Sensing that Canadians lack confidence in the private sector and government on safeguarding and using their personal data, the federal privacy commissioner says he’s temporarily no longer going to wait until people file complaints about alleged privacy issues before acting.
Instead, Daniel Therrien will be more proactive, including launching investigations into questionable privacy practices or “chronic problems” on his own when necessary.
And, he warned, “when we will launch Commissioner-initiated complaints, we will also, when appropriate, ask organizations to demonstrate accountability” of their privacy management practices.
In a complaints-driven investigation privacy accountability is one of the matters the commission office is entitled to look into under the law. That will apply in a commission-ordered investigation.
“Don’t wait until we come to your door” acting on a complaint, Therrien said in an interview. “Accountability should include the concept that if we do come to the door, even though you have not violated the law necessarily, you should be able to demonstrate that you have programs to protect privacy.”
It’s what Therrien called the commission’s new policy of “proactive compliance.”
“Something has to change or we run the risk Canadians will lose trust in the digital community, thus hindering its growth,” he said Wednesday at the opening of the annual International Association of Privacy Professionals’ Canadian conference in Toronto.
That lack of trust, he added, may impact the spread of innovation.
“More fundamentally … it is quite unhealthy in a democracy when most citizens fear one of their most basic rights is routinely not respected.”
His office will draw on complaints and trends to determine if there are issues or sectors that would benefit from a special investigation. In an interview he said investigations would be on “issues of broad concern.”
This “proactive enforcement” will will last at least until September, when Therrien files his annual report to Parliament, where he may call for changes to federal legislation to update his office’s mandate.
“I don’t want to worry organizations in this group [at the conference],” he added. “To the contrary I believe this approach will shift the focus to addressing those privacy threats posing the greatest risk to Canadians. It will also assist compliance-minded organizations to avoid restrict misststeps that are costly to their businesses and their consumers.”
As part of being proactive, to help the private sector Therrien is considering offering to audit companies – perhaps for a fee – to see if they comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
A survey done by his office shows 92 per cent of Canadian respondents are concerned about protection of privacy, he said, and nearly half said they felt they’ve lost control over how organizations collect and use their personal data.
“So what I propose is a slight course correction, a tilting of the scales – it’s not a revolution.”
“While we will continue to investigate complaints we will look for ways to be more proactive. We will take key privacy principles to the next level and champion demonstrable accountability and our work will be more citizen focused.”
In addition “we will pay close attention to what’s happening on the international front” to make sure the privacy rights of Canadians are their data is respected when they travel.
“My hope is this will all lead to improved outcomes for privacy protection of Canadians.”
Therrien oversees enforcement (PIPEDA), which covers private sector companies that come under federal jurisdictional, and the Privacy Act, which covers the federal government.
In an interview Therrien said there wasn’t a particular incident that led to his decision. Instead, it was the realization that “we’re looking at extremely small portion of the pie” of privacy issues by dealing with complaints. In addition, he added, he likes the ability of privacy commissioners in the U.K. and Ireland to offer to do voluntary privacy audits for businesses.
“We need to look at a broader set of facts and business models if privacy is to be protected.”
In their investigation of complaints, annual reports to Parliament and speeches federal privacy commissioners have been outspoken.
In addition the office launches research. For example, new research was announced this week into privacy issues surrounding connected cars, smart toys and the country’s data brokerage industry. There is also a report in the works are on how whether individuals properly consent to the use of personal data (due in September). He’s also called for legislative change that would require written information-sharing agreements between federal institutions or with other levels of government, foreign states and organizations to protect personal data. And he also wants an explicit requirement that federal institutions only collect information necessary for the operation of a government program or activity.
Therrien has also told Parliament his office needs in addition to his powers as ombudsman the ability to make recommendations, make orders and issue fines “to make sure so-called bad actors are brought into line.”
Don’t expect a flurry of privacy commission investigation. Therrien said he does have resource limitations and investigating of complaints usually has priority.