Privacy Commissioner Daniel Therrien holds a news conference at the National Press Theatre in Ottawa on Thursday, Sept. 21, 2017, to discuss his annual report.Sean Kilpatrick/The Canadian Press
In their distinctive ways, countries are finally turning their attention to privacy in cyberspace.
The United States is going with punishment by public shaming. In the face of grilling by members of Congress this week, Facebook founder Mark Zuckerberg acknowledged that some regulation of the internet economy is “inevitable.”
Europeans are embracing tougher regulation. A sweeping new privacy regime set to take effect next month will force tech giants such as Google and Facebook to get peoples’ explicit consent before using their information, compels the speedy disclosure of data breaches and imposes steep fines for violations.
And then there is the Canadian response – plodding, understated and, so far, completely inadequate. Federal Privacy Commissioner Daniel Therrien quietly launched an investigation this month into the fallout from the Facebook scandal in Canada, which affected more than 600,000 users out of nearly 90 million worldwide.
Unfortunately, there isn’t a lot Mr. Therrien can do. He can’t issue legally-binding orders or impose fines – powers that even many of his provincial counterparts have. More of an ombudsman than a regulator, his main tool is an obsolete law that was created before Facebook was even born.
For years, he and his predecessors have been begging the government to strengthen the law that governs privacy in the business world – the Personal Information Protection and Electronic Documents Act. He says his office needs real enforcement powers and broader reach to deal with emerging threats to privacy in cyberspace.
“It is a flaw and [Mr. Therrien] has been making every effort to get that remedied,” said Ann Cavoukian, Ontario’s former privacy commissioner and now expert-in-residence on privacy and data analytics at Ryerson University.
In February, the House of Commons standing committee on Access to Information, Privacy and Ethics issued a report calling for sweeping reforms to the legislation.
Even the Bank of Canada appears to be nudging Ottawa to act. In a February speech, senior deputy governor Carolyn Wilkins talked about the need to overhaul privacy and antitrust laws to deal with threats to user data in cyberspace, even musing about regulating Facebook and other tech platforms as utilities.
So far, the Trudeau government has been non-committal.
“It’s fairly obvious there is heightened political attention to privacy, but I don’t get the sense there is political urgency or a champion in Canada,” said Michael Geist, a law professor at the University of Ottawa and expert on internet and e-commerce law.
Ottawa would likely face significant push-back from the private sector if it tried to replicate Europe’s much stricter privacy protections - which include the right to have personal data removed from search engines, social media sites and other online platforms – Mr. Geist pointed out.
Ottawa is still playing catch-up on past promises. Next week, the government will unveil long-delayed regulations requiring companies to notify customers of data breaches or face significant fines. But the rules won’t take effect until Nov. 1.
The government will respond “very soon” to both Mr. Therrien’s concerns and the Commons committee report, said Karl Sasseville, spokesman for Innovation, Science and Economic Development Minister Navdeep Bains. But it’s not clear how far, or fast, Ottawa is prepared to go on legislation.
“All the options are on the table,” Mr. Sasseville insisted. “We’ll be coming forward with an approach that will take all these issues into account.”
There is some urgency. The wide scope of Europe’s new General Data Protection Regulation could leave Canada out of step, creating legal problems for companies that do business in Europe. Businesses could find their websites or data transfers blocked if Canadian rules fall short of the new European standard.
“We have to take action, at least to achieve adequacy with the EU regulations,” Ms. Cavoukian argued. “I can’t imagine why they wouldn’t after the Facebook incident.”
Facebook’s glaring failure to prevent the profiles of nearly 90 million users from ending up in the hands of murky political consultants should be a wake-up call.
But with Ottawa’s track record of moving slowly and cautiously on privacy issues, experts worry it could take years for the privacy commissioner to get the powers he needs.
That’s hardly reassuring to the millions of Canadians who have so much of their lives and personal data floating around in cyberspace.