For years, Canada's privacy commissioners have warned the country's decades-old privacy legislation is in urgent need of an overhaul, and that the commissioner's office requires new tools to properly do its job.
But change hasn't come quickly — and Daniel Therrien, the current commissioner, says his office is no longer content with waiting for the government to act. So it's trying a new approach with the powers it currently has.
In his annual report, presented to Parliament on Tuesday, Therrien said his office will soon issue new guidance on how companies should ask Canadians for consent to collect, use, and disclose their personal information. It's one of a wide range of emerging privacy issues on which his office will begin to issue new or updated guidance on in the coming years.
But more importantly, Therrien will shift some of the resources of the Office of the Privacy Commissioner (OPC) toward a "proactive enforcement model," launching its own investigations into important issues affecting the privacy of Canadians, rather than merely reacting to individual complaints.
Therrien says that both moves are part of a larger effort to bring more accountability to how companies handle Canadians' personal information — something Canadians have told the OPC they feel "utterly powerless" to control.
Therrien also reminded Parliament there's only so much the OPC can do with the powers and resources available to it under what he described as "critically outdated privacy laws."
"It is not enough for the government to say that privacy is important while taking no systemic measures to protect it," Therrien wrote in his report, adding that Canadians "do not feel protected by laws that have no teeth, and organizations that are held to no more than non-binding recommendations."
How to ask for consent
Under current legislation, the privacy commissioner cannot issue binding orders or fines against companies that misuse personal information or ignore its recommendations. Nor can his office launch investigations without reason to believe a violation has occurred, limiting the effectiveness of its proactive enforcement scheme.
Until that changes, Therrien says, his office has been pursuing other means to make companies more accountable and transparent about their practices.
For example, the OPC has spent the last year reviewing its guidance around consent — a foundational component of the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private companies can use Canadians' data.
The commissioner's report says lengthy privacy policies written in opaque language, coupled with the increasingly complex ways in which personal information is collected and used, have made it difficult for users to know what they're consenting to when they use, say, an internet-connected light bulb or a social network's mobile app.
The OPC is recommending organizations make it easier to understand…
- What personal information is being collected.
- Who it is being shared with.
- Why the information us being collected, used, or shared.
- The risk of harm to the individual, if any.
The idea is that this information should be displayed prominently and in a user-friendly format, rather than buried in a lengthy policy document written in legalese. But without stronger enforcement powers, the OPC can only hope that companies are willing to get on board.
Keeping the public sector accountable
Beyond consent, the OPC says that it has identified additional topics that it intends to issue guidance on over the coming years, including facial recognition, encryption, artificial intelligence, the use of genetic information.
There will also be new draft guidance on "no-go zones" where companies would be unable to collect, use, or disclose information, even with a user's explicit consent.
And there is strong interest in reforming the public sector Privacy Act, which governs how federal government institutions handle personal information.
For example, OPC wants to see the act modified so there is a legal requirement that information be collected only if it is "necessary for the operation of a program or activity."
The commissioner also wants wants federal institutions be legally required — rather than merely required as a matter of policy — to conduct privacy impact assessments "on any new or significantly redesigned programs or services that could impact privacy."
When the RCMP began using an invasive cellphone surveillance device called an IMSI catcher, for example, it did not consult with the OPC or file a privacy assessment.
And if a federal government institution suffers a data breach, the OPC would like to see it required to report the breach to it. The office says that it received only a single report of a "web hacking incident" in the past year.