(Version française disponible ici)
Canada’s digital charter carried a core promise of keeping Canadians safe and secure online when it was announced in 2019. Yet, it appears to have become a legislative version of vapourware – a product announced, never to be released.
Not one of the charter’s underlying bills has become law. The government even initially refused to share many legislative amendments with the parliamentary committee charged with studying them.
Ottawa’s funding decisions and its attitudes toward transparency all make clear that its priorities lie elsewhere.
The government often moves to protect its own interests – rather than those of Canadians – when it does act on online safety.
After cyberattacks compromised more than 11,000 credentialsthe Canada Revenue Agency in 2020, the agency responded by tightening its privacy statement for the electronic tax-filing service NETFILE to clear itself of liability in the event of future data security breaches.
Law enforcement has also struggled to adapt to new threats presented by the online landscape. Five years ago, the government promised a centralized reporting site to help combat increased online scams that have reached new heights year after year. But it is still in beta testing and two years behind schedule.
The RCMP operates the national cybercrime and fraud reporting system with just 105 employees for the entire country with no cybercrime investigators in Saskatchewan, Manitoba or anywhere in the Maritimes, according to a government response to my access-to- information request.
Canada’s digital security spending has been inefficient, too. For example, the government’s $28.5-million cybersecurity certification program, formally launched in 2020 for small- and medium-sized businesses, had delivered only 41 certificates as of August 2023 – after promising 5,000.
The trend was downward: only two were from 2023. Despite the poor performance, the government has announced a cybersecurity certification program for defence contracts with a $25-million price tag.
Canada’s digital security measures have likewise been criticized as outdated and for not keeping up with those of peer countries. The United States, Australia and the United Kingdom have laws regarding cybersecurity for critical infrastructure. Canada still does not.
The proposed Canadian bill in this area has been languishing for more than a year and is based on an already-replaced European law. The proposed law does not mention ransomware, even though more than half of the reports to the RCMP cybercrime reporting system involve the malicious cyber activity that blocks access to computer sites until money is paid.
As for the proposed privacy law from the digital charter, it would not update the outdated consent model constantly being perpetuated in website and app privacy notices. It would place no meaningful constraints on data transfers abroad. It avoids specific meaningful measures for protecting children.
It is also notable for failing to bring government conduct under stricter regulation. It covers only the private sector.
The extent of the problems Canada faces online is made worse by the antagonism many federal institutions show toward transparency in the use of technology.
Multiple federal institutions have been using tools capable of extracting personal data from phones or computers of government employees without having conducted privacy-impact assessments, as required by government policy.
The Communications Security Establishment, one of Canada’s key security and intelligence organizations, has been called out for ignoring requests for information by its own oversight body. In a worrying sign of its lack of commitment to respecting human rights online, the agency did not acknowledge in a response to an access-to-information request whether it has used, or is actively using, mercenary proprietary spyware.
As for funding decisions on technology procurement, the scandals of ArriveCAN during the COVID-19 pandemic and the Phoenix pay system for government employees speak for themselves. The federal government showers cash on consultants for such projects, yet vital components of Canadian democracy are weakened through underfunding.
Just as the digital charter has resulted in little action, promises of transparency have proven to be a familiar political ritual. In 2014, then-Opposition MP Justin Trudeau introduced his first private member’s bill, the Transparency Act, to draw attention to problems with access to information.
But eight years into the Trudeau government, Information Commissioner Caroline Maynard has stated in unequivocal terms that “it is clear that improving transparency is not a priority for the government.”
On balance, federal tech policies and priorities are increasingly making Canadians unsafe and insecure through privacy and data protection legislation that deprives citizens and regulators of meaningful enforcement powers, funding priorities deeply out of touch with needs, and gaps in law and policy that the government shows no urgency to fill.