Frustration with government inaction permeates the Privacy Commissioner of Canada’s annual report, tabled September 27th, 2018. He lists privacy crises, including big data breaches at Equifax, Uber, and Nissan Canada Finance that affected thousands of Canadians. He makes mention of the “insidious purposes” companies can put personal information to with specific reference to the Cambridge Analytica/Facebook scandal. And he decries the fact that he, and his predecessors, have been calling for critical updates to Canada’s federal privacy laws for years to no avail.
Some of the key issues the report highlights are:
- In 2016 the Minister of Justice said her office was looking at modernizing our 35-year-old Privacy Act but no concrete proposals have emerged.
- Similarly, despite clear recommendations from the Parliamentary Committee tasked with looking at the private sector act, PIPEDA, the government has chosen to do further consultation rather than sit down and start making the difficult decisions that need to be made to protect Canadians from new kinds of data collection and new modes of surveillance.
- Political parties are not covered by privacy laws in Canada, and the new electoral reform act, Bill 76, “adds nothing of substance in terms of privacy protection.”
- The OPC reissued its call for better enforcement powers, including the ability to levy administrative fines and make binding orders.
- Guidelines for obtaining meaningful consent and on inappropriate data practices have been issued this year, but the Commissioner notes that there is resistance from companies who feel they go too far.
The report also describes a reorganization of the Commissioner’s office, which has been streamlined into two tracks, promotion and compliance. The goal is to focus on preventing privacy harms through proactive interactions with data collectors rather than wait for complaints to come in after people have been harmed. This formalizes the Commissioner’s early announcement that he wished to take a more active approach to protecting people’s because data collection practices are increasingly difficult for consumers to see or understand — which means that people may not be making complaints because they don’t know what’s happening, not because there is no problem.
CCLA shares the Commissioner’s concern. Canadians cannot afford to wait several years until known deficiencies in privacy laws are fixed. Technology is evolving rapidly, and as he notes, “many new technologies disrupt not only business models but also social and legal norms. Legal protections must improve apace if consumer trust is to reach the level everyone desires.”
We also have been calling for privacy law reforms for a long time and we share the Commissioner’s conviction that the time to modernize the laws that protect our privacy rights. There has been extensive consultation. Many deficiencies are well known. And as Commissioner Daniel Therrien says, “To be clear, it is not enough to ask companies to live up to their responsibilities. Canadians need stronger privacy laws that will protect them when organizations fail to do so.”