Therrien concluded that Stats Can did not break the law when it requested Canadians' banking information

Canada’s Privacy Commissioner Daniel Therrien is calling on Parliament to implement rights-based privacy laws stating that there is an urgent need to modernize laws.

In his annual report, tabled in Parliament on December 10th, Therrien says that there needs to be an overhaul of privacy laws following a number of data privacy investigations, including one into Statistics Canada where the agency asked for financial information from millions of Canadians.

The report highlights that Canada urgently needs to update its privacy protection framework, and that the investigations have revealed weaknesses with current legislation.

Investigations into Statistics Canada, Equifax and Facebook

Therrien stated in his report that Statistics Canada did not break the law when it asked for the personal banking information of 500,000 Canadians.

He recommended that the Statistics Canada programs should be redesigned as Canadians were troubled by the collection since the data would provide significant insights into people’s private lives.

In terms of the Facebook investigation, Therrien outlined how Facebook refused to address its privacy deficiencies in regards to the Cambridge Analytica scandal where Facebook users’ data was harvested. The social media giant decided not to implement recommendations that would have aided its lack of privacy.

“The fact that Facebook said it would not implement recommendations to address those issues leaves a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms,” he said in the report.

In terms of the Equifax breach that impacted 19,000 Canadians, the commissioner stated that security shortcomings were to blame for the breach. The commissioner’s office found that there was inadequate vulnerability management to prevent attacks.

“It was unacceptable to find such significant shortcomings in privacy and security practices in a company that holds a vast amount of highly sensitive personal information and plays a pivotal role in the financial sector,” the report reads.

He says that Equifax has since taken a number of steps to improve its security and accountability programs. It has entered into a binding compliance agreement and has to submit audit reports every two years for a six-year period.

Four steps to reform privacy laws

Therrien says that privacy laws should be able to withstand time, meaning that it should be able to remain relevant despite technological changes. He suggests that this should be done by defining privacy and its values.

Secondly, he suggests that the law should firmly put an end to self-regulation in terms of the privacy sector. To do this, he suggests having a public authority that would be able to prescribe binding rules.

Thirdly, in the public sectors, he suggests that the law should adopt the principles of necessity and proportionality when it comes to data collection. This would avoid the over-collection of data and prevent intrusiveness when collecting information through agencies like Statistics Canada.

Lastly, he suggests that the law should provide enforcement mechanisms that ensure individuals have quick remedies for their privacy protections. He says this could be possible by expanding the Digital Charter and adding more enforcement mechanisms.

Moving forward

Therrien says that the legislative reform should begin with looking at privacy laws as a rights-based foundation. This implies that the purpose of the law should be to protect privacy as a human right and as an essential element.

When asked if he believes that his suggestions will be implemented, he said he believes that the current parliament will proceed and acknowledge his suggestions.

Therrien said that Canadians used to lead globally in terms of privacy laws, but that now Canada greatly lacks in privacy laws. For instance, he said that bills in the United States already include regulations that he has suggested to implement in Canada.

“We see an intention in the speech of the throne, which is an indication that the government intends to proceed with this in the light of the current parliament. I think it is likely that we will have legislation in the relatively near future,” he said during a press conference.