April 14, 2022
The following is an op-ed by Privacy Commissioner Daniel Therrien. A version of this op-ed was published by Option consommateurs magazine.
The evolution of privacy protection and the case for legislative reform
By Daniel Therrien, Privacy Commissioner of Canada
The privacy environment has changed significantly since I took office in 2014.
Following 9/11, the need to protect against further terrorist attacks seemed to outweigh privacy interests of individuals. That trend changed with time, in part due to the Snowden revelations in 2013.
Today, the privacy conversation is dominated by the growing power of tech giants that seem to know more about us than we do about ourselves.
Many companies seek to monetize our personal information, while governments use it to improve their services. Both the public and private sectors often use personal information for purposes other than those for which they collected it.
As we try to adapt to the rapid evolution of data-driven technologies such as artificial intelligence, facial recognition, the Internet of Things, and the emerging metaverse, the current governance structure is uncertain.
It is more urgent than ever to adopt laws fit for the 21st century. A recent study by Option consommateurs supports this view. In its research report, Option consommateurs recommends that privacy regulators have the power to impose stiff monetary penalties and to conduct proactive audits of the measures employed by companies to ensure their customers’ privacy is protected.
Let's be clear: we need federal laws that enable responsible innovation, but they must be part of a rights-based framework that recognizes the fundamental right to privacy. New laws must strengthen accountability for both businesses and federal institutions and give my office the same powers that many of our provincial and international partners already enjoy.
There is also a need to establish common principles in the Privacy Act, which applies to the public sector, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law. For instance, necessity and proportionality have to be key factors in the decision to collect, use and retain information.
This is especially important given the government’s growing reliance on technologies developed by the private sector. A good example is our Clearview AI investigation. This company provided a facial recognition tool that allowed law enforcement authorities to match photographs of individuals to a database of 3 billion images from the Internet. In the end, we concluded that the company had violated the private sector law (PIPEDA). Following a separate investigation of the RCMP’s use of the technology, we concluded the RCMP had contravened the public sector law (the Privacy Act).
That said, technology and data can and often do serve the public interest. The pandemic offers many examples of that: the use of data to support public health, or the platforms we have all been using to stay connected.
Yet with the increasing use of data also comes new risks. We must urgently consider how to derive benefit from data while respecting our democratic values and fundamental rights.
One way to protect against these risks is to remind organizations seeking to use new technologies to consider privacy by design.
As well, greater flexibility in the use of data must be accompanied by greater accountability, demonstrable to privacy regulators that can protect citizens.
Similarly, rights-based legislation would help foster responsible innovation and trust in government.
As my mandate draws to a close, I urge the government to move quickly to enact much-needed legislation to effectively protect the privacy rights of Canadians.
As a society, we must project our values into the laws that regulate the digital space. Our citizens expect nothing less from their public institutions.
Only through respect for the law and the values we cherish will we be able to enjoy the benefits of new technologies with confidence.
- Date modified: