By Ken Rubin
A little-known parliamentary review of Canada's antiquated 1982 Privacy Act is underway. Their task is daunting: just how do you combat or at least slow down widespread “legal” and illegal sharing of and access to personal data, mitigate against “big data” mining, and restrict data profiling? Canadians are increasingly looking for more access to and control over their own personal information.
Privacy Commissioner Daniel Therrien's recommendations are the first in; some have merit but others simply reinforce the status quo. They are bound to disappoint those challenging the intrusive nature of Bill C-51 who would want to go further. There is not much there, for instance, on biometric identity matching, or that puts a stop to online snooping and mining, restricts the growing use of secretive newer surveillance technologies like the Stingray cell phone listening devices, or prevents the increasing sharing of Canadians’ personal data with foreign authorities.
Nor is there much in the way of remedies proposed against what Edward Snowden revealed in the way of over-the-top secretive mass surveillance trolling, or any regulatory suggestions on how to handle the increasing amount of personal data housed or transmitted via the United States captured under its Freedom Act or the personal data held by international intelligence gathering groups to which Canada belongs, particularly the Five Eyes group.
Therrien is a former senior Justice Canada lawyer who handled public safety files including at Canada Border Services. Since his controversial appointment over a year and a half ago, he has maintained a fairly low profile.
His recommendations are mostly modest and housekeeping in nature. He calls for the thousands of personal data sharing agreements to be in writing and subject to some guidelines. He calls for transparency, with very little detail, wanting his office to be notified of all new or amended agreements. But it is not that clear how affected Canadians will benefit unless he can intervene to set aside or reject such agreements as too broad or order the full details to be made public.
He also wants prompt, mandatory reporting of public sector personal data breaches to his office with some selective notification of those affected, and for legal obligations to safeguard against such fairly regular breaches. But he sets out no enforceable binding order and penalty powers for his office despite the fact that such breaches occur fairly regularly.
Therrien at this juncture rejects giving his office binding order powers. Instead, he believes it will work to give agencies ten days to comply with his recommendations, failing which they must apply to the courts to defend their positions.
It is not clear how this would play out in practice. It is based on the assumption the courts will have the expertise and somehow quickly hear and enforce his voluntary (and not always the best) recommendations. And will privacy advocates with yet better positions and remedies be able to intervene at the Court as well? Would enforcement powers not be a more effective way to restrict privacy invasions, and regulate transborder data flow? This is the approach used in many of the over one hundred other data protection laws around the world.
To his credit, Therrien is recommending that both he and all Canadians have expanded grounds to go to court, including improper collection and use of personal data. That goes beyond the courts now only being able to hear cases about access to blocked individuals' personal files.
This is a welcome suggestion but his office also needs wider investigative powers to review matters involving transborder data-flow and meta-data collections. It would have helped too if he had suggested that individuals and groups bringing such privacy violation cases to court be given resources to sue the government.
His recommendations for an explicit education and research mandate with an ability to report more frequently on emerging privacy and technology public interest issues, for the government to better consult him on relevant legislation, and for mandatory government privacy impact assessments, help reinforce his office's work. The suggestion of having mandatory parliamentary reviews every five years to keep the legislation up to date could help us all hold the government to account, and avoid the situation we are in now, with no substantive change in 34 years.
But he does little to redraft and limit the many exemptions blocking individuals from getting personal information, and wants to introduce in his office, of all places, the right to vet and decide not to hear “frivolous” complainers. His office also needs to be subject to reporting complaints filed within 60 days as there are currently lengthy backlogs which are detrimental to complainants and pressing privacy matters.
He does not recommend giving individuals any mandatory rights of consent for the government's collection and use of their information and leaves questions aside, for instance, about dealing with contentious no-fly listings.
He does seek to extend coverage of personal records to the PM's and Ministers’ offices and wants to allow non-citizens to get access to their personal records. But he backs off when it comes to handling review of political parties' use of personal data.
He does not directly recommend, as his predecessor Jennifer Stoddart did, that unrecorded information such as personal biological samples, including DNA and iris scans, be covered, or that volatile data like radio frequency identification (RFID) chip data or Stingray data be explicitly covered by privacy legislation.
He recommends no change to the existing public interest balance found between the Privacy and Access to Information Acts, yet this means continuing, for instance, to allow public employees to hide their salaries and perks or tax haven offenders to remain unnamed.
He recommends that the Privacy Act remain closely tied to the Access to Information Act even though that combination hinders both acts growing and could, ultimately and detrimentally, lead to putting oversight of both acts in the hands of one commissioner. Joining both acts so closely together destroys their opportunities of developing more fully their separate and at times conflicting public interests, one for pro-active disclosure and multi-transparency tools and accountability practices, the other for restricting privacy invasions and enhancing data sovereignty.
In order to have a greatly strengthened data protection act, separate from access legislation, the Commons Privacy Committee must consider bold changes to the Privacy Act in conjunction with improving the Personal Information Protection and Electronic Documents Act (PIPEDA). The threats under both acts are similar, the remedies the same and the object the same: Canadians want more control over what personal data third parties, from police to marketers, can access.
Canadians want comprehensive data protection legislation that allows for the rollback of secretive data-sharing, matching and mining. They want restrictions and reductions on the numerous “authorized” third parties having access to their personal data. They want to know where their data goes, and when it is breached. And they want a Privacy Commissioner, along with specially trained privacy counsels, empowered to back them up and fight those fights with and for them.
It will now be up to privacy advocates to come forward and suggest a stronger legislative framework that greatly improves on Therrien's modest recommendations. Getting a tougher, more credible privacy protection act fit for today's challenges should be what the Commons Access to Information, Privacy and Ethics Committee strives to put in place and what the government should adopt by 2017.