Canada’s privacy laws continue to be a long running joke after Google laughs of the strongly worded letter from the privacy commissioner.
Canada’s long running national embarrassment is continuing to sting the countries reputation (and no, I’m not talking about Pierre Poilivre this time). I’ve long advocated for privacy reform because it has been badly needed for years. To put things into perspective, Canada’s privacy laws are so bad, they are merely enforced with strongly worded letters. No fines. No jail time. No real repercussions of any kind. Just a strongly worded letter and a “don’t do that again” from a privacy commissioner or two. What happens when companies ignore those letters? Well, then they will receive another strongly worded letter. Perhaps it uses upper case letters or even a bold font. This along with a finger wagging from the privacy commissioner and an “oh you naughty boy” letter before the matter comes to an end.
The only way for there to be actual consequences is if the victims use their own resources to file a lawsuit against the company in question and sue for damages. That’s really the only time dollar figures come into question. In short, it’s up to the Canadian people to take the law into their own hands because the government isn’t really ever going to step in.
Now, to be fair, the situation is by no means the fault of the privacy commissioners across the country. As a matter of fact, I happen to know that they do a phenomenal job with the tools that they have. The problem is just how badly outdated the laws are and an overall reluctance on the part of the Canadian government to finally lift a finger and fix this glaring problem. To put things into perspective, last year, I wrote and article detailing 10 things that were a thing when privacy laws were last updated. The original Playstation and the N64 was the current the gaming consoles, people were downloading music on the original Napster, and Jean Chrétien and Bill Clinton were leaders of Canada and the US respectively. It is that sad.
Of course, in 2018, Europe did finally reform their privacy laws. This would be known as the General Data Protection Regulation (GDPR). In short, if you suffered from a data leak or a breach, you need to be forthcoming with that. If you were negligent in holding people’s personal information, you were going to be fined by the government. Those fines would actually be proportionate to the size of your company. Further, it lays out the standard for how you use and process personal information. You know, actual basic common sense codified into law. At the time, the hope was that it would issue a whole new era of respect for people’s privacy as other nations realize that they have fallen behind in the race to protect people’s personal information.
That ultimately didn’t happen.
In Europe, the GDPR continued to pay dividends over and over and over again. In fact, one of the major problems with the GDPR was that lawmakers completely underestimated just how bad the personal information situation actually was. Regulators were completely overrun with the number of cases they were dealing with and had to frantically hire more staff just to even try to tackle the tsunami of work that ensued. For some, it was actually shocking just how bad the situation had gotten before there was even an attempt to get things under reasonable control.
All of that alone should’ve have been more than enough to get a fire lit under Canadian lawmakers collective rear ends, but the reluctance to do anything about it, shockingly, continued. When the Clearview AI scandal was making the rounds in 2021 where the company was subjected to major fines in other countries, Canada’s privacy commissioner issued a strongly worded letter – a letter to which the company laughed off.
When the Cambridge Analytica scandal broke, Canadian privacy commissioners issued another strongly worded letter to Facebook, pointing out that Facebook did, in fact, break Canadian privacy laws. That company laughed off the letter as well. In response, the commissioners stepped out of their roles as commissioners and into the role as private citizens and went to the extreme measure of suing Facebook. To add insult to injury, in 2023, the court ruled that as far as Canadian privacy laws are concerned, Facebook did nothing wrong as far as the Cambridge Analytica scandal was concerned. Top put the outrageousness into perspective of that, the US used their patchwork privacy laws (which, in and of itself, is very bad) and managed to find a way to fine Facebook $5 billion over the very same scandal – a record breaking fine no less. The incompetence of the Canadian system is staggering.
One more example (and there are loads of others out there). When the Canadian RCMP were busted using malware in their investigations. In 2022, the privacy commissioner said that they were stunned at what they uncovered. In response, they… issued a strongly worded letter and a “don’t do that again” message. I could go on offering example of just how toothless these laws truly are, but I think you get the idea.
Every time a new breach in Canada made the news, eyes went to the government to see if this would finally be the one that would get the message to sink in that things needed fixing. Yet, even when Global Affairs was hit with a data breach, the Canadian government continued to hit the snooze button. At every turn, privacy reform was slow walked to ensure that it would never become law. Canadian’s, of course, have every right to be angry over this, but the message from the federal government is clear: they don’t give a damn about you. If a breach leads to 24/7 harassing phone calls or results in your bank account cleaned out, the governments response to that is fuck you, you’re on your own.
While there is a whole pile of evidence that overwhelmingly concludes that Canada needs privacy reform badly, apparently, we can add to that pile. Canada’s Privacy Commissioner took up a complaint against Google regarding whether or not Canadian’s have a right to be forgotten.
In short, the right to be forgotten is a legal tool that allows people to ask search engines to drop certain results about them. For instance, if there was a report out there talking about allegations made against, say, a business owner, then the follow-up reports conclude that the allegations had no merit and the case was dropped, it’s entirely possible that the original results of the allegations would still turn up in a search engine like Google. So, in that scenario, if there is a right to be forgotten, then that person can file a request to have the original reports not show up on that search engine.
Now, to be fair, this issue is a thorny one because the risk here is that people who have an ugly past might use this right to be forgotten to bury their wrongdoings as they try and censor reports about them. So, for instance, lets say another business owner has a long history of receiving sanitation and health violations at the workplace. That business owner was found guilty. Well, that owner could, in theory, use the right to be forgotten to sanitize the results from search engine and act as though those issues never occurred. In that case, an argument can be made that people should have the right to know about these things because it is in the public interest to know. So, you can see how things can get messy quick depending on the implementation. Where is that line between privacy and the public interest? That can very easily get blurry very quickly.
At any rate, right to be forgotten can fall within the realm of privacy given that it does deal with personal information about a person. For Canada’s privacy commissioner, that’s exactly why they decided to take up this case. From Teresa Scassa:
Canada’s Privacy Commissioner has released a set of findings that recognize a right to be forgotten (RTBF) under the Personal Information Protection and Electronic Documents Act (PIPEDA). The complainant’s long legal journey began in 2017 when they complained that a search of their name in Google’s search engine returned news articles from many years earlier regarding an arrest and criminal charges relating to having sexual activity without disclosing their status as being HIV positive. Although these reports were accurate at the time they were published, the charges were stayed shortly afterwards, because the complainant posed no danger to public health. Charging guidelines for the offence in question indicated that no charges should be laid where there is no realistic possibility that HIV could be transmitted. The search results contain none of that information. Instead, they publicly disclose the HIV status of the complainant, and they create the impression that their conduct was criminal in nature. As a result of the linking of their name to these search results, the complainant experienced – and continues to experience – negative consequences including social stigma, loss of career opportunities and even physical violence.
So, it sounds like this case would resemble the former example much more than the latter example. Interestingly enough, though, the question of whether or not the Privacy Commissioner could intervene in this case was even tested and court. Apparently, the Commissioner won:
Google’s initial response to the complaint was to challenge the jurisdiction of the Privacy Commissioner to investigate the matter under PIPEDA, arguing that PIPEDA did not apply to its search engine functions. The Commissioner referred this issue to the Federal Court, which found that PIPEDA applied. That decision was (unsuccessfully) appealed by Google to the Federal Court of Appeal. When the matter was not appealed further to the Supreme Court of Canada, the Commissioner began his investigation which resulted in the current findings.
So, hey, a good news story on the privacy front, right? Well, not quite:
Google has indicated that it will not comply with the Commissioner’s recommendation to delist the articles so that they do not appear in a search using the complainant’s name. This means that it is likely that an application will be made to Federal Court for a binding order. The matter is therefore not yet resolved.
Aha, so Google has the intent of breaking the law. So, what are the legal repercussions of this action? Yup, you guessed it, nothing but a strongly worded letter as far as the government is concerned. Why is that? Yup, you guessed it, the awful state of affairs with Canadian privacy laws:
Unlike his counterparts in other jurisdictions, including the UK, EU member countries, and Quebec, Canada’s Privacy Commissioner lacks suitable enforcement powers. PIPEDA was Canada’s first federal data protection law, and it was designed to gently nudge organizations into compliance. It has been effective up to a point. Many organizations do their best to comply proactively, and the vast majority of complaints are resolved prior to investigation. Those that result in a finding of a breach of PIPEDA contain recommendations to bring the organization into compliance, and in many cases, organizations voluntarily comply with the recommendations. The legislation works – up to a point.
The problem is that the data economy has dramatically evolved since PIPEDA’s enactment. There is a great deal of money to be made from business models that extract large volumes of data that are then monetized in ways that are beyond the comprehension of individuals who have little choice but to consent to obscure practices laid out in complex privacy policies in order to receive services. Where complaint investigations result in recommendations that run up against these extractive business models, the response is increasingly to disregard the recommendations. Although there is still the option for a complainant or the Commissioner to apply to Federal Court for an order, the statutory process set out in PIPEDA requires the Federal Court to hold a hearing de novo. In other words, notwithstanding the outcome of the investigation, the court hears both sides and draws its own conclusions. The Commissioner, despite his expertise, is owed no deference.
This is why I so frequently call Canadian privacy laws a joke. It’s because they are. Complaint letters from the Commissioner can be sent straight to the shredder and nothing will come from it. This leaves the victims of whatever infraction there is to be forced to either take matters into their own hands and sue or, as is probably the case in a lot of instances, not do anything at all and bear the ramifications of whatever damage is being done to them afterwards.
Yes, as Scassa points out, privacy reform can lead to unintended consequences. It is very possible to screw things up in the legislative process. The problem is that lawmakers have little interest in even lifting a finger to fix any of this. In fact, when privacy reform was tabled during the last government, it was blasted by privacy advocates as, at best, a half measure, sidelining many significant issues currently happening in the world of privacy. When it died on the orderpaper when the last election was called, the result was that Canadians got nothing out of the entire process on top of it all.
Now, here we are, 25 years after the last major privacy reform bill received royal assent, and Canadians are continuing to pay the price of the inaction from the federal level.
(Via @MGeist)
Drew Wilson on Mastodon, Twitter and Facebook.
Discover more from Freezenet.ca
Subscribe to get the latest posts sent to your email.
