Canada’s Privacy Act Urgently Needs Major Upgrade

By: Lee Rickwood

April 6, 2016

Canada’s Privacy Act is more than 30 years old, and like an old piece of technology (they get old in what, like 18 months?!?) it is in need of a major upgrade.

The new version will not be automatically downloaded in the background, however, and so Canada’s Privacy Commissioner is urging Parliament to review and revise what he has called “increasing antiquated” laws around public sector privacy and data security, and he’s calling on all of us to provide our input and ideas around protecting personal information and individual reputations in the online world.

Therrien at IAPP

Canada’s Privacy Commissioner Daneil Therrien will discuss his legislative and regulatory priorities in a keynote address at the IAPP Canada Privacy Symposium 2016 in Toronto next month.

The country’s Privacy Act was proclaimed back in 1983, and only now are political leaders and legislators even considering changes, a fact Commissioner Daniel Therrien welcomed in prepared remarks to a Standing Committee on Access to Information, Privacy and Ethics that is looking at Canada’s federal public sector privacy law.

Government departments increasingly collect and use ever-greater amounts of personal information, as Therrien noted in his remarks to the Committee and in a subsequent written submission, and that only raises the stakes as far as the value and importance of privacy protection.

(The Commissioner’s remarks and the Parliamentary review at this stage are of Privacy Law implications in the public sector; private sector privacy gaps are just as controversial, and are being addressed in other fora and through other legislative means. The Commissioner has concerns there, as well, and controversy still surrounds the implementations of laws such as Bill C-51, a bill that Therrien says does nothing to assuage the fears that Canadians rightly hold about the misuse use of personal data surveillance tools and collection techniques.

Not only are strong regulations needed to protect personal data privacy, so too robust technical infrastructure – another techno-arena in which Canada may be behind the times.)

“Over the years, we have seen massive government breaches affecting tens, even hundreds, of thousands of citizens,” he reminded his audience. Of course, public institutions should safeguard – not threaten – personal information, but there should also be a legal requirement for such institutions to report data breaches or gaps in their protection to the Privacy Commissioner (and, one would hope, from that Office to the public at large).

In fact, the OPC wants the law to allow it to report more often and more proactively about the privacy practices of federal institutions (right now, that report is annual, barring special needs).

“Reporting to Parliamentarians and Canadians only once or twice a year on how the government is managing privacy issues through annual or special reports to Parliament is inadequate. We would like to be in a position to share this information in a more timely way,” Therrien said.

A complementary proposal is to require government agencies and institutions to have a Chief Privacy Officer, one who is trained in the relevant issues and accountable to the general public.

Likewise, as the Commissioner noted, privacy rules and regulations should extend to all government institutions, and in that proposal it is underscored that major government offices, like those of appointed Ministers and even the Prime Minister are not currently or comprehensive covered.

In an interesting side note, Therrien pointed out that Parliament should also consider regulating the collection, use and disclosure of personal information by political parties.

The fact that political practices in Canada are not bound by the Privacy Act, or the Personal Information Protection and Electronic Documents Act, has troubled personal privacy proponents and voter’s rights advocates for many years.

In a bid to avoid another three whole decades letting privacy protection fall behind the tech times, the Privacy Commissioner is calling for a review of the Act every five years. Better than thirty, certainly, but it’s no real-time download, that’s for sure.

Another proposal to tighten the timeline is to have all government departments consult with and report to the OPC on any bill, rule or regulation that impacts privacy in any way before the bill is  tabled in Parliament; fixing a leak before it springs should be much easier that after the floor gets all wet.

As discussion, review and lawmaking continue, Commissioner Therrien will discuss his legislative and regulatory priorities in a keynote address at the IAPP Canada Privacy Symposium next month.

As well, the Commissioner’s office is currently conducting an online public consultation about the problems and challenges related to online privacy.

Everyday Internet users — that’s us — and subject experts alike are invited to share their ideas up until April 28th.


The International Association of Privacy Professionals’ global privacy and security conference is now underway in Washington D.C.

This year IAPP, the International Association of Privacy Professionals’ global privacy and security conference is now underway in Washington D.C.; the Canadian national conference will be held in Toronto.



Leave a Reply

Your email address will not be published. Required fields are marked *