Two posts in a Beatles-esque 8-day week? It’s a Festivus miracle!!!
There are very few traditions here at AM.com, let me list them. 1 – errr, I can’t really think of any traditions TBH besides the one I am about to mention. And that one is that I read the Privacy Commissioner’s Annual Report on whatever holiday it comes out. Here’s last year’s on thanksgiving. And here’s 2019, which indeed I also read over the Christmas holidays because an election fucked up the fall delivery schedule that year. 2016. 2018. Does 4 years a tradition make? Fuck if I know. But let’s do this!
So yes, we had a fall election again this year (sigh, what a waste of everyone’s time) so again the September / October report came out in December. Though it was December 9, so admittedly I am a bit late. But after just writing a post about a 5 month-old case, I frankly think I am doing quite well here.
ANYWAY. This years report‘s zippy title is “Projecting our values into laws.” Well that’s dumb. Isn’t that just the basis of Western democracy? Frankly it could even be applied to non-democracies, or literally any state going back to Babylon in the 18th century BCE. Let’s hope this thing picks up when we read it.
Hmm, the second line seems to be a subtitle maybe? – “Laying the foundation for responsible innovation”. Maybe that’s the actual title of the Report? I honestly don’t fucking know. But it’s even stupider. The OPC’s news release of the Report doesn’t even say what the title of the Report is. Maybe even they are embarrassed at either possible title’s lack of zippiness. (EDIT – read to the end of this blog post to find out the actual title!) Commissioner Therrien is on his 7th Annual Report, the last of his mandate; he’s losing interest I guess? But just this past summer he was re-appointed but only for another year, so he better find his love for titles again for his big finish next year. Maybe the news release’s titles / headings will help sort this out?
To build a more resilient economy, Commissioner calls on government to make privacy law reform a priority
Last decade has shown benefits and real threats of technology. Respect for values and rights are the foundation for responsible innovation.
Jebus. “Respect for values and rights are the foundation for responsible innovation”??!1!!1?? I need a drink. [/pours drink] [/drinks drink]
Ok where were we. Let’s read this thing, taking these headings as they come.
Always my favourite part of the Report. By this point in his (first) mandate it is basically the Commissioner banging his head against the wall saying FIX THE THE F*ING PRIVACY LAWS ALREADY:
Over the course of my mandate, it has become increasingly clear that we need a stronger privacy framework to protect the rights of Canadians in an increasingly digital world
Go back and read my last Annual Report blog posts. Always the same thing, year after year. Well actually this time he’s like “maybe my bitching for 7 years worked!”
Following calls to action over the course of many years by my office, industry stakeholders and civil society, the government finally tabled Bill C-11 to overhaul Canada’s federal private sector privacy law
Yay! And then an election was called, and Bill C-11 died a quiet death. It’s ok though, the Commish never really liked C-11 anyway:
I was deeply concerned that Bill C-11, which died on the order paper when the election was called, would be a step backwards
It probably was! But don’t warry – as mentioned in my last post, the PMO’s letter to the Minister of Innovation, Science and Industry told him essentially to bring back C-11 in all its glory. Um, yay? The Commish writes “I am hopeful that the government will make some of the changes we have proposed” to future privacy legislation; we’ll see. What about all this “values” stuff of the (possible) title of the Report?
As a society we must project our values into the laws that regulate the digital space
OK, then. What are those values anyway? Unclear; the Commish does not specify.
The Commish then goes on to talk about how privacy has evolved over the last 7 years of his mandate. We’ve gone from Edward Snowden and “privacy is dead” because of national security in a post-9/11 world, to bad private actors (see Facebook / Cambridge Analytica) that the Commish has no powers to do anything about.
He then recaps developments in the 4 areas of interest the OPC identified back in 2015 – Economics of personal information, Government surveillance, Reputation and privacy, and the body as information. All still as relevant today as back then. Bottom line – the OPC has done some stuff in these areas, but (say it with me) the OPC has no powers to enforce anything. Or as the Commish puts it:
We have made some headway, but our ultimate objective of restoring Canadians’ trust in government and the digital economy remains elusive. Indeed, that goal will remain out of reach until the government enacts new federal laws that appropriately protect privacy rights in Canada.
He then summarizes 2020-21 as “the year of collaboration” because when you have no power you need to collaborate. Then it is on to the future. And you are not going to believe this, but the Commish wants new privacy laws!
He looks at the various privacy laws reform in development and already passed. He notes Bill C-11 sucked, and lays it all out in one handy chart:
You probably can’t read that (though you can click to embiggen) but you just have to look at the last column to see that C-11 falls short of privacy protections around the world, and even in Canada. Modern privacy law according to the Commish should, among other things: define permissible uses, have a rights-based framework, properly define corporate accountability, have similar principles for the public and private sectors, and have quick and effective remedies with an effective OPC role. The Commish says C-11 fails in ALL of these! The Commish is particularly upset that C-11 created a Data Protection Tribunal which added a layer of complexity in enforcement and takes power from the OPC. He’s not wrong.
We are not even close to finishing this message! The Commish has a lot to say this year. He says some stuff about Artificial Intelligence, and here’s your money quote:
The risks of AI systems in undermining human dignity, self-determination, and fairness further demonstrate why a rights-based approach to privacy law is needed
AI “undermining… self-determination” is straight of many of our best Sci-Fi works I am counting on commentor Steve to remind me of. He then says some stuff about political parties, and says they should be subject to privacy laws. He’s right again! He talks about potential Privacy Act (privacy and data protection as it relates to Federal government bodies) reform, and gives some praise to the government as they “did a considerably better job overall of addressing many similar concerns to those we raised in the context of Bill C-11.” There is some stuff about the Access to Information Act which I skipped.
Now it is on to the provinces. Yay, Quebec! Our Bill 64 is awesome according to the Commish. Also kudos to Ontario for moving forward with some privacy stuff.
In conclusion, we all live online and technology dominates our lives, and “only through respect for the rights and values we cherish will Canadians be able to safely enjoy the benefits of these technologies.” What are those rights and values? Still unclear. And we’re done. Well with this part.
Privacy by the numbers
W00t, numbers! PIPEDA complaints accepted were 309 for the year, up from 289 last year. 73% of those complaints were well-founded. Data breach reports continue to climb – 315 two years ago, 678 last year, and now 782. What a wonderful time to be alive. Finally, the most important numbers: the OPC has 18,616 Twitter followers and sent 443 Tweets.
The Privacy Act: A year in review
COVID, COVID, COVID! We had the tracing app, the vaccine passports, border issues, contact-tracing initiatives, etc. The OPC was right in the middle of all it! They recommended government bodies be careful with privacy on that stuff. It’s what they do! They also advised on some non-COVD things, like some law enforcement and national security stuff. Meh, whatever, that’s barely important.
The Report then dives into the details of all the investigations of Privacy Act complaints. The OPC sped things up and got through some of the backlog from last year. And then the Report dives into individual cases of Privacy Act violations. My goodness we are getting into the weeds here. The juiciest one is Clearview AI – “Our investigation found that the RCMP’s use of Clearview AI’s facial recognition technology to conduct hundreds of searches of a database compiled illegally by Clearview AI was a violation of the Privacy Act.” The RCMP had some other privacy issues too, but don’t worry they’ve promised to not do it again.
And it’s on to the the Privacy Act data breaches. There were many! And the OPC thinks the government is even hiding some – “we remain convinced that under-reporting by federal government organizations represents a systemic problem” and “we are concerned that several large institutions have been conspicuously absent from the breach reports we receive.” Don’t you feel good about our government now? Let’s move on.
The Personal Information Protection and Electronic Documents Act: A year in review
We are maybe halfway through this Report. Stop your whining, I have to read the whole fucking thing you guys are just reading my semi-witty remarks.
Data breaches! Ooh boy they are a problem, up 15% from last year. And the most hit hard was the financial sector. That can’t be good. 64% of all breaches were caused by unauthorized access (hackers), while 28% were caused by unauthorized disclosures (“oopsies”). Ransomware attacks are becoming a big problem. Becoming? Well, the OPC only started collecting data on those this year so they really aren’t sure. The OPC was involved in investigating some high-profile breaches – BMO and Desjardins in particular (there’s that financial sector!). BMO did a good job fixing their mistakes; Desjardins going much slower.
Complaints! People complained about their personal information being badly treated by companies. Once again, the OPC goes through a bunch of specific cases, which I am not.
Then there is a bit about Canada’s Anti-Spam Law (CASL). Huh? I mean I guess technically the OPC is one of the 3 federal agencies involved in enforcing CASL, but they never really talk about it, because they have more important things to do. And why is it in the PIPEDA section? It’s its own damn law! Anyway, they did some CASL stuff.
They also did some more flowery stuff, like advising businesses, offering guidance, and running a “Contributions Program”, where half a million dollars is available every year for privacy research projects of academic institutions and non-profits. I think I should get some of that money just for reading this Report.
Advice to Parliament
Because of COVID, the Commish did not do as much advising as he would have liked. He did show up to a parliamentary committee to talk COVID and privacy. He even showed up in Quebec’s National Assembly to talk Bill 64 and in BC to talk about the review of their Personal Information Protection Act. Is that even allowed?
International and domestic cooperation
The OPC did a lot of cooperating. We’re getting tired here.
Actually the list of international things the OPC did is quite impressive. I honestly did not know how much they did in that area. Kudos to you, OPC! I guess when you have no enforcement powers you have to keep busy somehow.
Before the courts
Talk about blogging synergy; there is a big section about the Google Reference which I just wrote about! So go read that. There are some other cases the OPC is involved in, but none are as sexy as the Google case. Though there is a Facebook case in the courts, nothing really exciting is happening there, there were just some motions. There were other cases the OPC was not involved in but “watched with interest”, like the constitutionality of CASL. Again with the CASL.
There are appendices – definitions and a shitload of tables. Let’s pick a random thing just so we can say we read it: the OPC investigated Environment and Climate Change Canada four times for Privacy Act violations (Table 10, Privacy Act section). And we’re done! Whew.
I really could not just leave the whole title thing unresolved. After some digging, I found the statement the Commish made to the press when the Report was released. It includes this line:
When it comes to federal privacy laws, our societal values and fundamental rights, centuries in the making, are not adequately protected. That must change – hence the title of this report: Projecting our values into laws: Laying the foundation for responsible innovation.
So it’s both and it’s still stupid, and I still don’t know what it means or what the values are. But at least we’ve solved that mystery. Mazel tov to you, dear reader, for making it to the end of this post. Happy holidays!! Drinks on me.