Canada’s private sector privacy law was first introduced 20 years ago, coinciding with the founding of Google and predating Facebook, the iPhone, and the myriad of smart devices that millions of Canadians now have in their homes. Two decades is a long time in the world of technology and privacy and it shows. There has been modest tinkering with the Canadian rules over the years, but my Globe and Mail opinion piece notes the law is struggling to remain relevant in a digital age when our personal information becomes increasingly valuable and our consent models are little more than a legal fiction.
The House of Commons Standing Committee on Access to Information, Ethics and Privacy last week released the results of a comprehensive study into Canadian privacy law. The report, which features 19 recommendations, provides Innovation, Science and Economic Development Minister Navdeep Bains with a road map for future reforms (I appeared before the committee as one of 68 witnesses from across the policy spectrum).
The report touches on everything from special privacy safeguards for minors to enhanced enforcement powers for the Office of the Privacy Commissioner of Canada, but at its heart are three key findings: the law is no longer fit for purpose, the standard of consent is not good enough, and Canada is at risk of restrictions on data transfers with the European Union if the government does not act.
The failure of the current law to keep pace with the changing technological environment will come as little surprise to anyone with even a passing familiarity with the legislative framework. For example, Daniel Therrien, the federal privacy commissioner, recently proposed trying to shoehorn in the right to be forgotten (described as a right to de-index online search results) within the existing law, yet the law is ill-suited to do so. The committee report is truer to the current situation, acknowledging that addressing the complicated challenges associated with harmful yet legal content online requires a legal tool set that does not exist under current Canadian law.
The law features a mandatory review every five years, but that process has yielded few tangible results. Modest reforms from hearings that date back to 2006 have still not been fully implemented. In fact, when scarcely a week goes by without a major data breach affecting thousands of people, it is shocking that Canadian privacy law still does not have mandatory security breach disclosure rules in operation.
Data breach disclosure requirements were included in the Digital Privacy Act that was passed in 2015, but the accompanying regulations have still not been finalized. The failure to expedite security breach disclosure rules is an embarrassing failure for successive Conservative and Liberal governments, placing the personal information of millions of Canadians at risk and effectively giving a free-pass to companies that do not adequately safeguard their customers’ information.
In addition to the Digital Privacy Act delays, piecemeal protections for identity theft and anti-spam rules are now in effect, but those laws point to the emerging battle at the heart of privacy law: the appropriate standard of consent.
Consent provides the foundation for Canadian privacy law, which is premised on users’ agreeing to the collection, use and disclosure of their personal information. However, as anyone who has viewed eerily targeted advertising or received unexpected marketing calls knows, companies have adopted exceptionally aggressive interpretations of the standards of consent, implying agreement to use personal information with little regard for the real intention, expectation or knowledge of individual Canadians.
The committee recommends significant reforms to the standard of consent, but the long-standing battle over Canada’s anti-spam laws provides an advance preview of the challenge of implementing rules premised on genuine consent after years of weaker opt-out models. The fight over the anti-spam law is often portrayed as a dispute over onerous regulations, yet the reality has long been far simpler: it is a fight over implementing higher standards of opt-in consent.
If Canada does not get its privacy house in order, the committee notes there may be a political and economic price to be paid. As Canadian law stagnates, European privacy rules have steadily advanced, with a major overhaul set to take effect in a few months. Canadian law received an “adequacy” finding from European officials many years ago, but that may be in jeopardy as the differences between the two systems widens. The committee recommends identifying what is needed to maintain the adequacy status, whose loss could lead to restrictions on data transfers between Canada and the European Union. Without an adequacy finding, businesses on both sides of the Atlantic would face severe limits on the transfer of personal information between Canada and Europe, causing significant barriers for sectors such as financial services, retail and marketing.
Canada was once regarded as having adopted a progressive, flexible privacy law that balanced the needs of consumers and businesses. After nearly two decades of neglect, the law is badly in need of updating and awaiting a political champion who recognizes that good privacy is also good politics.