A state of uncertainty?

A lessening of democracy?

The mandate of Canada’s Privacy Commissioner has ended. After eight tumultuous years, Daniel Therrien has stepped down, and an interim replacement has been named. But the questions remain.

For his farewell address to the IAPP (International Association of Privacy Professionals) Canada Privacy Conference in Toronto, he had promised a no-holds barred speech. But Therrien, a lawyer and long-time civil servant, was nevertheless his traditional soft-spoken, dignified, exacting self.

He described Canada’s privacy landscape as being in “a state of uncertainty”, an accurate if not somewhat understated observation. Yes, the country’s existing privacy laws are more than 20 years old! Yes, proposed legislative changes to the law were suspended for the last election, and a new bill, although promised for this year, has not yet been tabled.

“It is extremely unfortunate that Canada is taking so long to modernize its privacy laws,” he said, gently summarizing his nearly decade-long attempts to get our laws to more accurately reflect the realities of our digitally mediated world.

One certain lesson from his term in office: our ability to protect our personal information is weak. The laws in place are ineffective.

And as far as the penalties for violating our personal privacy?

Well, ‘dem and a dollar might get you a cuppa coffee.

From Timmy’s.

In what was his last press conference as Privacy Commissioner, Therrien and his provincial privacy counterparts from Quebec, BC and Alberta met with the media to discuss the results of their latest joint investigation into a violation of Canadians’ privacy: the Tim Hortons mobile app.

The Tim Hortons app was used to track and record users’ movements every few minutes on a daily basis, even when the app was not opened!

“We have seen here an absolute lack of proportion between the continual tracking of customers’ location, their habits and other sensitive information this reveals about them, and a company’s desire to sell more products,” Therrien said, adding use of the app was “a mass invasion of Canadians’ privacy.”

With seemingly no holds on those remarks, Therrien was still forced to echo yet again a call he has made for years: “In my view, what happened here (with the Tim Hortons app) once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians.”

A long-standing need for business and consumers

Canada is still working under PIPEDA, the Personal Information Protection and Electronic Documents Act, enacted back in 2001. What was Bill C-11, the proposed Consumer Privacy Protection Act under Bill C-11, was dropped in 2021 when the federal election was called.

Therrien is still hoping for the new law and a new approach to privacy protection, telling the IAPP that “[i]t has been promised in 2022 in the private sector and hopefully it will follow soon thereafter in the public sector.”

Therrien is a proponent of a rights-based approach, one that positions privacy as a fundamental human right necessary for the exercise of other rights, not merely a collection of as data protection statutes. Privacy, he says, is not limited to consent, access and transparency. These are very important mechanisms, but they do not define the right itself. He says a rights-based framework could modernize compliance requirements and boost enforcement power and penalties.

Not only would a rights-based approach provide better protection for people’s personal information, but it would also benefit business and industry too, Therrien maintains.

He sees business success and continued innovation as dependent on consumer trust, but without legal foundation and the protection of rights, that trust cannot exist, Therrien says plainly. He seems almost bemused that a seemingly sophisticated, cutting-edge industry doesn’t get it: it is “surprising to see so much resistance (to rights-based privacy protection) in a field as innovative as the digital economy.”

He’s seen much more than resistance over his eight years term as Privacy Commissioner.

A long-standing pattern of violations and illegalities

Ending his term with the Tim Hortons announcement recalled other of his press conferences, about other major investigations into other privacy violations, committed by other large North American companies.

The Commissioner’s investigation into Clearview AI, for example, showed that company used facial recognition technology in a way that amounted to mass surveillance, scraping images from social media and other online platforms without the consent or knowledge of those directly affected. The Commissioner reminded his audience that the subsequent investigation into the RCMP’s use of Clearview technology shows the increasing risks posed by the lack of laws covering the use of sensitive personal information, particularly biometric data.

“What Clearview does is mass surveillance, and it is illegal,” Therrien described at the time. “It is completely unacceptable for millions of people who will never be implicated in any crime to find themselves continually in a police line-up.”

One could go back ever further in Therrien’s term to find yet another case of the Privacy Commissioner investigating the activities of a for-profit company deeply involved in our personal information: Facebook.

“We have received a complaint against Facebook in relation to allegations involving Cambridge Analytica and have therefore opened a formal investigation,” Therrien announced back in 2018, and that only caused investigators to recall the extremely important privacy questions raised in 2008 in a similar complaint filed with a previous Privacy Commissioner.

The Cambridge Analytica scandal, studied also by legislators from other countries, showed years ago that privacy violations could lead to violations of much more than consumer rights.

Speaking specifically about the latest – and last – privacy scandal he will handle as Commissioner, Therrien told media “[W]e have here an absolute lack of proportion between the continual tracking of customers’ location, their habits and other sensitive information this reveals about them, and a company’s desire to sell more products.”

But that lack of proportion can extend well beyond that morning cuppa.

“As a society we would not accept it if the government wanted to track our movements every minute of every day. It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought.”

“While disruptive technologies have many benefits, what does not need disruption is the idea that democratic government must maintain the capacity to protect the fundamental rights and values of its citizens,” Therrien said. “That capacity is lessened when organizations have almost complete liberty to set the rules under which they will interact with their clients, and where they can set the terms of their accountability.”

Information Commissioner Caroline Maynard (who’s held that post since 2018) has been named Interim Privacy Commissioner of Canada. She will hold the position until October 31, or until such time as a new privacy commissioner is appointed.

One thing is certain: we will still need one.

-30-