Safeguarding Privacy in Canada: A Call to Action
By Aaron Shull
April 3, 2024
This article was first published by the Centre for International Governance Innovation and has been posted by Policy with CIGI’s approval.
During his keynote address at the 25th Annual Vancouver International Privacy and Security Summit, Philippe Dufresne, the Privacy Commissioner of Canada, emphasized the significance of privacy as a fundamental right in the digital era. Commissioner Dufresne highlighted that in a time defined by the widespread use of digital technologies, “safeguarding privacy stands as one of the paramount challenges of our era.” To address this challenge effectively, the commissioner outlined three essential components that define privacy in the digital age.
First, privacy must be considered a fundamental right, and there must be fair and enforceable remedies for breaches of that right. After all, it’s a truism that a right without a remedy is no right at all. In this way, he contends, “Privacy is a fundamental right because personal information is a core part of who we are as individuals, and respecting privacy rights is essential to our dignity and to the enjoyment of other fundamental freedoms.”
There are three primary challenges to realizing this goal of principled enforcement against the private sector. The first is that the federal privacy laws, and the portion of federal law that deals with the private sector, focus on data protection and not on the exercise or enforcement of a broad suite of privacy rights. In this way, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out an important principles-based framework that includes a number of meaningful practices related to obtaining consent, limiting collection and ensuring accuracy related to personal information.
But the focus of the legislation is data protection — examining how personal data is collected, stored, used and shared. When it comes to enforcement and remedies, the focal point tends to be on resolving the data protection practices of various companies, rather than on addressing a purported violation of the fundamental right to privacy.
Another challenge is that the existing model is based on the legal fallacy of consent. Almost everyone has scrolled through the Byzantine terms and conditions of this or that app or service, only to click “I agree” with absolutely no idea of what they are agreeing to. These are design strategies aimed at enticing users to swiftly accept while overlooking links to important policy documents. Jonathan Obar, the York University professor who founded BiggestLieOnline.com, characterizes this approach as a mechanism to steer us toward shopping and entertainment, where profits are generated.
More specifically, in one study of university students — among the most educated people in society — researchers sought to assess how individuals reviewed the privacy policies and terms of service of social media platforms. The researchers created a fake platform called “NameDrop” and reviewed the behaviour of prospective participants. They examined how many users read the terms of service or privacy policies, versus the number who opted to “click join,” versus how many declined based on the number of “gotcha clauses,” including that their data would be shared with the National Security Agency and their employers. One such term was that participants would be required to provide their first-born child as payment for the service. Yet fully 98 percent missed those terms. If we are to truly recognize privacy as fundamental in the digital era, we need to be honest about the shortcomings of the consent-based model.
Yet another challenge is that the true recognition of privacy as a fundamental human right, and the corollary enforcement mechanism, stands in opposition to the primary objective of major platform companies: monetizing data. This concept, extensively analyzed by Shoshana Zuboff in her 2019 book The Age of Surveillance Capitalism, exposes an economic model that exploits human experiences for commercial purposes. Indeed, it directly shapes the “human futures” market by forecasting and tailoring individuals’ future behaviours through the analysis of vast amounts of personal data derived from online activities and connected devices. Rigorous and enforceable privacy rights would make this more difficult. Consequently, enforcement efforts will meet well-financed and well-organized corporate opposition.
If privacy is meant to be treated as a truly fundamental right in the digital age, that will need to be reflected in domestic law. But neither PIPEDA nor its proposed successor, Bill C-27, goes far enough in this regard.
The second component set out in the commissioner’s vision emphasizes the importance of privacy in advancing both the public interest and Canada’s innovation and competitiveness. Contrary to a public narrative often offered by tech companies, that robust privacy rights will stifle innovation, these rights actually support Canada’s innovation and competitiveness. A focus on privacy can drive the development of new technologies for data protection. In this way, growing concerns about data collection in artificial intelligence and big data sectors have spurred at least some inventors to prioritize privacy in their products. This fosters consumer trust and raises the competitive bar in the industry.
A third critical component for cementing privacy as fundamental in 2024 — and beyond — is that it must be acknowledged as integral to strengthening trust in institutions, including their digital aspects. According to data from the most recent cycle of the Canadian Social Survey — Quality of Life, Renter Experiences and Trust, conducted from October to December 2023, public confidence in the federal Parliament is the lowest of all institutions surveyed, with only 28 percent of the population reporting high confidence in that institution. When individuals trust their privacy rights are safeguarded, it only stands to reason that they will be more inclined to participate freely in digital life and the digital economy, hopefully increasing the waning trust in institutions.
In setting out these three pillars, Commissioner Dufresne gets it all right. But more is needed. Canada requires significant legislative change beyond what is currently set out in PIPEDA (or in Bill C-27, the government’s new AI and privacy bill). What’s also needed is a better understanding of how international human rights law already applies within Canada. A fundamental consideration is that the right to privacy cannot be considered in isolation; rather, it must be informed and buttressed by other human rights.
Legislative changes are required
At present, there are efforts aimed at updating the legislative regime for the private sector in Canada. If passed, Bill C-27 — known in full as An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts — would significantly reshape the landscape of privacy law in Canada.
Bill C-27 would encompass several key elements — certainly not limited to this list. First, there will be an expansion of consent requirements, empowering individuals with more control over the collection, usage and disclosure of their personal information. Organizations will be mandated to obtain explicit and meaningful consent before accessing personal data. Additionally, there will be a focus on increased transparency, requiring organizations to furnish clear and easily accessible information regarding their data practices.
Individuals will also be granted the right to access and rectify any inaccuracies in their personal data held by organizations. Further, individuals will have the right to request the disposal and erasure of their personal information in certain scenarios. Unauthorized collection and use of personal data will also be strictly prohibited. To enforce these regulations, the Privacy Commissioner of Canada is to be equipped with new enforcement mechanisms, including the ability to levy significant penalties for non-compliance.
Another aspect is the inclusion of the private right of action, which enables individuals to pursue legal action when their privacy rights are violated. This provision empowers individuals to directly hold organizations accountable and seek compensation for any harm resulting from privacy breaches. It also introduces increased complexity and liability for organizations that fail to comply with privacy regulations.
Nevertheless, the bill has faced numerous criticisms, with the Centre for Digital Rights notably pinpointing several areas for enhancement in its October 2023 report on Bill C-27. These include the necessity of reinforcing valid consent by reintroducing the “understanding” requirement from PIPEDA’s section 6.1 into section 15 of the Consumer Privacy Protection Act. Moreover, there is a call for the establishment of a “legitimate interests” principle prioritizing individual rights over commercial interests, as well as a clear definition of “sensitive information” and strengthened protections for minors. Addressing privacy risks to democracy and extending coverage to federal political parties are also highlighted as crucial improvements. In addition, the report suggests outlining specific prohibitions on certain data collection purposes and abandoning plans for a rigid Personal Information and Data Protection Tribunal in favour of more adaptable enforcement mechanisms. Also, there is an emphasis on enhancing whistle-blowing provisions and implementing a self-reporting program for organizations.
Another criticism is that Canada has been too slow out of the gate. The pressure is on for companies handling consumer data, with rising incidents prompting more governments to introduce new regulations. The General Data Protection Regulation (GDPR) in Europe has been particularly impactful, shaping global data protection standards through the “Brussels effect.” As more countries adopt GDPR-like privacy laws, a standardized approach is emerging, solidifying Europe’s framework for managing personal information. This has the ancillary effect of placing Canada in the rule-taker, not the rule-maker, category.
Perhaps the most significant criticism of Bill C-27, if it is to be the primary mechanism for the domestic recognition of privacy as a fundamental right, and to create the necessary remedies for breaches of that right, is that it simply does not do enough.
At present, the bill’s preamble says that “the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada.”
As a consequence, it has been said by the Privacy Commissioner that “the preamble does not go far enough in recognizing the fundamental right to privacy and could create a challenge for the courts when assessing economic interests and privacy…. Bill C-27 should go further in recognizing privacy as a fundamental right.” Recognizing privacy in this way would put it on an appropriately strong foundation domestically, and it would give effect to Canada’s international commitments.
Eleanor Roosevelt displays the UDHR, 1949/FDR Library
Privacy as a fundamental right exists because of international law
The fact is that international human rights law already provides a clear and universal framework for the promotion and protection of the right to privacy — one from which Canadian legislators could draw. The right to privacy is enshrined in the following:
- the Universal Declaration of Human Rights, article 12;
- the International Covenant on Civil and Political Rights, article 17;
- the Convention on the Rights of the Child, article 16; and
- the International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families, article 14.
Also, we should note here that the right to privacy is embedded in two different domains of international law: both treaty and customary. Indeed, it has been argued that the right to privacy, and in particular data privacy, can be considered a binding principle of customary international law. This is not esoterica important only to international legal scholars. Rather, it’s practical: the basic rule under the Vienna Convention on the Law of Treaties is that only those states that have ratified a treaty in question are bound by it. In many instances, states can also add “reservations” when signing an agreement, which can qualify its application.
By contrast, customary international law does not require a signed treaty. Rather, these are international legal obligations that arise over time by virtue of continual international practice. Basically, states behave a certain way for so long that they become compelled to behave that way. The relevant point here is that — outside of very narrow circumstances — customary rules are binding on all states.
As such, it’s clear that privacy is among the most fundamental of human rights, protected by both customary law and treaties. In effect, it is ingrained in the very fabric of international law and governance practice. It is an essential element of our shared humanity.
The Supreme Court of Canada (SCC) described the place of human rights well in Nevsun Resources Ltd. v. Araya. The SCC said, “Modern international human rights law is the phoenix that rose from the ashes of World War II and declared global war on human rights abuses. Its mandate was to prevent breaches of internationally accepted norms. Those norms were not meant to be theoretical aspirations or legal luxuries, but moral imperatives and legal necessities. Conduct that undermined the norms was to be identified and addressed.”
The SCC went on to note that “Canada has long followed the conventional path of automatically incorporating customary international law into domestic law via the doctrine of adoption, making it part of the law of Canada.” In other words, customary international law is automatically adopted into domestic law without any need for a new piece of legislation. As such, according to the SCC, “The fact that customary international law is part of our common law means that it must be treated with the same respect as any other law.”
Given that privacy as a fundamental right is already part of Canadian law, it only makes sense to clearly and unequivocally give effect to that right through Bill C-27, so that parties are not left with recourse to common law.
Privacy and the dynamic interplay with other rights
Meeting the challenge of safeguarding privacy in the digital era will require an explicit and strong connection between the right to privacy and other human rights. Take, for example, the right to freedom of thought, which is integrally connected to privacy.
In practice, the right to freedom of thought includes three key elements, which the author and Susie Alegre describe in greater detail in a forthcoming publication for CIGI’s project on freedom of thought, Legitimate Influence or Unlawful Manipulation? These three key elements are:
- the freedom to keep our thoughts private so that we may not be coerced into revealing them;
- freedom from indoctrination or influence on our conscious or subconscious mind through manipulation; and
- the prohibition on penalizing a person for their thoughts or opinions.
This area is rife with potential threats to privacy, and that peril is growing. Eye-tracking technology revolutionizes user interaction by enabling seamless navigation of device interfaces through eye movements. It detects presence, tracks gaze in real time and utilizes various components such as cameras, light sources and machine-learning algorithms to interpret eye data, including pupil position and direction. From an accessibility standpoint, integrating eye tracking represents a significant advancement, offering an alternative interface for individuals with physical disabilities. However, similar to how retail displays influence purchasing decisions, marketers can exploit eye tracking for gathering user-attention data, providing insights into preferences and behaviours. Real-time monitoring facilitates precise adjustments to maintain user engagement. When a system aims to manipulate and control user thoughts and actions through such means, it constitutes an invasion of privacy by undermining the right to keep thoughts private, achieved through excessive data collection or misuse of data. The balance between user privacy and system utility is determined by providers; left unrestricted, it will favour utility.
Freedom of thought, therefore, is an essential plank of the international human rights framework. This inviolable freedom has been described as “the foundation of democratic society” and “the basis and origin of all other rights.” And it is intrinsically connected to the corresponding right to freedom of expression and opinion that provides the social backdrop crucial to critical and intellectual thought. It includes the right to freedom of information. But the right to freedom of thought has also been described as a “forgotten right,” languishing as it does based on the assumption that no one can get inside our heads, so we needn’t worry about it. If that were ever the case, it isn’t any longer. Recent developments in emerging technologies give us cause to reflect on the urgent importance of the right.
As such, privacy is not an isolated right. There is a dynamic interplay with other rights, and they must be used in a mutually reinforcing manner as technology becomes more and more advanced.
A framework that matches the moment
Commissioner Dufresne set out the three essential components that will be needed to distinguish privacy as a fundamental right in the digital age. Privacy must be considered a fundamental right, and there must be enforceable remedies for breaches; it must be seen as a key pillar in advancing the public interest and Canada’s innovation and competitiveness, and it needs to buttress trust in institutions.
To give effect to these essential components, legislative changes are required that go further than PIPEDA or Bill C-27. This process cries out for a careful reading of existing international human rights law and a firm understanding of how those rights play out in Canadian domestic law. Finally, it requires engaging in the dynamic interplay between different rights, especially privacy and the freedom of thought. In this new era, data-driven technologies will penetrate almost every aspect of life in Canada — it is time for a rights framework that matches the moment.
Aaron Shull is the managing director and general counsel at CIGI.
This project has been funded by the Office of the Privacy Commissioner of Canada (OPC); the views expressed herein are those of the author and do not necessarily reflect those of the OPC.
The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.