CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.
CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can reasonably be kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An overriding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortcomings in the Act's transparency framework, including the incorporation of statistical reporting obligations attached to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need to mandate reasonable technical safeguards, a mandatory data breach notification regime and formal privacy impact assessment requirements.