Canada’s privacy watchdog has decried the federal government’s lack of progress on updating its privacy laws to cope with the risks of the digital age.
“The time of self-regulation is over,” federal Privacy Commissioner Daniel Therrien wrote in his annual report to Parliament on Thursday, which criticized the government for dragging its feet in response to recommendations from both his own office and from the standing committee on access to information, privacy and ethics, to modernize Canada’s digital privacy law, PIPEDA (the Personal Information Protection and Electronic Documents Act).
Mr. Therrien said that recent events have highlighted the risks of the digital age – events including the Equifax data breach, and the Facebook scandal involving political research company Cambridge Analytica that in 2014 used the social-media site to collect millions of people’s personal information without their consent.
“These issues also underscore deficiencies in Canada’s privacy laws that I and my predecessors have tried to draw attention to for years,” Mr. Therrien wrote. “Canadians need stronger privacy laws that will protect them when organizations fail to do so.”
In concluding its review of PIPEDA earlier this year, the standing committee recommended stricter rules for companies to ensure consent to use personal data and to allow for that consent to be revoked, among other measures. It also agreed with the Office of the Privacy Commissioner that it should have additional enforcement powers, such as the right to launch more of its own investigations – rather than investigating issues largely based on complaints it receives – and to hand out fines.
Thursday’s report characterized the government’s response as “slow to non-existent,” and noted that the committee’s recommendations to amend PIPEDA were met with a commitment to further study and consultations, which the report said could take several years.
“The risk is that the privacy and other rights of Canadians, including their democratic rights, will not be respected, because the legal framework is not sufficiently robust to ensure these rights are respected,” Mr. Therrien said in a news conference on Thursday after the release of the report.
Canada is lagging behind the progress made in other countries and regions, the report stated, most notably the European Union, where sweeping new privacy regulations came into force in May.
Europe’s General Data Protection Regulation (GDPR) includes stricter rules for gaining consent to use people’s information, and the right for people to revoke that consent; the “right to be forgotten” which lets people ask for information about them to be erased; and requirements for companies to notify people affected by data breaches. The GDPR has caused companies to revise their privacy policies, because it imposes very heavy fines for those that don’t comply.
The Commissioner’s report requested a “substantial” increase to the OPC’s approximately $24-million annual budget in order to keep up with changes in technology, and with new legal obligations coming into effect in November for organizations to notify affected individuals and the OPC when a data breach occurs. And it emphasized the Commissioner’s repeated requests for greater powers of enforcement.
Mr. Therrien told reporters that an additional $12-million per year would help the OPC make progress in a number of important areas.
The report also announced a plan to file a reference with the Federal Court to ask for a determination on whether PIPEDA can be interpreted to give individuals the right to ask search engines not to show websites in search results that include incorrect information about those individuals. Known as “de-indexing,” this would give people some say in what shows up when others Google their name.
The Commissioner said he believes PIPEDA allows for this because it includes provisions that require companies to use accurate information, and that allow individuals to challenge the accuracy of information. Such an interpretation could pave the way for Canadians to ask individual websites to remove inaccurate or outdated information about them.
The plan to ask the Federal Court to step in comes as a result of complaints from individuals to the OPC about Google search results. The Office is seeking clarity from the court before acting on those complaints. It has also called on the government to update the law to allow people to protect their reputations online.
However, the OPC has heard from companies, including search engines and news outlets, who question how to balance “the right to be forgotten” with other fundamental rights such as the freedom of expression.
“If that were the rule, we would become the arbiters of truth on these pages. We are a search engine. We are not in a position to say whether that page is true or not true,” Peter Fleischer, Google’s global privacy counsel, said in an interview. He added that such an interpretation of the law would also need to clarify what is meant by “out of date” information – and whether it could be used to expunge information such as accurate news reports that a person finds embarrassing after a certain number of years.
“It’s the private company that will essentially have to act like a judge, and balance the person’s interest in privacy against the public’s continuing interest to access that information,” Mr. Fleischer said.
The Commissioner’s report also stated that the use of personal information by political parties should be covered under privacy legislation.
Stéphane Perreault, Canada’s Chief Electoral Officer, also called for political parties to be covered by privacy legislation during an appearance before a committee studying Bill C-76, the Elections Modernization Act, earlier this week.
Treasury Board president Scott Brison told reporters on Thursday that the federal government will be announcing an action plan on privacy in the coming weeks.
“We take very seriously the important responsibility we have to protect the privacy of Canadians and we recognize that times have changed that require new approaches,” he said.
The federal government’s policies in relation to privacy are shared across three ministers, including Mr. Brison, Innovation Minister Navdeep Bains and Democratic Institutions Minister Karina Gould.
The Interactive Advertising Bureau of Canada disagrees with the OPC’s request for stricter laws, saying instead that its members would encourage amendments to the law to broaden the ability of organizations to collect and use personal information without people’s consent “when there are legitimate business interests.” The industry group also stated that it did not see a need to increase the OPC’s enforcement powers, and that its members would like to see a right added to the law to allow organizations to challenge matters related to the OPC’s enforcement of its current powers in federal court.
“IAB Canada and its members feel that PIPEDA remains the international gold standard in privacy legislation as it provides a balanced, common sense approach to protecting privacy while remaining flexible enough to enable innovation,” said IAB Canada president Sonia Carreno.