Who wants to read an 87-page privacy report from this guy on the holidays?

Me I guess?

So really I cannot let this go by and just wait until January. I have been breathlessly waiting for this report! Last year it came out in September. This year it came out a couple of weeks ago. What’s up with the delay? I vote it’s election-related. Don’t want to submit a parliamentary report when Parliament is possibly a lame duck.

Let’s take a step back and explain WTF I am talking about! So every year, the guy up there submits an annual report about privacy to Parliament. His name is Therrien. Daniel Therrien. He is the current Privacy Commissioner, and thus the most important privacy dude in Canada. Too bad he has no powers to do anything. ANYWAY. Let’s get to the damn report already we’ve all got holiday beverages to imbibe!

So to remind you of what this is, let me just cut and paste this as I do every year!

“The Commissioner shall, within three months after the end of each financial year, submit to Parliament a report…” doesn’t sound like the basis for an exciting post on privacy in the modern technological age, yet here we are!

So every year the Privacy Commissioner must, by law, write a report to Parliament. About privacy! What I quoted above is from PIPEDA, the law about privacy and personal information in the public sector. What you may not know is that there is also something called the Privacy Act, which deals with privacy in the public sector (i.e. the federal government and its institutions), and this also has an annual reporting requirement from the very same Privacy Commissioner

So let’s read the report. Together.

The first thing you can’t help but notice is the title – “Privacy Law Reform – A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy”. That is a mouthful. Let’s break it down with pithy comments / translations!

Privacy Law Reform

Canada’s privacy laws suck.

A Pathway

For the love of God do something Parliament! Here, I’ll tell you how.

Respecting Rights

Your rights are currently not being respected!

Restoring Trust in Government

I’ll leave the pithy comment for this one to commentor Steve. There is just too much to unpack.

So the report starts off with the Commissioner’s message. He opens:

For several years, my predecessors and I have been calling for fundamental reform of Canada’s federal private and public sector privacy laws

Readers of this site certainly know this to be true! At least the government is finally coming around, maybe. Here’s the crux of the problem, and Mr. Therrien rejecting it:

While there is general agreement that legislative reform is needed, we continue to hear industry and government officials adopting language that emphasizes the need to balance privacy rights with economic interests, security and other important goals. They imply that privacy and objectives such as innovation are engaged in what some have called a zero-sum game.

We must reject the notion that rights-based laws impede economic growth or other important societal objectives.

Yes! Time for rights! The Commish is calling for a rights-based approach to privacy law. Sounds good to me. He then summarizes what the law reform should look like, but we’ll get to that in the section discussion below. Let’s go to the sections!

Privacy by the numbers

There are some numbers. The Office of the Privacy Commissioner (OPC) sent 1,098 Tweets. Important info! Actual important info is that there were 380 complaints under PIPEDA accepted for investigation by the OPC. Is that a lot? Damned if I know. It’s probably about the same every year. Remember these are complaints “accepted”, not “made”. You can bet the # of complaints made is 10-100 times that. Also, the OPC “examined” 315 PIPEDA data breaches. No, I do not know what they mean by “examine”. It’s not like I teach this stuff at a University or anything. Let’s move on.

Advice to Parliament

The Commish opens with this gem:

In our last three Annual Reports, our Office has provided a detailed account to Parliament that Canadians need stronger, more enforceable, federal privacy laws

Translation – I am sick and tired of waiting for you government fucks to do something already. He then gets to the point:

we believe that Canadians also deserve federal privacy laws that are based on rights for individuals. The incorporation of a rights-based framework in our privacy laws would help support responsible innovation and foster trust in government, giving individuals the confidence to fully participate in the digital age

Well I am not sure about that “fostering trust in government” part, but he’s on a roll! What would that rights-based privacy law look like? The Commish outlines:

Recognizing privacy as a human right

A good start! People assume the “right to privacy” is a constitutional right, but it is not explicitly in the Canadian Charter. The courts have read  some privacy rights into the  “right to life, liberty and security of the person” and the “right to be secure against unreasonable search or seizure” that are in there, but that’s not enough. It’s why we say the right to privacy is only a “quasi-constitutional” right. Though that’s still pretty good! Too bad it doesn’t really say that in a law somewhere. The right to privacy is in need of more protection! The problem in Canada, as the Commish notes:

our current privacy laws are drafted largely as data protection statutes rather than as laws that protect and promote the exercise of a broad range of rights. Privacy is not limited to consent, access and transparency. These are important mechanisms, but they do not define the right itself nor acknowledge its quasi-constitutional status…. Modernized privacy legislation should start by defining privacy in its proper breadth and more formally codify its quasi-constitutional status

Ok let’s do that!

A rights-based approach for protecting Canadians’ privacy

The European GDPR has it, so why shouldn’t we? Huh? So how would all this look? The Commish presents 4 key elements:

1. Define the right to privacy in its broadest sense
2. Recognize in law the quasi-constitutional nature of privacy legislation
3. Draft the law in the usual manner of legislation, conferring rights and imposing obligations, rather than as the current model, which contains what reads as an industry code of conduct, with some obligations but also several recommendations, examples and good practices that do not create enforceable entitlements for individuals
4. Ensure effective enforcement

Boy some of this seems to be going around in circles. I did expand on that number 3 because it is important. PIPEDA literally does have an “industry code of conduct” in it, the “Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96”. Yawns-ville! But our most important privacy law is literally based on this code of conduct. That’s… not good.

As for #4, the Commish has been screaming about it for years. As have I, and every other privacy law expert in this country. I always get a good laugh, and then abject terror, when I give the answer to this question when giving a lecture – “We have one major privacy law in Canada and an anti-spam law. You can get $10,000,000 in fines under one and $0 in fines under the other. Which is which?” We have a privacy law that can’t be enforced. That’s no good! Also, the OPC issues findings but companies just ignore them. That’s not good either! Here:

For a company like Facebook to dismiss the investigative findings of our Office and think it can decide what legal obligations it will or will not follow is untenable

Darn right! But wait, there’s more.

Additional elements for privacy law reform in Canada

The Commish has many many many more ideas! Such as:

1. Maintain an important place for meaningful consent, but also include alternative solutions to protect privacy where consent is not feasible
2. Require a necessity and proportionality standard for collecting personal information
3. Require organizations and federal government institutions to demonstrate their accountability
4. Empower a public authority to issue binding guidance to ensure a practical understanding of what the law requires and to provide certainty to individuals, organizations and federal government institutions
5. Permit the OPC to choose which complaints to investigate and, at same time, ensure individuals are given a private right of action
6. Authorize regulators with different mandates to share information
7. Extend coverage of the law to all of federal government and political parties
8. Include additional protections against harms that result from infringements of human rights in a digital era

So basically re-write Canada’s privacy laws completely. Works for me! These are all good ideas and long overdue. As the Commish concludes:

In this complex digital environment, what is clear is that our privacy laws need to be reflective of the current times, and more forcefully assert protections for the rights of Canadians. Now is the time for action.

Preach, brother! We are still not finished with this section however. Even though the Commish just concluded. Oh well. There is actually a very interesting Supplement to “Privacy Law Reform” (quotation marks in original for some reason). The Commish proposes new preambles and “purposes” for both PIPEDA and the Privacy Act. He’s actually writing laws. Well done sir! Even if it isn’t your job. The preambles and purposes basically reflect the stuff he’s been talking about for the last 30 pages. Works for me!

Parliamentary activities

And we’re finally on to a new section. Here the Commish recalls how in the past year he’s done some good things with Parliament, like some updates to the Election Act in preparation for possible election fuckery. But as he writes “Unfortunately, the Act did not make federal political parties subject to privacy laws”. He’ll soon fix that.

There is some other stuff about how he consulted with and wrote reports for Parliament on some other laws. He also submitted some studies! Good for him.

The Privacy Act – A year in review

What a year it was! To recap, the Privacy Act deals with the Federal  government’s treatment of your personal information. But frankly it’s kind of useless! Here:

The Privacy Act’s advanced age was readily apparent in some of our investigations. We saw how the Act is not up to the task of confronting the challenges of the digital age.

Good to know! Anyway, the Commish received 1,420 complaints under the Privacy Act, up from 1,254 a year earlier. Your government at work! Three departments in particular were pretty uncooperative with Canadians: Health Canada, the RCMP and Correctional Services Canada.

Then there is a whole sub-section on Statistics Canada. Remember when we discovered they were collecting financial and bank information from Canadians without their consent? Good times. The OPC found StatsCan was not breaking any laws (really for true!) but that it really didn’t look good. Just more proof privacy laws need serious reform.

They also did some investigating into the searching of laptops and devices by border agents. People don’t like that! And the OPC agrees – “Canadians’ privacy rights are not being respected during device searches at border points.” There were some other investigations.

Finally, the Commish reports that “number of data breaches reported by public institutions dropped significantly in 2018-2019 – down by 46%”. So obviously everything is safe and secure now. Or not: “There are strong indications of systemic under-reporting of certain types of breaches across government.” Sleep well everyone!

The Personal Information Protection and Electronic Documents Act (PIPEDA) – A year in review

Facebook! Equifax! Facebook! Equifax! And what do you know:

These and other cases summarized in this section attest to the failings of accountability and safeguards in current business models, and support our case for legislative reform.

He’s been saying that for 50 pages already! I already wrote about Facebook giving the OPC the middle finger back when it happened, so let’s not revisit that. Let’s look however at what the Commish thinks:

For these reasons, our Office announced its intention to apply to the Federal Court to seek a binding order to force the company to take action to correct its privacy practices.

Resolving this issue is vital. It is untenable that organizations can ignore our Office’s legal findings. Facebook should not get to decide how Canadian privacy laws are interpreted.

Facebook does what it wants, Commish.

Equifax did better, promising to take corrective actions and entering into a binding agreement with the OPC. There were other data breaches the OPC looked into but did not do very much about.

During the year, PIPEDA’s mandatory data breach reporting came into effect. Surprise, the number of data breaches reported went up 50%!

Privacy cases in the courts

Will this report never end? The most important case was the Google reference for which we are still awaiting a final decision more than a year later. There was a temporary ruling in July which I should probably have written about but didn’t. Sue me.

International and domestic cooperation

The OPC cooperated.

Appendices 1-5

We’re done here. Happy Festivus!