Statement

Remarks by Privacy Commissioner of Canada regarding his 2015-16 Annual Report to Parliament

September 27, 2016
Ottawa, Ontario

The Privacy Commissioner of Canada, Daniel Therrien, made the following statement during a press conference at the National Press Theatre in Ottawa.

(Check against delivery)


My annual report to Parliament was tabled this morning. The report highlights the urgent need to modernize Canada’s privacy framework. It also discusses some of our recent national security-related work.

The fast-paced and persistent nature of technological change is putting ever-greater pressure on privacy. This environment demands a more modern approach to protecting personal information. 

As a society, we are trying to use 20th Century tools to deal with 21st Century privacy problems, and it is clear those tools are increasingly insufficient. 

Meanwhile, 90% of Canadians are very concerned about their inability to protect their privacy.

This is why, for example, we have launched public consultations — one on the issue of online reputation and another aimed at identifying possible solutions to address growing challenges related to consent for the collection and use of personal information.  Consent based on information found in long terms and conditions that no one reads is not a realistic way to protect privacy. We must do better.   

Ultimately, I believe the government should give greater priority to ensuring Canada has a robust and modern privacy protection framework. That means new laws and policies; it also means resources to ensure privacy risks are adequately mitigated.

There are real consequences if we don’t act: the risk of data breaches; excessive collection and sharing of personal information by businesses and governments; and trust in the digital economy, a key condition of economic growth, may be threatened.

Some governments have already moved forward to strengthen their privacy protection frameworks — most notably the European Union There is a risk that, if European authorities no longer find Canada’s privacy laws essentially equivalent to those protecting E.U. nationals, commerce between Canada and Europe may become more difficult. This is what happened to the U.S. when the Safe Harbour agreement was found invalid by E.U. courts.

I’ll turn now to work in the area of national security.

The annual report discusses the first phase of our review of how the Security of Canada Information Sharing Act (SCISA)was implemented and applied in the first six months after it came into force following the passage of Bill C-51.

My office has found that the privacy impact of the new authorities conferred by this new legislation was not properly evaluated during implementation and we have  recommended that formal Privacy Impact Assessments be performed.

Privacy Impact Assessments are a key tool in reducing privacy risks and government policy requires they be conducted when departments establish any new or substantially modified program or activity involving personal information. 

It was therefore quite surprising to learn that most departments did not conduct Privacy Impact Assessments related to implementation of SCISA’s new authorities, particularly given the government had said this legislation was crucial in addressing gaps in its ability to protect the public.

Another concern we have is that a guidance document developed by Public Safety Canada to help federal employees implement the SCISA lacks key information on how to apply the legislation's broad legal standards, thus creating risks of over sharing and use of personal information.

Public Safety agreed with our recommendation to improve the guidance document; however, a year after we provided that advice, still no changes have been made.

Many of you will remember that, earlier this year, it came to light that the Communications Security Establishment had shared metadata that had not been properly minimized with international security partners.

At the time, the message from the CSE and the government was that the sharing had been stopped for the time being, and that the privacy risk was minimal, in part because the metadata did not constitute sensitive private information as it did not include contents of communications.

We questioned the CSE’s contention that the risk to privacy was minimal. Metadata can in fact reveal very sensitive information about individuals’ activities, associates, interests and lives.

It serves the interests of no one to downplay the significance of privacy breaches. To the contrary,  I think it would be helpful  if the government  was more transparent with Canadians on these important points:  First, why is the collection of metadata essential to national security — so that Canadians understand the value of this activity in protecting them — and, second, an acknowledgement that there are indeed risks when things go awry — so that the risks can be weighed with the benefits.

Greater transparency would foster a more complete debate about national security and privacy. This also holds true for the recently announced Government consultations on Bill C-51. 

As you can see, there are important challenges in both the private and public sectors which need to be addressed to ensure Canadians’ privacy is protected.

I would be pleased to further discuss the issues I’ve just mentioned, and anything else you may find of interest in our annual report.

Date modified: