The 2018-2019 Annual Report to Parliament of the Office of the Privacy Commissioner is interesting reading, and it shows that the OPC has been doing some deep thinking about the nature of privacy and has been looking around the world at the philosophies of privacy in other jurisdictions.
The report focuses on two main themes:
1. Enhancing the power of the federal Privacy Commissioner to include:
- the right to prescribe “binding rules” and “binding guidance” for the purpose of enforcing privacy rights and principles
- the right to initiate proactive investigations/audits so that “demonstrable accountability” can be shown to exist. This seems to imply spot checks of businesses – something like the privacy equivalent of a R.I.D.E. program or a suitcase check at the airport – to ensure compliance even in the absence of a complaint
- the right to enforce remedies that are “quick and effective”
2. Amending PIPEDA to make it clear that privacy is a “fundamental human right” and that PIPEDA is not just a bunch of principles, or even rules, about data protection, but rather (in effect) an intrinsic adjunct to Canada’s constitution.
In other words, privacy is not merely about consent, access and transparency, but about respect for human rights.
Because of the quasi-constitutional implications of the amendments that the OPC would like to see, a number of collateral changes could occur:
- the right to be free of “unjustified surveillance” by businesses
- the concept that the use of technology that is incompatible with rights-based privacy laws is illegal
- the embedding in our laws of the “right to be forgotten” that is found in the European General Data Protection Regulation (GDPR)
It seems that the Privacy Commissioner is tired of PIPEDA and wants to throw out the bathwater while keeping a close eye on the baby. What I believe is being proposed is a whole new federal privacy regime that will see:
- new private sector privacy legislation that is drafted with both rights and obligations, as in most statutes
- elimination of the “principles-based” look and feel of PIPEDA, which reads like an industry code of conduct rather than as a statute
- enshrining the Office of the Privacy Commissioner in the role of a real regulator with the obligation to enforce the law, provide quick and effective remedies for breaches and police ongoing compliance by businesses
Personally, I like it. It’s been hard for me as a lawyer, over the years, to throw the chicken bones into the air and somehow divine how to provide commercial clients with demonstrably reliable advice. Privacy and data security consultants have experienced much the same quandary. Privacy principles are great, but lawyers and privacy consultants should not have to be mind readers. PIPEDA was good at the time it came in, but it’s time now for Canada to take its rightful place as a country in which privacy isn’t just a good idea, but rather a right that individuals can expect to exercise and in which businesses know exactly what they have to do to respect privacy rights.