Therrien: privacy reform urgently required

Canada's federal privacy commissioner has urged his government to update the country’s privacy regime, saying the covid-19 crisis has made the need for new laws more urgent than ever.

Daniel Therrien, head of the Canadian Office of the Privacy Commissioner, said in remarks to the Canadian House of Commons science and technology committee late last week that there are too few protections in Canadian law against abusive data practices. 

Therrien outlined six principles for designing and using covid-19 contact-tracing apps in a way that would protect data rights – saying that if these principles were followed, the apps could protect both public health and privacy.

He told the committee that data collection carried out through contact-tracing apps must be necessary and proportionate. In practice, he said, that means they should be science-based, necessary for a specific purpose, tailored to that purpose, and likely to be effective.

But he added that the law as it currently stands means that some principles, such as necessity and proportionality, are not legally enforceable. The Canadian federal privacy framework is based largely around consent, which observers – including the Canadian government itself – have argued is not suited to modern data protection requirements.

“So, for instance, nothing currently prevents a company from proposing an app that is not evidence-based and us[ing] the information for commercial purposes unrelated to health protection, provided consent is obtained, often in incomprehensible terms,” Therrien told the committee on Friday. “A government could also partner with that company.”

Therrien argued that there is an “urgent” need for “laws that allow technologies to produce benefits in the public interest without creating risks that fundamental rights such as privacy will be violated”. 

Those principles should be enshrined in laws governing both public and private sector privacy, given the growing role of public-private partnerships, he said. Canada has separate federal data protection laws for the public and private sector.

Therrien’s comments are not the first time he has criticised Canada’s existing privacy laws. In November last year, alongside the country’s provincial data regulators, he called on the country’s government to modernise its data protection laws. Observers said at the time that the call for modernisation was likely driven by an upcoming European Commission review of the Canadian adequacy decision.

The commissioner also told GDR on the sidelines of the 41st International Conference of Data Protection and Privacy Commissioners in October last year that it would be “very desirable” for Canada to change its data protection legislation in light of the impending review.

Other privacy and data protection regulators around the world have also advised their governments on contact-tracing apps – though approaches have diverged.