Bill C-11, criticized by current privacy commissioner, died on order table when election was called
There will likely not be any new federal privacy legislation tabled in Parliament until the appointment of a new federal privacy commissioner in the coming months, says former privacy commissioner Jennifer Stoddart.
Speaking at a privacy and cybersecurity webinar put on by Fasken last week, Stoddart, now a strategic adviser at the firm, told the 1,400 who had signed up that while she has no particular inside knowledge, a new commissioner will probably be named soon.
The term of the current privacy commissioner, Daniel Therrien, which was last year extended for one year, ends in June. He has been in the position since 2014, and it is likely a new commissioner will be appointed. The government will “not table any legislation until that person has taken over,” said Stoddart, who was privacy commissioner from 2003 to 2013.
She said that given the current commissioner’s criticism of Bill C-11, a piece of privacy legislation that died on the order table when the federal election was called last summer, the government will likely prefer to wait until the new commissioner “has the time to recommend [their] suggestions” on a new bill.
Therrien’s criticism of Bill C-11 was “very strong,” so the next time privacy legislation is contemplated, sufficient time would be needed for a new commissioner to weigh in. She added, “you can’t have a commissioner attacking your legislation right out of the starting gate.”
Fasken partner Daniel Fabiano agreed, saying “that makes a lot of sense,” giving a new commissioner the opportunity to “at least review and comment before it before it gets released.” As a result, Fabiano said, it “could likely be many months away from seeing what the federal regime [on privacy] is going to look like.”
In November 2020, the federal government tabled Bill C-11, a replacement for the current regime under the Personal Information Protection and Electronic Documents Act (PIPEDA). At the request of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, Therrien shared his thoughts on the bill, calling it “a step back overall” for privacy. His submission also set out more than 60 recommendations, including the following concerns:
- The bill would have weakened the accountability provisions by leaving organizations to self-regulate.
- The exceptions it proposed to the requirement of obtaining consent for the collection, use or disclosure of information are too broad or ill-defined to promote responsible innovation.
- The legislation would have prioritized commercial interests over the privacy concerns of individuals
- An assertion that the list of violations that could lead to administrative penalties is too narrow. It does not include obligations related to the form or validity of consent, the exceptions to consent, or violations of the accountability provisions.
- His belief that creating a tribunal (to review his exercise of power) adds an unnecessary layer to the process. He recommended that the commissioner be empowered to impose the penalties directly rather than making a recommendation to the tribunal.
Fabiano also noted that privacy commissioner Therrien has been using his enforcement powers regularly and “maximizing the tools that he has at his disposal,” the main one being able to “name and shame” organizations that breach the current federal privacy laws.
“I think some findings in the last year or so are suggesting that the commissioner’s patience is really running thin, particularly with large organizations that really just haven’t gotten the message around data security and proper privacy practices,” Fabiano said.
“So, one of the trends, more than ever, is that larger organizations are more likely to take a reputational hit when they’re called out by name, he said, and criticized by the commissioner if a complaint against them is deemed to be well founded.
Stoddart and Fabiano also discussed a new trend of provincial privacy commissioners working together more as part of a joint investigations.
For example, today Therrien is set to appear before the House of Commons Standing Committee on Access to Information, Privacy and Ethics regarding the use and impact of facial recognition technology. Information and Privacy Commissioner of Ontario Patricia Kosseim and Diane Poitras, president of the Commission d’accès à l’information du Québec will also appear before the committee.
At the same time as the commissioners are making appearances before the standing committee, the heads of all of Canada’s privacy protection authorities will publish a joint statement calling on parliamentarians to modify laws on facial recognition. The authorities will also publish final joint guidance for police agencies on using facial recognition in the context of current laws, “which are not sufficiently protective.”
The publication of these documents follows a public consultation launched in June 2021. The inquiry followed an investigation into Clearview AI that found the private sector platform was involved in mass surveillance. A separate investigation found the RCMP’s use of Clearview unlawful since it relied on the illegal collection and use of facial images.
Fabiano noted that while joining forces and running an investigation together is “clearly more efficient,” the inquiry into Clearview AI “did have some cumbersome elements,” because while the commissioners “rallied around the recommendations,” they diverged in their orders.
For instance, Alberta required Clearview AI to report on steps that it was taking to comply. At the same time, Quebec ordered Clearview AI to “destroy all the images and identifiers that were collected without consent and do it in 90 days of the order.” That latter order course is now being contested in the Quebec courts.”
Fabiano added: “I wonder whether the companies that are subject to these [kinds of] divergent orders might be able to point to the divergence in terms of challenging the commissioners, in this case, Quebec, that are imposing more aggressive orders.”