Canada's proposed new privacy law is an upgrade, but still falls short of what's needed, says expert
Former Ontario privacy commissioner Ann Cavoukian wants the new legislation to adopt 'privacy by design'
Privacy expert Ann Cavoukian says the federal government's proposed privacy legislation falls short by failing to establish privacy by design as a principle.
Earlier this week, Innovation Minister Navdeep Bains introduced Bill C-11, which empowers the country's privacy commissioner with new order-making abilities, effectively allowing him to go after companies that fail to follow the country's privacy rules, among other changes.
The newly tabled bill has received praise from privacy advocates, but Cavoukian, executive director of the Global Privacy and Security by Design Centre and a former Ontario privacy commissioner, says more needs to be done.
Cavoukian spoke with Day 6 host Brent Bambury about what Bill C-11 gets right, and what it's still missing.
Here is part of that conversation.
When I spoke to you last year, we were talking about Cambridge Analytica and the inability of Canada's privacy commissioner to enforce rulings when there was a violation of Canadian law. What the government is proposing looks like it will address some of that. Is this the law that you've been dreaming about?
I'm not going to use the word dreaming of, but certainly it addresses the issue that our federal privacy commissioner of Canada has not had order making power ever in terms of PIPEDA, the federal private sector legislation.
Unlike privacy commissioners, like myself, the commissioner in Alberta, in British Columbia, we've had order making power. And the beauty of that is I rarely have to use it because when the other side knows you have that authority, then they are more likely to sit at the table and work with you.
It gives the commissioner the authority to take action. This law will give him order making power.
Order-making power, that's a good thing. What else do you think [Bill] C-11 gets right?
The focus on control on the part of individuals relating to the uses of their information.
Privacy is all about control — personal control, relating to the use and disclosure of your personal information. And there is a focus on increasing control and transparency.
It focuses on security, introduces the concept of individuals being able to … demand that their personal information be destroyed once the use has been addressed, and that's similar to the right to be forgotten in the new legislation.
Now, you said it wasn't your dream legislation. What are the shortcomings here?
What they've left out — and this blows me away, because the whole point of addressing and upgrading our legislation was in response, a number of years ago [in] 2017, to the introduction of this very strong law in the European Union, the General Data Protection Regulation.
In the GDPR, they included my privacy by design and privacy as the default — proactively protecting privacy.
They came up with a paper to address this issue in February of 2018. The title of the paper called, Towards Privacy By Design. It was a very strong indication to us that they were going to include privacy by design in whatever legislation they came up with.
Have they walked their talk? No.
We talked about privacy by design before. But briefly, just explain to us why that matters to people who care about privacy?
Think of a medical model of prevention. You go to your doctor. He does some tests and he says, "Yeah, you've got cancer. We'll just see how it develops, and if it gets worse, we'll give you chemo after the fact." You would never think of doing that. You want to try to prevent the harms from arising.
Privacy by design is a model of prevention, proactively embedding much-needed privacy-protective measures that live within your organization, your policies, your design, et cetera.
Let's talk about this tribunal, because while the privacy commissioner can now recommend fines, there is this separate layer that can actually adjust those penalties or address appeals and that kind of thing. How do you think this added layer of the tribunal will influence or cut into the power of the privacy commissioner?
I think it will counter the strengths you've just given him in order making power. And if you're going to dilute that by having it be reviewed by this data protection privacy tribunal, it's contrary to any of the models of privacy protection out there in terms of having privacy commissioners who make the decisions and issue the orders.
Does this bill do enough to bring Canada's privacy laws up to, say, the EU standards, which you had a hand in drafting? And does it matter if our Canadian rules meet global privacy standards?
It does matter because we want to have what's called "essential equivalence" with the European laws, the GDPR, because then we can engage in trade and business without fear of reprisal, because our laws, our privacy laws are as strong as theirs.
I've always enjoyed having essential equivalence until the GDPR was enacted and all of a sudden our privacy laws didn't do it. So the whole point of upgrading our privacy laws is we do want to have essential equivalence.
We have a minority parliament and obviously this is complicated legislation and it will take time to process and pass. But when the debate happens, when the vote happens, do you anticipate that some parties will be more enthusiastic about strengthening Canada's privacy laws than others?
[With] the Liberals under Trudeau, it's been extremely weak. They have not addressed repeated requests from the federal privacy commissioner to strengthen existing privacy laws. He's been asking for this for years.
Even though they talked the talk in 2018 when they said towards privacy by design, they didn't walk the talk. I'm tired of that. I want a party that will walk the talk. And I'm hoping that will be the Conservatives.
Written by Celeste Decaire. Produced by Sameer Chhabra.