Canada's privacy watchdog seeks stronger enforcement powers

Share

Canada's privacy watchdog is transforming the way it has pursued protective measures for more than 15 years, planning to more actively go after companies and other organizations for privacy concerns. And it has renewed calls for an update to the country's privacy laws, saying the current system of enforcement "has no teeth."

Since the enforcement of the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2001, the Office of the Privacy Commissioner of Canada has acted as an ombudsman, opening investigations into privacy concerns primarily when it received complaints from Canadians – although it does occasionally launch investigations on its own.

In his annual report to Parliament on Thursday, Commissioner Daniel Therrien said that the OPC would expand its approach, pursuing "a pro-active enforcement and compliance model … because the OPC may be better placed than individuals to identify privacy problems related to complex new technologies." The office will still look into complaints from individuals, in addition to the new approach. It will ask government for a "modest" increase in its budget to fund that expanded enforcement.

For subscribers: The Equifax hack is Canada's problem, too. So where's the outrage?

Mr. Therrien also repeated a call for changes to federal law that would give his office the ability to issue binding orders and hand down fines where necessary, saying that the current system is insufficient to ensure compliance. The OPC has been asking for such legislative reform for years.

"The model of laws where you have regulators with order-making authority, and the authority to impose fines, is being adopted more and more across the world," Mr. Therrien said in an interview Thursday.

The report comes as some industry observers have raised concerns that Canada is not keeping up with global peers. Next May, the European Union will enact broad changes to how it pursues privacy protection when the new General Data Protection Regulation (GDPR) comes into force.

Some have suggested that if Canada's laws are not updated, it could lose "adequacy status" with the EU – which allows for the free flow of data with other jurisdictions it feels have adequate privacy protections in place, and which is crucial for cross-border trade – the next time that status is reviewed in the coming years. Mr. Therrien also raised that concern on Thursday.

Government needs to demand that organizations show they are protecting people's privacy, Mr. Therrien said.

"Companies don't have a legally-imposed obligation to demonstrate that they're accountable," he said. "… We would do audits, essentially, of the measures taken by companies to demonstrate that they are truly compliant."

The commissioner's report also noted that the current state of play in the digital sphere – where consumers are asked to agree to arcane privacy policies swamped in legalese that most don't read – is "broken." The OPC is pushing for more understandable privacy agreements: Companies should tell people what personal information about them is being collected, how and why it is shared, and what risk there is to them as a result. Children also need to be better informed, the report stated, recommending that privacy education be introduced into school curricula.

But it also noted that it is not always possible for people to give meaningful consent, particularly in cases of large-scale data analysts where information is "commodified and may be processed by multiple players totally unbeknownst to the individual to whom the data belongs." Such broad uses of people's data are also an argument for a more aggressive enforcement approach by the OPC, the report added, since people cannot lodge complaints about privacy concerns if they aren't aware of them.

"Individual consumers will notice some problems but they are unaware of the vast majority of concerns with privacy because of the complexity of the beast," Mr. Therrien said.

Since earlier this year, the House of Commons' standing committee on access to information, privacy and ethics has been holding meetings to review PIPEDA and will make recommendations on potential changes.

"Governments understand that for the digital economy to flourish, consumers need to have confidence that their data will be protected adequately," Mr. Therrien said. "There is a direct link between consumer trust and growth in the digital economy."