The government must make privacy reform a priority, Canada’s privacy commissioner said today in his annual report to Parliament.
The annual report covers the period from April 1, 2020 to March 31 of this year. This is the last annual report privacy commissioner Daniel Therrien will produce before his term runs out on June 4, 2022.
“There is no doubt that the modern economy will increasingly depend on the value of data,” he said. “The new Parliament must legislate to enable responsible innovation, but this should be done within a rights-based framework that recognizes the fundamental right to privacy. As a society, we must project our values into laws.”
The previous government introduced Bill C-11, but it died when Parliament was dissolved for the fall election. Although new privacy legislation wasn’t mentioned in the latest speech from the throne, Therrien said he is encouraged that Minister of Innovation, Science and Industry François-Philippe Champagne recently told a news service he will introduce an amended bill in 2022. He gave no details on how it will be changed from C-11.
While C-11 would have given Therrien more power, he was among those critical of the proposed legislation. He said he was “deeply concerned” the legislation would be “a step backwards” from the current Personal Information Protection and Electronic Documents Act (PIPEDA). His submission on the bill to a Parliamentary committee included some 60 recommendations for changes.
In the report, Therrien says many key files during his mandate – the Facebook/Cambridge Analytica scandal and its impact on democracy, successive data breaches, growing use of facial recognition technology and risks of surveillance, ineffective consent policies and online reputation – identified key threats to privacy and other human rights.
The Facebook/Cambridge Analytica incident involved the use and disclosure of the personal information of millions of voters in British Columbia, the United States, and the United Kingdom by AggregateIQ Data Services of Victoria to Facebook. Therrien found that Facebook, despite its detailed privacy policies, had failed to obtain meaningful consent from people and failed to take responsibility for protecting the personal information of Canadians. Despite its public acknowledgment of a “major breach of trust,” Facebook disputed the findings and refused to implement Therrien’s recommendations to address deficiencies.
“This case demonstrates the weakness of the current law in forcing companies to be accountable and makes plain that Canadians cannot rely exclusively on companies to manage their information responsibly,” today’s report said.
Facebook and the office of the privacy commissioner (OPC) are still fighting in Federal Court over Therrien’s findings. The OPC is seeking a declaration that Facebook contravened PIPEDA. The Federal Court can impose binding orders requiring an organization to correct or change its practices and comply with the law.
This year Therrien and three provincial privacy commissioners found that the scraping of billions of images of people on the internet by U.S.-based Clearview AI represented mass surveillance and was a clear violation of the privacy rights of Canadians.
The investigation found that Clearview AI had collected highly sensitive biometric information without the knowledge or consent of individuals. Furthermore, Clearview AI collected, used and disclosed Canadians’ personal information for inappropriate purposes, which cannot be rendered appropriate via consent.
“Despite our findings, the company continued to claim its purposes were appropriate, citing the requirement under federal privacy law that its business needs be balanced against privacy rights,” today’s report said. “We have urged Parliamentarians to ensure a new federal law stipulates where there is a conflict between commercial objectives and privacy protection, Canadians’ privacy rights should prevail.”
Meanwhile the OPC and Google are battling in court over whether PIPEDA applies to the search engine. The case relates to a complaint from an individual alleging that Google is contravening PIPEDA by continuing to prominently display links to online news articles concerning him in search results when his name is searched. The complainant requested that Google remove the articles from results for searches of his name. The Federal Court said PIPEDA applies to Google. In September Google said it will appeal.
The OPC enforces PIPEDA, which covers federally regulated industries including banks, telecommunications and parts of the transportation sector. Some provinces that don’t have their own privacy laws also follow PIPEDA.
During the most recent reporting period, the OPC received 782 breach reports, affecting at least 9 million Canadian accounts. “This represents a 15 per cent increase in reports received over the previous year,” the annual report says. “Since mandatory breach reporting obligations came into effect in 2018 under PIPEDA, our office has seen a 600 per cent increase in reports.”
The leading cause of reported breaches was unauthorized access (64 per cent), which includes, among others, external actors gaining access to systems through malware, ransomware or social engineering, says the annual report. It also includes scenarios where employees viewed information without authority and used the information for inappropriate purposes.
“We also saw that 28 per cent of breaches were caused by unauthorized disclosures, including employee errors involving misdirected communication and disclosures resulting from a failure of technical safeguards and system vulnerabilities.
“Our office continues to see an elevated proportion of incidents originating from cyber attacks, with 42 per cent (328) of the breaches reported in 2020-21 attributed to malware, ransomware, password attacks, credential stuffing attacks, and other cyber threats. Of particular concern are the ransomware attacks and credential stuffing attacks.”