According to the Office of the Privacy Commissioner of Canada, more than 90 per cent of Canadians have expressed some level of concern about the protection of their personal privacy.
There are legitimate reasons to be concerned. Privacy may be a quasi-constitutional right, but it does not receive the protection that it deserves. For example, consider the fact that the Privacy Act, the law that governs how personal information is collected, used and disclosed by the federal government, has not been substantively updated since it was enacted in 1983.
In the words of the OPC, there is a “very crucial need to overhaul” the act.
A number of reports have also called for reform over the years. Most recently, our current Standing Committee on Access to Information, Privacy and Ethics recommended 28 measures, including a necessity and proportionality standard for the government’s collection and retention of personal information.
Our committee has also recently examined the Security of Canada Information Sharing Act, one of the acts created by then Bill C-51. We found that the definition pursuant to which information can be collected is too broad, that necessity and proportionality should apply and that expert review of information sharing is required.
The Canadian Security Intelligence Service is already limited to receiving information that is “strictly necessary” and other security agencies should be subject to a similar standard. There is no doubt that information is the lifeblood of national security. But for that very reason, security agencies have a tendency to overstep their bounds, and two recent examples should give us pause.
Consider that police agencies, including the RCMP, have collected data using International Mobile Subscriber Identity, or IMSI, catchers (colloquially known as stingrays) for years, but they have repeatedly refused to acknowledge their use. These devices capture data from all cellphones within a certain proximity, including from innocent Canadians, and raise obvious privacy concerns. Recently, the RCMP has confirmed its use of stingrays, including at least 19 times in 2016 and 24 times in 2015. Other countries have rules to govern the use of stingrays and any data collected, and Canada should follow suit. Germany, for example, has regulated stingrays since 2001, including obligations on law enforcement to annually report the use of stingrays.
Former Ontario privacy commissioner Ann Cavoukian has rightly called for the deletion of data collected from innocent Canadians. Our laws should not be silent.
Improper data retention is not new. Last fall, Federal Court Justice Simon Noël held that CSIS had not only breached its duty of candour to the court by failing to disclose the operations of a data analysis centre established in 2006 but further held that CSIS had retained and used data beyond its legal mandate.
Noël noted that the law restricted CSIS to collecting data that is “strictly necessary” and reasoned that “the principle of strict collection must be reflected in the retention of that information.” Yet, CSIS had retained information beyond that standard. In spite of this ruling, all indications are that CSIS has not yet destroyed the data it was found to have improperly retained.
Beyond national security, our committee is now studying privacy in the private sector through our review of the Personal Information Protection and Electronic Documents Act. This legislation was enacted in 2000, and due to its principle-based approach, does not need the same overhaul as the Privacy Act.
Our government has already moved forward with mandatory breach reporting, and we’re now examining other potential changes, including empowering the OPC with order-making powers or an administrative monetary penalty regime.
There are also concerns that our current model of informed consent needs updating. The majority of Canadians admit to not reading privacy policies for mobile apps, and a recent privacy sweep — in which 25 privacy enforcement authorities participated — found that privacy communications of Internet-connected devices are generally poor and fail to inform users about exactly what personal information is being collected and how it will be used. It is difficult to reconcile these facts with the goal of meaningful consent.
This is especially important as more devices collect more information about our lives. From smart meters that track our energy consumption to fridges that track what we eat, Cisco Systems estimates there will be 50 billion connected devices by 2020. As a consumer, I want convenience and will trade some of my privacy. As a citizen and as a lawyer, I want laws that substantively protect my privacy.
In general terms, we should mandate privacy by design. Governments and third parties ought to anonymize our personal information, and our government should follow Australia’s example and make it an offence to re-identify published government data sets. We should also look beyond the law to protect our data.
Take Estonia. On the one hand, it has embraced big data through maintaining a national register with a single unique identifier for all citizens and residents. Customer service is improved and information is exchanged more easily. On the other hand, the same system ensures that citizens can correct or remove data easily and can see which officials have viewed their data.
In summary, we need to embrace new laws and new technology. We need not sacrifice our privacy.
Nathaniel Erskine-Smith is the MP for Beaches-East York in Toronto and the vice chairman of the House of Commons Standing Committee on Access to Information, Privacy and Ethics. He is also a lawyer who practised commercial litigation in Toronto until his election to government in 2015.