Privacy law favours industry over individuals
In Tennessee Williams’s “A Streetcar Named Desire,” the tragic figure Blanche DuBois announces, as she is dragged off toward the asylum, that she has “always depended on the kindness of strangers.” Poor Blanche. Those strangers were men, and their kindness was only a mask for their desire to exploit her.
This moment is evoked by Bill C-27. The stated objective of Canada’s private sector data protection law reform bill is to balance the privacy rights of individuals with industry’s need to collect and use their personal data. In other words, it is about the vulnerability of individuals in the face of the desire of industry to get the data it wants within a data-lustful economy.
There is no level playing field between individuals and organizations when it comes to data. In order to access many of the services we depend upon (including banking and telecommunications) and increasingly across every human activity, our data are collected and we are tracked and monitored.
We sometimes “consent” to takeit-or-leave-it privacy policies, but there are fewer and fewer contexts in which we have meaningful choices. And our data are used in ways that go beyond providing basic services. Absent adequate data protection law, we are vulnerable; like Blanche DuBois, we must depend upon the kindness of strangers.
Data protection law is meant to set basic ground rules for data processors. In the EU’s General Data Protection Regulation, and in Quebec’s new privacy law, human rights are front and centre. They create a hard stop for certain activities, and a strong regulatory framework for others.
But strong regulatory frameworks are argued to slow down commerce and innovation, and Canada’s data users have lobbied hard for a soft, flexible approach to data protection. It is an approach premised on the idea that, by-and-large, industry is composed of good actors who have our interests at heart.
The predecessor to Bill C-27 — Bill C-11 — was condemned by former privacy commissioner Daniel Therrien as a “step backward” for privacy in Canada. Bill C-27 contains improvements over C-11— the government has listened to some concerns. However, it has clearly listened more to the concerns of industry. Human rights still take a back seat to commercial interests.
Privacy by design and by default are absent from the bill, which still does not cover the growing exploitation of personal data by political parties. The exception for use of personal information without knowledge or consent for “socially beneficially purposes” still has major holes and scant attention is paid to the flows of personal data across Canada’s borders.
Canadians are meant to be reassured by arguments that many major industry players in Canada are good actors who are responsible with personal data. This may be true. But responsible means compliant with data protection law, and it is easier to comply with a weaker law than with a stronger one.
Further, companies are driven to use data in innovative ways; greater access and more latitude is better for their bottom lines. Ultimately, it is to shareholders and not data subjects that they must account.
We are told that Canadians will benefit from a strong data economy. Yet, we also know that unrestricted innovation can come with devastating social and economic costs. Those platform giants that have become more powerful than governments also once lobbied for the kind of soft regulation that has allowed them to acquire their current power.
Not everyone is a good actor, and some so-called good-actors may be sloppy or inattentive when it comes to personal data. Protecting people against abuse and exploitation should not be seen as an innovation speed-bump.
We are told that the government has our backs. We can trust them. After all, trust is a pillar of the Digital Charter. But trust must be earned. Laws that facilitate data use without adequate protection do not build trust. Instead, they require us to depend upon the kindness of strangers.