Canada needs a modern privacy framework to ensure continued trust in federal institutions and the digital economy.

Smart phones, cloud computing, Internet-connected gadgets, and algorithms that track our every move online – it’s all putting undue pressure on privacy.

Unfortunately, in Canada we remain hampered by 20th century tools to deal with 21st century privacy problems. Whether we’re dealing with federal government institutions or the private sector, it’s clear we need a modern approach to the protection of personal information.

The fact is, the Privacy Act, which applies to the federal public sector, has remained virtually unchanged since it was proclaimed in 1983, while second- and even third-generation privacy laws have since been adopted at the provincial level and internationally. Meanwhile, Facebook had yet to be imagined when the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy law covering the private sector, came into force in 2001.

My recently tabled Annual Report to Parliament highlights some of the pressing issues that must be addressed if we are to ensure that the privacy rights of Canadians continue to be adequately protected in today’s connected world.

To begin, the government should make the modernization of privacy laws and policies a priority, and invest more resources in a more robust privacy protection framework. The consequences of not moving swiftly to do this are real: more data breaches; excessive collection and sharing of personal information; and the risk that Canadians will lose confidence in the digital economy, thus jeopardizing its growth.

It is also important to keep pace with the privacy protections of other countries, particularly our trade and security allies. Some, including the European Union, have already moved to strengthen their privacy protection frameworks.

If EU authorities decide they no longer find Canada’s privacy laws basically equivalent to their own, commerce between Canada and Europe may be hindered or impeded. This is precisely what happened to the United States when the Safe Harbour agreement was found invalid by the EU courts.

My office has made a number of recommendations to government that touch on technological change, the modernization of legislation, and the need for transparency when it comes to federal institutions.

Technology has made it easier than ever to collect, store and share information. The existing rules are inadequate when it comes to regulating these practices and guarding against unauthorized disclosure. For this reason, we have asked that information-sharing among federal institutions and between them and other organizations be based on written agreements that are subject to our review.

In order to address the growing and increasingly complex number of public sector data breaches reported to my office every year — there were 298 in 2015, compared with 256 in 2014 — we are asking that the government be legally obligated to safeguard personal information. Breach reporting should also be mandated by law, as opposed to only required under a Treasury Board Secretariat (TBS) directive, as is currently the case. Similarly, we are asking that privacy impact assessments aimed at mitigating privacy risks for new or significantly altered government programs and services be required under the law instead of by way of a TBS directive, and that they be submitted to my office prior to implementation.

As a further step to identify privacy issues before they become privacy problems, we have recommended that government institutions consult my office on draft legislation and regulations with privacy implications before they are tabled — something already in practice in a number of jurisdictions in Canada and abroad.

Meanwhile, the shift from paper to digital records has led to the over-collection of personal information.  We are seeking an amendment to the law that would ensure institutions limit collection to information that is “necessary” to, and not just directly related to, the operation of a program or activity.

With respect to enhancing transparency, we are seeking discretion to publicly report on government privacy issues that are in the public interest in a timely fashion. Confidentiality requirements currently limit our ability to discuss public sector privacy issues, including investigative findings, in annual and special reports.

We have also called for tougher transparency reporting requirements for federal government institutions, particularly those involved in law enforcement. As we have said for several years, organizations need to be more open about the number, frequency and type of lawful access requests they make to Internet service providers and other private sector organizations.

I look forward to discussing these and other recommendations further this fall with the House of Commons Standing Committee on Access to Information, Privacy and Ethics, which has resumed its review of the Privacy Act.

On the private sector side, a chief concern relates to consent for the collection, use and disclosure of personal information — a cornerstone of PIPEDA that has been called into question due to the complex nature of data flows in today’s digital age.

Gone are the days of routine, predictable and transparent one-on-one interactions with companies. It is no longer entirely clear who is processing our data and for what purposes. While privacy policies attempt to enlighten us, while shielding companies from legal liability, they’ve been criticized as long, legalistic and of little value to consumers, who are increasingly feeling pressured to simply hold their noses and click “I accept.”

This is what we heard during a priority-setting exercise my office conducted last year. It prompted a discussion paper we released in May outlining potential solutions to this consent conundrum and what role individuals, organizations, regulators and legislators might play going forward.

Potential solutions run the gamut from making individual consent more meaningful through standardized privacy policies that may be developed by industry or by regulators, to privacy dashboards that make it easy for users to control the privacy settings on a particular website or mobile application.

Other potential solutions include legislating no-go zones — allowing for legitimate business interests in situations where consent does not work or is impracticable. For example, a company might track how a customer behaves on its website, to ensure network security.

Privacy trustmarks (seals certifying compliance with particular standards), industry codes of practice, ethics boards charged with weighing privacy concerns for companies and fines, and order-making powers for my office are some of the other measures now up for discussion.

We have received more than 50 submissions in response to our discussion paper from a vast array of industry associations, companies, consumer advocacy groups, civil society organizations, academics, individuals and fellow regulators.

In the end, we hope to put forward a plan — likely a combination of solutions — that will improve the current consent model, allowing companies to continue to innovate and stay competitive, while ensuring Canadians can exercise greater control over their personal information.

The fast-paced evolution of the digital economy has fundamentally changed the privacy landscape and will continue to do so in the years ahead.

Our privacy protection framework is well overdue for an update. Immediate action is needed, if we are to maintain the trust of Canadians in our federal institutions and the digital economy.

Photo: wk1003mike /


Do you have something to say about the article you just read? Be part of the Policy Options discussion, and send in your own submission. Here is a link on how to do it. | Souhaitez-vous réagir à cet article ? Joignez-vous aux débats d’Options politiques et soumettez-nous votre texte en suivant ces directives.