Written by this guy. This will be… fun?
So every year the Privacy Commissioner, that guy in the pic above at this point in time (Daniel Therrien), must give a report to Parliament about privacy. You know it happens every year because I wrote about it, uh [/checks archives], two years ago. Hmmm, you would have thought I would have written about it last year while I was teaching privacy law at McGill, but maybe I was grading exams or something?
Anyway, let’s just cut and paste what I wrote two years ago, by way of explanation:
“The Commissioner shall, within three months after the end of each financial year, submit to Parliament a report…” doesn’t sound like the basis for an exciting post on privacy in the modern technological age, yet here we are!
So every year the Privacy Commissioner must, by law, write a report to Parliament. About privacy! What I quoted above is from PIPEDA, the law about privacy and personal information in the public sector. What you may not know is that there is also something called the Privacy Act, which deals with privacy in the public sector (i.e. the federal government and its institutions), and this also has an annual reporting requirement from the very same Privacy Commissioner.
So yeah, it’s that time of year! Woohoo! Time to get drunk and read a 100-page report. The report is technically called “2017-18 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act” which is boring, so they give it a fun subtitle. For this year, it’s “TRUST BUT VERIFY: Rebuilding trust in the digital economy through independent, effective oversight”, which is catchier, I guess. Caps lock and bold in original, seriously!
The report is divided into several sections. Let’s take ’em one by one in the order in which they appear, because any other order would be stupid and confusing.
The Commissioner’s Message
Hello Mr. Therrien! This is the opportunity for the Privacy Commissioner to get a few things off his chest. And he seems pissed! I mean, he’s got a section entitled “Progress from government slow to non-existent.” His news release about the report is entitled “Privacy Commissioner denounces slow progress on fixing outdated privacy laws”. Get to work, government!
First, the Commish talks about Facebook and Cambridge Analytica, calling it a “serious wake-up call”. He’s got a point there! But he’s using Facebook to make a broader point:
These issues also underscore deficiencies in Canada’s privacy laws that I and my predecessors have tried to draw attention to for years
Basically, Canadian privacy laws suck. I am sure I have said that before. They allow companies too much freedom with our personal info, or as the Commish says about privacy law – “it is quite permissive and gives companies wide latitude to use personal information for their own benefit.” But it’s no more Mr. Nice Guy:
Canadians need stronger privacy laws that will protect them when organizations fail to do so. Respect for those laws must be enforced by a regulator, independent from industry and the government, with sufficient powers to ensure compliance.
The regulator we have, the Commish himself and his office, can do fuck all. This is what I will tell my students in class this week. And yes, I will use those words. The Commish wants powers to walk right into Facebook’s office and start asking questions:
Given the opaqueness of business models and the complexity of information flows in the age of data analytics, artificial intelligence (AI) and the Internet of Things, that regulator, my Office federally, should be authorized to inspect the practices of organizations even if a violation of law is not immediately suspected. Individuals are unlikely to file a complaint when they are unaware of a practice that may harm them.
In other words, trust but verify
Catchy! You can see why he used it as the report title. So yeah, the Commish is tired of the government fiddling while Rome burns – “Canadians cannot afford to wait several years until known deficiencies in privacy laws are fixed.” Because he really has no powers, he goes on to talk about the basic things his office (the OPC) has done, but it’s just a bunch of guidelines that are not binding. Here are those guidelines btw. Don’t worry about them though, they’re just guidelines! To guide!
The Commish goes on to talk about the OPC position paper on online reputation, which I already wrote about, so we’ll just skip it. He closes out by saying there are so many privacy issues his office needs more money. He’s got a point there. Let’s go to his big finish:
To sum up, recent events underscore the significant risks facing privacy protection in the digital age. Modern laws consistent with evolving international norms are urgently required if we are to provide Canadians with the protection they expect and deserve.
Privacy by the numbers
This section is essentially a table of numbers, summarizing the OPC’s activities over the reporting period (which I guess I should mention is April 1, 2017 to March 31, 2018). Like how many complaints they had, how many committees they appeared in front of, and how many Twitter followers they have. That last stat is obviously the most important, so I will report that it is 13,976. That seems kind of low for the office responsible for saving our privacy. For comparison’s sake, beloved (?) Canadian comedian Rick Mercer has 1.76 million followers. Who’s laughing now?
The Personal Information Protection and Electronic Documents Act – A year in review
Well this should be fun! (It is not). The report in this section details those guidelines I mentioned earlier, and the OPC’s online reputation thing I also mentioned, so no need to dive into that again. This is getting easier! The Commish also details the Parliamentary Report about the future of privacy law, which I wrote about in this post, so I’ll refer you to that. These 100 pages are flying by!
This section also has some wonderful stuff about the work the OPC did with several large companies – Microsoft and Facebook in particular. They were very cooperative! It’s easy to cooperate when the office investigating you has no powers to do anything. The report then details all the investigations they did, and what the outcome was. But really, the main issue remains:
without the backdrop of powers to order changes or sanction organizations with penalties for non-compliance, organizations can be slow to respond to our investigative inquiries and equally slow to commit to taking corrective action.
This section then turns to data breaches, and there were a lot of them! Notable ones were Bell Canada, Nissan Canada Finance, Uber and Equifax. The good news is that coming November 1st, these companies will be required to notify the OPC and the public in the case of data breaches. The bad news is that the OPC has no budget to deal with the inevitable flood of reports!
This section concludes with a bunch of times the OPC got involved with Parliament, making submissions and appearances to tell us our privacy is in peril. Good to know.
The Privacy Act – A year in review
The Privacy Act is all about what federal government departments and agencies are supposed to do with your personal information. Fortunately, this section is a whole lot sexier than that!
The exciting issues discussed in this section are Trump! And Trump! And Canadians having their phones searched at the border. Basically the report says “it sucks, but what are you gonna do?”
Also, we need some changes to the Privacy Act, which was written in 1983 and hasn’t changed much since. They’ll get right on that.
This section also talks about a bunch of investigations into government departments and agencies about certain data and privacy practices. Also their data breaches, which, uh, maybe you should panic:
Based on government statistics, it is clear that thousands of breaches occur annually. From our review, it is obvious that some material breaches go unreported and, more importantly, others likely go entirely unnoticed in many institutions.
Privacy cases in the courts
This section is very handy for people like me, and my students! They talk about privacy cases they participated in, and other cases they “followed with interest”. Those followed with interest ones are important, but I’ve written about all of them already, so let’s move on.
International and domestic cooperation
The OPC cooperated with its international and provincial counterparts on occasion.
I am not recapping the Appendices. And we’re done! OK one fun fact, because there are lots of stats in there – Correctional Service Canada was the runaway leader in privacy complaints among government institutions. Oh those wacky jailhouse lawyers!
Superterriffic Funtime Analysis Hour
Canada’s privacy laws are weaksauce, everyone knows it and has known it forever, and no one in power seems to be in a rush to do anything about it.