Shifting for results for Canadians

Remarks at the IAPP Canada Privacy Symposium 2018

May 24, 2018
Ottawa, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


At this midway point of my mandate as Privacy Commissioner, it has become increasingly clear to me that to have a more positive impact on the privacy rights of a greater number of Canadians, we at the OPC need to change our approach to privacy protection.

And here I am not referring to the need to modernize our laws, although that remains a necessity. Even more so in my view after the Facebook/Cambridge Analytica/AIQ crisis.

To quote a report titled Regulating for Results by the Centre for Information Policy Leadership: “A fundamental challenge for any Data Protection Agency is how to maximize effectiveness when there is so much they could do and so little resource to do it.”

This is certainly true for my office.

We have spent considerable time trying to convince our legislators that Canada’s privacy laws are grossly outdated and in need of reform if this country is to be a world leader in this field and to effectively protect Canadians’ privacy in an increasingly networked world.

Since last year, we raised concerns about national security legislation and recommended legislative and other changes in both our draft position on online reputation and our work to address problems with the current consent model.

The Facebook/Cambridge Analytica incident, which we are now investigating, has garnered worldwide attention and thrust a much-needed spotlight on privacy issues. So too have other major privacy incidents — Yahoo, Loblaws, Nissan and Equifax, to name a few. It sometimes takes a crisis to effect change and we are cautiously optimistic Parliamentarians are listening.

But the truth is, many of these things are beyond our control and we anxiously await government action. That being said, we are not being complacent.

What we are trying to do is to breathe new life into old laws with a vision of a more proactive approach to privacy protection. You may recall this is something I discussed at this conference last year.

Since then, we have fine-tuned this new approach, we’ve set some ambitious goals for our work, we’ve made some important structural changes at the OPC, and we are putting our vision into concrete action. This is what I will focus most of my remarks on today.

The scale and pace of technological advances and their use in business and government organizations are significantly straining the ability of individuals to protect their privacy. Innovation in the areas of data analytics, artificial intelligence, genetic profiling and the Internet of Things raises novel and highly complex privacy risks.

While we recognize these technologies are necessary for economic growth and to improve government services, they must be used in a manner that respects the privacy of Canadians. People want both. We also believe that many organizations want to do the right thing and we want to help them with that.

As such, and to address some of the challenges we face, we have made significant changes to our organizational structure that we believe will help us achieve better results for privacy.

We have streamlined our operations by clarifying program functions and reporting relationships, and become more forward-looking by shifting the balance of our activities towards greater pro-active efforts. Our objective, as I said earlier, is to have a broader and more positive impact on the privacy rights of a greater number of Canadians, which is not always possible when focusing most of our attention on the investigation of individual complaints.

With that in mind, our work will now fall into one of two program areas — Promotion or Compliance. Activities aimed at bringing departments and organizations towards compliance with the law will fall under the Promotion Program, while those related to addressing existing compliance issues will fall under the Compliance Program. In the coming weeks I will be announcing the two Deputy Commissioners who will oversee these new sectors.

We know that a successful regulator is not one that uses enforcement as a first or primary strategy to seek compliance. Thus our first strategy will be under the Promotion Program to inform Canadians of their rights and how to exercise them, and to guide and engage with organizations on how to comply with their privacy obligations.

Guidance and information will be issued on most key privacy issues, starting with how to achieve meaningful consent in today’s complex digital environment, which I will discuss in greater detail in a moment.

We will also work with industry proactively and collaboratively in an advisory capacity, to the extent our limited resources allow. We will seek to better understand privacy impacts of new technologies and provide practical advice on how to use them in a privacy compliant way.

Addressing privacy issues upfront and resolving matters cooperatively, outside formal enforcement, is our preferred approach. It avoids time-consuming and costly investigations, helps mitigate against future privacy risks, offers organizations a measure of consistency and predictability in their dealings with our office and allows everyone to benefit from innovation.

It is for these reasons that we will primarily consider our Promotion tools before engaging our second strategy — proactive enforcement.

Under the Compliance Program, our proactive enforcement actions will target systemic, chronic or sector-specific privacy issues that aren’t being addressed through our complaint system and that we believe may inflict significant damage to the privacy rights of Canadians.

By delineating our activities more clearly under two programs, Compliance and Promotion, by being more proactive and by ensuring we are citizen-focused, I hope Canadians may begin to feel more empowered and in control of their personal information. And generally safer in the knowledge that their rights will be respected.

I’d like to elaborate now on some of the work we will be doing in the coming year under our new approach and structure.

Through our restructuring, the new Business Advisory Directorate (formerly the Toronto office) will aim to provide advice to businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). In part we want to proactively engage with organizations, on a voluntary basis, on privacy risks of a high impact nature, either upon request or based on our own intelligence.

The aim: to gain a better understanding of innovative new business models and practices and to address, and potentially resolve, any privacy concerns before they materialize. We also want to explore the possibility (through pilots) of responding to advice requests from smaller businesses not necessarily at the cutting edge of technology, but who nevertheless have a significant impact on the privacy of Canadians. Given resource pressures, we will need to be selective, at least for the moment, in deciding which projects we are able to take on.

By the way, the Toronto office will no longer perform investigations. This is because we want to make a clear delineation between Compliance and Promotion functions. The Business Advisory Directorate is part of Promotion. It is when you get a call from PIPEDA Investigations in Compliance that you should start to worry.

This year, on the engagement front, I am pleased to announce the first advisory project initiated by my office which is now underway. It relates to Sidewalk Toronto, a smart city endeavor between Waterfront Toronto and Sidewalk Labs, owned by Google’s parent company Alphabet.

The initiative — which I expect most of you are familiar with — involves building a technology-driven neighbourhood on the city’s eastern waterfront that includes sensors aimed at helping city planners find efficiencies.

Understandably, the initiative is raising many questions about data collection, privacy, where the information will be stored and how it might be used, including whether it will be sold or used for marketing purposes.

Last month, members of our Business Advisory Directorate, along with a colleague from the Ontario IPC, met with those behind the project to learn more about it and how they were addressing some of these privacy concerns.

Overall, we were encouraged by their efforts to proactively address privacy and data security in the design and implementation of the initiative.

We reminded officials of key privacy principles including purpose specification, ensuring individuals could access their own personal information and being accountable for protecting the data and being clear about who owns it.

We also emphasized the importance of high standards and techniques when it comes to de-identification of data to mitigate the risk of re-identification, and that any open data component to the initiative be done in a privacy protective manner.

Given the project is still in its early stages, we will continue to monitor developments and proactively engage with Sidewalk Toronto officials as it progresses.

On the subject of smart cities, last month we also teamed up with a number of our provincial and territorial counterparts and issued an open letter to the federal government. We called for privacy and security of personal information to be considered in the selection, design and implementation of the winning proposals in a smart cities competition recently launched under the Government of Canada’s Impact Canada Initiative.

Our Government Advisory Directorate is also in the business of giving advice — to federal institutions — and we plan to do more of this going forward, again with the philosophy of bringing departments towards compliance with the law as they deliver services to Canadians.

We recently concluded a series of stakeholder engagement sessions with federal government ATIP and program area staff to help inform our efforts as we re-align our advisory services.

We are consistently asked to provide more guidance to individuals on how to exercise their privacy rights and to organizations on how to respect their obligations. Resources permitting, we have committed to doing just that and have identified 30 topics on which to get started.

At the top of the list are consent and no-go zones. I’m pleased to announce that our final guidelines for organizations on Obtaining meaningful consent and Inappropriate data practices are available as of today. The consent guidelines are, in fact, a joint effort with our Alberta and British Columbia counterparts.

Among other important advice in the meaningful consent guidance, we outline four elements that must be emphasized in privacy notices and explained in a user friendly way:

  1. What personal information is being collected;
  2. With which parties is personal information being shared;
  3. For what purposes is it being collected, used or disclosed; and
  4. What are the risks of harm or other consequences that might come from any collection, use or disclosure of the information provided?

Some have expressed concerns about our decision to include risk of harm among the four elements to be emphasized. This decision flows from the definition of valid consent in PIPEDA. The Act requires that an individual understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

What we are taking about are those residual risks that might remain despite an organization’s best efforts to apply mitigation measures designed to minimize risk and impact of potential harms. In the end, only meaningful residual risks of significant harm must be included in notifications — risks such as bodily harm, humiliation, loss of employment and identity theft that fall below the balance of probabilities, but are more than a minimal or mere possibility.

I know that there may also have been some concern about binding language in the guidance. While it is clear that we cannot use guidance to establish new legal standards, we think our role as a regulator includes giving guidance that clarifies PIPEDA requirements and sets expectations as to how the law should generally be interpreted and applied. Given that PIPEDA is so broad in nature, individuals and organizations need an adequate level of certainty.

Now let me give you some examples of what we mean by guidance that distinguishes between requirements and best practices or recommendations:

The four elements to be highlighted in our view are requirements. Because it is not possible to have meaningful consent without giving emphasis to these four elements.

In applying the guidelines there is the issue as to the level of detail that each of these elements needs to have.

The level of detail will depend. For instance, one of the four elements is the need to inform individuals of the 3rd parties with which the organizations collecting the information will share information. The requirement for which we see a clear and direct connection to PIPEDA, is that these third parties need to be described in sufficient detail as to allow the individual to understand what they are being asked to consent.

The level of specificity provided for describing or including each 3rd party is a recommended best practice.

Similarly, we speak of layering in our guidance and this is a recommended best practice.

A very important and useful change that was recommended by stakeholders following publication of the draft guidelines issued for consultation in September, is that in the final version available today, we have added a checklist that distinguishes between “must do’s” (what we feel is a legal requirement) and “should do’s” (what we feel is a best practice).

As I mentioned, we have also launched new guidance on no-go zones. The guidelines are up in final form. While context is of course important in the application of subsection 5(3) of PIPEDA, I firmly believe there is value in, even a need for, specific examples of practices that will generally be found inappropriate. These no-go zones should set useful boundaries for individuals and organizations.

Because there is no reason to delay the application of the 5(3) guidelines, they will become applicable very shortly, on July 1. However, because the consent guidelines may require organizations to implement changes to their systems and practices, their application will begin on January 1, 2019.

I can also tell you that Barbara Bucknell, our Director of Policy, Research and Parliamentary Affairs, will be discussing our consent work in greater detail during a session later at this conference.

As mentioned, our preferred approach to bringing organizations into compliance with Canada’s privacy laws is through education and engagement. This does not mean there is no place or role for enforcement. We must first investigate complaints, but we also want to undertake proactive investigations.

Also, we are generally required by law to investigate individual complaints. As you may know, we have called on the government to amend PIPEDA to allow us to decline certain complaints so we might better utilize our limited resources, and have suggested individuals be granted some form of judicial redress, such as a private right of action, in such cases.

It’s no secret that our enforcement teams are already facing tremendous pressures. Mandatory breach reporting for the private sector comes into force in November and, as was the case in other jurisdictions, is expected to significantly increase our already heavy workload. Our public sector investigators are also overwhelmed with complaints and breach reports, the latter of which was recently the subject of a review that raised serious concerns about how federal institutions identify and manage breaches. We expect to have more to say on that in our next annual report.

Yet despite these constraints and pressures, as mentioned earlier, we nonetheless want to apply a greater measure of proactivity to our enforcement work.

Canada’s largely reactive, complaints-based model for privacy protection seldom affords us the opportunity to examine new technologies, complex data flows and opaque business models. People are unlikely to file a complaint when they do not know what is happening to their personal information.

Consequently, there is a greater responsibility on my office to proactively identify and address privacy issues of greatest risk to Canadians, for instance through more Commissioner-initiated investigations.

Therefore, I am also announcing today that we are proceeding with our first proactive, industry-wide Commissioner-initiated investigation into the privacy management practices of data and list brokers.

Organizations that deal in lists are responsible for how the information is compiled, which includes obtaining consent from those on the lists.

Preliminary inquiries into industry practices have raised a number of concerns about how databases of Canadians’ detailed personal information are being compiled and then subsequently disclosed to marketers. Detailed profiles about individuals may be inaccurate, and could be accessed and used for purposes that individuals may know nothing about.

As such, our investigation will look at accountability, openness and transparency in the management of personal information collected, used and disclosed, as well as the means of consent obtained for the personal information collected, used or disclosed. In total, we will be investigating the practices of six different data brokers. This would also include a consideration of CASL and the address harvesting provisions enforced by my office.

We believe that this industry can benefit from an investigation of this nature, and that Canadian consumers will welcome it. I understand Brent Homan will be speaking more to our proactive compliance efforts in another panel.

In closing, I think you will agree we have set an ambitious agenda.

By enhancing our advisory role, we can help organizations achieve their objectives in a privacy compliant way and foster greater confidence among Canadians that will only serve to benefit the digital economy.

I am confident that changes to our approach will be good for businesses that want to be responsible corporate citizens, federal institutions that wish to maintain the trust of Canadians and, of course, Canadians who ultimately want greater control over their personal information.

Date modified: