Canadian Privacy Commissioner Daniel Therrien renewed his call for an overhaul of Canada’s private-sector privacy legislation this week. Responding to a national data consultation launched by Innovation, Science and Economic Development Minister Navdeep Bains, Mr. Therrien recommended enacting a new law that would include stronger enforcement powers, meaningful consent standards and the extension of privacy regulations to political parties. While the need for a modernized privacy statute has been evident for some time, Canada’s privacy shortcomings are not limited to a decades-old legal framework struggling to keep pace with technological change.
Mr. Therrien has been increasingly focused on legislative reform, but too often his office fails to fully utilize the existing powers found in the law. For example, the Privacy Commissioner does not have order-making power, but does have the right to ask the federal court to issue binding orders. The extra step may be time-consuming and inconvenient, but effective enforcement frequently depends upon going beyond issuing non-binding findings.
Mr. Therrien is not unique in shying away from confrontational enforcement. Previous commissioners were reluctant to name names in investigations and the office was only willing to investigate foreign companies after the federal court ruled that it could do so. Yet despite mounting public concern about privacy, complaints under the law have steadily declined during his tenure. There were 426 accepted complaints (complaints that proceed to the investigation stage) in Mr. Therrien’s first annual report in 2013 under the Personal Information Protection and Electronic Documents Act. That has dropped every year since: 402 for 2014, 381 for 2015, 325 for 2016 and only 297 in the latest report for 2017.
A consistent decline in the number of complaints could mean that the public is satisfied with the protection of their privacy and has fewer issues to complain about. Polling data suggest otherwise, however, making it just as likely the public is either unaware of the law or left with the impression that the complaint system is ineffective.
Frustration with privacy enforcement is typified by a case involving Jet Airlines discussed in Mr. Therrien’s most recent annual report. The airline removed two passengers with physical disabilities after a disagreement with a member of the flight crew over the handling of service animals. The passengers used Canadian privacy law to request access to their personal information held by the airline, including details about the incident. Jet Airlines refused to disclose the information, initially advising the Privacy Commissioner that it treats all incidents as potential sources of litigation and therefore refuses to comply with any related access requests on the grounds that it could be subject to litigation privilege in the future.
Mr. Therrien rightly concluded that this interpretation of the law was far too broad and that the airline was in violation of the law. Rather than seeking to enforce the law through the federal courts, however, the office merely “encouraged” Jet Airlines to disclose the documents. While the Privacy Commissioner might argue that it would be easier if the law included order-making power that the office could use to compel disclosure, a blatant refusal to comply with the law cries out for a trip to the federal court. The unwillingness to pursue a court order is a failure of enforcement, not a shortcoming in the statute.
In fact, Mr. Therrien has already put the public on notice that he does not believe his office can effectively enforce the mandatory data-breach disclosure rules that took effect last month. He warns in his annual report that “with no funding for this activity and an already full plate, it will not be possible for us to devote the time necessary to properly review breaches and investigate.”
The situation seems little better with enforcement of the Privacy Act, which governs public-sector privacy issues. The privacy commissioner’s office is visible on legislative reform proposals with frequent appearances before parliamentary committees, but seems reactive rather than proactive on key issues. For example, the office was notified months before the media reports on the recent proposal involving Statistics Canada and the collection of banking records, but only responded with an investigation once public outrage emerged.
Mr. Therrien unquestionably faces an enormous challenge. The days of a Canadian privacy commissioner staring down Facebook (as the office did in 2009) seem like a bygone era. Meanwhile, large Canadian companies such as Bell still adamantly refuse to issue transparency reports detailing their disclosures of personal information to law enforcement and pursuant to court orders years after the office negotiated a standardized approach with government and the private sector.
Meeting the privacy needs of Canadians requires a privacy commissioner willing to stand up to the government and corporate giants, ready to back up his or her demands by deploying every enforcement tool at his or her disposal. A modernized privacy law is necessary, but it is not sufficient.