Meeting Canadians’ privacy priorities
Remarks at the Access and Privacy Conference, University of Alberta
June 12, 2015
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good morning everyone. Before I begin, please let me thank the University of Alberta, and in particular Wayne MacDonald, for the invitation and opportunity to speak at this conference.
This is my first time at this event, which is of course associated with an access to information and privacy program that stands as the first of its kind in Canada and is an ongoing, rich source of privacy professionals during a time when privacy continues to rise in strategic importance for organizations, big and small.
Last year’s event, of course, came just days after my appointment. And now, I can tell you both about my first year on the job, as well as the course our Office has set to meet the key privacy challenges facing Canadians today.
An active and memorable first year
Before we get to that though, let me take you back to June 6 of last year.
I came into the post following a career of legal service on corrections, citizenship and security files and was an unknown in the privacy world. As a result, my nomination raised many questions and even some criticism.
Looking back, I cannot say that was easy for me, but given the interest in who was to fulfill the role, I saw firsthand the passion and care many people have about privacy.
As I said at the time, my career, today and before, was driven by my passion for human rights.
This grew in me from an early age thanks to my father, who followed his career as a parole officer by serving as Commissioner of the Canadian Penitentiary Service in the 1970s.
Growing up, the importance of public service, the dignity of individuals and the relationship between citizen and state were things instilled in me, and they brought me to where I am today.
And so, when I look back at the first days following my appointment, I knew that the initial headlines would not tell my tale.
Instead, I looked forward to the work our Office would produce and on which I would ultimately be judged.
My first year saw our Office engage in debates over new cyberbullying and anti-terrorism bills, and legislation to reform PIPEDA. We shared our review of the RCMP’s lawful access practices, and put forth a policy position on the use of genetic tests by insurance providers.
And then there were the tragic events on Parliament Hill and St-Jean-sur-Richelieu, which led to Bill C-51. While I was not invited to speak to the House Committee that studied this bill, I used other means to add my voice to the public debate, so that people have a clearer understanding of the privacy issues at stake. And although the bill was largely unamended, public support for it waned and I hope further debate will have an impact on politicians in the longer term.
Based on this, I hope I am being seen as thoughtful and thorough, offering concrete solutions, being outspoken when necessary and having an independent mind.
I also want to be seen as someone who is collaborative and consultative, and who recognizes the importance of our organization staying ahead of the curve on emerging issues in order to best protect and promote Canadians’ privacy rights.
And this is where I would like to start looking forward, and talk about the work we have recently completed to identify the new privacy priorities that will guide the work of our Office in the years to come.
New privacy priorities – keeping abreast of change and staying ahead of the curve
What we did and heard
Our priority-setting exercise began with a central and guiding objective: To increase the control Canadians have over their personal information.
We set out to hear from a wide range of individuals and organizations about what privacy issues were important to them. We reached out to individuals by conducting focus groups. We held meetings in locations across the country, with public and private sector stakeholders, academia, civil society organizations, and consumer groups.
In fact, one of our stakeholder sessions was held right here in Edmonton, and I would like to thank Commissioner Clayton for her support and close participation.
Through focus groups and round table discussions, we sought opinions, concerns and ideas related to some key privacy themes that come up frequently in our work.
We wanted to know if we had captured the issues correctly, which ones were the most important, along with why and what specific actions could be taken to achieve maximum impact and by whom – be it individuals, organizations, regulators or legislators.
The exercise was extremely insightful. It broadened our understanding of different groups’ concerns, providing a better sense of where we should focus our efforts to make best use of our resources and, as an organization, make important decisions about our proactive work.
Let me share some of the key things we heard.
One thing that rang loud and clear was the need to closely examine PIPEDA’s current consent model. Many noted that privacy policies were often long, legalistic and incomprehensible, falling short of clearly explaining how personal information collected from individuals would be used and by whom.
Others questioned whether it was realistic to seek one-time consent in exchange for personal information in an age where analytics and algorithms identify new possible uses for data all the time.
All told, it was largely observed that asking people to read a tome of legalese before clicking “accept” is no longer sufficient and becoming less and less so as Big Data gets even bigger.
As difficult as it may be today to determine how our personal information may be used down the road in the digital age, participants also highlighted the difficulties people face in escaping their digital past.
In particular, several called on us to delve more deeply into questions surrounding the Right to be Forgotten, while many also shared concerns about confusing privacy settings and the lack of mechanisms to delete or correct information.
Many of the academic experts and consumer advocates we talked to raised serious concerns about privacy risks tied to new technologies such as medical and wearable devices, which collect information from and about people’s bodies. Experts pointed out that, with the emergence of powerful analytics, this very personal information could be used for numerous secondary purposes, ranging from marketing to insurance, or others yet to be conceived of.
At the same time, while such devices, which represent exciting new ways to protect, preserve and improve personal health, are becoming more popular, the individuals we heard from knew seemingly very little about the possible privacy risks.
Another key point emerging from our listening exercise was concern about government surveillance.
While people were generally accepting of targeted surveillance to protect national security and prevent crime, they were worried about how surveillance might damage their own basic rights and freedoms, including the right to privacy.
Perhaps not surprisingly, in order to provide reassurance and build public trust, we heard calls for more transparency on the part of authorities.
Participants also encouraged our Office to take a greater leadership role here particularly as the government moves to implement several new, related bills.
In addition, we also heard various concerns about the borderless nature of today’s digital economy. Individuals were generally uncomfortable with their personal information leaving Canada, perceiving international laws to be less privacy protective. Organizations meanwhile raised confusion and costs associated with the lack of harmonized privacy legislation internationally.
What we decided
Based on our discussions, we landed on four broad priorities that I will outline for you now.
- The economics of personal information;
- Government surveillance;
- Reputation and privacy; and
- The body as information.
Let me now highlight our key goals for each.
The economics of personal information
With respect to the economics of personal information, we aim to both enhance the privacy protection and trust of individuals so they can participate in the digital economy with confidence.
One of our first key actions will be starting an exercise to examine the consent model and identify ways to enhance users’ control.
First off, we will produce a discussion paper outlining challenges with the current model.
We will also suggest potential solutions, ranging from greater self-regulation to greater accountability, to enhanced regulation. I also expect that we will examine the practicality and feasibility of technological solutions, such as just-in-time notifications and other innovative ways of communicating information about privacy practices.
From there, we will engage stakeholders and seek their views.
In effect, this will continue and delve deeper into the discussion that we heard during our priorities exercise.
On one hand, we heard from many that users need more information and stricter data retention and disposal policies are needed to provide individuals greater control over their personal information.
While, on the other, some held that the current model provides the right tools to exercise control with greater openness by organizations about their privacy practices.
We will have a full airing of these views before determining and sharing our position, which will identify improvements.
In the medium term, we will apply those improvements within our jurisdiction through our enforcement work.
We will also recommend legislative changes as appropriate.
In the end, we want this work to help ensure privacy remains protected in a manner that gives individuals meaningful control over their personal information.
And in doing so, we also want to respect innovation, knowing full well the growth potential of the IT sector, which has empowered society with information like never before, creating new economic, intellectual and social opportunities, which were unimaginable just a relatively short time ago.
Under government surveillance, our goal is to contribute to the adoption and implementation of laws and other measures that demonstrably protect both national security and privacy.
And for our initial work under this priority, we will take action to reduce key privacy risks associated with recent federal legislation.
For example, our Office expressed concern about Bill C-51. And while our suggested amendments were not enacted, we will dedicate resources, examine and report on how this Bill is implemented.
We will use our review and investigative powers to examine the information collection, use and sharing practices of departments and agencies involved in activities made possible by this new law to ensure they respect the Privacy Act.
Moving forward, we will report our findings to Parliament and Canadians. We will issue recommendations for potential improvements to policies or legislation, as warranted.
We also plan to take action in the face of the new lawful access provisions of Bill C-13, another piece of legislation we raised concerns about.
In particular, we will work with other organizations and provide guidance to both the public and private sectors.
This will seek to establish standards for transparency and accountability reports regarding companies sharing personal information with law enforcement agencies.
Reputation and privacy
On reputation and privacy, we want to help create an environment where people can use the Internet to explore their interests and develop as individuals without fear that their digital trace will lead to unfair treatment.
Under this priority, we will work to help enhance digital literacy among vulnerable populations such as youth and seniors.
We will also examine and establish a position on potential recourse mechanisms, such as the Right to be Forgotten, in the Canadian context.
The body as information
And for our fourth and final priority, the body as information, our goal is promoting respect for the privacy and integrity of the human body as the vessel of our most intimate personal information.
In doing so, we will seek to learn more about the privacy implications of new technologies that collect information both about and from within our bodies.
From there, we will work to inform both consumers and developers about the potential privacy risks of these exciting technologies and how they can be mitigated.
Strategies to achieve goals
Of course, determining priorities and goals is important, but showing how we plan to achieve them is just as significant.
And today, I am happy to announce that my Office is issuing a report outlining in greater detail our four priorities, the strategies that will help us reach our goals and some of the concrete activities we plan to launch going forward.
Entitled, The OPC Privacy Priorities 2015-2020: Mapping a course for greater privacy protection; it is available on our website and I invite all of you to read it.
It details the actions we will take to achieve our goals, and how we will utilize the following five, cross-cutting strategies:
- Exploring innovative and technological ways to protect privacy;
- Enhancing accountability and promoting good privacy governance;
- Enhancing our public education role;
- Devoting special attention to vulnerable groups; and
- Taking into consideration the fact that privacy knows no borders.
Continuing emphasis on collaboration
Following up on this last point, as my predecessor, Jennifer Stoddart, said at this very conference three years ago,
“As Commissioners, we must proceed in our work cognizant and respectful of each other’s jurisdiction. At the same time though, when circumstances dictate, we mustn’t be constrained by jurisdictional lines from supporting each other or working together. Indeed, we should never lose sight of the fact that while the application of privacy law is bounded by jurisdictions, privacy as a value is universal. Privacy itself transcends borders.”
Some of you here may have had a chance to have a read of our latest annual report under PIPEDA released this week. It devotes a special focus to actions taken by our Office during the past year with the privacy and data protection authorities of other countries.
In years past, our Office worked to grow international networks, relationships and activities. And in 2014, our international enforcement action became both more significant and common, becoming the new normal.
As our priorities exercise indicated, Canadians are concerned that there are weaker privacy protections offered in other countries, meaning they will have less recourse to remedy problems when their personal information leaves Canada.
In the face of such concerns, continually increasing international collaboration is essential to build and maintain confidence in today’s global, digital economy.
The combined work of authorities can result in stronger and clearer messages to encourage and compel stronger privacy practices among international companies who need to comply with a variety of different privacy laws around the world.
Our Office has been at the forefront of international collaboration, and this derives heavily from our history and experience at home.
Indeed, our Office along with our provincial counterparts here in Alberta and in British Columbia, enjoy a long history of producing joint guidance on issues, including online consent, accountability and cloud computing.
In the near future, our Offices will be releasing our latest joint effort with guidance for businesses on the Bring Your Own Device phenomenon, where employees use their own devices for work and personal purposes, raising privacy and security issues.
Such work promotes compliance and provides clarity for organizations operating in Canada and among various privacy laws.
And of course, when we stand and speak together, our message rings most clear. For example, in October, just days after the tragic events in Ottawa and St-Jean-sur-Richelieu, when security concerns were understandably very high, all of Canada’s Privacy Commissioners stood together in a joint resolution calling for new public safety initiatives to be measured and proportionate in order to preserve our democratic values.
All told, as federal Commissioner, I look forward to working more collaboratively both beyond and within our borders to clearly inform organizations of their privacy obligations and individuals of their rights, while protecting Canadians’ personal information wherever it may travel.
In closing, I want to thank Wayne and the University once again for inviting me here to speak with you all today.
As exciting and invigorating as my first year as Commissioner has been, I look forward to what lies ahead.
Again, I encourage you all to read the report outlining the strategies and activities we plan on launching to reach our goals.
And, I also look forward to working with my counterparts here today and, of course, with the many future privacy professionals in attendance studying in this prestigious program.
- Date modified: