The Trudeau government’s proposed overhaul of the current private sector privacy law has to make it clear to businesses that privacy is a fundamental right they have to respect, a Parliamentary committee was told Tuesday.
That was the essence of the testimony of former Canadian federal privacy commissioner Daniel Therrien.
He told the Industry Committee that the government’s promise to include privacy as a “fundamental right” — not just a ‘right’ in the current wording — in the explanatory Purposes section of the proposed Consumer Protection and Privacy Act (CPPA) is not enough. Other sections also have to make it clear privacy is a fundamental right of Canadians, he said.
Those two sections are:
— section (S.12) dealing with the ‘Appropriate Purposes’ a business can collect, use, or disclose personal information lists factors firms have to consider. One of them should be an individual’s fundamental right to privacy, Therrien said;
— and a section dealing with the privacy commissioner’s powers to recommend fines for a firm that violates the CPPA (S.94). This section lists factors the commissioner has to take into account. One factor, said Therrien, should be an individual’s fundamental right to privacy.
“It seems to me from reading parliamentary debates that there’s a consensus around the idea that privacy and economic growth through innovation are not a zero-sum game,” Therrien said. “The question generally is not to decide which should prevail. Both privacy and innovation can be pursued at the same time. It’s only in rare circumstances this will not be possible, and in those cases privacy as a fundamental right should take precedence.”
Unless the fundamental right to privacy is added to S.12 — along with the addition to the Purposes section — the section would give more weight to commercial interests, he said.
Therrien agreed with current privacy commissioner, Philippe Dufresne, that the CPPA is an improvement on the previous version of the bill, but, both said, it still needs improving.
All this may seem like dancing on the head of a pin. However, Canadian businesses subject to federal law have been waiting for over a year for action on the proposed bill. It will mean major changes from the current Personal Information Protection and Electronic Documents Act (PIPEDA) that firms have been familiar with for years.
One of the biggest changes is the proposal that the privacy commissioner can recommend multi-million dollar fines for violating the CPPA to a new data privacy tribunal.
Therrien — and Dufresne — warn that the tribunal will merely delay a business having to face the consequences of violating the CPPA. They say the privacy commissioner should be able to issue fines just as their counterparts do in Europe and Britain, with certain administrative protections.
Businesses, however, don’t want to see a privacy commissioner as judge and jury.
Therrien also repeated his call for federal political parties to be brought under the CPPA. Right now they can collect and process the personal information of voters without regulation.
Interestingly, committee chair Joel Lightbound — a Liberal — asked witnesses what minimal data privacy rules could be included in CPPA that federal political parties would have to follow.
There would be regulations obliging parties to disclose how they use and protect personal data they collect, said Therrien — and penalties for violating the rules to back that up.
Without having to obey privacy law, he suggested, there could be a Canadian version of the Cambridge Analytica scandal, where a private company used the ruse of a survey to scoop up personal data of unwitting tens of millions of Facebook users — including Canadians — that were used in targeted political ads.