News release

Commissioner’s annual report sets out blueprint for how to modernize Canadian privacy laws

Report includes investigation findings into invasive data initiatives at Statistics Canada

NOTE: News conference with the Commissioner will be held in Ottawa at 11 a.m. ET today. Details follow below.

OTTAWA, December 10, 2019 – Privacy Commissioner Daniel Therrien is urging Parliamentarians to adopt rights-based privacy laws to better protect Canadians in the face of data-driven technologies creating serious risks for privacy.

The Commissioner’s latest annual report, which was tabled in Parliament today, provides a blueprint for how Canada’s federal privacy laws should be updated.  Among other things, it explains what would be the key elements of a rights-based law.

It also includes the findings of an investigation into more than 100 complaints about two privacy invasive data collection projects at Statistics Canada.

Privacy as a fundamental human right and foundational to the exercise of other human rights

The annual report notes that events of the last year have highlighted like never before the urgent need to update Canada’s privacy protection framework. In addition to the new Statistics Canada findings, investigations into Facebook and Equifax also revealed serious weaknesses with current legislation.

Commissioner Therrien says: “For good and bad, data-driven technologies are a disruptive force. They open the door for innovation and economic growth, but they have been shown to be harmful to rights, including privacy, equality and democracy.”

Consequently, the Commissioner suggests the starting point to legislative reform is to give new privacy laws a rights-based foundation. A central purpose of the law should be to protect privacy as a human right in and of itself and as an essential element to the realization and protection of other human rights.

A reformed private-sector privacy law should also firmly put an end to self-regulation, meaning in part that it should no longer be drafted as an industry code of conduct. And while consent is important, it is unfair and not always effective to place much of the burden of privacy protection on the shoulders of individual consumers. It is the role of government and of independent regulators like the OPC to protect citizens and restore balance in their relationship with organizations.

“Canadians want to enjoy the benefits of digital technologies, but they want to do it safely. Legislation should recognize and protect their freedom to live and develop independently as persons, away from the watchful eye and unconscious influence of a surveillance state or commercial enterprises, while still participating voluntarily and safely in the day-to-day activities of a modern society.”

To achieve that protection, the Commissioner is proposing enforcement mechanisms to offer quick and effective remedies for people whose privacy rights have been violated, and to help ensure broad and ongoing compliance for organizations.

This includes empowering the Privacy Commissioner to make binding orders and impose consequential penalties for non-compliance with the law, as well as proactive inspections to ensure organizations are demonstrably accountable to the regulator for their privacy practices.

Additionally, in the public sector, the law should allow privacy-invasive activities and programs only where federal institutions can demonstrate they are necessary to achieve a pressing and substantial purpose and where the intrusion is proportional to the benefit to be gained.

“A rights-based law would not be an impediment to innovation; to the contrary, good privacy laws are key to promoting trust in both government and commercial activities,” says Commissioner Therrien. “Without that trust, innovation, growth and social acceptance of government programs can be severely affected.”

“Other countries, not only in Europe but also in Asia, South America and Africa, have recently modernized their privacy laws and it is time that Canada move in the same direction.”

Statistics Canada Investigation

Illustrating the interdependence of privacy, trust, and social acceptance, the investigation into Statistics Canada examined programs involving the collection of credit histories and the proposed mass collection of line-by-line financial transaction information from banks without the knowledge or consent of affected individuals.

Media stories about the two initiatives prompted a storm of outrage.

While the investigation did not find that Statistics Canada had violated current laws, it did raise significant privacy concerns about the design of the programs. It also highlighted the inadequacy of existing legislation.

“Canadians were deeply troubled by these initiatives,” says Commissioner Therrien. “This concern was clearly justified given the scale of the proposed collection, the highly sensitive nature of the information and the fact that the information in question would paint an intrusively detailed portrait of a person’s lifestyle, consumer choices and private interests.”

During the investigation, Statistics Canada officials spoke about their objectives, but did not demonstrate the necessity of collecting so much highly sensitive information about millions of Canadians.

The statistical agency ultimately agreed to follow the Commissioner’s recommendations not to implement the projects as originally designed, and to work with his office to redesign the initiatives to respect the principles of necessity of proportionality.

“We welcome Statistics Canada’s commitment to making changes that will integrate better privacy protections into future statistical initiatives. This will help to build public trust,” says Commissioner Therrien.

“We also hope that this experience will encourage other federal departments to fully consider privacy issues as they work to align their activities with the federal government’s strategy to make more strategic use of the data they collect.”

Other work by the OPC

The Commissioner’s annual report also addresses other work under both the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law. This includes, for example, statistical information, descriptions of business and government advisory work, as well as summaries of investigations, including one that examined privacy issues related to searches of electronic devices such as cellphones and laptops by Canadian Border Services Agency officers.

Related content

• 2018-19 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act
• Statistics Canada: Invasive data initiatives should be redesigned with privacy in mind
• Crossing the line? The CBSA’s examination of digital devices at the border
• Commissioner's statement

News conference details:

Privacy Commissioner Daniel Therrien will hold a news conference to discuss the annual report.

December 10, 2019, at 11 a.m.  ET, National Press Theatre, 150 Wellington Street, Ottawa

Note to editors: Media attendance is for accredited members of the Parliamentary Press Gallery. For more information or to obtain temporary accreditation, please contact Mr. Philippe Perrier, Coordinator, Press Event Support, of the Canadian Parliamentary Press Gallery, at 613-992-6517 or by email at philippe.perrier@parl.gc.ca.

Call-in information: Journalists outside of Ottawa may call to join the news conference. For that number, please email communications@priv.gc.ca. (This line is available to media only.)

For more information:

Communications@priv.gc.ca

NOTE: To help us respond more quickly, journalists are asked to please send requests for interviews or further information via e-mail.