Canada’s top privacy watchdog cautioned that telemedicine and e-learning platforms that saw massive uptake during the pandemic could pose significant risks to sensitive information as he repeated on Thursday long-time warnings that the country’s laws are out of step with the digital economy.
The Privacy Commissioner of Canada tabled his annual report in Parliament, signalling that the country faces an economic threat from trading partners if it does not align privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) with jurisdictions such as the European Union and California. Both locations establish strong digital privacy and data-collection rights and have significant monetary penalties for companies that don’t comply with regulatory consumer protections.
Commissioner Daniel Therrien, appointed in 2014, has pushed the federal government for years to update federal privacy legislation, prompting discussion among lawmakers but little change except for promises to review laws and the development of a “digital charter” last year to clarify Canadians' rights online. As a result, Mr. Therrien has argued that Canada’s privacy laws are stuck in the year 2000 – when PIPEDA was introduced, well before Big Tech giants such as Facebook Inc. and Alphabet Inc.'s Google led the building of a digital economy centred on collecting and building patterns out of consumer data.
Asked whether he thought he would ever get traction in modernizing federal law, Mr. Therrien said that he hoped provinces would force Ottawa’s hand: Quebec is considering European-style legislation, and he hopes other provinces do the same as well.
“I don’t think it would be a tenable situation if Ontario, Quebec, B.C. and a few others had strong privacy legislation but federal legislation was not similarly amended,” he said. “Something would have to give.”
He also warned that the EU’s review of trading partners' privacy legislation could put Canada in the crosshairs soon. Its European General Data Protection Regulation, or GDPR, is one of the world’s strongest consumer-focused regulations, and the European Commission regularly reviews trading partners' privacy legislation to ensure safe, compatible data transmission from member countries.
“Our understanding is that the European Commission will make a decision about the adequacy of Canada’s laws in the not-too-distant future,” Mr. Therrien said.
Much of the report warned of the consequences of fast-growing digital technologies during the COVID-19 pandemic. Although his office signed off on the Ottawa-approved COVID Alert app after it complied with the Commissioner’s privacy principles, the report warned that “there is still a possibility that third parties may seek to compel app users to disclose information as to their use of the app, including any exposure notifications.”
Similarly, Mr. Therrien warned that the lack of a legal framework around contemporary data collection practices posed a risk to Canadians adjusting to new work and school technologies in the pandemic. The fast rise of telemedicine, he said, could pose a risk to doctor-patient confidentiality. And e-learning platforms, he said, have the potential to collect sensitive data about learning disabilities or other behavioural issues. He did not name any specific companies or platforms.
“Do you want your conversations with doctors available to companies and used in a profile that will affect your future life? Obviously, the answer is no,” the Commissioner said in a news conference Thursday. “Do you want the information of our children to be collected by companies for purposes that have nothing to do with education? … Again, the answer is no.”
A spokesperson for federal Innovation Minister Navdeep Bains, who promised a review of privacy laws last year, said in an e-mail that Ottawa is in the midst of strengthening privacy laws to “ensure respect for the privacy of Canadians, support responsible innovation and enhance reasonable enforcement powers.” The spokesperson, John Power, added that “we value the important work done by the Privacy Commissioner and look forward to continue working with him and his office as we review the findings of his report.”
The Commissioner’s annual report also discussed a confidential leak to media outlets, including The Globe and Mail, in 2019 about a disagreement between Prime Minister Justin Trudeau and former justice minister Jody Wilson-Raybould about the appointment of a new judge to the Supreme Court of Canada. Chief Justice Glenn Joyal of the Manitoba Court of Queen’s Bench, the subject of the leak, eventually withdrew his candidacy for personal reasons.
After a complaint from an unnamed Member of Parliament about the leak, Mr. Therrien’s office investigated and found that the federal institutions that fall under its jurisdiction did not violate the Privacy Act. Despite this, Mr. Therrien wrote it was “clear” that Chief Justice Joyal had his privacy violated by the disclosure of this information. The commissioner wrote that this is “yet another example of the need for legislative reform.”
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.
Josh O’Kane