On December 10, 2019, Commissioner Therrien presented his office’s 2019 annual report to Parliament, which was later followed by a press release highlighting key aspects of and views expressed in this latest report.
Unsurprisingly, the need for privacy law reform was featured as a central theme, citing Europe, Brazil and Asian countries as having already reformed their laws and a clear signal that Canada should not lag behind in this regard. What was perhaps more interesting is the way in which the underlying rationale for privacy reform was presented. Rather than focusing on the balance between a data-driven economy and the consumer’s trust that the players in that economy will not misuse their data, the Commissioner highlighted human rights as the primary basis for the need to reform the law. Where Minister Bains has characterized the need for reform first and foremost as something that is necessary to protect online personal information but also to stay competitive in the digital economy,[i] Commissioner Therrien opens the conversation about this dichotomy by stating:
”For good and bad, data-driven technologies are a disruptive force. They open the door for innovation and economic growth, but they have been shown to be harmful to rights, including privacy, equality and democracy.”
New privacy laws should, therefore, have as their central purpose the protection of human and democratic rights (to privacy). That is not to say the Commissioner did not recognize the importance of the information economy and the role of consumer trust in it, but the most salient of statements related to privacy as a human right. The Commissioner’s statements also clearly advocate for stronger powers of enforcement, including the ability to impose significant fines, as unequivocally necessary to give meaning to those rights. The Commissioner highlights the Facebook case as an example of where limited enforcement powers appear to have a direct correlation with lack of industry compliance:
“The Office’s investigation of Facebook in relation to the Cambridge Analytica scandal ended with the social media giant’s deeply disappointing decision not to implement recommendations aimed at correcting serious privacy deficiencies. As discussed earlier in this report, the case highlights the urgent need for legislative reform.”
Another significant statement related to how “consent” should perhaps no longer be the central guiding principle of Canadian privacy law to ensure an individual’s right to privacy is preserved. Instead, it should be in the first instance the role of regulators and the government to ensure the appropriate balance is being struck between individuals and businesses or government organizations, as the case may be. The onus should not only be on the individual. This approach to privacy protection is already part of the EU General Data Protection Regulation (“GDPR”) regime. “Legitimate interests” of an organization is one of the six lawful bases (along with consent, performance of a contract, among others) to allow for a certain personal data processing activity. If applied correctly, it can be used as an alternative to “consent” by the individual, but must always be balanced against an individual’s rights that may be impacted by the processing. The organization must also be able to demonstrate the legitimacy of the processing and that this analysis was conducted.
Other Report Highlights
- Data breach reporting – This should become mandatory for the Public Sector under the Privacy Act (breach reports by the public sector actually decreased from 2018).
- Data breach reporting under PIPEDA – as reported previously, OPC will be auditing businesses for compliance with requirements, including the data breach register.
- Search engine’s accountability – OPC will await the decision in Google Reference (T-1779-18) before finalizing its Position Paper on Online Reputation.
- International cooperation – OPC highlights the importance of coordinated investigations within Canada and abroad.
- Significant investigations (Equifax and Facebook) – the Commissioner again highlighted security standards at Equifax and Facebook’s refusal to implement the Privacy Commissioner’s findings.
- Advice for Federal Institutions – there should be a requirement for government institutions to demonstrate the necessity for collecting personal information before doing so.