Course correction for improved outcomes for Canadians

Remarks at the IAPP Canada Privacy Symposium 2017

May 17, 2017
Toronto, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Less than a year into my mandate I attended this conference and told you that my goal as Privacy Commissioner was to increase the control Canadians have over their personal information.

At that time, I laid out the priorities we would focus on, or what we would do to achieve this goal.

We consulted widely, as you know, in the construction of our action plan — and in particular in our work on consent and online reputation which are now in the final stages. In every focus group, stakeholder roundtable and even our polling, we heard the same thing.

While Canada’s largely reactive, complaint-based model for privacy protection has enjoyed a certain success over the years — our investigations, for instance, have led to many positive changes to privacy practices — it is facing formidable challenges in the digital age. Our ombudsman model has been unable to make Canadians more confident that their privacy is protected and that they have a say in what happens to their personal information.

According to our most recent survey, 92 per cent of Canadians expressed concern about the protection of their privacy and nearly half said they felt as though they’ve lost control over how organizations collect and use their data.

On the public sector side, we’ve heard concerns over government surveillance, lawful access and invasive border security measures.

On the private sector side, as we heard during our consultations on consent, many believe privacy policies are woefully inadequate in achieving informed consent. Participants in one focus group in Montreal went so far as to say they “never” really achieve informed consent.

The truth is, people are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what’s happening to our personal information.

This is certainly troubling. Something has to change or we run the risk that Canadians will lose trust in the digital economy, thus hindering its growth, and they may not enjoy all the benefits afforded by innovation. More fundamentally, it is quite unhealthy in a democracy when most citizens fear one of their basic rights is routinely not respected.  

What I propose is a slight course correction, a tilting of the sails, with respect to how my Office approaches privacy protection. With your permission, I would like to focus on that today. The plumbing, as opposed to the renovation, which I promise will be revealed in due course.

While we will continue to investigate complaints, we will also look for ways to be more proactive. We will take a key privacy principle to the next level and champion demonstrable accountability and our work will be more citizen-focused.

Finally, recognizing that privacy knows no borders in an increasingly globalized world, we will pay very close attention to what’s happening on the international front. We will aim to ensure the privacy of Canadians is respected wherever they or their data may travel and that Canada’s privacy protections hold up against those of other countries.

My hope is that this will all lead to improved outcomes for the privacy protection of Canadians.

The shift towards proactive enforcement

As you know, the Privacy Commissioner is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.

The two laws I oversee — the Privacy Act and PIPEDA — are both largely complaint-driven. But as I mentioned earlier, there is a growing disconnect between those who provide and those who receive products and services.  

It is no longer clear to consumers exactly who is doing what with their data and whether it is acceptable. People don’t know what they don’t know.

My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under Canadian privacy law.  

Although we aim to educate individuals, government institutions and businesses about their rights and responsibilities, there is more we can do proactively under our existing authorities.

I don’t raise this to worry the organizations in the room. To the contrary, I believe this approach will further shift the focus towards addressing those privacy threats posing the greatest risk to Canadians. It will also assist compliance-minded organizations in avoiding missteps that can prove costly to their businesses and their customers.  

So what would more proactive enforcement look like?

While complaint-based investigations are the norm, I have the power under PIPEDA to initiate investigations where I am satisfied there are reasonable grounds to do so — a relatively flexible threshold.

Going forward, we will examine investigative trends, calls to our Information Centre and feedback we receive through our outreach activities to determine whether there are specific issues, chronic problems or sectors that could benefit from a Commissioner-initiated investigation.

We are also considering how best to engage with organizations more directly to ensure they are meeting their privacy obligations.

Voluntary privacy audits or advisory visits or meetings, where we can validate compliance with PIPEDA or recommend ways companies can improve their privacy practices before an incident occurs, are options we’ve seen used effectively by other data protection authorities. 

The chief constraint with this type of proactive work is resources — a limited budget, only so many privacy investigators and an already heavy workload of cases that come before us.

That being said, we are aware, through our recent consultations on consent, of fee-based models and we are interested in exploring such options.

Promoting demonstrable accountability

Proactive compliance and enforcement certainly came up in our discussion paper on consent and a number of submissions received during the consultation period noted other data protection authorities have been doing this type of work for some time. We will have more to share on our plan going forward when we release our final report on consent in the fall, so stay tuned.

Suffice it to say that my Office cannot deliver greater control over personal information and stronger privacy protection alone. Industry and federal institutions must be involved in the solution. CEOs and deputy ministers must be accountable for the privacy practices of their organizations. 

It is worth noting that PIPEDA was the first personal information protection law in the world to include the concept of accountability, building on a brief mention of it in the 1980 OECD privacy guidelines. While it has served as a model for other data protection laws, there is much discussion today within the international privacy community about taking accountability to the next level.

One way to do this would be to promote the idea that accountability must be demonstrable. This is already in the accountability guidelines that we published along with our colleagues from British Columbia and Alberta.

Currently, it is only when a matter is brought to our attention through the complaints process that we look under the hood; that we ask organizations to demonstrate they regularly update and follow specific policies and procedures to protect personal information; that they provide adequate privacy training to staff; and that they have appointed somebody to be in charge of these matters.

I believe demonstrable accountability through proactive compliance could result in improved outcomes for privacy. I know, for example, that some of my European counterparts use mini-audits as an effective tool for improving accountability. When we launch Commissioner-initiated complaints, we will also, when appropriate, ask organizations to demonstrate accountability.

By going into companies and asking questions about their privacy practices, we can help them identify gaps that can be addressed before serious problems occur.

This is especially important as technologies evolve and the collection, use and disclosure of information become less transparent and harder for individuals to comprehend. If we are not proactively engaging with organizations that use big data, artificial intelligence, biometrics and other cutting-edge innovations, it will be impossible to ensure accountability in this rapidly evolving area.

We are also looking at what role we can play in encouraging industry to develop codes of practice. In fact, we’ve already identified a couple of opportunities. This year, through our Contributions Program, we will be funding an arm’s-length project aimed at developing a code of practice for connected cars and another for legal apps.

Proactivity and the public sector

On the public sector side, we have proposed a series of recommendations to Parliamentarians as part of a recent review of the Privacy Act that would go a long way towards demonstrating accountability through proactive compliance.

Privacy Impact Assessments are a prime example. They must be completed by virtually all federal institutions ahead of launching any new or redesigned program or service that could impact privacy and can be an excellent risk assessment and mitigation tool.

Last year, we received 93 PIAs from some 31 different institutions. We would like it spelled out in law, rather than by virtue of a Treasury Board directive, that they be produced and submitted to my Office in a timely fashion. Basically we’d like to receive and review more PIAs as a means of mitigating issues upfront rather than remedying problems after the fact.

We’ve also called for legislative change that would require written information-sharing agreements between federal institutions or with other levels of government, foreign states and organizations.

While we understand the argument that information sharing can help streamline government services, which may be desirable for Canadians, there are privacy risks. Citizens also expect institutions to protect their privacy and the government must put down markers on how this will occur. Written agreements submitted to my Office for review that take into account necessity and proportionality would help.

Institutions should be required to consult with my Office on draft legislation that may impact privacy. To address the risk of over-collection of data, we’ve also asked for an explicit requirement that institutions only collect information necessary for the operation of a program or activity.

I’m pleased to say that the House of Commons Standing Committee on Access to Information, Privacy and Ethics has agreed with all our recommendations in a report issued in December. While government officials have their own objectives when it comes to reform, they have responded positively to our call for modernization, acknowledging the Privacy Act is in need of a wholesale review.

If our recommendations are adopted, I believe the changes will go a long way towards improved accountability in the federal government.

Becoming more citizen-focused

Another way in which we are shifting our approach to privacy protection is with respect to our additional focus on citizens.

For one thing, we are redefining our desired outcomes. From now on, citizen empowerment will be the standard by which we measure the success of our activities. If our goal is to reduce the proportion of Canadians who are concerned about their privacy, our activities must be seen as useful to both individuals and organizations, and must help the latter reach compliance with Canada’s privacy laws.

You may have already noticed some of the activities we’ve been doing over the last year in this area.

We overhauled our website to make it more user friendly for individuals looking for privacy information, and we will continue to monitor, test and update it regularly to ensure it is meeting visitors’ needs.

We are developing new tip sheets and information for individuals that we hope are easier to digest and include concrete advice people can truly use. For instance, we have new tip sheets on wearables and on protecting personal data online and on mobile devices.

We also introduced a “smart” online information request tool to serve Canadians better by allowing them to communicate with us electronically, and in many cases, to receive immediate answers to their privacy questions.

Furthermore, we have made a concerted effort to reach out to vulnerable populations — namely seniors and youth — through the development of lesson plans with our provincial colleagues, articles in targeted publications, exhibiting and speaking opportunities and with the launch of our new Facebook page.

As I mentioned earlier, helping organizations and federal institutions comply with privacy laws ultimately serves to improve privacy protections for individuals.

As such, we have updated and produced new guidance for businesses on identification and authentication, how to apply specific sections of PIPEDA and on addressing employee snooping. Our investigation into a massive breach at Ashley Madison also resulted in “takeaways” businesses could use to improve privacy practices. For federal institutions, we added a privacy tip sheet for human resources professionals.

The Deconstruction Series was another new initiative aimed at providing timely, in-depth information about key investigative findings — namely the Ashley Madison and CASL-related CompuFinder cases. We hope these sessions helped organizations learn from the missteps of others to avoid similar pitfalls.

To reach SMEs, we gave presentations at Chambers of Commerce and Facebook Small Business Boost events across the country. And an insert about privacy responsibilities was sent to more than half a million SMEs in a CRA mail-out.

We will continue to review and update existing guidance, to publish new guidance for individuals and organizations as issues arise or evolve, and to ensure that information and advice is as accessible and useful as possible.

I want to mention that our new website also has a new feedback button, which you can use to tell us whether you find a particular piece of advice or guidance useful or not, and why. I would encourage you to take advantage of that new tool and to tell us what you think.

While we received a lot of feedback during our consultations on consent and online reputation, it’s important that we continue to hear from you, the privacy community. Is our guidance useful? What else can we do to help improve compliance? How can we work together to empower citizens and bolster their trust?

We can probably all agree that consumer trust, the trust of Canadians, is key to a robust and vibrant digital economy.

Central to building that trust is ensuring that the companies Canadians do business with, the organizations they engage with and the government institutions they entrust with their most intimate data, respect their privacy.

International considerations

When it comes to protecting the privacy of citizens, we are also closely monitoring what’s occurring on the international front, namely in Europe and the U.S.

As you know, in 2018, the General Data Protection Regulation (GDPR) will come into force in Europe. As it requires reviews of adequacy decisions every four years, Canada’s adequacy status — which since 2001 has allowed data to flow freely from the EU to Canada — will have to be revisited.

The European Commission noted in January that Canada’s adequacy status is “partial” in that it only covers PIPEDA, and that all future adequacy decisions will involve a comprehensive assessment of our privacy regime, including access to personal data by public authorities for law enforcement, national security and other public interest purposes.

In December, I, along with my provincial and territorial counterparts, provided a submission to the government as part of its consultation on Canada’s national security framework. We cautioned that national security activities, including certain provisions in Bill C-51, could affect the EU’s assessment. We stressed that necessity and proportionality are key to maintaining Canada’s status and noted a change to our status could have far-reaching impacts on Canada’s trade relationship with Europe.

I have further urged Parliamentarians to give serious consideration to reviewing any gaps that may exist between Canadian privacy law and European law, including differences in the enforcement powers of data protection authorities and the right-to-be-forgotten, which is included in the GDPR.

I would just add that while my Office has called for stronger enforcement powers under the Privacy Act and PIPEDA, we are still reviewing whether the right-to-be-forgotten makes sense for Canada as part of our consultation on online reputation and privacy. Our final report is expected by the end of the calendar year.

A number of concerns south of the border are also raising difficult questions. 

Canadians have reportedly faced deeply personal interrogations when traveling to the U.S. and have been forced to turn over passwords to laptops and mobile phones. We have cautioned people to limit what they bring when travelling, or to remove sensitive information on devices that could be searched.

When U.S. President Donald Trump issued an Executive Order excluding non-U.S. citizens and lawful permanent residents from the protections of the U.S. Privacy Act regarding personally identifiable information, we received numerous requests to consider the implications for Canada.

I concluded that while Canadians have some privacy protection in the U.S., that protection is fragile because it relies primarily on administrative agreements that do not have the force of law.

I’ve urged Canadian government officials to ask their U.S. counterparts to strengthen privacy protections for Canadians — namely to ask that we be added to a list of designated countries under the Judicial Redress Act. This would extend certain judicial recourse rights established under the U.S. Privacy Act to Canadians.

I have also asked the government for confirmation on whether administrative agreements previously reached between Canada and the United States will continue to offer privacy protection to Canadians in the United States.

Upon receipt of the government’s response, which I expect shortly, I will inform Canadians of my conclusions, including the level of risk and what, if any, mitigation measures can be taken.

I should add that despite differences in privacy law and practice, it’s important to note that my Office enjoys strong partnerships with our counterparts around the world. From joint investigations to joint policy resolutions, these collaborative efforts are essential to boosting privacy protections globally.

Conclusion

To conclude, there is clearly no shortage of things to do.

The scale and pace of technological advances and commercial innovations, while creating remarkable opportunities, are significantly straining the ability of individuals to protect their privacy.

By shifting our strategy towards proactive enforcement and compliance, by ensuring we are citizen-focused and by keeping on top of international developments, I hope Canadians may begin to feel more empowered and in control of what happens to their personal information.
