Business Council of Canada Pushes Against Updating Canadian Privacy Laws
Drew Wilson | March 23, 2020

The Business Council of Canada published a report urging the government to step back from any effort to bring forth badly needed privacy law reforms.

More than a decade ago, Canada pushed itself as a global leader in personal privacy. From the Canadian perspective, having privacy commissioners was a symbol of how Canada was leading the way in terms of having respect for consumer privacy. Not only does Canada have a federal privacy commissioner, but also provincial privacy commissioners who are charged with keeping tabs on how privacy is respected and raising awareness on these issues as well. Indeed, there was a time when this scenario meant that Canada was a global leader in privacy.

Unfortunately, this situation has gradually become outdated. A privacy breach is no longer exclusive to some malcontent employee grabbing a fistful of file folders from the cabinet and walking off the property. A data leak is no longer exclusively from a company failing to properly shred documents or leaving a box of documents randomly somewhere. In fact, a security incident affecting more than 100 people is no longer considered a massive security incident.

We now live in a digital world where gigabytes of data can be transferred onto a USB stick. Personal information is now almost exclusively handled in electronic fashion. Now, a data breach can expose hundreds of thousands of users in one fell swoop. All it can take is a hacker breaking into a server and downloading an entire database. A data leak can involve someone dropping a backup onto an unsecured cloud server (which happens at a pretty disturbing rate, actually) and exposing millions.

With this new reality, different countries have adapted with more stringent new laws.
Examples of these new laws include requiring companies to properly secure their data through encryption, or to not leave it randomly lying around on an unsecured server, for crying out loud. In addition to this, stiff new penalties are also often introduced (GDPR being an example).

One outlier to updating privacy laws to handle this new reality is Canada. With countries issuing heavy fines against companies that violate privacy laws, Canada’s position on the world stage has gone from global leader to global laughing stock. This is because while some countries are handing out billions or millions in fines, Canada is stuck with privacy commissioners handing out strongly worded letters to companies, urging them, “don’t do that again!” In fact, the farcical situation in Canada has led companies to begin saying, “or you’ll what?” In one instance, two commissioners effectively admitted to that brazen response with, “Or, as privacy commissioners, we’ve… got nothing. Yeah, absolutely nothing.” In response, the commissioners stepped out of their roles and into the roles of private citizens and sued.

In fact, the privacy commissioners’ powers are so bad that companies being hit with breaches are going to the extreme of suing the commissioners to block investigations, if you can believe it. Canada has gotten to the point of having to legally ask whether or not commissioners have the power to even investigate an incident, let alone knowing that they can’t do anything about it other than issue a strongly worded letter. This massive loophole has become Canada’s international embarrassment. It’s a complete lack of ability to enforce the law.

So, unsurprisingly, many are calling on the government to implement badly needed reforms. At the very least, do something to reasonably catch up to almost every other country in the world such as, ideally, Europe. In fact, such an effort received broad party support during the last election. Indeed, reform is very much needed.
Earlier this month, Koodo suffered a data breach with customer information exposed. There are the questions surrounding RCMP members using Clearview AI. There’s the massive Desjardins data breach which somehow managed to involve more than 100% of their customer base. Another incident that involved Canadians is the Capital One data breach. Who could forget the massive Marriott Hotels data breach?

Of course, after the election was over, interest dwindled to the point of the Canadian government expressing disinterest on the topic as if to say, “Why are you asking? Is privacy important or something?” With COVID-19 pretty much becoming a 24-hour news story, interest in privacy has become, at best, a footnote. This is regardless of the fact that reforms to privacy laws are badly needed.

Now, it seems that some are attempting to stamp out any last lingering motivation to fix this gaping hole in the law. The Business Council of Canada has issued a report urging the Canadian government not only to stop its plans to bring in any semblance of real accountability, but also to relax the laws even further. The report in question is entitled Data Driven: Canada’s Economic Opportunity. From Michael Geist:

Yet despite stating that a “foundation of trust requires a policy framework that ensures high levels of data protection”, its recommendations consistently advocate for a cautious approach that would leave Canada lagging behind.

For example, Mr. Bains’ Digital Charter calls for stronger enforcement powers that include granting the Privacy Commissioner of Canada the power to order companies to stop non-compliant activities, increasing penalties, and establishing statutory damages for some offences. The Business Council has a much different vision, noting that its companies said the government should move “carefully” on the issue and cautioning “against adopting the overly prescriptive approach” found in the European Union.
It therefore only recommends “providing the Office of the Privacy Commissioner with limited new powers to order organizations to cease activities that threaten imminent material harm to an individual.” That standard – limited power only in instances of imminent material harm – would render the Privacy Commissioner’s new order making power virtually meaningless.

The same is true for the right to be forgotten, which would require the removal of search results that are “inadequate, irrelevant or no longer relevant.” The Business Council is only willing to back a “limited right” for the right to be forgotten. Similarly, algorithmic transparency is supported only if “the requirement to do so is limited.”

While the Business Council wants to limit new privacy rights, it seeks no limits on corporate transfers of personal information across borders. Indeed, the report argues that Canada is too small to establish a full requirement to store data domestically (known as data localization). It instead supports ensuring that all trade agreements feature a ban on data localization requirements. In fact, the report even recommends establishing new flexibilities around the notion of obtaining informed consent for the collection, use and disclosure of personal information.

As an alternative to statutory requirements, the report envisions the Privacy Commissioner of Canada working with the government to maintain a list of industry codes, standards, and certifications. Companies would be permitted to use compliance with these codes as evidence that they meet their privacy law obligations. If the approach becomes law, big businesses would be free to establish their own government-approved industry standards as equivalent to privacy law.

So, in essence, the push is to effectively get government to completely butt out of the whole privacy debate.
The government should somehow play little to no role in protecting Canadian privacy, and the private sector will somehow make things all better all by itself. This is in spite of the fact that it’s the private sector’s negligence that is a leading cause of consumers’ personal information being dumped by hackers onto the dark web for a quick buck with frightening regularity.

The reality is that Canada is quickly becoming lawless in the realm of privacy. As companies simply shrug off these massive security incidents as no big deal, we are now seeing them effectively saying that government should play an even smaller role in enforcing privacy. If anything, this report is advocating policies that would only exacerbate the Canadian privacy crisis.

Drew Wilson on Twitter: @icecube85 and Facebook.