Canada’s new privacy commissioner has vowed to maintain his predecessor’s strong push for tougher private-sector privacy laws.
The federal government has hinted that it will soon re-introduce legislation updating how private-sector companies are required to protect their customers’ privacy. A previous version of the bill died in the last Parliament and had been heavily criticized by former privacy commissioner Daniel Therrien.
As one of his last acts, Mr. Therrien earlier this month released a report on a joint investigation that found the Tim Hortons customer rewards mobile app was tracking users’ location data hundreds of times a day. The commissioner said the case illustrated the “urgent need” for stronger privacy laws.
Use of facial-recognition technology by law enforcement must be limited, say privacy watchdogs
Prime Minister Justin Trudeau last week announced the nomination of legal expert Philippe Dufresne to replace Mr. Therrien, whose seven-year term had already been extended by one year. Mr. Dufresne appeared on Monday before the standing committee on access to information, privacy and ethics, where his nomination was endorsed unanimously after he answered questions for about an hour.
Mr. Dufresne indicated several times that he shared Mr. Therrien’s concerns about the government’s original bill, the Consumer Privacy Protection Act, which was known as C-11, and expressed hope that a replacement would take the feedback from the commissioner’s office and others into account.
He said effective privacy legislation can be a win for consumers and business.
“Privacy rights that are strong, and that are well known, and that are practical, are going to generate trust in Canadians to be participating in the digital economy, which is going to be good for industry,” he said.
Mr. Dufresne has been Law Clerk and Parliamentary Counsel of the House of Commons since 2015. Prior to that, he was senior general counsel with the Canadian Human Rights Commission.
“This is a very important time for privacy and this was one of the many reasons why I was interested in being commissioner,” he said. “There needs to be a modernization of the two fundamental privacy laws, the Privacy Act and PIPEDA.”
While the Privacy Act relates to citizen interactions with the federal government, C-11 had sought to update the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers how private-sector companies collect and protect client information.
That law is now more than two decades old, and is widely criticized as poorly equipped to deal with the volume, precision or range of data harvesting that has come to underpin whole segments of the modern economy. Major jurisdictions including the European Union and California have overhauled their privacy laws in recent years, pushing back against unchecked data collection and threatening significant fines against bad actors.
Federal Innovation Minister François-Philippe Champagne hinted as recently as last week that he is working on a “very quick” timeline to bring in new private-sector privacy legislation.
The Liberals have promised several times during their three terms to reform PIPEDA. But they dragged their feet as controversies arose globally and nationally over data misuse.
Former innovation minister Navdeep Bains tried to take a principles-based approach to overhauling the policy, rather than a prescriptive one, first unveiling a digital charter of rights for Canadians that lacked many specifics. Meanwhile, privacy advocates began warning that the outdated privacy law didn’t just threaten individual rights, but Canada’s trade relationships because digital information flows are regulated more heavily elsewhere.
Ottawa announced the new bill in November, 2020, but it died in Parliament after Mr. Bains left his cabinet post and the Liberals turned their attention to the 2021 election.
Earlier in June, Canada’s chief electoral officer, Stéphane Perrault, questioned the fact that political parties continue to be exempt from federal privacy laws. He said in a report that parties should follow the same principles that govern private-sector organizations, including requirements to declare the purposes for which data are collected before collection begins and to seek consent for the collection, use or sharing of personal information.
For subscribers only: Get exclusive political news and analysis by signing up for the Politics Briefing.
Bill Curry
Josh O’Kane