Privacy commissioner warns of crisis in Canadian data protection laws
Federal privacy commissioner Daniel Therrien warned of a “crisis of trust” in Canada caused by inadequate regulations to protect Canadians’ personal information online.
Therrien’s annual report to Parliament was the most blistering version to date of a message he’s been delivering for years, calling on the government to reform legislation and enact stiffer penalties for companies that abuse the privacy of Canadians.
“Canada’s laws have unfortunately fallen significantly behind those of trading partners in terms of the enforcement of privacy laws,” Therrien wrote.
“At the same time, most Canadians believe their privacy rights are not respected by organizations. This is a damning condemnation, and, in my view, an untenable situation in a country governed by the rule of law.”
While there is general consensus in Ottawa that something needs to be done about the country’s privacy laws, just what to do and whether those laws can be enacted in 2020 remains up in the air.
Therrien argues that to adequately regulate technology companies, his office needs the ability to levy fines and to make legally binding orders requiring companies to change their practices.
“Privacy is so much more than consenting or not to terms and conditions dictated by companies,” Therrien told reporters at a news conference in Ottawa. “It is a human right, and it must be explicitly recognized as such in privacy laws.”
The report pointed to investigations around the Facebook Cambridge Analytica scandal, which resulted in minimal action despite the fact that Therrien’s office determined that several companies broke Canadian law.
“The fact that Facebook said it would not implement recommendations to address those issues leaves a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms,” Therrien wrote. “This is extremely worrisome given the vast amount of sensitive information people have entrusted to Facebook.”
In response to Therrien’s report, both Conservative MP Michelle Rempel Garner and New Democrat Charlie Angus called for action from the governing Liberals.
“Today’s Privacy Commissioner’s report underscored the Liberal government’s lack of action to protect the value of data and the privacy of Canadians,” Rempel Garner said. “In his press conference, he (Therrien) stated that nearly every Canadian’s data has been the subject of a privacy breach at some point.”
Angus accused the Liberals of being too cozy with big tech.
“I’d say the government needs to explain why they’re continuing to protect Facebook and the digital giants,” he said.
I’d say the government needs to explain why they’re continuing to protect Facebook and the digital giants
Charlie Angus, NDP MP
At this point, even tech companies are generally calling for more regulation, with the caveat that any new rules need to be carefully crafted in a way to avoid stifling innovation.
“It can’t simply be the privacy commissioner as judge, jury and executioner without due process,” said Andre Leduc, vice-president of policy at industry group ITAC.
“Industry has some concerns with the concept of the privacy commissioner having broad order-making powers, because there has to be an element of due process included.”
Earlier this year the federal government published a Digital Charter, laying out 10 principles that will guide policy on data and privacy issues. The Digital Charter calls for tougher penalties for companies that violate the rules, and gives some additional powers to the privacy commissioner’s office.
Innovation Science and Industry Minister Navdeep Bains was not available for an interview in response to the privacy commissioner’s report, but in an email, Dani Keenan, a spokeswoman, highlighted the Digital Charter as the government’s key policy document.
“Our government takes the protection of Canadians’ personal information very seriously. Trust is the foundation on which our digital and data-driven economy is built,” Keenan wrote in an email.
But in his report, Therrien argued that the Digital Charter’s approach is too limiting, by requiring the privacy commissioner to get approval from the Attorney General to take action.
“At the moment, as we saw in our Facebook investigation, an organization that we have found in contravention of the law can simply ignore our recommendations and ‘wait it out’ until the courts have come to the same conclusion as my office,” Therrien wrote.
“In the government’s proposal under the Digital Charter, a further step would be added, in the form of a review by the Attorney General.”