Remarks by Privacy Commissioner of Canada regarding his 2018-19 Annual Report to Parliament
December 10, 2019
The Privacy Commissioner of Canada, Daniel Therrien, made the following statement during a press conference at the National Press Theatre in Ottawa.
(Check against delivery)
For several years, my predecessors and I have been calling for fundamental reform of Canada’s privacy laws. In May, the government announced reviews of both the federal private sector law, Personal Information Protection and Electronic Documents Act, or PIPEDA, and the public sector law, the Privacy Act.
In last Thursday’s Speech from the Throne, the government also committed to reviewing the rules currently in place to ensure fairness for all in the new digital space. I welcome this commitment. The question is no longer whether laws should be modernized, but how.
These are challenging times for privacy. For good and bad, data-driven technologies are a disruptive force. They open the door for innovation and economic growth, but they have been shown to be harmful to rights, including privacy and democracy.
We have a crisis of trust. Polling tells us that 90 percent of Canadians are very concerned about their inability to protect their privacy. Only 38 percent of Canadians believe businesses respect their privacy rights. Only 55 percent of Canadians believe government respects their privacy. Some 30 million Canadians have suffered a data breach in the past year.
Canadians want to enjoy the benefits of digital technologies, but they want to do it safely. It is the role of government to give Canadians the assurance that legislation will protect their rights.
Given that privacy is a fundamental human right and a necessary precondition to the exercise of other fundamental rights such as freedom and equality, the starting point should be to give privacy laws a rights-based foundation.
In other words, new privacy laws should reflect fundamental Canadian values.
But, what does it mean to have rights-based privacy laws? This is what our annual report seeks to clarify.
First, the law should recognize privacy in its proper breadth and scope, not as a set of process rules like consent, access and transparency, but as a human right. Privacy is often seen through the lens of website terms and conditions leading to a less than meaningful form of consent. This is a narrow view, and one which puts individuals at a distinct disadvantage when faced with organizations with immeasurably more knowledge and power.
To entrench privacy in its proper human rights framework, the law should ensure that the right to privacy is interpreted and applied in relation to its underlying values, as a human right and an essential element in the exercise of other fundamental rights. To that end, our report suggests the adoption of a preamble and purpose clauses that seek to reflect these values, while acknowledging legitimate business interests and the public interest.
Second, a reformed private-sector privacy law must put an end to self-regulation.
It is untenable that organizations like Facebook are allowed to reject my office’s findings as mere opinions. The law should no longer be drafted as an industry code of suggested best practices, but rather as a set of enforceable rights and obligations.
Third, we need enforcement mechanisms that offer quick, effective remedies for people whose privacy rights have been violated, and that help to ensure ongoing compliance by organizations.
This includes empowering the Privacy Commissioner to make binding orders and impose consequential, but proportional penalties for non-compliance with the law.
As well, my office should be enabled to conduct proactive inspections to ensure organizations are demonstrably accountable for their privacy practices.
Fourth, in the public sector, the law should allow privacy-invasive activities and programs only where federal institutions can demonstrate they are necessary, and where the intrusion is proportional to the benefit to be gained.
This issue was central to our Statistics Canada investigation.
We received more than 100 complaints about two programs involving the collection of credit histories and the proposed collection of line-by-line financial transaction information from banks without the knowledge or consent of affected individuals.
Canadians were deeply troubled by these initiatives. This concern was clearly justified given the scale of the proposed collection; the highly sensitive nature of the information; and the fact that the information in question would paint an intrusively detailed portrait of a person’s lifestyle, consumer choices and private interests.
While the investigation did not find that Statistics Canada had violated current laws, it did raise significant privacy concerns. It also served to highlight the inadequacy of existing legislation.
While Statistics Canada officials described their objectives in general terms, they did not demonstrate the necessity of collecting so much highly sensitive information about millions of Canadians.
We were pleased Statistics Canada ultimately agreed with our recommendations not to implement the projects as originally designed, and to work with us to redesign the initiatives so that they respect the principles of necessity and proportionality.
I hope this experience will encourage other departments to fully consider privacy issues as they align their activities with the government’s strategy to make more strategic use of the data they collect.
Before closing, I want to emphasize that a rights-based law is not an impediment to innovation. To the contrary: good privacy laws are key to promoting trust in both government and commercial activities.
Without that trust, innovation, growth and social acceptance of government programs can be severely affected.
Some leading voices in the tech industry are also calling for legislation that ensures responsible innovation. Notably, Brad Smith, CEO of Microsoft, said recently that society needs a “new wave” of privacy protection that shields human rights. If the president of Microsoft thinks we need rights-based privacy laws, I assume he is not too concerned with risks to innovation.
Countries in Europe, Asia, South America and Africa, have recently modernized their privacy laws. While Canada used to be a leader in privacy protection, unfortunately the world is now passing us by.
In its early years, the Internet was seen and promoted as an instrument for freedom. Now we see more clearly that it brings very important benefits, but also very grave risks to our values. It is time to put values and rights at the centre of our privacy laws.
- Date modified: