Privacy fears at an all-time high, former Ontario privacy commissioner says
Federal privacy commissioner needs order-making powers, Ann Cavoukian says
Ontario's former privacy commissioner says concerns about digital privacy are at an all time high, and federal privacy commissioners need more power to protect people.
Ann Cavoukian, who is now leading the Privacy by Design Centre of Excellence at Ryerson University says governments and technology companies have a lot to do to protect people.
"People are getting fed up with it," she says. "You cannot have freedom without privacy, privacy forms the foundation of our freedom."
Cavoukian says she no longer has to explain why people should care about their privacy, and instead, people are asking what they can do to better protect themselves.
She says people are starting to understand that when you give up your personal information, companies and governments can have custody over your information and do whatever they want with it, including selling it to third parties without your consent or using it to track your activities.
Privacy measures need to be better "baked" into emerging technology as well, Cavoukian said.
She said when you integrate privacy measures early into technology, you minimize the likelihood of data breaches and privacy infractions, but current laws lag behind technological advancements.
"Do privacy proactively, bake it into the code, bake it into your data architecture, so it is seamlessly integrated with your operations and your technology," Cavoukian said. "That way you don't have to worry about it being forgotten — that's why you have to talk to tech people."
Government action is needed: Cavoukian
Cavoukian says since people are more aware of their privacy needs, it's up to governments to do more to protect them.
On the provincial level, the privacy commissioner has order-making power, meaning if anyone was in breach of the Privacy Act, the commissioner can order them to take certain actions.
She said it was beneficial to have that kind of power when she was commissioner.
"I barely used it because they knew I had this power, so I wanted to reach an informal resolution with them, which would get their buy in," she says. "If they didn't participate with me, I always had recourse. I could turn to order them to do something."
The federal privacy commissioner does not have that power, says Cavoukian.
She said without that power, the federal government can just ignore the recommendations made by the federal commissioner.
"This power shows organization that you have some piece to enforce the laws you oversee," says Cavoukian.
Cavoukian says for both levels of government, the one thing they can do more of is audits, which she says would put government and companies on alert in their practices in relation to privacy.
It would also give them an opportunity to "look under the hoods" and check out their privacy practices.
"If the federal commissioner had more power, he could go and inspect what companies are doing, rather than wait for complaints to arrive which would lead him to investigate," she said.
Acts need to be modernized, privacy office says
The federal Office of the Privacy Commissioner agrees.
In a statement to CBC, spokesperson Corey Larocque says the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) need to be modernized and has called for that measure.
"Given the interests at stake for individual Canadians, the Commissioner's view is that the starting point for modernizing Canada's privacy framework is to give it a rights-based foundation," he said in an emailed statement.
"The Commissioner has noted that privacy is more than a set of technical or procedural rules, settings, controls and administrative safeguards. Instead, it is a fundamental right and a necessary precondition for the exercise of other fundamental rights, including freedom, equality and, as we saw in the Facebook-Cambridge Analytica scandal, democracy."
He says the office's interpretation of the law should be binding to ensure enforcement.
"The Commissioner should be empowered to make orders and impose fines for non-compliance with the law," the statement read.
It went on to say, "organizations that do not act responsibly would be held accountable. It is not enough for an organization to say it is accountable. It must be able to show it is accountable."
Larocque says the federal government has recently announced it plans to review the Privacy Act and PIPEDA, which the office hopes will bring reform.
Cavoukian is set to talk about how the tech industry can do its part to protect privacy at the True North tech conference in Kitchener on Wednesday.