Ottawa should put privacy and innovation on the same level when creating a new national policy on data and digital transformation, the federal privacy commissioner has told the government.
And the way to do it, says Daniel Therrien, is by giving Canadians firmer privacy rights over their data.
A new privacy law “should mostly be drafted as a rights-based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.”
“I am growing increasingly troubled that longstanding privacy rights and values in Canada are not being given equal importance within a new digital ecosystem eagerly focused on embracing and leveraging data for various purposes,” the commissioner said in a letter to Innovation Minister Navdeep Bains released Wednesday. “Individual privacy is not a right we simply trade away for innovation, efficiency or commercial gain.”
Over the summer the Innovation department launched a national consultation — which closed in October — on creating a policy to drive innovation but also maintain trust and confidence in how the personal data of residents is used. “I am wary of this discourse,” Therrien wrote, “as it suggests to Canadians that privacy is at odds with innovation, or similarly, that privacy is at one end of the spectrum and digital innovation at the other.”
While the government says having trust that data and privacy will be protected is vital, there must be strong legal privacy protections. “Yet, when it comes to effecting real legislative change in this context, the government has been slow to act, putting at continued risk the trust Canadians have in the digital economy and confidence that our Canadian values will be preserved.”
While the private sector has to obey the Personal Information Protection and Electronic Documents Act (PIPEDA), that law only encourages transparency and accountability of businesses, Therrien wrote. “The reality is that our principles-based law is quite permissive and gives companies wide latitude to use personal information for their own benefit. While our law should probably continue to be principles-based and technologically neutral, it must be rights-based and drafted not as an industry code of conduct but as a statute that confers rights, while allowing for responsible innovation.”
“Canada should simultaneously pursue privacy and innovation,” he wrote, based on the principles of Privacy by Design created by former Ontario privacy commissioner Ann Cavoukian.
He cited with approval a proposed U.S. Internet Bill of Rights which would include making it mandatory for users to consent to the collection and sharing of data with a third party, give users the right move their data from one company to another, a right to have personal information secured and to be notified following a security breach, a right to have an entity that collects personal information to have reasonable business practices and accountability to protect privacy, and a right not to be unfairly discriminated against or exploited based on one’s personal data.
A new privacy law would maintain an important place for meaningful consent, Therrien added but it should also consider other ways to protect privacy where consent may not work — for example, in development of artificial intelligence.
A “public authority” should be empowered to issue binding guidance or rules to the private sector that would clarify how general principles and broadly framed rights are to apply in practice, the letter says. Binding guidance or rules would ensure a more practical understanding of what the law requires. Rules could also be amended more easily than legislation as technology evolves Therrien added.
He also repeated his call to give the office of the privacy commissioner stronger enforcement powers, and that privacy laws should apply to Canadian political parties. Under proposed legislation political parties would only have to post a privacy policy, not follow PIPEDA.