With Ottawa committing this week to update the nation’s public and private sector privacy legislation, federal privacy commissioner Daniel Therrien made a pitch for how to do it: Make privacy a right.
“Privacy is more than a set of technical or procedural rules, settings, controls and safeguards,” he told a privacy conference on Thursday, but “a fundamental right and precondition for the exercise of other fundamental rights, including freedom, equality and … democracy.”
The Personal Information Protection and Electronic Documents Act (PIPEDA, which covers the private sector) “should be a real statue, confirming rights and imposing obligations. It should not be drafted as an industry code of practice” Therrien told the annual International Association of Privacy Professionals’ Canadian symposium in Toronto.
“The starting point for review in my view should be to give the law a rights-based foundation. It should continue to be technologically neutral and principles-based … but we also need a rights-based statute, a law that confers enforceable rights to individuals while also allowing for responsible innovation.”
He didn’t suggest a constitutional ammendment. In response to a question after the speech his office said the law would confer enforceable rights to individuals.
The law should also define privacy broadly, he added. It shouldn’t be limited to ensuring an individual gives consent for their information to be used by a third party, access to data and corporate transparency. “These are important mechanisms. but they do not define the right itself, a quasi-constitutional right.”
He noted in 2001 Senator Sheila Finestone introduced a privacy rights charter in Parliament that defined privacy as including physical privacy, freedom from surveillance, freedom from monitoring interception of private communications, freedom from collection and disclosure of personal information, and forbidding a person for unjustifiably infringing on intruding on another’s right to privacy. Therrien said he wasn’t suggesting this definition would do, but that this kind of broad definition of privacy should be discussed. Several court decisions have outlined the scope of privacy rights in Canada, he also noted.
A broad definition, he added, “would ensure it reflects Canadian values”
Therrien would also like the Office of the Privacy Commissioner (OPC) to be given the power to issue binding — not just suggested — guidance on interpreting privacy rights, as well as issue orders and fines for non-compliance with the new privacy law.
“Events of the past year have highlighted like never before the urgent need to modernize the way privacy rights are protected in this country,” Therrien said. “Our Facebook investigation starkly illustrated that we have reached a critical tipping point on which privacy rights and democratic values are at stake. Our examination of how the Cambridge Analytica scandal happened uncovered their (Facebook’s) privacy framework was an empty shell. That is a shocking thing to have to say about a global giant that has amassed so much intimate detail about so many people.”
This was a reference to the international uproar over the discovery that U.K. based consulting firm Cambridge Analytica was able to use personal data from millions of Facebook users in election advertising campaigns.
In a report issued in April, Therrien said Facebook committed serious violations of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians. However, Facebook refused to allow an audit of its privacy policies and practices over the next five years. Therrien is now seeking a compliance order from the Federal Court.
In addition, his investigation into the huge 2017 Equifax showed “very troubling shortcomings in a company that also holds vast amounts of highly sensitive personal information and plays a pivotal role in the financial sector.” Problems included “poor safety safeguards, [data] retention issues, inadequate consent procedures and, like Facebook, a fundamental lack of accountability.”
That’s why Therrien said he also wants the OPC to have the confirmed power to pro-actively inspect the privacy practices of organizations.
(This story has been updated from the original to clarify the Commissioner is seeking rights-based privacy legislation and not a constitutional ammendment).