Thank you very much, Mr. Chairman. I'm pleased to be here.
I am a professor of political science at the University of Victoria. I'm currently on sabbatical leave at the University of Toronto, so I haven't come all the way from Victoria today.
I have written or edited a number of books on the subject of privacy protection, both comparatively and historically, and that's my expertise. I'm generally known for my comparative work on privacy governance in both the public and the private sectors.
I'd like to begin by saying something about the history of the Privacy Act and why it came into being, because I think that historical context is important.
At the time the act was passed, Canada was only one of a handful of countries, most of which were in Europe, that had passed any form of privacy protection legislation. It was enacted with little public media or parliamentary debate. To a large extent, it was motivated by the associated passage of the Access to Information Act and the need to ensure that both acts were compatible with respect to exemptions.
The title is a misnomer. The law addresses just a subset of the multiple issues and concerns embraced by the word “privacy”. It's more properly regarded as a data protection statute. That's the word that's typically used in Europe to cover the regulation of the collection, processing, storage, and disclosure of personally identifiable information.
As the Privacy Commissioner and many others have pointed out, the Privacy Act is in dire need of modernization. It is a first-generation statute, and two or three other generations have evolved since. The lack of reform has also meant that a good deal of the content of the regulation is contained in an accumulation of Treasury Board Secretariat guidance that can sometimes be ignored or selectively interpreted.
The act is also based, in my view, on the dated assumption that government information is contained in neat data banks and can be listed, managed, and regulated. It's also based on the false assumption that the chief threat to privacy came from state bureaucracy rather than from the private sector. There are now over 100 countries in the world that have some form of comprehensive data protection law, and virtually all of them cover the practices of both corporations and government.
Given our complex federal system, that was never going to be an option for Canada. We are stuck with some legacies that are difficult to escape from. In my view, the general task here is to amend the law in such a way that the basic privacy principles remain intact, which embraces the more contemporary ideas about how to protect personal data in a networked environment in which personal data can be shared instantaneously and easily between and within organizations. The main difference between the laws that were passed in the 1980s and the 1990s and those that were passed in the 21st century is that contemporary law now embraces a full range of different tools or instruments for privacy.
I am in general agreement with what the Privacy Commissioner said to you in his submission of March of this year. I do not disagree with any of the suggestions that he made, but I would like to focus in the time remaining on four areas of reform mentioned in his submission: data breach reporting, privacy impact assessments, the overall powers of the Privacy Commissioner, and the question of information sharing.
I also have some final comments on the capture of personal data by federal political parties. I know this was something you've asked witnesses about in your previous sessions. I have written about that extensively. I've researched it and I want to make a few comments about it.
First, with regard to data breach reporting, the frequency of data breaches in the federal government is quite striking. Data breaches cost money and they damage trust and reputation. Mandatory privacy data breach notification is now a feature of modern data protection law. It's now required under some conditions for Canada's private sector under the amendments to PIPEDA.
It's also crucial, in my view, to combine the stick of mandatory data breach reporting with a carrot that says that if you've taken proper technical measures and safeguards to protect that data through encryption, then it's not that you get out of jail free, but you just have to do less in terms of reporting.
Organizations and agencies need to be incentivized to encrypt data. Therefore, I would strongly suggest that any mandatory data breach reporting requirement be accompanied by appropriate legislative requirements for physical, organizational, and technical safeguards similar to those that are found in PIPEDA.
Second, privacy impact assessments, or PIAs, have been a feature of the privacy protection landscape since the late 1990s, and Canada was one of the first countries to think seriously about this issue and their appropriate role. Ideally, they should be a recurrent process, an ongoing process, rather than just a checklist. They're designed to be an early warning, and they're particularly critical when programs and services that have potentially significant implications for privacy are being contemplated or amended. Experience suggests, however, that they are more likely to be effective when they're embodied in existing administrative procedures, such as technology procurement, budgetary submissions, and so on.
The OPC has reported that the quality of PIAs in the federal government is very uneven because there's no legislative requirement to conduct them, as there is in other countries and in some provinces. I therefore strongly support the OPC's recommendation that the current TBS guidance be given statutory force.
Thirdl, with regard to the powers of the Privacy Commissioner, when the Privacy Act was passed, there was little contemplation that the commissioner would be anything more than a standard ombudsman within the general parliamentary tradition, and an awful lot of the text of the Privacy Act is about the complaints investigation process. That is extremely important.
One take-away I'd like to give to you here is that comparatively, through my experience and research, the most important powers of a privacy commission are those that are proactive and general or systemic, rather than those that are reactive or individual-based. I would like to see the act reformed in such a way that some of the more proactive powers are included in the legislation. That includes order-making power. The commissioner can only make non-binding recommendations; he cannot compel a public body to take or cease any action without recourse to the courts.
I know there's been a lot of debate about this point over the years. I am encouraged that the Privacy Commissioner has now come around to the view that he does require order-making power such as that exercised by the commissioners in B.C. and Alberta. I think it's a natural progression.
The commissioner should obviously be given an explicit public education and research mandate, the same as that provided under PIPEDA. He does that anyway. It's not in the law. It shouldn't be controversial. A government agency should also be given the requirement to consult with him on draft legislation and regulation with privacy implications before they're tabled. He suggested that. It's a natural thing to do. It shouldn't be controversial.
Finally, on information sharing, the Privacy Act, in my view, has been ineffective in regulating the sharing of personal information among government agencies. I say more about this in my testimony. I won't go into any great depth here. The OPC has recommended that any sharing of information among agencies be made in a written manner. The problem, in my view, is the so-called “consistent use” exemption, which was originally intended as an exceptional circumstance—just those exceptional circumstances when agencies need to share data when they didn't think about it and it wasn't included in the Info Source database.
If you look at Info Source now, you see a whole range of consistent uses that are listed. I think it's got out of control and I think it needs to be reined in. There should be written requirements, and so on.
Finally, if I may, I'd like to say something about the capture and processing of personal data by federal political parties. I understand that the committee has been interested in this question. I'd be interested in answering any questions you have about it. I wrote a report on this subject for the Office of the Privacy Commissioner back in 2012, and I actually testified before this committee two or three years ago when you were interested in social media and social networking in relation to this subject.
Political parties are largely exempt from Canadian privacy laws. They're not covered under PIPEDA or substantially similar provincial laws, with the exception of the Personal Information Protection Act in B.C. They're not government agencies, they're not covered by the Privacy Act, and they're largely exempt from CASL, the spam legislation, as well as from the do-not-call regulations administered by CRTC.
Thus, for the most part, individuals have no legal rights to learn what information is contained in party databases, which are extensive; to access and to correct those data; to remove themselves from the systems; or to restrict the collection, use, and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, or to control who has access to it.
I am not arguing that the Privacy Act is the appropriate statutory vehicle to deal with this problem, and there are also problems with bringing parties under PIPEDA, but as I've done a lot of research on this subject, I just want to alert you to the fact that this is a huge gap in the Canadian privacy regime, and, in my view, and that it requires some urgent resolution.
I'll leave it at that for now. Thank you very much for your attention. I look forward to your questions and I hope to submit a longer submission later in the process.