Canada’s privacy law ‘ill-suited’ to 21st century, watchdog warns Trudeau

Canada's privacy watchdog tells Justin Trudeau that federal privacy law is badly out of date, hasn't kept up with technology.

Thestar.com
June 24, 2016
By Alex Boutilier

Canada’s privacy watchdog has warned Prime Minister Justin Trudeau that federal privacy protections are “ill-suited” for the 21st century.

In a letter obtained by the Star, Privacy Commissioner Daniel Therrien told Trudeau the rules around government’s handling of private information has not kept up with technological advances or society’s expectations.

The Privacy Act, which governs how the federal government uses Canadians’ personal information, has not been substantially changed since it was introduced in 1983.

When the law was introduced, most government business was conducted on paper. Now, government departments and agencies increasingly hold vast sums of information electronically - bringing a new set of issues, challenges, and vulnerabilities.

“One of the biggest changes in the privacy realm is technology, Canadians’ relationship to it, and the desires by government and industry to harness its power for various purposes,” Therrien wrote in a Nov. 10 letter, obtained under access to information law.

“In this complex, new environment, modernization of our privacy framework and the pressing need for greater transparency around how technology is used is critical to maintaining citizens’ trust in government and the digital economy.”

The Star requested an interview with Therrien but he was unavailable.

This isn’t the first time the issue has been raised with Parliamentarians. In a March 22 letter to the House of Commons committee on privacy issues, Therrien provided 16 recommendations to modernize the Privacy Act - and warned that the legislation is becoming increasingly irrelevant.

“Without renewal, the protections of the Act are proving to be increasingly out of touch with Canadians and their engagement with the digital world,” Therrien wrote.

“Government operates in a radically transformed environment when compared with 1983. Canadians have come to expect more openness and transparency about how their personal information will be used by government, with whom it will be shared, and how it will be protected.”

As part of their campaign platform last year, the Liberals pledged to update the Access to Information Act - also introduced in 1983 - and to mandate a five-year review of the legislation so it doesn’t become so badly out of date again.

Therrien is arguing for many of the same powers the Liberals are granting Information Commissioner Suzanne Legault: the power to compel departments to comply with recommendations; a mandatory five-year review of the Privacy Act, and extending the mandate to apply to all government institutions, including ministers’ offices and the Prime Minister’s Office.

While the sorry state of access to information law has been widely reported, however, the problems with the Privacy Act have flown largely under the radar.

A spokesperson for the Prime Minister’s Office said that they value the feedback from the commissioner and hope to build on it over the course of their four-year mandate.

“The issue remains a priority for the government because we take the privacy of Canadians very seriously, and are committed to working with the commissioner on an active and ongoing basis,” Cameron Ahmed wrote in an email.

“The minister of justice is currently reviewing the commissioner’s recommendations and proposals.”

Michael Geist, a University of Ottawa law professor specializing in Internet and privacy issues, said privacy commissioners have appealed to successive federal governments to update the law but those appeals have failed to force action.

“Each (commissioner) has called for reforms and each has failed to get the government to act,” Geist wrote in an email to the Star.

“The federal government demands far more of the private sector on privacy than it does of itself. The law is terribly outdated and has long been in need of updating to reflect current privacy law standards.”

Privacy Commissioner Daniel Therrien has made 16 recommendations to update the Privacy Act. They include:

Privacy Breach Reporting

Therrien has suggested that when government departments and agencies have serious privacy breaches, they should be required to be reported to his office. Currently, government-wide regulations require departments to consider reporting any “material” breach - breaches involving a large number of people, or where damages to an individual are foreseeable - to the privacy watchdog, although reporting has been spotty over the last number of years.

Power to Compel

Currently the privacy commissioner has no order-making power - he can recommend a department take action, but cannot compel them to do so. In recommendations to a House of Commons committee, Therrien notes that most departments agree with his recommendations, there are some who take lengthy delays to take action.

Public Education

The commissioner’s office has no explicit authority to educate Canadians about risks to their privacy, although they do make some efforts to do so. Therrien says the OPC should be explicitly allowed to educate government departments and agencies about their responsibilities to protect Canadians’ personal information.

Five-Year Review

The Privacy Act has not been substantially updated since 1983. Therrien’s office believes a mandatory five-year review would ensure the Privacy Act does not become so badly out-of-date in the future.