
Canadian privacy law has got you covered, but here’s why it simply isn’t enough

From limited digital rights, to little enforcement, find out why Canada's privacy laws are in serious need of an overhaul.

This is the first of two blogs that look at the privacy rights available to Canadians and how they compare internationally. The second blog is available here.

As more companies go digital and tech giants such as Facebook and Amazon dominate our households and smart devices alike, the privacy of people in Canada is increasingly compromised. More than ever before, we continue to be the victims of corporate data breaches. Without our knowledge or our consent, our data becomes a transaction between organizations that hold our personal information and the third parties they sell our data to. Given all these instances where we are often unknowingly vulnerable, are Canadian laws keeping up to protect us in an ever-evolving and exploitative digital landscape?

The answer is more nuanced than a simple yes or no. For starters, yes, laws exist to protect Canadians and their data privacy. The more crucial question is: are Canadian laws protecting us enough? And are we equipped with the mechanisms to take initiative and protect ourselves?

Current Canadian privacy laws fall short in protecting people in Canada and giving them agency over their own data. The Privacy Commissioner of Canada has little authoritative power to administer penalties to companies violating our fundamental right to privacy. And there is a lack of incentive for companies to make their privacy policies accessible and understandable. To delve into these dilemmas further, let’s explore how Canada’s current privacy laws protect us.

Canada’s Current Privacy Laws

Federally, the main statute set in place to protect Canadian privacy is the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, there are fair information principles that include consent and accountability. While this statute is meant to protect our personal information, it is enforced by the Privacy Commissioner of Canada, who is not granted the authority to enforce penalties against companies who violate PIPEDA principles. Rather, the Privacy Commissioner of Canada acts as an ombudsperson who can only promote privacy rights but does not have any power to administer fines. Unfortunately, the absence of harsh punishments has prompted Big Tech companies such as Facebook to neglect improving their business practices to better serve the interests of people in Canada and their privacy. It is also important to note that PIPEDA protects the personal information of people in Canada in a commercial context, which excludes non-commercial instances where personal information might be exploited. 

Bill C-11 was recently proposed in an effort to modernize and update PIPEDA. Bill C-11’s amendments were proposed in order to update commercial privacy rights to better suit a digital landscape. While these changes would provide more enforcement power to the Privacy Commissioner, Bill C-11 would have also expanded the number of instances where obtaining consent can be waived – such as when organizations are working with allegedly de-identified data. While de-identified data protects user anonymity, it is quite easy to re-identify that data in an era of Big Data and Artificial Intelligence. Bill C-11 also focused solely on a commercial context. As a result, the privacy practices of non-profit organizations and political parties were not covered. With a focus on commercial organizations, user privacy was positioned as a consumer right rather than a human right. But shouldn’t the loss of security and lack of agency over one’s personal information position privacy as a human right?

PIPEDA and C-11 are both publicly available so that people in Canada can learn more about how their data is managed and protected. To learn more about your data privacy rights, you can request access to your personal data through a Data Access Request (DAR). If you submit a DAR, companies are required by law to grant you access to the information they have collected about you. Despite the ability to do so, very few people in Canada send DARs or even know what they are. Why is this the case? DARs are vastly under-promoted as a public resource. Not only are DARs under-promoted, but the absence of a uniform and accessible method to send DARs across companies deters people in Canada from having the opportunity to sufficiently use this right.

Barriers of Access to Canadian Privacy Laws 

So if we have opportunities to weigh in on online consent or regain control over our data, why is it so difficult to exercise these rights? There are many barriers to accessibility that would need to be addressed to both modernize PIPEDA and allow it to be better employed in the best interest of people in Canada and their privacy. According to the Citizen Lab, a research lab based at the Munk School of Global Affairs at the University of Toronto, the primary barriers to requesting DARs are the costs associated with access and the identity verification procedures that are required for obtaining one’s personal data. For starters, many companies charge fees to individuals who wish to obtain their data. When associated costs aren’t an issue, the extensive identity verification processes pose other concerns. In the process of requesting one’s data, many individuals would have to provide even more personal information, such as phone numbers, email addresses, or ID photos. By verifying that the individual who is requesting the data matches the one on file, a person consequently compromises their privacy even further.

Another important dilemma is whether consent can be reasonably inferred when second parties are involved, like when a company shares your data with an external entity. Though there are particular instances where explicit consent is obtained from users, we should be questioning implicit requests for consent as well. While many companies present “Terms and Conditions” or other privacy policies that outline the sharing of user data with second parties, these texts are often long and complex, discouraging many users from reading them. For those who do decide to read the documents, the legal jargon used may leave them feeling even more confused and uninformed.

What Should Be Done Now?

By taking a larger stand to compel companies to modify their privacy practices, Canadian privacy laws such as PIPEDA will be able to do more to protect us and advocate for our consent in data collection practices. The time for legal reform is now, and it has never been more important to put people in Canada and their human right to privacy front and center. 

Proshat Nouri is a fourth-year Media and the Public Interest student at Western University. With an academic background in network capitalism and political economy, Proshat has extended this research by working with OpenMedia to explore privacy legislation both in Canada and internationally, as well as legal reform to better protect Canadians and their data. 

Want to make a difference and improve Canadian laws? The OpenMedia community isn’t waiting around for the federal government to act. We’re speaking up to #DemandPrivacy and get the digital rights we need to protect ourselves. You can speak up by signing the petition to #DemandPrivacy!

Image by Flickr user Stock Catalog and used under CC BY 2.0
