Andrew Clement is a professor emeritus in the faculty of information at the University of Toronto.
In poll after poll over the past three decades, solid majorities of Canadians have expressed concerns about their data privacy rights. These polls are not easily dismissed as just another survey of people’s consumer preferences. As our federal government notes, “Privacy has long been considered a fundamental right in Canada,” a right the Supreme Court of Canada has upheld based on the Charter of Rights and Freedoms.
But who should pay for protecting everyone’s right to privacy and what is a reasonable cost? The federal Office of the Privacy Commissioner has long been hobbled by a woeful lack of funding.
A simple solution: Canada should build a robust funding model into its privacy legislation akin to the “polluter pays” principle, in which some oil and gas regulators are funded by the industry. Companies, those who monetize personal information for commercial gain, should cover the costs for strong privacy protection, and it wouldn’t cost them much.
Making money from personal information is proving to be enormously profitable, especially through targeted advertising. In Canada, Google receives around $1 for each click on one of its ads. Facebook’s average annual revenue per user in the United States and Canada has been estimated at $66.
Based on the example of these youthful tech giants, even traditional companies not associated with the data industry have been getting into the game, often with little respect for privacy. Consider Canada’s “most trusted brand” Tim Hortons, which launched a smartphone app designed for “continual collection of vast amounts of location information” from its customers. When the Office of the Privacy Commissioner recently slapped its wrist for this illegal behaviour, Tim Hortons offered those whose rights it violated a free “hot beverage and a baked good,” estimated at $9.
In stark contrast to booming data businesses is the privacy commissioner’s office, Canadians’ foremost public institution mandated to protect their right to privacy. The federal government provides it with under 50 cents per capita annually for enforcing Canada’s privacy law covering commercial handling of personal information, the Personal Information Protection and Electronic Documents Act. Particularly disappointing is that this figure has not budged significantly over the past decade, even as the personal data industry has burgeoned and complaints involving the act have doubled.
The effect of this serious underfunding is that the office has struggled to meet even its core responsibilities. Responding to complaints has so stretched its resources that backlogs grew to require temporary supplementary funding, and severely stunted other vital areas of the its mandate.
The protection legislation empowers the privacy commissioner to initiate audits of commercial data practices where it has “reasonable grounds to believe” that the law is being violated. There is no shortage of areas where the reasonable grounds threshold is met – for example, camera surveillance in public places and inscrutable data supply chains, combined with algorithmic practices that fuel the advertising technology business. However, the commissioner’s office has conducted only two audits since the act came into force more than 20 years ago, and not once since 2011.
Also contributing to the office’s weaknesses as an effective regulator and advocate is that the legislation prevents it from fining violators or issuing binding orders to correct illegal behaviour. The good news is the long overdue modernization of the act before Parliament.
The Digital Charter Implementation Act, Bill C-27, promises to rectify these two major shortcomings. However, exercising these prospective powers will add significantly to the resource demands on the office. This could become a serious limiting factor if the privacy commissioner is to become more pro-active – most importantly in holding to account the personal data industry giants and others adopting a surveillance-based business model. To effectively pursue the kind of deep investigations and protracted court battles needed to redress the yawning imbalance between large enterprises and citizens will incur significant new costs.
In anticipation of the new legislation, the federal government in 2019 permanently increased the Office of the Privacy Commissioner’s budget, but only by 15 per cent, barely denting the shortfall accumulated over the past decade. Unless the office is assured of funding well above what is on offer so far, the tools given to it will be too heavy to wield well. Perversely the promised privacy reform would ring hollow. Privacy rights will continue to erode, the office’s reputation will suffer and Canadians will become further disenchanted with the institutions created to protect them.
This is why we need a funding model akin to the “polluter pays” principle, so that the larger the customer base, the more privacy protection services the office provides.
Britain’s data protection law, which authorizes an annual registration fee paid by every business that handles personal information, offers a valuable precedent. This has enabled Britain’s Information Commissioner’s Office to become one of the world’s best-funded and most vigorous data protection authorities.
Bill C-27 could similarly insist that every commercial organization that collects, uses or transfers personal information of Canadians contribute a modest per capita fee to support the Office of the Privacy Commissioner’s mandate. Given the many thousands of such organizations, some of which handle the information of millions of Canadians, a fee of 2 cents for everyone whose data they monetize could easily double the annual funding for the office’s private-sector privacy protection operations. To protect our fundamental privacy rights, would this be too much to ask?