Daniel Therrien says it’s time his office had some real power built into its privacy protection model, such as the ability to impose “substantial financial penalties” on companies and organizations that misuse the personal information they collect.
Canada’s Privacy Commissioner should also be able to issue binding orders about privacy-protecting activities (or the lack thereof); right now, his Office can only make recommendations that companies may ignore if they desire.
(This affects current investigations such as the Equifax breach; the Canadian Office of the Privacy Commissioner can only offer advice designed to prevent such a significant breach occurring again.)
Therrien recently released his 2016/17 Annual Report to Parliament; in it, he makes specific recommendations on a number of privacy-related topics, and he includes results from a consultation on the challenges facing the concept of consent in the digital age, currently the foundation of Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
“It is clear,” he noted when releasing the report, “that Canadians need to be supported by an independent regulator with the legislation and resources necessary to properly inform citizens, guide industry, hold businesses accountable, and sanction inappropriate conduct. Canadians do not feel protected by a law that has no teeth and businesses held to no more than non-binding recommendations.”
The annual report includes recommendations for legislative reform and other solutions to help Canadians better control how their personal information is collected and used. Changes to the power and capabilities of the OPC are in the hands of our elected Members of Parliament.
“The digital revolution has brought us important benefits and will continue to be a major contributor to economic growth,” Therrien added. “Few of us would like to go back to the pre-digital age, but no one has agreed to give away their privacy on the basis of 50-page privacy policies written in legalese most lawyers don’t understand.”
Sometimes, however, consent is not an option – as some Canadians heading to the U.S. have found.
During personal interrogations at the border, they’ve been forced to turn over the passwords to their laptops and mobile phones. Therrien has previously cautioned people when travelling across the border to limit the personal information and data they bring, or to remove sensitive information from devices that could be searched, and it continues to be a concern for the Privacy Commissioner.
Also described in his report is a review of the Canada Border Services Agency’s Scenario Based Targeting Program, in which advanced analytics are used to identify potential terrorist threats, based on traveler demographics. The review raised the concern that some of the national security scenarios used by CBSA are based on personal characteristics which identify a large number of law-abiding individuals whose personal information is used and shared without sufficient privacy protections.
Another important investigation discussed in this year’s annual report is the Privy Council Office’s MyDemocracy.ca website, which was launched last December as part of a national dialogue on electoral reform. The investigation found the website allowed the disclosure of personal information of participants to third parties such as Facebook without their consent; however, no evidence that PCO was inappropriately identifying participants or tracking responses to the survey questions was found.
The report also discusses an investigation related to the RCMP’s use of cell site simulators, sometimes called StingRay devices or IMSI catchers.
Several agencies have now acknowledged using the technical trickery to spoof a user’s cellphone into connecting to a fake or phony cell tower, set-up specifically to monitor or track the user.
A primary concern of complainants to the Privacy Commissioner was that the police forces in question would not confirm their use of the surveillance technology. Speculation became ripe as to just what the devices could or could not do, and how they were (and are) being used.
Unable to do more, the Privacy Commissioner’s Office said it would “strongly encourage the RCMP to continue to make efforts toward openness and accountability in terms of the technologies it employs in its law enforcement activities”.
Other issues addressed in the report include how the Security of Canada Information Sharing Act (SCISA) was implemented after coming into force in 2015; a review of the CSIS Operational Data Analysis Centre; and an investigation related to the Phoenix pay system.