Time of ‘self-regulation’ is over, privacy czar says in push for stronger laws

OTTAWA — In his most pointed plea to date for federal action, Canada’s privacy watchdog says there is an urgent need for stronger laws to protect personal information.

Canadians cannot afford to wait several years until well-known shortcomings in the laws are fixed, privacy commissioner Daniel Therrien said in his annual report, tabled in Parliament on Thursday.

Therrien cited headline-grabbing privacy lapses involving Facebook and Equifax over the last year to highlight his disappointment with the government’s “slow to non-existent” response to rapidly emerging threats.

Canada’s privacy legislation ”is quite permissive” and gives companies wide latitude to use personal information for their own benefit, he said, adding “the time of self-regulation is over.”

“To be clear, it is not enough to ask companies to live up to their responsibilities. Canadians need stronger privacy laws that will protect them when organizations fail to do so,” Therrien’s report says.

“Respect for those laws must be enforced by a regulator, independent from industry and the government, with sufficient powers to ensure compliance.”

Therrien, who makes non-binding recommendations to organizations in the public and private sectors, is looking for order-making powers, the ability to levy fines and authority to conduct inspections to ensure compliance with privacy laws.

Treasury Board President Scott Brison said Thursday he shares ”the objectives of strengthening the privacy regime, which is why we are introducing an action plan in the coming weeks to do exactly that.”

Brison offered no details, but said Therrien’s views would be important.

Innovation Minister Navdeep Bains pointed Thursday to federal regulations slated to take effect in November that will require companies to report all privacy breaches presenting a real risk of significant harm. “So clearly that demonstrates we’ve taken some action.”

Therrien said the significance of the step is diminished by the absence of any new funds for his office to analyze breach reports, provide advice on how to avoid risks and verify compliance.

He lamented that his budget doesn’t allow for timely advice to the public on dozens of emerging issues — such as the federal use of artificial intelligence.

“If we do not have more funding, obviously we’ll continue to do the best we can with the money we have,” he told a news conference.

On one key issue, Therrien said he plans to ask the courts whether federal laws require Google to remove web pages from its mammoth search engine.

The move is aimed at providing clarity over the legality in Canada of what advocates call “the right to be forgotten.”

Therrien’s office takes the position that existing Canadian law gives people the right to ask search engines like Google to de-index web pages and to ask websites to remove or update content that contains inaccurate, incomplete or outdated information.

Google argues the privacy law for private-sector actors doesn’t apply to its search engine and that requiring it to de-index web pages would be unconstitutional.

To settle the matter, Therrien says he plans to file a reference with the Federal Court to clarify whether Google’s search engine is subject to the Personal Information Protection and Electronic Documents Act before delving deeper into complaints about search results.

Peter Fleischer, Google’s global privacy counsel, says removing lawful information from search engines limits access to the most relevant results, and he suggests a right to be forgotten would infringe on freedom of expression.

He expects the matter to end up in the Supreme Court of Canada.

“It’s the kind of question that likely would go all the way to the top court,” Fleischer said in an interview. “So we welcome it.”

— Follow @Jim Bronskill on Twitter

Jim Bronskill, The Canadian Press

privacy