Privacy Commissioner Daniel Therrien is hamstrung by weak enforcement powers
Michael McEvoy was in the picturesque English town of Wilmslow near Manchester when the news broke.
An obscure data analytics firm called Cambridge Analytica had harvested the Facebook profiles of millions of people. It had worked with Donald Trump’s campaign and the winning side of the historic Brexit referendum, using the data to profile, micro-target and help influence voters.
“You could feel a sea change almost immediately when some of these stories started coming out,” says McEvoy, who was working, at the time, with a fellow Canadian, U.K. Information Commissioner Elizabeth Denham.
McEvoy, who now serves as British Columbia’s information and privacy commissioner, says Canadians haven’t always paid much attention to the fact that their information was being shared or used.
“I think with Cambridge Analytica, what they saw was a company, without their consent, psychologically profiling them, and if you happen to be an American citizen, that profiling information was used as a tool to promote Donald Trump’s presidency. People began to realize, ‘Oh, I understand what could go very, very wrong with this’ and at that point turned not only to Facebook but they turned to regulators to ask what are we doing to protect people.”
Chantal Bernier, former interim federal privacy commissioner, who leads Dentons’ privacy and cybersecurity practice, agrees the scandal was a game changer for privacy law.
“I think it was a watershed for awareness. You just have to look at Facebook’s numbers. I think that it has also been a watershed in relation to the awareness of the impact on democracy of access to personal information.”
The Cambridge Analytica scandal and the European Union’s implementation of the new General Data Protection Regulation in May have thrust privacy law into the spotlight in recent months. It has also shone a light on the digital Wild West that has emerged where Big Data is big business and regulators say barely a day goes by without a data breach somewhere in Canada.
Privacy lawyers say they have never been busier. Some firms are hiring more privacy lawyers to help with the increased workload — much of it from companies that want to ensure they comply with the GDPR.
“Last year was extremely busy,” says Éloïse Gratton, a partner at Borden Ladner Gervais LLP and co-leader of its privacy and data protection practice.
“I hired two full-time associates and this year has been another crazy year so I have hired a partner.”
Gratton says she has never had to handle as many regulator investigations as she has in the past year — an indication that Canadians are taking their privacy more seriously.
Suzanne Morin, vice president and enterprise chief privacy officer for Sun Life Financial, is chairwoman of the Canadian Bar Association’s privacy and access law section. She’s also seeing an increase in business for experts in privacy law.
“I would say for sure privacy as a practice area is on the rise. We are seeing more university courses. We’re actually seeing more positions for lawyers with privacy expertise. Privacy professionals, if we think of that as sort of an area of practice, is definitely on the rise as well.”
Dozens of class action privacy cases have been launched in Canada with customers suing over data breaches or intrusive business practices. Some companies aren’t waiting to see what the courts say and are settling cases for large sums.
In June, California adopted a new digital privacy law that could affect Canadian businesses that sell online.
Under the law, which takes effect in January 2020, customers have the right to know what information a company has gathered on them, why the data was collected and where it is being shared. They also have the right to block a company from selling or sharing their information or to ask that it be deleted.
But while other countries and jurisdictions are beefing up their privacy laws and incorporating concepts developed in Canada like privacy by design, Canada’s own federal privacy laws haven’t been updated in decades.
The Privacy Act, which applies to government institutions, hasn’t been substantially updated since it was adopted in 1983 — an era when information was stored in filing cabinets, computers used floppy disks and most Canadians had never heard of the World Wide Web.
While Justice Minister Jody Wilson-Raybould has promised MPs that the law will be reviewed and updated, there has been little — if any — progress. Government insiders say it might be addressed after the next federal election, scheduled for 2019, but it’s not one of the priority files.
The Personal Information Protection and Electronic Documents Act, which governs the private sector, was adopted in 2001, well before the emergence of predictive analytics, data mining and artificial intelligence. Two government attempts to update it, in 2010 and 2011, have died on the order paper.
The House of Commons Standing Committee on Access to Information, Privacy and Ethics has recommended both laws be significantly updated and strengthened. A third report, tabled in June, recommends that political parties be subject to privacy laws.
The Digital Privacy Act, adopted in June 2015, does make some changes such as mandatory notification of data breaches, which will go into effect on Nov. 1.
In June, federal Innovation, Science and Economic Development Minister Navdeep Bains launched a consultation on “digital and data transformation,” which includes the question of privacy. According to federal government figures, 87 per cent of Canadians are connected to the internet and 94 per cent of Canadian businesses are using personal data.
In its discussion paper for the consultation, the government acknowledges that Canada’s privacy laws need an overhaul.
“Framework laws are one element that requires revisiting in light of this new digital and data reality,” the paper says. “As the economy moves increasingly online, and is increasingly fuelled by the data provided by the users and purchasers of products, fundamental questions arise about appropriate safeguards and competitiveness, including against deceptive marketing, abuse of dominance, and the processing and use of personal information.”
Federal Privacy Commissioner Daniel Therrien says it is the government’s prerogative to consult but the consultation means that new legislation is unlikely to be introduced until some time after the next federal election, scheduled for 2019.
“If I look at the calendar, I would speculate that amendments to the private sector law would probably not be in effect until 2021 or 2022.”
Meanwhile, Therrien says, he has done what he can do within his existing powers, issuing new guidance that raises the bar on the definition of meaningful consent in the digital world.
With decades-old federal laws, a patchwork quilt of provincial privacy laws and new international laws such as the GDPR, navigating privacy rules in the 21st century can be a challenge for both lawyers and their clients.
But as Canada moves from the industrial to the digital age, Therrien and other experts say trust — trust by Canadians that their privacy is protected — is essential to the digital economy.
“We are now in the fourth industrial revolution, where data is an important economic input,” Therrien explains. “If the economy is to flourish, there needs to be a legal framework such that citizens and consumers will have trust in the digital economy.”
Violating that trust can be costly. In July, still reeling from the impact of the Cambridge Analytica scandal, Facebook’s shares dropped nearly 19 per cent — one of the largest one-day drops for a stock in history — wiping out an estimated US$119 billion in share value.
Contributing to Facebook’s loss was a drop in revenue because of Europe’s GDPR, strict new privacy rules that many consider the new gold standard in privacy law.
Among the sweeping changes, customers must consent to the collection of their information and be informed about how it is going to be used. Privacy by design and privacy by default — first developed by former Ontario Information and Privacy commissioner Ann Cavoukian — are key principles. EU citizens can take their data with them and can request their data be erased — the right to be forgotten. Fines for violating the GDPR can range as high as four per cent of a company’s global gross revenue, up to 20 million euros.
Europe has traditionally considered Canada’s privacy protections equivalent or “adequate,” allowing businesses to easily exchange data and personal information about customers. However, people like McEvoy, Cavoukian and University of Ottawa law professor Michael Geist say there is a very real risk that Canada could lose its adequacy status if privacy laws aren’t strengthened.
“Canada’s adequacy finding is very likely to be put at risk if there is a review to see whether it meets the current European privacy law standards,” says Geist, adding that GDPR-compliant companies could begin to see Canada’s privacy law framework as a business risk.
The EU’s European data protection supervisor, Giovanni Buttarelli, agrees there is a risk.
“Yes, it’s true, more or less. But we do not go for a negative finding. We’re not creating a blacklist of enemies. The question is that other countries will move, will ask for [an adequacy finding] and, therefore, we have to apply the principle of first come, best served. So, if Canada knocks on the door two years from now, it will have to wait a lot because of the queue.”
Buttarelli says Japan and South Korea have already expressed interest in getting adequacy status.
Others, however, question whether Canada needs to adopt all the measures found in the GDPR.
“Canada needs to do what is right for Canada,” says Morin, pointing out that many of the GDPR’s concepts are already found in Canada’s privacy laws.
“We should not be too quick to adopt methods from other jurisdictions that might not be right for ours.”
Gratton says Canada’s laws are well-balanced.
“We have decent laws. They’re not perfect. They’re not as stringent as what they have in Europe, but [they’re] definitely more stringent than what they have in the [United] States.”
There are also two schools of thought in Canada’s legal community on the role of Canada’s federal privacy commissioner.
Should the commissioner play the traditional role of an ombudsman with power to advise, investigate and report? Or should they act more as a regulator with powers to make orders, obtain warrants and impose stiff fines on companies that violate the privacy of Canadians?
Canada’s federal privacy watchdog can bark, but it can’t really bite.
Therrien believes that must change.
“When needed, stronger powers are required, in my view. It can start with a helping hand, giving guidance, giving advice; but when that does not work, we need as many other privacy commissioners and data protection authorities across the world, we need to have enforcement powers and order making and fines to ensure that the privacy rights of Canadians are respected.”
Therrien says the privacy commissioner should also have the power to inspect the practices of companies and governments as well as the U.K. information commissioner’s power to raid a company and force it to hand over its files, “with a view to ensuring that practices do actually comply with the law in the context where technology is complex and business models are opaque and difficult to understand.”
Therrien adds, “Therefore, there needs to be someone acting for citizens and consumers with better information than most citizens and consumers to ensure that the law is not a theoretical exercise but actually being respected in practice.”
Testifying in May before the House of Commons Standing Committee on Access to Information, Privacy and Ethics, Denham echoed that call.
“I would say that the Canadian Privacy commissioner’s powers have fallen behind the rest of the world,” she says.
“So, having order-making power, having the ability to levy administrative penalties, civil monetary penalties and certainly even [the] ability to seize material and to act quickly I think are really important when we’re dealing with global data companies and fast-paced investigations.”
Denham, who has been at the forefront of the international investigation into Cambridge Analytica, said her own office’s powers needed to be strengthened during the investigation.
“Government has moved really quickly and tabled amendments . . . to provide us with even more powers of no-notice inspections, streamlined warrants, the ability to make emergency orders and also criminal sanctions for destruction of records and information,” Denham says.
The other school of thought, however, fears that moving from an ombudsman to a regulator model would stifle innovation and economic development.
“If we have an ability to fine without first having that dialogue with the organization, my concern is that given that our laws are so flexible, companies will be concerned with getting fined,” says Gratton. “They will hesitate to innovate, launch new services [and] new products because they’ll fear that they’re going to get a fine, they’re going to get some negative press, and we don’t want that.”
Morin says the existing system is working well.
“Our enforcement regime has been found to be adequate already . . . when you look at all the pieces and the fact that our Privacy commissioner can do an audit if he’s got reason to believe. He can take organizations to court. Individuals can go to the Federal Court and they can get damages including changing of practices.”
Cavoukian, who heads Ryerson University’s Privacy by Design Centre of Excellence, says one of the best ways to safeguard privacy is to bake it in from the very start with privacy by design and privacy by default.
“In this day and age of ubiquitous computing, massive online connectivity [and] social media . . . there’s no way we’re going to be able to address all of the privacy harms if we don’t try and prevent them upfront. You can’t just do it with regulatory compliance after the infractions have happened.”
Gratton says privacy by design is part of a risk-based approach for companies.
“Nowadays, companies want to benefit and make money from the data that they have. They want to innovate. Sometimes, this is through business analytics, so, creating trends, analyzing the data, coming up with statistics and reusing this type of data to produce more services, more products. Maybe sell these trends. Maybe they have a value for a third party. Maybe the government has an interest in knowing that specific types of customers in that space have this kind of background and so on.
“But they want to make sure they do this right. So, it’s less and less about complying with the law. You have a list and you can check boxes.”
Big Data and emerging technologies also present new challenges when it comes to legal concepts such as consent, says Gratton.
“One of the challenges is our laws are based on consent, built on the consent model, which makes less and less sense with new types of business models. The internet of things. Smart homes, smart cities. How do you get consent? Can you get consent?
“All of these business models sometimes have a lot of players in the chain. So, who’s responsible for getting consent? Who had that interaction with the individual? Maybe it’s more than one entity. We’re definitely going to have to address that.”
Consent should also be transparent, says Gratton.
“Sometimes, I will advise my clients: You can do this. You can hide a consent clause in your privacy policy or in your form and you can do this, but it is going to piss off your customers, so don’t do it. It’s against the expectation. Customers don’t expect you to do this.”
Ownership of data is another emerging issue. Companies collect personal information from customers but then use analytics or algorithms to process that information.
Bernier says the visibility of those algorithms and the way the information is processed is an important issue, as is the deletion of data. If a customer asks for their data to be deleted, can they also make a company delete the profile it created using its algorithms?
De-indexing or anonymizing the data is one option, but as Geist points out, Canada’s federal privacy law is silent on the use of the anonymized or de-identified data often used in Big Data.
Biometrics such as facial recognition technology, fingerprints and iris scans are another new challenge in privacy law, says McEvoy.
Sometimes, it makes sense, such as using a biometric identifier to allow a prisoner to communicate with their lawyers or download documents from a computer, he says. Other times, it doesn’t.
“It doesn’t make sense to use biometrics to clock people in and out to see if they’re properly counting their hours at work. I don’t know if that’s necessary to collect that kind of sensitive information, whether that’s necessary to effect the purpose that an employer would be looking for.”
McEvoy says technology can also be a challenge for law firms.
“Lawyers are doing more and more things online; they’re storing information in the cloud, potentially, in some cases. We have to be far more conscientious when we do that to ensure, for example, that a cloud provider is making proper provision for the data and ensure that the privacy rights of clients are properly protected.”
Therrien agrees that Canada’s lawyers should take a close look at their own practices.
“We know that the legal profession, as holders of important, sensitive information for their clients, are not all taking the sufficient precautions to safeguard that personal information.”
“That’s certainly a sign that we see from our work that the legal profession generally needs to improve its knowledge. Although, I think in terms of awareness, we’re probably far better than we were just a few years ago.”
Lawyers should put privacy on their due diligence checklist, says Bernier. “When they look at all the legal risk analysis for their customers, they must have that on top of the list because of what is at stake in terms of reputation, in terms of penalties, in terms of risk of litigation if something goes wrong.”
Privacy lawyers should adopt a more transparent approach, Bernier adds.
“Privacy policies are not about covering your client’s butt. They are about being transparent about your client’s information management practices so that your clients’ customers are meaningfully informed and engaged in that contract whereby they provide personal information to your client. It has to be customer focused and it has to be in friendly terms — not a contract in legalese terms.”
Gratton says Canadian privacy law has evolved over the past 20 years. Where once it was a client simply looking for a privacy policy for their website, now there are new challenges in the wake of the GDPR and the Cambridge Analytica scandal.
“Now it has become something totally different.”