News release

Commissioner: Digital revolution and Canadians’ privacy fears demand real solutions

Privacy Commissioner Daniel Therrien’s Annual Report outlines actions and recommendations for overhauling privacy protections to address consent challenges posed by the digital age

NOTE: News conference with the Commissioner will be held in Ottawa at 1 p.m. ET today. Details follow below.

OTTAWA, September 21, 2017 – Canadians fear they are losing control over their personal information in the digital age and urgent change is needed to restore confidence in technology, the Privacy Commissioner warns in his annual report to Parliament.

Commissioner Daniel Therrien is recommending a number of solutions, including legislative amendments to provide for order-making powers and the ability to impose administrative monetary penalties, to ensure Canadians’ privacy rights are properly protected.

“Canadians’ fear that they are losing their privacy is real. They expect concrete, robust solutions to restore their confidence in technology as something that will serve their interests and not be a threat to their rights,” says Commissioner Therrien, noting polls show that an overwhelming majority of Canadians are concerned about their privacy.

His Annual Report to Parliament, tabled Thursday, includes the results of a consultation on the challenges facing consent, which currently is the foundation of Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

“The digital revolution has brought us important benefits and will continue to be a major contributor to economic growth,” says the Commissioner. “Few of us would like to go back to the pre-digital age, but no one has agreed to give away their privacy on the basis of 50-page privacy policies written in legalese most lawyers don’t understand. Canadians have told us privacy policies are broken and they want better information to exercise their right to give or withhold consent meaningfully.”

During its consultation, the Office of the Privacy Commissioner of Canada (OPC) received more than 50 written submissions from businesses, civil society, academics, lawyers, regulators and individuals and held five stakeholder roundtables across Canada, as well as a series of focus groups with individual Canadians in four cities.

“What we heard is that, while consent remains central to personal autonomy, other mechanisms are also needed,” says Commissioner Therrien.

“It is clear, for example, that Canadians need to be supported by an independent regulator with the legislation and resources necessary to properly inform citizens, guide industry, hold businesses accountable, and sanction inappropriate conduct. Canadians do not feel protected by a law that has no teeth and businesses held to no more than non-binding recommendations.”

To that end, Commissioner Therrien has called for amendments to the federal private sector privacy law to provide for order-making powers and the ability to impose administrative monetary penalties.  This would bring Canada in line with many of its provincial and international counterparts – such as the U.S. and many European countries.

The Commissioner added that his office won’t wait for legislative changes and will begin to act immediately to improve privacy protections for Canadians. This includes:

  • Shifting towards a proactive enforcement and compliance model, rather than a complaints-based ombudsman model of privacy protection because the OPC may be better placed than individuals to identify privacy problems related to complex new technologies; 
  • Updating key guidance on online consent to specify four key elements that must be highlighted in privacy notices and explained in a user-friendly way;
  • Developing new guidance that would specify areas where collection, use and disclosure of personal information is  prohibited, for example, situations that are known or likely to cause significant harm to the individual.

The report acknowledges that there is a need to encourage innovation and that personal information is an important part of a data-driven economy.

To that end, the OPC will issue guidance on appropriate methods of de-identification and the Commissioner is recommending that Parliament consider whether new exceptions to obtaining consent may be appropriate where consent is not practicable, such as in some big data uses.

The Commissioner also noted that it is important to empower children to protect their privacy from a young age and called on provincial and territorial governments to integrate privacy education in school curricula.

Year in review

The 2016-17 annual report outlines the work of the OPC as it relates to both PIPEDA and the Privacy Act, which applies to the federal public sector.

The report includes details of the second phase of the OPC’s review into how the Security of Canada Information Sharing Act (SCISA) was implemented after coming into force in 2015. The review focused on the nature of information exchanges between institutions and found significant deficiencies related to recordkeeping, and that no specific risk management activities have been undertaken to identify and mitigate privacy risks related to SCISA's operationalization.

The OPC also completed its review of the Canada Border Services Agency’s Scenario Based Targeting Program which uses advanced analytics to identify potential terrorist threats, among other things, based on traveler demographics. The review raised the concern that some of the national security scenarios used by CBSA are broad and based on personal characteristics which identify a large number of law abiding individuals, whose personal information is used and shared without sufficient privacy protections.

The annual report also highlights the results of an investigation into a series of breaches involving the Phoenix pay system. The investigation concluded the breaches — which impacted all federal public service employees paid by the system — were the result of a combination of inadequate testing, coding errors and insufficient monitoring.

Another important investigation discussed in this year’s annual report is that of the Privy Council Office’s MyDemocracy.ca website, which was launched last December as part of a national dialogue on electoral reform. The investigation found the website allowed the disclosure of personal information of participants to third parties such as Facebook without their consent, however, there was no evidence that PCO was using measures to identify participants or to track responses to the survey questions.

The report also discusses an investigation related to the RCMP’s use of cell site simulators, sometimes referred to as “Stingray” devices or “IMSI catchers.”

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

- 30 -

News conference details:

Privacy Commissioner Daniel Therrien will hold a news conference to discuss the annual report.

Thursday, September 21, 2017, 1 p.m. ET

National Press Theatre, 150 Wellington Street, Ottawa

Journalists in Ottawa wish to attend the news conference in person and who are not members of the Canadian Parliamentary Press Gallery will require accreditation from the gallery in advance. For more information, contact Marc Fortier at marc.fortier@parl.gc.ca.

Journalists outside of Ottawa may email communications@priv.gc.ca to join the news conference by telephone.

See also:

Commissioner's statement
Annual report
Consent backgrounder
National security backgrounder

For more information:

Valerie.Lawton@priv.gc.ca
819-994-5663

NOTE: To help us respond more quickly, journalists are asked to please send requests for interviews or further information via e-mail.

Date modified: