when PIPEDA came into force in 2001.

In March, the OPC provided a Parliamentary committee studying the Privacy Act with a submission on modernizing the legislation that included 16 recommendations covering three broad themes: responding to technological change; legislative modernization; and the need for transparency.

In addition to the changes needed on the public sector front, Commissioner Therrien says it is also clear that new private sector challenges must also be addressed.

This includes the notion of consent for the collection use and disclosure of personal information, which has been a cornerstone of PIPEDA. Many are questioning how Canadians can meaningfully exercise their right to consent to the collection, use and disclosure of their personal information in an increasingly complex environment involving new technologies and new business models where personal information plays a central role. The OPC has launched public consultations aimed at identifying possible solutions to address growing challenges related to consent.

A second consultation process is examining privacy issues related to online reputation, with the ultimate goal of helping to create an environment where individuals can use the Internet to explore their interests and develop without fear their digital trace will lead to unfair treatment.

Work related to information sharing powers created under Bill C-51

The annual report includes details of the OPC’s review of how the Security of Canada Information Sharing Act (SCISA)was implemented and applied in the first six months after it came into force following the passage of Bill C-51. The Act was aimed at facilitating information sharing between federal government institutions in order to protect against “activities that undermine the security of Canada.” The OPC has also undertaken discussions with Public Safety with respect to the implementation of SCISA.

The OPC has found that the privacy impact of the new authorities conferred by SCISA was not properly evaluated during implementation and recommended that formal Privacy Impact Assessments be performed.

Privacy Impact Assessments are a key tool in reducing privacy risks and government policy requires they be conducted when departments establish any new or substantially modified program or activity involving personal information. 

“It was therefore quite surprising to learn that most departments did not conduct Privacy Impact Assessments related to implementation of SCISA’s new authorities, particularly given the government had said this legislation was crucial in addressing gaps in its ability to protect the public,” says Commissioner Therrien.

The OPC has also found several weaknesses with a Public Safety Canada guidance document intended to help departments implement the SCISA. Although Public Safety Canada agreed during consultations with the OPC to improve the guidance, no changes have been made a year after the OPC provided recommendations aimed at minimizing privacy risks.

The first phase of the review surveyed departments, which reported using the legislation’s new information sharing powers to generate 58 disclosures and 52 receipts of personal information all with regard to individuals they said were suspected as posing threats to security. 

The next phase will seek to verify this information and will also examine the exchange of personal information—for national security purposes—using legal authorities other than the SCISA. 

The goal of this work is to provide as clear a picture as possible of the use of SCISA and other laws, in order to inform public and parliamentary debate over the course of the government’s planned review of Bill C-51.  

“Our hope is that our work in this area will result in the adoption of measures to protect privacy effectively in relation to the collection and sharing of national security information,” says Commissioner Therrien.

The Commissioner also notes that his office will be contributing to the Government’s recently announced national security consultations. While the public consultations are a welcome development, he will be raising concerns about the approach.

“The scope of these consultations is too narrow. They don’t appear to be looking at key privacy concerns related to Bill C-51, such as the inadequate legal standards which allow for excessive information-sharing,” says Commissioner Therrien.

“I’m also troubled by the tone of the Government’s discussion paper – it focuses heavily on challenges for law enforcement and national security agencies, which doesn’t present the full picture. Canadians should also hear about the impact of certain surveillance measures on democratic rights and privacy. A more balanced and comprehensive national discussion is needed.”

CSE metadata sharing raises privacy concerns

The oversight authority for the Communications Security Establishment (CSE) – the Office of the CSE Commissioner – revealed in its 2014-15 annual report that metadata had been shared with international security partners without being properly minimized. The Minister of National Defence subsequently announced that, until further notice, the CSE would no longer share certain metadata with partners.

Given the potential impact on Canadians' privacy, the OPC conducted a review of the circumstances that allowed that situation to arise.

As noted in a summary of the review included in the annual report, the OPC questioned the CSE’s contention that the risk to privacy was minimal. Metadata can reveal very sensitive information about individuals’ activities, associates, interests and lives. As well, the CSE acknowledged that the volume of metadata that had been shared was large.

To minimize the risk, the OPC recommended that the National Defence Act be amended to clarify the CSE’s powers and to add specific legal safeguards to protect Canadians’ privacy in relation to the collection of metadata.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

The latest annual report is the first to cover issues related to both the Privacy Act and PIPEDA. An amendment to PIPEDA in 2015 aligned its reporting period with that of the Privacy Act, enabling the OPC to prepare one annual report, as opposed to having two reports tabled at different times of the year.

See also:

2015-2016 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act: Time to Modernize 20th Century Tools

Employment and Social Development Canada (ESDC) audit

Report of findings under the Privacy Act

- 30 -

For more information, please contact:

Tobi Cohen
Office of the Privacy Commissioner of Canada

Date modified: