Canadian Privacy Commissioner, Daniel Therrien, has today released a letter written to Navdeep Singh Bains, the Minister of Innovation, Science and Economic Development, calling for a new Canadian privacy law. Such a new law must, he said, include the following aspects:
- Continue to be technology neutral and principles-based, because these features enable the law to endure over time and create a level playing field, but it should mostly be drafted as a rights-based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.
- Maintain an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence. The concept of ‘legitimate interest’ in the GDPR may provide one such alternate approach.
- Empower a public authority to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice. Principles-based legislation has important virtues, but it does not bring an adequate level of certainty to individuals and organizations. Binding guidance or rules would ensure a more practical understanding of what the law requires. They could also be amended more easily than legislation as technology evolves.
- Confer on the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to independently verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.
- Give the OPC the ability to choose which complaints to investigate, in order to focus limited resources on issues that pose the highest risk or may have the greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, give individuals a private right of action for PIPEDA violations.
- Allow different regulators to share information. Meaningful protection of consumers and citizens in the fast-paced digital and data-driven economy understandably must involve several regulators, and they must be able to better coordinate their work.
- Finally, it is absolutely imperative for privacy laws to be applied to Canadian political parties.
The letter is here, along with a news release.
I agree wholeheartedly with the last bullet point, but I think we should hold off before revamping our privacy law. In my view, it works and it works well. The only impetus for change would be the adequacy determination from Europe, which is not scheduled until 2020. At that point, we'll have an understanding of what's necessary to maintain this important status. In the meantime, the OPC hasn't made a strong case for order-making powers. We would have two choices: either create a Privacy Tribunal like the Canadian Human Rights Tribunal (which is often pointed to as a poster-child of inefficiency) or turn the Office of the Privacy Commissioner into something like the CRTC's CASL enforcement group (which has problems of overreach and a clear propensity towards zealous punishment of companies that are making a good faith effort to comply with the law).
At this stage, I haven't seen the Privacy Commissioner fully use all the tools in his toolbox. He has the ability to take a company to the Federal Court. In most of the cases he has done so (that I'm aware of), they've settled. Obviously the Commissioner would not settle a case if it was not to his satisfaction.