Protecting your private data

By: Senator Art Eggleton and Senator Raymonde Saint-Germain

Canadians are concerned about the protection of their private data – so found a 2016 Survey of Canadians on Privacy undertaken by the Privacy Commissioner of Canada.  A reported 90 per cent of Canadians expressed some level of concern about data privacy and 74 per cent of Canadians felt they have less protection of their personal information now than they did just a decade ago. 

Canadians are right to be concerned.

The recent Facebook and Cambridge Analytica scandal revealed the shocking use of personal data gleaned from millions of Facebook users and sold to a third-party for the purpose of swaying international government elections.  The Canadian whistle-blower at the heart of the scandal, Christopher Wylie, referred to the incident as the “canary in the coal mine” in his recent appearance in front of a House of Commons committee: “Cambridge Analytica is the beginning, not the end.”

At a recent Open Caucus meeting of the Senate, data experts came together to discuss the imperative of enhancing the statutory protections of private data in Canada.  What was clear is that current government policies and legislation are not keeping up with advancements in technology. 

It’s time we did more.

Currently, Canada’s federal privacy laws operate on a complaint-only basis with a general framework for consent unlike the European Union (EU) which has strict, pro-active privacy regulations safeguarded by the General Data Protection Regulation (GDPR).

As Dr. Valerie Steeves of the University of Ottawa told the Open Caucus, the EU’s GDPR is informed by a commitment to privacy as a “human right” and is not just a collection of legal restrictions.  PIPEDA, Canada’s Personal Information Protection and Electronic Documents Act, by contrast, emphasizes “consent” – but, she argues, “consent should be the floor, not the ceiling,” when safeguarding Canadians’ privacy. 

Canada needs to model itself on the human rights approach to privacy that the EU has adopted. 

Our broad consent laws enable our personal data to be used in myriad second and tertiary ways without our knowledge or permission.  “Once we move into a big data environment, consent becomes a weak tool,” Steeves stressed.  We also need “algorithmic transparency” as big data companies use data in ways we may not have even conceived of yet.

Daniel Therrien, the Privacy Commissioner of Canada, emphasized that “Canadian trust is at risk” – and not just consumer trust, but trust in our democratic processes.  He pointed out that his office currently lacks powers to enforce compliance with existing privacy laws — and that privacy issues are not unique to Facebook: “Self-regulation has shown its limits.”

An all-party Parliamentary committee agrees.

The recently tabled Parliamentary report, Towards Privacy By Design, which reviewed PIPEDA, recommends significantly increased enforcement powers for the Privacy Commissioner, specifically, broader audit powers, discretion for which complaints to pursue and the ability to make orders and impose fines for those who are not compliant with privacy legislation. 

We fully agree. “We need to give the law some teeth,” as Dr. Avin Levin of Ryerson University put it. 

Levin emphasized that the protection of Canadians’ private data is “a question of law and political will.”  It’s in our power to do something about it, but we can’t continue to sit on our hands. 

He recommended that companies like Facebook should be liable for harm caused by content posted on their platforms.  “Those waiting for the free market to regulate the internet and social media companies will probably be waiting forever,” Levin said.

Adam Kardash, Partner with the legal firm, Osler, Hoskin and Harcourt LLP cautioned against unduly stifling innovation in business.  In responding to the idea for “opt-in consent,” he cautioned that for legitimate business activities that use data analytics, opt-in consent would often be “wholly impractical, if not impossible to implement.”

One area received wide consensus.  It’s time political parties are included in our privacy legislation.

Political parties are currently exempt from PIPEDA — free to collect, store and use private data, including political viewpoints, and can micro-target voters and follow their own code of conduct without oversight. 

That’s not good enough.

Bill C-76 was introduced recently to tighten rules around elections, including measures for campaign spending and foreign advertising, but it does not address privacy issues or consent for the collection, use and storage of person voter information. 

That needs to change.  In the short-term, Bill C-76 could be amended to bring federal political parties under PIPEDA. 

The government should also consider implementing several of the important recommendations out of the all-party Committee report, including giving the Privacy Commissioner powers of enforcement. 

In the longer-term, Canada should look to the European Union as a model for more comprehensive and pro-active powers to safeguard Canadians’ data privacy.

The technology demands that we catch up.  And as Senator Serge Joyal put it, “We must also make sure the legislation is not outdated the moment it is adopted.” 

Senator Art Eggleton is a member of the Canadian Senate from Toronto. He currently serves as Chair of the Standing Committee on Social Affairs, Science and Technology.

Senator Saint-Germain is Deputy Facilitator of the Independent Senators Group. She was appointed to the Senate in 2016, after two terms as the Québec Ombudsman and a distinguished career in the public administration.