How Is Privacy Supposed to Work in a Digital World?

Policy Brief by Georgia Evans.

Introduction

‘A man’s home is his castle.’ This is the foundation of privacy in common law. It implies that what happens in a home is no one else’s business, and that all men (yes, just men at first) are free from being observed or interfered with in their households. Time and technology have made the right to privacy far more complicated. The exponential growth of the Internet, mobile phones, social media, and modern surveillance technologies have placed an emphasis on the right to privacy and the need for strong personal data protections in the rapidly changing digital age.

Privacy Law in Canada

Privacy is a qualified human right, one with limits and unequal protections across the globe. Articles 12 of the United Nations Declaration of Human Rights guarantees this right, [1] as does Article 17 of the International Covenant on Civil and Political Rights [2]. As a signatory to these, Canada has expressed that privacy is a human right. In the Charter of Rights and Freedoms, this right is developed through ss. 7 and ss. 8. Section 8 states that “everyone has the right to be secure against unreasonable search or seizure,”[3]. Section 8 jurisprudence has developed in a law enforcement and criminal context. Section 7 states that “everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice,”[4]. In terms of privacy, this section has been realized through judgments about bodily autonomy [5]. For example, Section 162(1) of the Criminal Code criminalizes the surreptitious recording of others in sexual or sexualized situations where they would have a reasonable expectation of privacy [6], which is in accordance with Section 7.

The Office of the Privacy Commissioner (OPC) is responsible for the protection and promotion of Canadians’ privacy rights. The Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) are the federal laws meant to protect privacy through the proper handling of personal information. In Canada, personal identifiable information (PII) includes information such as race, religion, financial information, education and work history, and identifying numbers such as a driver’s license and Social Insurance Number that can be attributed to a given person [7]. The Privacy Act legislates how the federal government can collect and use personal information, whereas PIPEDA legislates the activities of businesses. PIPEDA is meant to ensure that businesses follow ten Fair Information Principles, which are meant to ensure that individuals’ provide meaningful consent for the collection and use of their data, businesses limit the use of this data, and protect the data while they possess it [8].

Data Protection in the Digital Age

While data protection is just one component of the right to privacy, it is vital in the 21st century. As the digitization of society accelerates, an ever-growing amount of personal data points are available to a number of businesses for use. Data, or so the saying goes, is the new oil [9]. Surveillance capitalism necessitates the harvesting of data and manipulation of personal attributes learned from it for monetary gain through attention control and ad revenue.[10] As the use of artificial intelligence, machine learning and 5G networks expand, personal data protections are more and more important to guarantee the right to privacy.

Hallmark legislation in the digital age is the European Union’s General Data Protection Regulation (GDPR). Passed in 2018, it articulates the responsibilities for data controllers and data processors in the processing of a subject’s personal data [11]. The protection and accountability principles of the GDPR are lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability [12]. Data subjects, the people whose data are collected, have a number of rights under the GDPR. These include the right to be informed about the use of data, the right of access to personal data collected, the right to erasure of said data, the right to restrict processing, the right to data portability, the right to object, and various rights in relation to automated decision making and profiling [13]. If parties are not compliant, such as Grindr’s violation in late January [14], they are liable of fines up to 4% of global revenue depending on the severity of the infringement [15]. PIPEDA has long received criticism for having weak compliance mechanisms compared to the severe fines levied for GDPR infringements. PIPEDA’s inability to keep up with the data and economy and fears of losing adequacy status have in part inspired its reform. This fear was compounded by the Schrems II judgment, where the Court of Justice of the EU ruled that the data protections afforded by the United States were inadequate and halted some transatlantic data transfers [16].

Bill C-11

As one of his final acts as Minister of Innovation, Science, and Economic Development, Navdeep Bains introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts. When implemented, the Consumer Privacy Protection Act portion will replace PIPEDA and the Data Protection Tribunal Act will establish an administrative tribunal to hear appeals of decisions made by the Privacy Commissioner and impose penalties for infringements against the Act [17]. Through Bill C-11, the right to explanation, the right to access personal information, and a modified right to erasure will be provided to Canadians [18]. Data portability, the ability of individuals to control their personal data and move data from one provider to another, is another key aspect of Bill C-11. These provisions, as well as the increased compliance mechanisms are well needed in the data economy. Teresa Scassa, the Canada Research Chair in Information Law and Policy, argues that while it is an important proposal for data protection, there are key issues that will make the process to receiving royal assent difficult [19]. Many of the exceptions for obtaining individuals’ consent are borne out of a protection of business interests rather than privacy rights. One example is how businesses need not obtain consent for personal information “necessary for the safety of a product or service that the organization provides or delivers,”[20]. Given the sheer volume of devices connected to the Internet, including cars and medical devices, this exception creates ripe opportunities for businesses to collect too much personal data. While many of the provisions of Bill C-11 are needed for data protection, it is far off from safeguarding the fundamental right to privacy that Canadians are entitled to.

1. “Universal Declaration of Human Rights,” December 10, 1948, United Nations, https://www.un.org/en/universal-declaration-human-rights/

2. “International Covenant on Civil and Political Rights,” December 16, 1966, United Nations Office of the High Commissioner, https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx

3. Canadian Charter of Rights and Freedoms, s 8, Part 1 of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (UK), 1982, c 11.

4. Canadian Charter of Rights and Freedoms, s 7, Part 1 of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (UK), 1982, c 11.

5. Meg Lonergan, “Privacy in the Information Society,” (Lecture, Carleton University, Ottawa ON, February 08, 2021).

6. Criminal Code, RSC 1985, c C-46, s. 162(1).

7. Office of the Privacy Commissioner, “Summary of privacy laws in Canada,” Office of the Privacy Commissioner, Date Accessed February 24, 2021, https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/

8. Personal Information Protection and Electronic Documents Act, SC 2000, c. 5, (CanLII). https://canlii.ca/t/7vwj

9. The Economist, “The world’s most valuable resource is no longer oil, but data,” The Economist, 2017, https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

10. Ronald J. Deibert, Reset: Reclaiming Internet for Civil Society, (Canada: House of Anansi Press, 2020): 35-80.

11. European Parliament and Council of European Union, Regulation (EU) 2016/679, 2016, (EurLEX), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

12. Ibid, Article 5.1-2.

13. Ibid, Articles 12-13.

14. Natasha Lomas, “Grindr on the hook for €10M over GDPR consent violations,” Tech Crunch, January 26, 2021, https://techcrunch.com/2021/01/26/grindr-on-the-hook-for-e10m-over-gdpr-consent-violations/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAMlOx3tm8UtIPzUyAPaWG48Ct2UQMOuqKvkOWKINptsNphn7CBt5XvhwUMzY-WdWj8Osgd7D0dPTKuNI_SM2CcZst3p8a3ytfeYAiCTAYlGHXG30sCxwBbuwJJrOEuS92E1wQ9F_tIcWOss86PudMlUXmZmAZmxzun-aolE2YkQ0

15. European Parliament and Council of European Union, Regulation (EU) 2016/679, Article 83, 2016, (EurLEX), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

16. Howard Solomon, “EU ruling on US agreement may nudge Canada to update our privacy law: Cavoukian,” ITWorldCanada, July 17, 2020, https://www.itworldcanada.com/article/eu-ruling-on-us-agreement-may-nudge-canada-to-update-our-privacy-law-cavoukian/433319

17. Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2nd Session, 43rd Parliament, 2020, https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading

18. Bill C-11, ss. 62-63.

19. Teresa Scassa, “Replacing Canada’s 20-Year-Old Data Protection Law,” CIGI, December 23, 2020, https://www.cigionline.org/articles/replacing-canadas-20-year-old-data-protection-law

20. Bill C-11, s. 18(2(d)).