Privacy czar pushes for stronger laws, more funding
OTTAWA • In his most pointed plea to date for federal action, Canada’s privacy watchdog says there is an urgent need for stronger laws to protect personal information — and for more money to help enforce them.
Canadians cannot afford to wait several years until well-known shortcomings in the laws are fixed, privacy commissioner Daniel Therrien said in his annual report, tabled in Parliament on Thursday.
Therrien cited headlinegrabbing privacy lapses involving Facebook and Equifax over the past year to highlight his disappointment with the government’s “slow to non-existent” response to rapidly emerging threats.
Canada’s privacy legislation “is quite permissive” and gives companies wide latitude to use personal information for their own benefit, he said, adding that “the time of self-regulation is over.”
“To be clear, it is not enough to ask companies to live up to their responsibilities. Canadians need stronger privacy laws that will protect them when organizations fail to do so,” Therrien’s report says.
“Respect for those laws must be enforced by a regulator, independent from industry and the government, with sufficient powers to ensure compliance.”
Therrien, who currently makes non-binding recommendations to organizations in public and private sectors, is looking for order-making powers, the ability to levy fines and authority to conduct inspections to ensure compliance with privacy laws.
Treasury Board President Scott Brison said Thursday he shares “the objectives of strengthening the privacy regime, which is why we are introducing an action plan in the coming weeks to do exactly that.”
Brison offered no details, but said Therrien’s views would be important.
Innovation Minister Navdeep Bains pointed Thursday to federal regulations slated to take effect in November that will require companies to report all privacy breaches presenting a real risk of significant harm. “So clearly that demonstrates we’ve taken some action.”
Therrien said the significance of the step is diminished by the absence of any new funds for his office to analyze breach reports, provide advice on how to avoid risks and verify compliance.