A plea for a privacy protection legislative reform
By Daniel Therrien, Privacy Commissioner of Canada
The privacy environment has changed significantly since I took office in 2014. Following 9/11, the need to protect against further terrorist attacks seemed to outweigh privacy interests of individuals. This trend has changed with time, in part due to the Edward Snowden revelations made in 2013.
The urgency of adopting new laws to better protect personal data
Today, the privacy conversation is dominated by the growing power of tech giants that seem to know more about us than we do about ourselves.
Many companies seek to monetize our personal information, while governments use it to improve their services. Both the public and private sectors often use personal information for purposes other than those for which they collected it.
As we try to adapt to the rapid evolution of data-driven technologies such as artificial intelligence, facial recognition, the Internet of Things, and the emerging metaverse, the current governance structure is uncertain.
It is more urgent than ever to adopt laws fit for the 21st century. A recent study by Option consommateurs supports this view. In its research report, Option consommateurs recommends that privacy regulators have the power to impose stiff monetary penalties and to conduct proactive audits of the measures employed by companies to ensure their customers’ privacy is protected.
Establish laws on the fundamental right to privacy
Let’s be clear: we need federal laws that enable responsible innovation, but they must be part of a rights-based framework that recognizes the fundamental right to privacy. New laws must strengthen accountability for both businesses and federal institutions and give my office the same powers that many of our provincial and international partners already enjoy.
Apply common principles laws to the private and public sectors
There is also a need to establish common principles in the Privacy Act, which applies to the public sector, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law. For instance, necessity and proportionality have to be key factors in the decision to collect, use, and retain information.
New technologies to keep an eye on
This is especially important given the government’s growing reliance on technologies developed by the private sector. A good example is our Clearview AI investigation. This company provided a facial recognition tool that allowed law enforcement authorities to match photographs of individuals to a database of 3 billion images from the Internet. In the end, we concluded that the company had violated the private sector law (PIPEDA). Following a separate investigation of the RCMP’s use of the technology, we concluded the RCMP had contravened the public sector law (the Privacy Act).
That said, technology and data can and often do serve the public interest. The pandemic offers many examples of that: the use of data to support public health, or the platforms we have all been using to stay connected.