Fwd: Update on Privacy From Canada

In unveiling its Speech From the Throne (SFT) last October, the Government spelled out its priorities and governing agenda leading up to the next federal election, scheduled for fall 2015.  At the time, I identified a few areas in the policy document that could have implications for privacy, and since then there have been significant developments for many of them.  Below, I provide an update on the state of privacy in Canada, including the nomination of Daniel Therrien as the new Privacy Commissioner of Canada.

Cyberbullying

At it committed to do in the SFT, on November 20, 2013, the Government introduced in Parliament Bill C-13, The Protecting Canadians from Online Crime Act.  Prior to its introduction, I had written in the Globe and Mail about some of the key considerations for such a bill with my colleague Shaheen Shariff of McGill University.  The Bill, still before Parliament, is designed to update Canadian criminal law to address the issue of cyberbullying, among other things creating a new criminal offence for the non-consensual distribution of intimate images.

Bill C-13 also includes various provisions concerning lawful access that had proven contentious when the Government previously introduced them in 2012 in the form of Bill C-30, and they did not become law.  These additional provisions allow for various means of communication access and interception by law enforcement agencies, but jettisons the most controversial amendments of C-30 related to warrantless access to basic subscriber information.

At the time of writing, Bill C-13 is set for passage through the House of Commons, despite calls by some – including the parent of one prominent cyberbullying victim – to sever the legislation into two parts, allowing the cyberbullying portions to be passed while holding back the lawful access components for further study.  Should it be approved by the House of Commons by majority vote this spring, the Bill will then be referred to the Senate for further consideration.

Government Surveillance and Lawful Access

While the debate on the appropriate balance between public security and privacy remains much more acute in the US, the issue has spilled into the public realm in Canada.  In addition to the ongoing debate around Bill C-13, in January 2014, the Office of the Privacy Commissioner (OPC) tabled a special report to Parliament that assessed the current oversight mechanisms for government surveillance and made ten recommendations on how to strengthen transparency and accountability in the system.

Subsequently, in April 2014, it was revealed through an access to information request that telecommunications companies operating in Canada responded to almost 1.2 million requests by law enforcement agencies in 2011 for basic subscriber information, without the consent or notification of these subscribers.  The voluntary sharing of this information is allowed for under Canada’s private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). 

The resulting concern over these voluntary disclosures and the broader use of signals intelligence has led to significant public debate, with the Globe and Mail, Canada’s national newspaper, calling for a Royal Commission on the matter of lawful access and privacy.  As new technologies and business models have the potential to permanently reshape the balance between public safety and privacy, the general matter of privacy in the digital age is turning out to be one of the defining public policy challenges of our time.  A non-partisan, independent and expert group struck to study and make recommendations on this issue might indeed be a wise course of action.

Digital Privacy Act

One important development that was not identified in the Speech From the Throne was the Government’s introduction earlier this spring of Bill S-4, the Digital Privacy Act, a signature element in its new digital economy strategy.  The legislation is the latest attempt at PIPEDA reform, which dates back to 2006. 

Unlike past iterations of legislative change, amendments contained in S-4 are in many cases new and significant.  As contemplated under the Bill, private sector companies that experience a data breach that “creates a real risk of significant harm” must notify individuals and report such breaches to the Privacy Commissioner. 

S-4 also clarifies the definition of consent for the collection, use or disclosure of personal information to ensure that such consent is only valid “if it is resasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure….”  This clarification should help address the challenges of obtaining meaningful consent from younger individuals and the elderly.

Finally, S-4 would introduce a new innovation in the form of compliance agreements between the Privacy Commissioner and private-sector companies.  Such agreements would allow the Commissioner to work with companies to address deficient privacy practices without resorting to lengthy and costly legal action, and to seek compliance from the courts to enforce the agreements if necessary.

While these are certainly all positive developments for federal privacy law in Canada, some had hoped for more and bolder reforms, including monetary penalties for privacy breaches and order-making powers for the Commissioner without need to refer to the courts.  Michael Geist, an expert on digital issues at the University of Ottawa, has raised concerns that provisions in S-4 may further expand the voluntary sharing of personal information with more governmental agencies. 

Two other points are worth noting here.  The mandatory breach notification obligation as contemplated under S-4 does not extend to the public sector.  Under the Treasury Board Secretariat’s current Guidelines for Privacy Breaches, governmental departments “should consider notifying individuals whose personal information has been wrongfully disclosed, stolen or lost”, but this is not required.  Given the fact that governmental agencies are amassing significant amounts of personal information, it would seem incongruous that mandatory breach notification should exist for the private sector but not for the public sector. 

The second point has to do with the resourcing that will likely be required for the Office of the Privacy Commissioner to effectively take on its new responsibilities.  If as expected the OPC receives significantly more notifications under a new mandatory breach notification requirement than it has in the past, it will likely need to develop new protocols and processes to deal specifically with this new function within the office. This will put pressure on existing resource levels and staff.

Nomination of a New Privacy Commissioner

On May 28, the Prime Minister nominated Daniel Therrien as the new Privacy Commissioner of Canada.  A career civil servant, Mr. Therrien is currently Assistant Deputy Attorney General for Public Safety, Defence and Immigration at the Department of Justice, and was the co-lead on negotiations with the US for the privacy principles governing the exchange of information between Canada and the US under the Beyond the Border Action Plan.  As the position enjoys the status of an independent Agent of Parliament, the nomination is subject to a vote in the House of Commons and in the Senate.

Reaction to the nomination has been strong, garnering significant mainstream media attention.  While the governing party and the Leader of the Liberal Party, the second opposition party in Parliament, supports the nomination, some Canadian privacy advocates have written to the Prime Minister expressing their concern over the appointment, as has the Leader of the Opposition.  With a majority of Members of Parliament and Senators supportive of the nomination, the appointment is expected to be approved.

The first new Privacy Commissioner in ten years, coming at a time of significant change in the world of privacy, is an exciting prospect.  As Mr. Therrien settles into his new position, he will surely have many issues to grapple with.  Some of the key, strategic questions he could consider are:

-  What is the appropriate balance between public safety/national security and privacy in the digital age?

-  What is the appropriate balance between innovation/economic growth and privacy in the digital age?

-  How should the capable staff of the Office of the Privacy Commissioner be best aligned to safeguard the privacy of Canadians in a time of such unprecedented technological change?

Privacy watchers will no doubt be keenly watching to see how these and other questions are addressed in the coming months.

Kevin Chan, a Non-Resident Fellow at Stanford’s Center for Internet and Society, was previously Director of Policy, Parliamentary Affairs and Research in the Office of the Privacy Commissioner of Canada (OPC).  His thoughts and writings are his own, and do not represent the views of the OPC.  He can be reached at [hidden email]