Teresa Scassa - Blog

 

It’s been a busy privacy week in Canada. On November 16, 2020 Canada’s Department of Justice released its discussion paper as part of a public consultation on reform of the Privacy Act. On November 17, the Minister of Industry released the long-awaited bill to reform Canada’s private sector data protection legislation. I will be writing about both developments over the next while. But in this initial post, I would like to focus on one overarching and obvious omission in both the Bill and the discussion paper: the failure to address privacy as a human right.

Privacy is a human right. It is declared as such in international instruments to which Canada is a signatory, such as the Universal Declaration of Human Rights and the International Convention on Civil and Political Rights. Data protection is only one aspect of the human right to privacy, but it is an increasingly important one. The modernized Convention 108 (Convention 108+), a data protection originating with the Council of Europe but open to any country, puts human rights front and centre. Europe’s General Data Protection Regulation also directly acknowledges the human right to privacy, and links privacy to other human rights. Canada’s Privacy Commissioner has called for Parliament to adopt a human rights-based approach to data protection, both in the public and private sectors.

In spite of all this, the discussion paper on reform of the Privacy Act is notably silent with respect to the human right to privacy. In fact, it reads a bit like the script for a relationship in which one party dances around commitment, but just can’t get out the words “I love you”. (Or, in this case “Privacy is a human right”). The title of the document is a masterpiece of emotional distancing. It begins with the words: “Respect, Accountability, Adaptability”. Ouch. The “Respect” is the first of three pillars for reform of the Act, and represents “Respect for individuals based on well established rights and obligations for the protection of personal information that are fit for the digital age.” Let’s measure that against the purpose statement from Convention 108+: “The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” Or, from article 1 of the GDPR: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” The difference is both substantial and significant.

The discussion paper almost blurts it out… but again stops short in its opening paragraph, which refers to the Privacy Act as “Canada’s quasi-constitutional legal framework for the collection, use, disclosure, retention and protection of personal information held by federal public bodies.” This is the romantic equivalent of “I really, really, like spending time with you at various events, outings and even contexts of a more private nature.”

The PIPEDA reform bill which dropped in our laps on November 17 does mention the “right to privacy”, but the reference is in the barest terms. Note that Convention 108+ and the GDPR identify the human right to privacy as being intimately linked to other human rights and freedoms (which it is). Section 5 of the Bill C-11 (the Consumer Privacy Protection Act) talks about the need to establish “rules to govern the protection of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.” It is pretty much what was already in PIPEDA, and it falls far short of the statements quoted from Convention 108+ and the GDPR. In the PIPEDA context, the argument has been that “human rights” are not within exclusive federal jurisdiction, so talking about human rights in PIPEDA just makes the issue of its constitutionality more fraught. Whether this argument holds water or not (it doesn’t), the same excuse does not exist for the federal Privacy Act.

The Cambridge Analytica scandal (in which personal data was used to subvert democracy), concerns over uses of data that will perpetuate discrimination and oppression, and complex concerns over how data is collected and used in contexts such as smart cities all demonstrate that data protection is more than just about a person’s right to a narrow view of privacy. Privacy is a human right that is closely linked to the enjoyment of other human rights and freedoms. Recognizing privacy as a human right does not mean that data protection will not not require some balancing. However, it does mean that in a data driven economy and society we keep fundamental human values strongly in focus. We’re not going to get data protection right if we cannot admit these connections and clearly state that data protection is about the protection of fundamental human rights and freedoms.

There. Is that so hard?

Published in Privacy

Technology has enabled the collection and sharing of personal information on a massive scale, and governments have been almost as quick as the private sector to hoover up as much of it as they can. They have also been as fallible as the private sector – Canada’s federal government, for example, has a substantial number of data breaches in the last few years.

What has not kept pace with technology has been the legislation in place to protect privacy. Canada’s federal Privacy Act, arguably a ground-breaking piece of legislation when it was first enacted in 1983, has remained relatively untouched throughout decades of dramatic technological change. Despite repeated calls for its reform, the federal government has been largely unwilling to update this statute that places limits on its collection, use and disclosure of personal information. This may be changing with the new government’s apparent openness to tackling the reform of both this statute and the equally antiquated Access to Information Act. This is good news for Canadians, as each of these statutes has an important role to play in holding a transparent government accountable for its activities.

On March 10, 2016 Federal Privacy Commissioner Daniel Therrien appeared before the Standing Committee on Access to Information, Privacy and Ethics, which is considering Privacy Act reform. The Commissioner’s statement identified some key gaps in the statute and set out his wish list of reforms.

As the Commissioner pointed out, technological changes have made it easier for government agencies and departments to share personal information – and they do so on what he describes as a “massive” scale. The Privacy Act currently has little to offer to address these practices. Commissioner Therrien is seeking amendments that would require information sharing within the government to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with legal obligations to protect privacy, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another.

The Commissioner is also recommending that government institutions be explicitly required under the law to safeguard the personal information in their custody, and to report data breaches to the Office of the Privacy Commissioner. It may come as a surprise to many Canadians that such a requirement is not already in the statute – its absence is a marker of how outdated the law has become. Since 2014, the Treasury Board of Canada, in its Directive on Privacy Practices has imposed mandatory breach reporting for all federal government institutions, but this is not a legislated requirement, nor is there recourse to the courts for non-compliance.

The Commissioner is also seeking more tools in his enforcement toolbox. Under the Privacy Act as it currently stands, the Commissioner may make recommendations to government institutions regarding their handling of personal information. These recommendations may then be ignored. While he notes that “in the vast majority of cases, government departments do eventually agree to implement our recommendations”, it is clear that this can be a long, drawn out process with mixed results. Currently, the only matters that can be taken to court for enforcement are denials by institutions to provide individuals with access to their personal information. The Commissioner is not seeking the power to directly compel institutions to comply with its recommendations; rather, he recommends that an institution that receives recommendations from the Office of the Privacy Commissioner have two choices. They may implement the recommendations or they may go to court for a declaration that they do not need to comply. On this model, relatively prompt compliance would presumably become the default.

The Commissioner is also seeking an amendment that would require government institutions to conduct privacy impact assessments before the launch of a new program or where existing programs are substantially modified. Again, you would think this would be standard practice by now. It does happen, but the Commissioner diplomatically describes current PIAs as being “sometimes uneven” in both their quality and timeliness. The Commissioner would also like to see a legislated requirement that government bills that will have an impact on privacy be sent to the OPC for review before being tabled in Parliament.

The Commissioner seeks additional amendments to improve transparency in relation to the government’s handling of personal information. Currently, the Commissioner files an annual report to Parliament. He may also issue special reports. The Commissioner recommends that he be empowered under the legislation “to report proactively on the practices of government”. He also recommends extending the Privacy Act to all government institutions. Some are currently excluded, including the Prime Minister’s Office and the offices of Ministers. He also recommends allowing all individuals whose personal information is in the hands of a federal government institution to have a right of access to that information (subject, of course, to the usual exceptions). Currently on Canadian citizens and those present in Canada have access rights.

This suite of recommendations is so reasonable that most Canadians would be forgiven for assuming these measures were already in place. Given the new government’s pre- and post-election commitments to greater transparency and accountability, there may be reason to hope we will finally see the long-overdue reform of the Privacy Act.

 

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law