Federal Privacy Law – Is It About to Change: Part Deux?

In my last blog, published on December 19, I speculated about whether privacy law is about to change and promised to write more about it. My speculation was sparked by the 2018-2019 Annual Report to Parliament made by the Office of the Privacy Commissioner.

Well worth studying, by the way. It’s well-written and pulls no punches.

I mentioned that the themes of the report include substantially enhancing the power of the federal Privacy Commissioner and amending PIPEDA to make it clear that privacy is a “fundamental human right” that ought to be regarded as part of Canada’s constitution.

Here’s a bit more about this excellent report:

In his introductory remarks – something like a covering letter for the report itself – Federal Privacy Commissioner Daniel Therrien made quite a few interesting statements:

• it is an important role of government to ensure that individuals are not left alone when interacting with businesses
• privacy must not been seen simply through the lens of website terms and conditions
• technical rules to protect personal data, such as consent, access and transparency, while important, do not define the right to privacy; that is the job of legislation
• legislation should define privacy as including freedom from unjustified surveillance
• legislation should recognize and protect the freedom to live independently while still participating voluntarily and safely in digital society
• rights-based laws do NOT impede innovation or the delivery of government services in this digital age; instead, rights-based laws will promote trust in government and commerce
• business will find ways to offer products and services while respecting new laws based on rights and values

Pretty interesting stuff.

Mr. Therrien also made a few points – some of them potentially very controversial – that I believe are almost certain to inform significant changes in privacy laws:

1. The law must endure over time despite changes in technology. This is possible if privacy law is based on underlying values and fundamental rights that “define privacy in its fullest sense.”

2. The law must “truly and firmly put an end to self-regulation” so that a public regulator can prescribe binding rules to promote certainty of rights and obligations. Industry codes and ethical rules simply cannot do the job of legislation.

3. The accountability principle in PIPEDA is important, but is too often ineffective. The accountability principle cannot protect citizens from practices of companies that claim to be accountable but that, in truth, are not. What is needed for rights-based legislation, he writes, is “demonstrable accountability” – meaning “true accountability” that is demonstrated to the regulator, which would have right to inspect the privacy practices of businesses to verify accountability.

This “demonstrable accountability” should also be the key to cross-border data flows. It is even possible that the European regime of standard contractual clauses should be adopted.

4. Rights-based legislation should require “necessity and proportionality” in the digital collection, sharing, using and storage of personal information. The trend is over-collection, which is “extremely intrusive.” This should apply to governments as well as industry.

5. Rights-based legislation requires effective enforcement, and quick and effective remedies for the protection of privacy rights.

I have to quote here verbatim one of the most striking paragraphs in Mr. Therrien’s “covering letter”:

Canada’s laws have unfortunately fallen significantly behind those of trading partners in terms of the enforcement of privacy laws. At the same time, most Canadians believe their privacy rights are not respected by organizations. This is a damning condemnation, and, in my view, an untenable situation in a country governed by the rule of law. It is certainly not conducive to building consumer trust, one of the government’s stated objectives.

It is also fairly obvious that Mr. Therrien is not wholly in agreement with the “Digital Charter” that has been proposed by Innovation, Science and Economic Development Canada. Mr. Therrien’s issues with the Digital Charter include the fact that the Office of the Privacy Commissioner should be given only “circumscribed” order-making powers and that fines would have to be levied not by the Commissioner, but rather by a judge after a review by the Attorney General and the AG’s decision to prosecute. Mr. Therrien feels strongly that Canada’s Privacy Commissioner should be able to levy fines directly, without going through a round-about and slow judicial process. By way of example, he pointed to Facebook’s contravention of the law and how Facebook ignored the Commissioner’s recommendations and “waited it out” for the courts to come to the same conclusion. The Digital Charter would make the process, he says, even slower because of the need for review by the Attorney General. He stated:

Both the current framework and the government’s proposal [i.e., the Digital Charter] create an excellent incentive for companies not to take privacy seriously, change their practices only if forced to after years of litigation, and generally proceed without much concern for compliance with privacy laws.

The “Advice to Parliament” (called Privacy Law Reform: A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy) is the actual report that contains the Commissioner’s recommendations. In it, he expatiates on the recognition of privacy as a Canadian value that is rooted in human rights; the insufficiency of Canada’s current laws for the protection of privacy; the fact that human rights are embedded in the European General Data Protection Regulation (GDPR); the need to define privacy clearly and broadly and to regard the laws that protect it as a quasi-constitutional; the concept that privacy laws need to confer rights and impose obligations rather than merely to provide guidance and principles of conduct; and the need for prompt and effective enforcement of privacy rights bolstered by a right of inspection by the Regulator and ability of the Regulator to levy fines.

In my next blog article, I will write more about what Commissioner Therrien is urging Parliament to do with respect to meaningful consent, proportionality in collection, demonstrable accountability, specific powers of the Regulator, private rights of action, collaboration with other Regulators, extension of the scope of privacy laws, and the so-called “right to be forgotten.”

You might want to take a look at the Privacy Commissioner’s proposal for new Preambles to both PIPEDA and the Privacy Act. It is revolutionary stuff!