The Necessary Rebirth of the Privacy Act
Remarks at the Library of Parliament
November 29, 2013
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Let me begin by thanking the Library of Parliament for arranging this opportunity to discuss the urgent need to reform the federal Privacy Act.
On top of providing one final opportunity as Commissioner to stress the growing need for change to an exceedingly important law, today’s event also gives me one last time to speak within these stone walls.
It has of course been an enormous privilege to serve Canadians during the last decade and I can’t think of a better subject upon which to speak for one last time as Commissioner upon Parliament Hill.
As most of you know, the Privacy Act sets out the ground rules about how federal government departments and agencies need to handle personal information.
Or, more accurately, how personal information needed to be handled 30 years ago when the legislation was introduced.
As we all recognize, the world of personal information has changed dramatically since then, but the Act has remained largely as it was written. As a result, it has not been adjusted in the face of the transformative advances in technology over the last 30 years and so it certainly has not kept pace with the privacy concerns and expectations of Canadians.
There have been repeated proposals to patch up this or that aspect of the legislation. You could liken them to the ongoing repairs and maintenance that have been carried out over the years to the building where we find ourselves today, the historic Centre Block of the Parliament Buildings.
But there comes a time when patching up is no longer good enough. That’s going to happen here in 2018 when Parliament will be moved out so the crumbling mortar, cracked stones and aging water pipes here can be extensively rehabilitated. As well, major renovations will take place to accommodate technology demands unimagined when this building was reconstructed after a disastrous fire a century ago. The people in charge are calling the Centre Block project a “rebirth.”
The Privacy Act meanwhile has barely been maintained and also needs to be reborn. A wide public debate and a holistic review of the Act’s shortcomings should give Canadians a modernized Privacy Act. Just as important, however, that process would also send a strong signal to public servants and citizens that the federal government takes seriously its responsibility to protect personal information. To maintain legitimacy, credibility and trust, the government’s stewardship of personal information must respond to the heightened privacy concerns and expectations of Canadians.
Let’s explore the various stages leading to my call for this rebirth.
First some history. Widespread concern about protecting personal privacy began to emerge in the late 1960s because of the convergence of two trends – the information revolution spawned by the first mainframe computers and the growing bureaucratic use of personal information.
Governments in the Western World created task forces, commissions and committees to study the issue. In Canada this resulted in a 1972 report Privacy and Computers which no doubt the staff of the Library of Parliament could quickly lay their hands upon.
The very next year, the government of Sweden passed a data act – the first national data protection legislation. The American Privacy Act was then passed in 1974.
Here in Canada, in 1977, the federal government decided that privacy should be the responsibility of a member of the new Canadian Human Rights Commission. The human rights commissioner responsible for privacy was Inger Hansen, who passed away in September. She was appointed for a four-year term in 1977 and reappointed in 1981.
Meanwhile officials of the OECD had been actively working on developing a broad set of fundamental principles to protect personal data that could be adopted by the member countries and other nations and thus avoid restrictions on transborder data flows.
In September 1980 the OECD Council adopted a set of eight fair information principles which were brief, technology-neutral and written in accessible language. These qualities made them remarkably adaptable to the changing social and technological environment and have also contributed to their enduring influence and importance.
Canada’s Privacy Act, then being drafted, reflected the OECD fair information principles. It also modelled the role of a new Privacy Commissioner on that of an ombudsman.
When the Act was proclaimed on July 1, 1983, Canada instantly became a world leader in privacy law, with our legislation coming ahead of national privacy laws in countries such as Ireland, Australia and the Netherlands, to name a few.
That, however and decidedly, was then. So how did we get to today where our Privacy Act has stood still amidst fast moving times and stands as an outdated model for no one?
Past efforts at reform
It’s not for lack of attempts at reform. In fact, these stretch back almost as far in time as the birth of the Act itself.
Reform efforts began in 1987, a mere four years after the Act came into effect and well before my mandate as Commissioner. The House of Commons Standing Committee on Justice and the Solicitor General made more than 100 unanimous recommendations for improving the privacy and access-to-information legislation in its report, Open and Shut: Enhancing the Right to Know and the Right to Privacy. However, no change came to the Act.
A decade later, in 1997, after a lengthy study and cross-Canada consultations, the Standing Committee on Human Rights and the Status of Persons with Disabilities issued a report, Privacy: Where Do We Draw the Line. It recommended that the Act be broadened and strengthened in relation to all issues of privacy within the federal sector. These efforts though brought no change to the Act.
Fast forward to June 2006 when I presented a set of proposals for reforming the Privacy Act to the House of Commons Standing Committee on Access to Information, Privacy and Ethics. In another appearance before the Standing Committee in April 2008, I updated these proposals to 10 recommended Quick Fixes. Then in May 2009 I again testified at the Committee and added two more to make a round dozen of Quick Fixes.
Among the most pressing reforms, in my view, and one recognized by previous efforts, is the need for a legislated “necessity test” to require that government agencies and departments demonstrate a need for the information which they are collecting. The federal privacy legislation governing the private sector, PIPEDA, already contains such a test.
Also highly desirable is legislated mandatory reporting of data breaches within the federal government, now covered only by a non-binding guideline from the Treasury Board Secretariat. Another piece of Treasury Board guidance which should also be incorporated into legislative reforms concerns proper safeguards on the security of personal information which the government has collected.
In June 2009 the Committee issued its report, The Privacy Act: First Steps Towards Renewal. It suggested the minister “further study” the necessity test, did not take a position on mandatory breach notification and supported the strengthening of security safeguards and six more of the Quick Fixes. In two others, the committee recommended further discussion between the minister and the Privacy Commissioner. And it dismissed one Quick Fix as “not a top priority.”
On reform proposals suggested by others, the Committee said these should be “considered for study at a later date, when an in-depth comprehensive review of further reforms to the Privacy Act is commenced.”
No Privacy Act reforms have yet been legislated and no such in-depth comprehensive review has been initiated by the government.
To summarize, during the past 26 years there have been numerous attempts to modernize the Privacy Act with no appreciable movement. So as I suggested at the beginning of my remarks the time has come to stop trying to patch up this first-generation privacy legislation. It needs to be reborn.
That rebirth should come about through the same process which produced the original Act, a legislative response to the privacy challenges we face today, and will face in the immediate future.
Here are some indicators of the current privacy environment:
- Canadians are living more and more of their lives online. More than 80 per cent of Canadians are Internet users and two out of three of them told Statistics Canada they had used a social network in 2012;
- Today’s smart phones have more computing power than those early mainframe computers, the ones whose emergence initially gave rise to privacy concerns; and
- Governments routinely send torrents of personal information across borders with the click of a button, a far cry from the days of fax and snail mail back when the Privacy Act was born.
Against this backdrop, consider the results when a representative sample of Canadians were asked a year ago to rate how seriously government takes its responsibility to protect personal information. Only 21 per cent chose “seriously,” the top two rankings on a seven-point scale. That level was essentially unchanged from a survey the previous year.
And that vote of no-confidence was measured BEFORE the news that an external hard drive with personal information about more than half a million student loan recipients had been lost by the former Human Resources and Skills Development Canada. It also came BEFORE the beginning of Edward Snowden’s revelations about government surveillance programs.
These are the realities of the 21st Century – more powerful information and communication technologies, the challenge of managing electronic information and the social and political demands of engaged citizens. They dictate that Canada’s federal Privacy Act be modernized.
In the absence of legislative action, however, the Treasury Board Secretariat has attempted to compensate by developing policies on matters such as outsourcing of government information handling and the preparation of privacy impact assessments by agencies or departments proposing initiatives.
These efforts are to be commended, but these guidelines and directives lack the weight of law and the unambiguous certainty which it can uniquely bring. In practice, this means they can be ignored with little penalty.
Ideally, wouldn’t it be better to have the force of law to motivate better practices so rather than focusing on reporting breaches, the emphasis would be on avoiding them altogether?
Meanwhile, under the current regime, Treasury Board suggests that my office be notified of any privacy breaches. Yet internal departmental reports show 3,134 separate breach incidents affecting more than 725,000 Canadians between 2002 and 2012.
Of those, just 13 per cent were reported to my Office. By no stretch of imagination can this meet the threshold of the greater accountability and transparency which Canadians are demanding from their governments.
I say governments (plural) because the need to modernize privacy laws extends beyond the federal sphere. Canada’s provincial and territorial information and privacy commissioners and ombudsmen made this clear last month when we met in Vancouver. There, we approved a resolution calling for such modernization and spelled out nine specific goals for privacy laws in particular.
Underlying this call are many of the same concerns I have expressed here today – the advance of technology, changes to government practices such as outsourcing or shared service models and the rising privacy expectations of Canadians.
As well, and I quote from the resolution: “Recent revelations about government surveillance programs have heightened Canadians’ concerns about the erosion of their privacy rights and have prompted calls for increased transparency and greater oversight of national security initiatives.”
So much for the past and the present of privacy protection in Canada. What about the future? How do we move forward?
First, we should abandon the notion of trying to patch up the Privacy Act with bits and pieces borrowed from the various reform proposals that I have already described. Certainly some of these individual items should be incorporated into the rebirth of the Act. But which ones and how they mesh needs to be decided by a holistic review; one that considers both the heightened privacy expectations of Canadians along with the more intense threats to the protection of personal information today.
As was done before the original birth of the Privacy Act, we must inform ourselves about what is happening elsewhere in modernizing privacy legislation. In particular, we need to pay close attention to what is happening at the Organization for Economic Co-operation and Development.
In response to the new realities of our increasingly digital world, the OECD has revised its Guidelines Governing the Protection of Privacy and the Transborder Flows of Personal Information. Those are the fair information principles which preceded and were reflected in our own Privacy Act.
The new guidelines expand the concept of accountability in privacy protection, emphasizing the need for organizations to demonstrate that they have mature, functioning privacy programs. They also call upon member countries to implement mandatory breach notification and call for privacy authorities to be given the governance, resources and technical expertise necessary to exercise their powers effectively.
Extensive and comprehensive reviews of privacy law are also underway in the European Union and in Australia and should be studied closely.
In closing now, the most important aspect of moving forward, however, may not lie in guidelines or modernization efforts in other countries. I believe what is truly crucial is a recalibration of Canada’s approach to balancing protection of privacy with national security concerns.
The last 12 years have witnessed a seemingly relentless push for greater security in an uncertain world. The annual reports from my Office have documented one instance after another in which privacy played second fiddle to security demands.
And today, there is a burgeoning debate and controversy over the revelations of covert surveillance of millions of law-abiding citizens through spy agencies reportedly having access to their emails and other Internet activities. I am hopeful that the still-mounting public unease over the intrusiveness of this surveillance society may mark the beginning of a pendulum swing back toward privacy.
Finally, since I am just mere days from ending my mandate as Privacy Commissioner allow me to offer a somewhat philosophical reflection.
Perhaps we need to step back and ask ourselves what we are trying to protect and are there other ways of doing so.
Perhaps the time has come to be more ambitious. In much of the world, privacy is viewed as a human right. It’s recognized as a human right by the United Nations and in Quebec’s Charter of Human Rights and Freedoms.
What if privacy had been included as a named right in the Canadian Charter of Rights and Freedoms back in 1982? Would we still be reliant upon political will to address the privacy challenges of the 21st century?
And now, I will leave that as a thought for our panellist to consider, just as I must leave the push for the rebirth of the Privacy Act in the hands of my successor along with the privileged people who convene within these walls every day, serving the interests of their more than 30 million constituents.