The Canadian government often talks about the importance of privacy, but actions speaks louder than words. Not only has privacy reform clearly not been a priority, but the government seems more than willing to use the weak privacy rules to further other policy goals. There is an obvious price for the government’s indifference to privacy safeguards and it is paid by millions of Canadians when major privacy incidents (think Tim Horton’s or Home Depot) result in no substantive changes and no urgency for reform from the government. Indeed, as I noted yesterday on Twitter, the government has managed to rush through user content regulation in Bill C-11 and mandated payments for links in Bill C-18, but somehow privacy reform in Bill C-27 has barely moved. Some of the responsibility must surely lie with Innovation, Science and Industry Minister François-Philippe Champagne, who brings high energy to everything but privacy reform, but the decision reflects on the entire government.
The latest example occurred yesterday with the decision to ban TikTok from government devices. The official rationale came from Mona Fortier, President of the Treasury Board:
My statement announcing a ban on the use of TikTok on Government of Canada mobile devices. pic.twitter.com/X8Zfuyz5p4
— Mona Fortier 🇨🇦 (@MonaFortier) February 27, 2023
The key line – picked up by TikTok itself – is that the app is being blocked because of “concerns about the legal regime that governs the information collected from mobile devices.” That legal regime – PIPEDA – is the same regime that all Canadians rely upon to protect their privacy. It is also widely recognized to be outdated, which is why privacy reform is so badly needed. While I have my doubts about the rationale (it seems far more likely that the U.S. did it and so we followed), it is astonishing to hear a minister say that the government’s concerns with its own law is so great that it is blocking thousands of employees from installing a widely used app on their devices. If the problem lies with the law, isn’t up to the government to fix it?
Yet the lack of urgency with privacy reform extends beyond creating a two-tier security environment where government employees are subject to one standard and everyone else relies on a law the government admits is a cause for concern. Consider Bill C-18, which will be hotly debated at the Canadian Heritage committee today as MPs race to bring Google before the committee to explain why it is testing removing links to Canadian news content rather than preparing to pay hundreds of millions of dollars for those links with expectations that it fund 35% of the news expenditures of every news outlet in the country.
In the immediate aftermath of the Google report, the Canadian Association of Broadcasters sought to justify Bill C-18 on the grounds that it was about broadcasters getting their fair share of revenue from the sale of user data. That is clearly not something found in the legislation, but it suggests that broadcasters and the government are more comfortable profiting from weak privacy laws rather than addressing the core problem of the inadequate laws themselves.
In fact, Canadian Heritage Minister Pablo Rodriguez has effectively linked his digital cultural policy to the ongoing commercial success of the Internet platforms, viewing the companies as the source of funding for film and television production, music, and news. The irony that the government prioritizes “getting money from web giants” over safeguarding Canadians from potential misuse of their information by those companies should not be lost anyone. The incentive structure for Heritage is to keep the data taps flowing: more data to tech companies means more revenues which means more money for the cultural sector. Rather than seeking to regulate privacy and data governance, Rodriguez wants to profit from it by funding his policy objectives. And with an indifferent ISEd Minister and other cabinet colleagues openly admitting the law is a cause for concern but unwilling to do anything about it, Canadians may have the answer to why the government seems to embrace weak privacy rules.
It is amazing how little comes from huge security breaches. Don’t forget LifeLabs where it involved our personal health data.
If one of the big tech companies had had a similar breach it would have been the tech story of the year and it would have destroyed their brand, but for other companies the result is little more than a yawn. No wonder it keeps happening.
Is this because they are Canadian or is that small and medium sized companies in most countries can get away with so much in the areas of privacy and security?
Interesting read. over-reliance on policies. The government should just fix the law
My gut feeling on the issue is that it just isn’t “sexy” enough, in that it isn’t likely to generate the kind of good will toward the governing party that other bills like C-11 and C-18 will (and note that in the case of those bills the good will will be coming from the very organizations that are supposed to be informing the Canadian public about what is happening in government). Note as well that privacy legislation update will require a fair amount of work on the part of the government, whereas the others that are getting attention don’t really require a lot of attention from the government to implement. I don’t consider this to be an issue specifically with the current government; most governments seem to do this to some extent.
Pingback: TikTok Bans Are Ineffectual Without Real Privacy Oversight — Pixel Envy