So it’s been pointed out to me by the mob in front of my house that I haven’t blogged in a while. It’s true! Now, I do often go quiet over the summer, but with all of us stuck in the house I am not sure that’s much of an excuse. ANYWAY…
We hit the posting jackpot at the end of last week that of course I must blog about. The Privacy Commissioner Daniel Therrien, that handsome fellow at the top of this post, on Thursday submitted his annual report to Parliament. I read the Commissioner’s reports and blog about them every year. Last year I even blogged the report over the Christmas holidays when it was delayed from its usual fall release because of the election. Let’s do this, over the holidays (albeit a different one) again!
So to remind you of what this is, let me just cut and paste this as I do every year. I even just cut and pasted that last sentence!
“The Commissioner shall, within three months after the end of each financial year, submit to Parliament a report…” doesn’t sound like the basis for an exciting post on privacy in the modern technological age, yet here we are!
So every year the Privacy Commissioner must, by law, write a report to Parliament. About privacy! What I quoted above is from PIPEDA, the law about privacy and personal information in the private sector. What you may not know is that there is also something called the Privacy Act, which deals with privacy in the public sector (i.e. the federal government and its institutions), and this also has an annual reporting requirement from the very same Privacy Commissioner.
So let’s read the report. And by “let’s read” I mean “I will skim the report and pull out the relevant information and share that with you and give you good quotes with my own pithy sarcastic reactions along the way, and you will trust me that I will properly inform you so you don’t have to read it yourself even though that’s probably a mistake”. The bolded headlines here are the sections of the report, in order:
Always the highlight of the report. And this one does not disappoint! For a little background, the Commish was appointed in 2014 for a seven-year term. By my very bad lawyer math, his time is almost up! His term is possibly renewable, but that virtually never happens, so this is most likely his final report. And he is fed up! Let’s check the headlines:
“Reveals”? Please. It’s been known forever, as regular readers of this blog well know. But he is frustrated, that’s for sure, as he opens:
The need for federal privacy laws better suited to protecting Canadians in the digital age has been a common thread in our annual reports to Parliament for many years.
Last year in this space, I noted how major investigations into Statistics Canada, Facebook and Equifax had all revealed serious weaknesses within the current legislation.
This year, the COVID-19 pandemic makes the significant gaps in our legislative framework all the more striking.
The “for many years” in the opening sentence is telling. And it’s true! Every fucking year he says our privacy laws are basically a joke. He stresses:
The law is simply not up to protecting our rights in a digital environment. Risks to privacy and other rights are heightened by the fact that the pandemic is fueling rapid societal and economic transformation in a context where our laws fail to provide Canadians with effective protection.
Boy don’t you feel better knowing I am back to blogging so I can tell you these things? He goes on and on about how COVID was bad and exposed our privacy laws (again, as if we didn’t know) and then concludes:
the path that the government ultimately chooses to take when it comes to legislative reform will have a significant effect on future generations.
Sounds like someone is thinking about his legacy!
Privacy by the numbers
We have numbers! I looked at last year’s numbers to see how we compare. “Complaints accepted” under the Privacy Act (recall, that’s regulating government control of personal information) by the Office of the Privacy Commissioner (OPC) was way down, from 1420 last year to 761 this year. Yikes! I guess the government is way better now. PIPEDA complaints accepted were also down, from 380 to 289. Businesses are obviously more careful now! Data breaches reported under PIPEDA went from 315 last year to 678 this year. Uh oh, ignore that last comment about businesses.
Privacy in a pandemic
Given this section shares its title with the whole report, it should be good! Did you know we’re doing more things online during the pandemic? It’s true! And it’s not good, from a privacy perspective:
Videoconferencing and other online services have been helpful in allowing some semblance of normal life to continue in the wake of the pandemic. At the same time, however, they are creating important new risks to our privacy rights.
This is particularly concerning given our current privacy laws do not provide an effective level of protection suited to the digital environment.
Hey, did you know our privacy laws suck? I wonder how many times the Commish will repeat that in this report? Oh look, 2 paragraphs later:
dated federal privacy laws designed for different times hamper our work and are no longer up to the task of ensuring respect for the privacy rights of Canadians.
Yes we know. So this chapter actually has a bunch of subsections, even though they are in the same font as the section header. Someone get the OPC a web designer. Anyway, let’s go with italics for the subsections:
Response to the fallout of COVID-19
The OPC did some stuff, specifically they created a “framework to assess privacy-impactful initiatives in response to the pandemic” in April and some recommendations about some future contact tracing app in May.
Advisory work on COVID-19 initiatives
They advised both public and private sector actors on privacy during a pandemic. This better pick up soon, I’m bored.
COVID-19 and law reform objectives
This is becoming repetitive:
While technology offers tremendous benefits, it also raises risks that are not properly mitigated under the current legislative framework.
Lots of talk here about the contact tracing app, and how the government responded to the OPC’s recommendations and made it better, privacy-wise. Many other activities happening during the pandemic have privacy implications, like this one, which I am dedicating to my LAWG 536 students at McGill who I am currently teaching via Zoom:
Similarly, many students have been required to use e-learning platforms and videoconferencing during the pandemic, which can result in commercial organizations having access to information related to learning difficulties or other behavioural data of students.
Sorry kids! Health data is also currently being thrown all over the internet because of the pandemic, and did you know our laws are not equipped to deal with all this?
We need laws that set explicit limits on permissible uses of data, rather than be left to rely on the good will of companies to act responsibly.
I sense a theme.
Blueprint for reform
Basically, this section says (and I am paraphrasing here) “read my fucking report from last year, it tells you what I want to change in the laws, and all of it is just heightened because of the pandemic”.
WHOA. Out of nowhere, we have a fancy graphic! Let’s copy and paste that sucker right in here for fun.
As far as I can tell, the point of this is to say how our privacy law sucks, but this time compared to all the other countries out there (well, the countries with privacy laws, anyway). Or as the report puts it – “Canada used to be a leader in privacy law, but has clearly fallen behind other jurisdictions in the world.”
Update on the road towards reform
Yeah, the update is bad. The Feds have said many times they will fix things, and they haven’t. Do something, Feds! Quebec is leading the way with Bill 64. And in case you haven’t heard it ten times already, we’re going to write the same thing again with a different formulation:
issues we identified for law reform are proving to be all the more relevant in the context of the COVID-19 crisis, and the move towards digital government in general, which only serves to reinforce the need for modernized federal privacy laws.
Ongoing policy work
Some stuff about AI.
Conclusion (for this section)
These are unprecedented times for Canada and countries around the world.
No shit sherlock.
The Privacy Act: A year in review
And now we’re in a new section. Just so you remember because I’ve only said it twice already, the Privacy Act regulates the government’s use and treatment of your personal information. And we have an answer from the numbers section above:
we accepted 761 complaints… Although this seems like a significant decrease compared to the previous year, the change is mostly due to an evolution of our counting methodology towards enhancing accuracy and consistency.
Man that sounds like corporate doublespeak to me. The report notes they cleared a lot of the backlog from previous years. Maybe because you only accepted about half the number of complaints this year? Actually, they note that a new, streamlined online complaints form allowed them to receive more “relevant” complaints, whatever that means.
There was something about a nominee to the Supreme Court in March 2019? I don’t remember, and it must be because the OPC didn’t find anything wrong.
Surveillance in the workplace
Correctional Services Canada and Employment and Social Development Canada had some complaints about them in this area, but for the CSC it’s all cool, nothing to see here. ESDC told the OPC they would do better in the future, so it’s all good.
There is some stuff about Canada Border Services Agency and that they should not keep passwords to digital devices longer than they need. But go ahead and search those devices! Also, the Canadian Air Transport Security Authority (CATSA) has some complaints about legal cannabis prescriptions or something. We’re really in the weeds now. The conclusion there is that CATSA should not call the cops unless the traveler has more than 150 grams of cannabis. 150 grams!!! Who the fuck is traveling with a third of a pound of weed???
There were “341 breach reports, in comparison to 155 reports a year earlier” at federal departments and agencies, but don’t worry about it, we have completely reasonable explanations for the increase, like the way we count them. Although at the same time “privacy breaches reported to our office represents only the tip of the iceberg”. Well that can’t be good.
There is then a bunch of stuff about how the OPC advised a bunch of government departments on privacy issues. Moving on.
The Personal Information Protection and Electronic Documents Act: A year in review
Now we’re getting somewhere, this should be good. This is the part where the Commish tells you all the ways companies misused and generally fucked up with your data in the last year. Go!
Breaches of security safeguards
As mentioned above in the numbers section, breaches reported have more than doubled since last year. And they’re big!
Our office is seeing a rise in reports of large-scale breaches affecting a great number of individuals. Most notably, breaches at large organizations including Desjardins and Capital One have been reported to our office.
Banks and credit card companies, pshaw! It’s not like they have important personal information.
Operational updates and trends
Pretty much a repeat of the Privacy Act equivalent section – lower numbers of complaints accepted but that’s only because we count differently now, cleared backlog, streamlined complaint system, etc. Where’s the juicy bits?
This should have some juicy bits! Hmmm. RateMD? Yawn. How about “TD Canada Trust and Loblaw found to comply with current PIPEDA requirements”? Well, compliance is not juicy. Although here the OPC noted how the flow of personal information across borders is problematic. Meh. A Dell customer support subcontractor in India maybe had some personal information they shouldn’t have. More yawns. Where are the Equifaxes and Facebooks of yore???
That is not an official report subsection heading, but the OPC did some other stuff, like advising businesses on PIPEDA and CASL (Canada’s Anti-Spam Law) compliance. And we’re done here, I guess.
Advice to Parliament
So this section is not in fact “GET YOUR FUCKING ACT IN GEAR PARLIAMENT AND UPDATE THE FUCKING PRIVACY LAWS ALREADY WE HAVE HAD ENOUGH OF THIS WAITING AROUND SHIT”. I guess we had enough of that (in nicer terms) earlier in the report. The section is more about the advice the OPC actually gave to Parliament and its various committees in the last year. These seem to be limited to the topics of cybersecurity in the financial sector (they should have it!) and children and the no-fly list (it’s problematic when a parent is on it). Okay then.
International and domestic cooperation
Canada is very cooperative and friendly when it comes to privacy. Internationally, and with the provinces. Good for us!
Privacy cases in the courts
If any of my McGill students are still reading at this point, they should pay attention. This will be on the exam. Wait, we don’t have an exam, only a final essay? Good thing, because these cases are useless at this point. The two most important ones are Privacy Commissioner of Canada v Facebook, Inc. and the Google Reference, both of which are ongoing so there is really nothing to report. There was a Supreme Court decision about the constitutionality of the Genetic Non-Discrimination Act which is interesting if you’re into that area of privacy law I guess.
Wait, we’re done? I was just getting going! In conclusion, our privacy laws need reforming.