OTTAWA – Canada’s federal private sector privacy law should include order-making powers and the ability to impose fines, like the U.S. and many European countries, says the Privacy Commissioner of Canada.
Its annual report tabled Thursday in Parliament says “urgent change” is needed to restore Canadians’ confidence in technology.
"Canadians' fear that they are losing their privacy is real”, said Commissioner Daniel Therrien, in the report’s news release. “They expect concrete, robust solutions to restore their confidence in technology as something that will serve their interests and not be a threat to their rights.”
The report also included the results of a consultation on the challenges facing consent, which currently is the foundation of Canada's federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Therrien said that the consultation heard that Canadians want better information, not “50-page privacy policies written in legalese most lawyers don't understand”, to exercise their right to give or withhold consent.
While acknowledging that personal information is an important part of a data-driven economy, the OPC pledged to issue guidance on appropriate methods of de-identification. The Commissioner is also recommending that Parliament consider whether new exceptions to obtaining consent may be appropriate where consent is not practicable, such as in some big data uses.
"It is clear, for example, that Canadians need to be supported by an independent regulator with the legislation and resources necessary to properly inform citizens, guide industry, hold businesses accountable, and sanction inappropriate conduct”, continued Therrien. “Canadians do not feel protected by a law that has no teeth and businesses held to no more than non-binding recommendations."
The Commissioner added that his office won't wait for legislative changes and will begin to act immediately to improve privacy protections for Canadians. This includes:
- Shifting towards a proactive enforcement and compliance model, rather than a complaints-based ombudsman model of privacy protection because the OPC may be better placed than individuals to identify privacy problems related to complex new technologies;
- Updating key guidance on online consent to specify four key elements that must be highlighted in privacy notices and explained in a user-friendly way;
- Developing new guidance that would specify areas where collection, use and disclosure of personal information is prohibited, for example, situations that are known or likely to cause significant harm to the individual.
