cyber security Cyber Security and Emerging Threats Katherine Todd

Canada’s Lacking Data Privacy Protections

Since the dawn of the internet age, Canadians use and rely on personal computers and smart devices for everyday tasks and interactions. Internet use, however, requires that users’ personal data be stored online. This begs the question, how is this personal data protected?

In the 2020-2021 Survey of Canadians on Privacy-Related Issues, almost 90% of respondents expressed concern about Canada’s apparent lack of robust data privacy protections. These privacy concerns centered around individuals’ ability to choose what information they share with other people. Being able to control the privacy of one’s information allows individuals to live without being afraid of what other people may think of them. For example, the COVID-19 pandemic forced Canadians to rely on digital interactions when the government instructed them to conduct business and socialize ‘virtually’ to avoid contracting and spreading the virus. This dramatic shift to online living has brought attention to data privacy issues associated with internet use.

Personal data sets have become a goldmine for governments and businesses to track, monitor, and analyze to predict voting and purchasing patterns. Since the 1990s, approximately 80% of internet-based businesses have profited from selling personal data. Businesses tend to frame their harvesting of personal data as consensual, claiming that individuals give them their data for free to use their services. In reality, this exchange of data is more coerced than consensual. Individuals are forced to choose whether to ‘opt-out’ of using said service and having their data collected or to ‘opt-into’ using the service and thereby have their data exploited.

Governments also benefit from this type of data collection and analysis, but unlike businesses, they face an ethical conundrum as they are supposed to protect individuals’ privacy from possible infringements. The Government of Canada acknowledged the need for data protection legislation in 2019 when it created a Digital Charter that discussed how best to protect privacy in the newly digitized world. This Charter, however, is not legally binding and has not provided a much-needed legislative update to address concerns about Canadian citizens’ privacy in the internet age.

Canadians’ privacy is currently protected by domestic, constitutional, and international rights and laws. Domestically, the 1984 Privacy Act protects individuals’ personal information from government misuse. The 2001 federal Personal Information Protection and Electronic Documents Act regulates how privacy is to be treated in all commercial activities, and provincial legislation like Alberta’s 2003 Personal Information Protection Act regulate privacy within commercial affairs in the provinces. Constitutionally, a right to privacy has been found to exist in both “Section 7, (the right to life, liberty and the security of the person), and Section 8 (the right to be secure against unreasonable search or seizure)” of the Canadian Charter of Rights and Freedoms. In the 2013 Supreme Court of Canada case R.v. Vu, the Court implied that an individual’s right to privacy also extends to digital data. Internationally, Canada has endorsed several treaties such as the 1948 Universal Declaration of Human Rights, the 1966 International Covenant on Civil and Political Rights, and the 1990 Convention of the Rights of the Child that all acknowledge the existence and importance of a right to individual privacy.

Although there are these existing protections for Canadian citizens’ data privacy, the country’s privacy legislation is no longer current. It has not been updated since the early 2000s, leaving data privacy vulnerable in our increasingly digital world. The international treaties that Canada has signed acknowledging a fundamental right to privacy have not been effectively translated into domestic laws or constitutional amendments. With the use of artificial intelligence, facial recognition technology, and other advanced computing technology becoming commonplace, Canada needs new legislation that specifically protects citizens’ data privacy.

The federal government attempted to introduce new digital privacy legislation in 2020 when it proposed Bill C-11, the Digital Charter Implementation Act. The bill sought to enact recommendations from the Digital Charter, providing consumers with protections such as data mobility, a right to have one’s data deleted, and algorithmic transparency. It also aimed to align Canada’s privacy policy with that of the European Union, where personal data is diligently protected by the 2018 General Data Protection Regulation. However, Bill C-11 never proceeded past its second reading or received royal assent. In June 2022, the government introduced a newly amended version of Bill C-11 called Bill C-27. It, like Bill C-11, aims to amend the Personal Information and Data Protection Tribunal Act as well as the Consumer Privacy Protection Act. However, this time it also includes enacting an Artificial Intelligence and Data Act. This act would regulate how AI collects personal information and require businesses using AI to account for potential issues like biased output.

Although Canadians have a constitutional right to privacy, and Canada recognizes privacy as a fundamental human right, there is currently no legislation that specifically protects data privacy. New data privacy legislation, such as Bill C-11 or Bill C-27, is needed in Canada to protect citizen’s personal data explicitly. Not only is the misuse of data becoming a major concern among the populace, but Canada’s trading partners like the EU also require Canada to update its user data protections to share data with European businesses. Bill C-11 was a step in the right direction, but even it failed to address concerns about political and governmental organizations’ use of personal data, data security, and user consent. Bill C-27 now offers a new glimmer of hope for Canadians’ privacy in the digital age.

Image copyright: Image of a lock on top of credit cards and a laptop keyboard by Towfiqu barbhuiya on Unsplash

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Katherine E. Todd
Katherine E. Todd is a Junior Research Fellow at the NATO Association of Canada, a Master of Public Policy Candidate at the University of Toronto’s Munk School, and a Sub-Lieutenant in the Royal Canadian Naval Reserves. In 2022, Katherine was the host of a podcast called Voice Above where she’s interviewed expert guests about current affairs, a delegate at the Oxford Diplomacy and Geopolitics Forum and North American and Arctic Defense Security Network’s Emerging Leaders Week, and a journalist for the Varsity Newspaper’s Comment, Arts and Culture, and Features sections. In May 2022, she graduated with high distinction from the University of Toronto with a Bachelor of Arts with honours, specializing in political science and minoring in public law. Upon graduation she was awarded with the prize for top political science graduate, the Department of Political Science Leadership Award, and the University of Toronto's undergraduate Award of Excellence (the John H. Moss Scholarship). Katherine's research interests are in Quebec-Canada relations, nationalism and populism, migration studies, privacy and property rights, security, and public policy for emerging technologies. You can connect with Katherine at todd.ke@outlook.com or https://www.linkedin.com/in/kate-e-todd/.