Office of the Privacy Commissioner of Canada

11/10/2022 | Press release | Distributed by Public on 11/10/2022 06:45

A vision for privacy: Rights, trust and public interest

Keynote address at CBA Privacy and Access Law Section Online Symposium

November 4, 2022

Virtual

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

Introduction

Thank you for that kind introduction and for inviting me to speak to you today.

This is my first keynote address as Privacy Commissioner of Canada and in many ways, it is perfectly fitting that it be with this group. The CBA plays an invaluable role in Canada, not only as the champion for Canadian lawyers and Canadian law; but indeed for the protection and promotion of the rule of law itself.

In recent years, the CBA has been putting a particular emphasis on upholding equality in the profession and eliminating discrimination. You will not be surprised to hear that I absolutely support these priorities.

I have been a member of the CBA throughout my career and was fortunate to occupy a number of roles with the CCCA, the public sector lawyers' forum, the constitutional law sections and the Quebec Branch executive. In all of these roles, it was clear to me that the CBA's credibility is high and its contributions are impactful. This is certainly true for this group with respect to Privacy law. As Canada's new Privacy Commissioner, I look forward to working closely with you in advancing law reform and implementing world class privacy protection and promotion regimes for the benefit of Canada and all Canadians.

Like many of you, my professional life as a lawyer has been dedicated to the strengthening of Canada's public institutions and to the protection and promotion of the fundamental rights of Canadians. As senior general counsel at the Canadian Human Rights Commission, I was responsible for the organization's legal and operational activities pursuant to the Human Rights Act, and as the Law clerk and Parliamentary counsel of the House of Commons, I was the institution's chief legal officer and led what I liked to describe as the department of justice to the legislative branch, responsible for privacy and for the protection of parliamentary democracy and the rights and privileges of parliamentarians. I also briefly served early on in my career as a legal officer with Global Affairs Canada with respect to international human rights and criminal law tribunals.

All these roles required the promotion and protection of fundamental legal and constitutional norms while at the same time ensuring that practical objectives and interests were also achieved. It required rejecting the false choice of saying that you can have either human rights or national security; or you can either have parliamentary privilege or health and safety, or you can either have the principle of sovereignty of nations or a system of international criminal law.

This approach of protecting and promoting fundamental rights while achieving important interests also applies to the world of privacy and finding the right ways of protecting and promoting our fundamental right to privacy while harnessing these new technological opportunities will be a key challenge for Canada's institutions in the coming years.

The rapid advancements we are seeing in technology are exciting. They offer tremendous potential for innovation and for improving the lives of Canadians. However, ensuring that we are able to use these innovations while protecting privacy is critical to our success as a free and democratic society based on the protection and recognition of individual and collective rights.

To do so, Canada's federal public and private sector privacy laws will need to be modernized, both to respond and adapt to these societal and technological changes, and to keep pace with legislative developments in other jurisdictions domestically and internationally.

An important step towards this modernization was taken by the government with the tabling of Bill C-27, the Digital Charter Implementation Act in June of this year. The Bill aims at modernizing the Personal Information Protection and Electronic Documents Act and is a recognition by the government that Canadians need and expect modernized privacy laws. As Canada's new Privacy Commissioner, I welcome the tabling of this Bill which is an improvement on its predecessor C-11 and on PIPEDA and I look forward to providing my advice to Parliament, hopefully later this Fall, on how the Bill can be further improved.

In doing so, I will apply the three elements of my vision for privacy that I presented to the House of Commons and Senate during my confirmation hearings in June. The three elements are:

  1. Privacy as a fundamental right
  2. Privacy in support of the public interest and Canada's innovation and competitiveness, and
  3. Privacy as an accelerator of Canadians' trust in their institutions and in their participation as digital citizens.

These three pillars reflect the reality that Canadians want to be able to fully participate as active and informed digital citizens without having to choose between this participation and their fundamental privacy rights. Canadians should be able to benefit from the public interest and economic advances brought by these new technologies with the reassurance that their laws and their institutions are there to appropriately safeguard and protect their personal information. In short, privacy is fundamental, it supports important public and private interests and it builds necessary trust.

Today I want to talk about what those three pillars mean to me as Privacy Commissioner and what they mean for Canadians.

Privacy is a fundamental right.

In 2019, the OPC and its international colleagues in the Global Privacy Assembly declared in a resolution that "privacy is a precondition for citizens' other freedoms as well as a keystone right for democracy and personal and social development." It said there is an "indispensable link between the protection of the right to privacy and a society's commitment to promote and respect human rights and development."

This description of privacy as a necessary condition for the existence of other fundamental rights is consistent with the Supreme Court of Canada's long-standing interpretation of privacy law as having quasi-constitutional status. The Court reiterated this important principle in the 2013 United Food and Commercial Workers case, where it stated that "legislation which aims to protect control over personal information should be characterized as 'quasi-constitutional' because of the fundamental role privacy plays in the preservation of a free and democratic society."

This also echoes international law and the inclusion of the right to privacy in the 1948 Universal Declaration of Human Rights. I note that Bill C-27 now contains a preamble that would make explicit Parliament's recognition of the importance of the privacy and data protection principles contained in various international instruments.

Treating privacy as a fundamental and quasi-constitutional right means treating it as we do other human rights. As a priority.

It means that privacy must be legally protected and promoted with a strong, fair and enforceable legal and rights-based regime. A regime that must offer meaningful remedies that prevent and address violations and that will act as an incentive for institutions to create a culture of privacy. Let me repeat that. A culture of privacy. Privacy by design where it is considered, valued, and prioritized. Privacy that is included and embedded at the outset of innovation, not as an afterthought or regulatory irritant.

It means that the collection, use, retention and disclosure of personal information must be limited to what is demonstrably necessary and proportional.

It means that, just as we cannot contract out of human rights, the protection of privacy cannot rest entirely on a model of consent. Indeed, in a legal system based on the rule of law and democratic principles, it cannot be left to individuals alone to ensure the protection of their fundamental right to privacy as a pure contractual matter. Consent certainly forms an important part of privacy law, but it cannot be the sole element.

Those who trade in and benefit from the knowledge economy must also be accountable for the way they use information. As the litigators among us know, one of the ways courts determine which party has the onus to do something is by assessing which party is best equipped to fulfill the task or provide the necessary information, and which party is the most vulnerable or in need of protection.

This is certainly true in the case of children who need even greater privacy safeguards. Those of us who are parents will have seen firsthand our children's increased use of technology and social media in recent years. With the pandemic, some of these uses have even become mandatory with some schools requiring students to use various online apps for education purposes.

If it is not realistic to expect adults to understand and be accountable for complex privacy consent forms and rules, it is simply unacceptable to put this burden on children. The legal system and all its institutions must step up to provide more protections and more information for children on how to navigate in the digital world in a safe and privacy protective manner.

Treating privacy as a fundamental right means giving privacy a large and purposive interpretation consistent with the purpose and objectives of the legislation which can, in the case of private sector privacy law, be the promotion of trade and commerce as a matter of federal jurisdiction.

It means that in cases of conflict - and these will be rare - between quasi-constitutional privacy rights and private or public interests, privacy will prevail. I say that these will be rare because by creating a culture of privacy and protecting personal information at the front end, we will be able to avoid most conflicts and achieve both privacy and the desired public or private interests.

This brings me to my second pillar.

Privacy supports the public interest and Canada's innovation and competitiveness

The second element of my vision is a recognition of the positive impacts of privacy and a rejection of the false choice between privacy and the public interest or innovation. Just as we can - and indeed we must - have human rights and national security, we can and must also have privacy while fostering the public interest and innovation. It is not a zero-sum game and as in so many things, we must reject extremes in either direction.

Canadians should be able to fully participate as active and informed digital citizens without having to choose between this participation and their fundamental privacy rights. Canada can be an innovation hub and a model of good government while at the same time providing a strong and effective quasi-constitutional legal regime to protect the personal information of Canadians.

To make a comparison with the justice system, we would all, as lawyers, agree that procedural fairness and natural justice in trials are essential. But we also recognize that legal proceedings must be concluded without unreasonable delays and that the costs of the justice system must be managed effectively. We do not look at these goals as a zero-sum game where we are trading off fairness for cost saving or expediency. Instead, we need to work hard together as a legal profession, and whatever our roles in the system, to ensure that the fundamental right to natural justice is protected while we achieve the other important public interest goals of timely and affordable justice. I am not saying that this is easy, but I am saying that it is necessary.

This applies with equal force when dealing with privacy, the public interest and innovation. While privacy will prevail in cases of conflict, we must do all that we can to avoid these conflicts and achieve these goals while protecting privacy.

The importance of avoiding such conflicts was recognized by the Supreme Court of Canada in the Same-Sex Marriage Reference when the Court held that the first step in dealing with a potential conflict between competing rights is to make all efforts to prevent it. This is certainly true when dealing with a potential conflict between a fundamental right such as privacy on the one hand and ordinary but important public or private interests on the other.

The solution to avoiding the conflict is by considering privacy at the front end, not as an afterthought. It will be cheaper and more effective, and the costs will become investments.

In fact, a survey earlier this year done by Cisco suggests that privacy is good for business - 81% of respondents reported returns on their privacy-related spending. Money spent on protecting and promoting privacy is an investment in trust and the security of your clients, in both the private and the public sectors.

It is not an either/or proposition. Even in the context of privacy-intrusive tools such as facial recognition technology, Federal provincial and territorial privacy commissioners in Canada have not called for an outright ban but rather for a clear and strong legal framework to regulate its use. This was the subject a recent report by the Access to Information, Privacy and Ethics Committee of the House of Commons which recommended a moratorium on the use of facial recognition technologies until they could be reviewed by courts or by my office.

I welcomed the committee's report, which confirms and reiterates the pressing necessity of ensuring the appropriate regulation of privacy impactful technologies such as facial recognition and artificial intelligence in a way that protects and promotes Canadians' fundamental right to privacy. I noted that the report confirmed the need for critical measures such as:

  • Mandatory privacy impact assessments (PIAs) and consultation with my Office prior to the adoption, creation and use of facial recognition technology.
  • Improved accountability and transparency through enhanced oversight and public reporting and consultation.
  • Strong and effective legal frameworks to set limits on the use of facial recognition technologies by police and to ensure that privacy is protected at every stage of the process; and
  • The modernization of private and public sector privacy laws.

Just last week, my provincial and territorial colleagues and I issued a resolution on Digital ID where we expressed the view that benefits of digital ID ecosystems could only be realized with adequate privacy protection. In announcing the resolution, I stated that the development and implementation of a digital ID ecosystem is a tremendous opportunity to demonstrate how innovation and privacy protection can coexist.

We can see the benefits of a system that will allow individuals, businesses and governments to confirm identities and carry out transactions online with a high degree of efficiency and confidence. But we must also recognize that unless digital identity projects and the frameworks that support them meet high standards of privacy, security, transparency, and accountability, they will not be trusted enough to be widely adopted, and those benefits will not be realized. Our resolution called for governments and other stakeholders to build those characteristics into the ecosystem from the beginning.

Earlier this summer, I attended the meeting of the G7 Data Protection Authorities in Bonn, Germany. The theme of our meeting was "Data Free Flow with Trust" and our discussions focused on international data spaces, data transfer tools, privacy-enhancing technologies and de-identification standards. All these themes support the proposition that privacy and international trade can and must co-exist.

Private sector privacy law reforms put forward by the government have sought this balance by giving organizations greater flexibility to use personal information, even without consent, if it was done for legitimate business interests. As you may recall from the OPC's submissions on the former Bill C-11, which died on the order paper last summer, my office agreed with that intention, if it was done within a rights-based framework, in a necessary and proportionate manner and with greater corporate accountability.

Some of the tools to achieve both the public and individual interest and protect privacy include privacy by design, the preparation of privacy impact assessments in appropriate cases, and the regulation and use of de-identified information.

Treating privacy as a fundamental right and finding ways to achieve the public interest and innovation at the same time is not only possible, but it is indeed a virtuous circle that will generate trust that will further benefit these interests. This brings me to my third pillar.

Privacy as an accelerator of trust in the digital economy

When the Minister for Innovation, Science and Industry, Fran├žois-Philippe Champagne, introduced Bill C-27 in June of this year, he emphasized the importance of trust. I agree and would add that the way to achieve trust is through the effective protection of privacy.

When individuals trust that their rights will be protected, they feel confident about participating freely in the digital economy. This is good for Canadians, good for business and good for innovation.

Yet, in our most recent survey of Canadians, more than half of respondents felt businesses do not respect their privacy.

How do we restore this trust? Let me highlight three things.

First, we need a strong set of public and private sector privacy laws that fairly and effectively regulate the collection, use, retention and disclosure of Canadians' personal information so that Canadians can know that they are not left alone in protecting their fundamental right to privacy. As I stated earlier, these laws need to be rights based and provide effective remedies in cases of violations. To achieve this in Canada, both PIPEDA and the Privacy Act will need to be modernized.

Second, and this touches my office directly, we need to ensure that data protection authorities have the necessary authorities and resources to provide not only compliance and protection mechanisms to deal with complaints, but also a strong advisory and promotion role to provide independent and expert advice and input to organisations so that privacy can be fully embedded in major initiatives at the front end and monitored on an ongoing basis.

A recent example of the importance of organisations obtaining and being seen to obtain independent advice arose in the case of the RCMP's use of on-device investigative tools that can access content as well as activate the camera and audio functions of smartphones without the users' knowledge. In June of this year, the RCMP confirmed to Parliament that it had been using such a tool with judicial authorisation but without having notified my office - despite being required to do so under government policy. Canadians expressed concern about this situation and the Access to Information, Privacy and Ethics Committee of the House of Commons launched a study on the matter.

In my testimony before the Committee, I noted that while there may be valid reasons for the use of such tools in appropriate circumstances, the RCMP's failure to consult my office had resulted in a reduction of Canadians' trust. I indicated that it was imperative that a privacy impact assessment be provided to my office in such cases and that this should be made a binding legal requirement in the Privacy Act.

In another appearance this summer, before the Standing Senate Committee on Transport and Communications, in its review of proposed amendments to the Broadcasting Act, I made a similar recommendation that the CRTC be required to engage with my office when it considered the issuance of orders that could have a privacy impact on Canadians.

My hope is that in most of these situations, we would either be satisfied with the measures taken or we would be able to provide advice resulting in course corrections at the outset. What is certain is that the very fact that these consultations would take place with my office would generate trust that the privacy of Canadians is properly considered and that it is protected.

As a third measure to restore trust, we need to create a strong culture of privacy where Canadians do not feel that they are being nudged or encouraged to provide more information that what is strictly necessary and proportional to achieve an organisation's purposes. We need to make it easy for Canadians to choose the most privacy protective settings and make it clear to them when, how and why their information is collected, used, disclosed and retained.

Our findings in the Tim Hortons investigation, where the company's app tracked users' locations even when the app was not in use and without the users' knowledge or consent demonstrate how trust can be undermined when privacy is not sufficiently considered and protected. It serves as a reminder of the work that remains to be done as a society to protect and promote a culture where privacy protection is the default setting and where Canadians have the reflex to always ask why their personal information is sought. A culture of privacy, with privacy by design, and privacy by default.

In conclusion, there is no doubt that the modern economy increasingly depends on the value of data extracted through digital technologies. But we have also seen the risks and the harms of technologies with inadequate privacy protections. Canadians should not have to look over their shoulders when using technology. The way forward is through reform of our privacy laws in a manner that recognizes and protects privacy as a fundamental right, while at the same time supporting the public interest and innovation, and accelerating Canadians' trust in their institutions and the digital economy.

And now I would welcome your questions.