
Inside Internal Controls

News and discussion on implementing risk management


Where does Canada stand on privacy?

Canada faces some of the same challenges confronting many Western democracies. The Edward Snowden revelations on the alleged span and scope of U.S. electronic surveillance programs exposed similar activities in other countries operating under the auspices of law enforcement and national security. Canada, like many of these countries, must answer a fundamental question: How does it achieve its law enforcement and national security objectives while also protecting and respecting the privacy rights of its citizens?

A recent Canadian Supreme Court ruling illustrates the struggle in balancing efforts to deter crimes and thwart security threats with the need to protect individual privacy rights. The justices in that case ruled that law enforcement officials must first obtain a judge’s permission before they can seek a customer’s data from Internet service providers (ISPs). Moreover, they stated, “anonymity is vital to personal privacy in the digital age.” Given this ruling and the nation’s growing privacy concerns, we believe that Canada will need a respected, empowered and unbiased federal privacy commissioner to serve as a strong advocate for privacy rights in the future.

Therrien as govt’s pick for Privacy Commissioner

Prime Minister Stephen Harper’s decision to select Daniel Therrien as the next federal privacy commissioner has caused many parliamentarians and privacy advocates to question the Canadian government’s commitment to the protection of individual privacy rights. Their concerns stem from several factors, including that, as a former Justice Department lawyer, Therrien had a key role in shaping the Harper government’s national security policies and its information sharing policies with the U.S. Moreover, Therrien has never served as either a federal or a provincial privacy commissioner, which we feel could call into question his ability, his experience or his neutrality in addressing Canada’s privacy issues objectively. We agree with some in the community who are unsure whether Therrien is the right person but will reserve final judgment until he has had sufficient time to serve in this capacity.

Therrien will not have much time to prove that he can lead the Office of the Privacy Commissioner of Canada effectively. In his favor, he has demonstrated a willingness to challenge controversial legislation with potential privacy implications early in his tenure. The concerns Therrien raised regarding C-13, the “cyberbullying bill,” during an appearance before Parliament serve as an indication of his willingness to engage his former bosses on controversial legislation that might impact individual privacy rights. He will have to demonstrate the same fortitude in the future as he interprets other potentially controversial legislation.

About those dangerous Bills, C-13 and S-4

The Canadian Parliament is considering the passage of two bills that are of immense concern to Canadian academicians, privacy advocates and Canada’s opposition parties.

C-13 seeks to broaden Canadian police powers in combatting online crimes while also protecting children from cyberbullying. We agree with both Therrien and Ontario Privacy Commissioner Ann Cavoukian that the Canadian Parliament should separate the two bills. Cavoukian states in a strongly worded letter to House of Commons Justice Committee Chair Mike Wallace, “The time for dressing up overreaching surveillance powers in the sheep-like clothing of sanctimony about the serious harms caused by child pornography and cyberbullying is long past.” To date, the Harper government has rejected any revisions to the bill, despite the recent Canadian Supreme Court ruling against warrantless searches. Many in the privacy community will continue to monitor the Harper government’s decisions regarding C-13 and its potential impact on Canadian individual privacy.

S-4, also known as the “Digital Privacy Act,” greatly expands warrantless access to subscriber data for law enforcement officials, corporations and others in response to potential privacy breaches. One of the more troubling aspects of this bill is that it would allow ISPs to share subscriber data “with any organization that is investigating a possible breach of contract, such as a copyright violation, or illegal activity.” Unfortunately, the Canadian Senate passed S-4 despite the widespread opposition to the bill, as well as the recent Canadian Supreme Court ruling against warrantless searches.

The future?

We believe the Canadian privacy model has the potential to bridge the chasm that exists between the EU’s comprehensive and the U.S.’s sectoral privacy models. We are somewhat concerned about the recent Article 29 Working Party’s recommendation to the EU Commission regarding its consideration of whether Quebec’s provincial data protection law is adequate. A ruling of inadequacy could also place in question the “adequacy” of Canada’s Personal Information Protection and Electronic Documents Act and the other Canadian provincial data protection laws.

We are also extremely concerned about the Harper government’s actions to enhance law enforcement and national security at the expense of Canadian individual privacy rights and protections. We hope the current administration and its privacy opponents can reach reasonable compromises that allow both groups to achieve their desired outcomes.

We remain cautiously optimistic that Daniel Therrien will prove his critics wrong and will serve as an unwavering proponent for individual privacy protections in Canada for years to come. Despite our optimism, we anticipate that Canada, much like other Western nations, will continue struggling to reconcile its need for enhanced law enforcement and national security powers against the need to protect the unalienable individual right to privacy and freedom of expression for Canadians. We anticipate the Harper government will continue to propose bills, like C-13 and S-4, and also pass laws that infringe upon the individual privacy rights of Canadian citizens. Finally, we believe the Canadian Supreme Court will eventually challenge the constitutionality of bills, like C-13 and S-4, should they ever become laws.

By Chris Stevens, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM, CIPT, and Steve Holland, CIPM

Chris Stevens, CIPP/US, CIPP/E, CIPP/G, CIPT, CIPM, of Carpe Diem Strategic Services is a retired U.S. Army intelligence professional with over 30 years of national intelligence, national security, information security, information privacy, operational security and strategic intelligence experience.

Steve Holland, CIPM, of Carpe Diem Strategic Services is a retired U.S. Air Force intelligence professional. He has 35 years of national intelligence, national security, information privacy, identity intelligence and cybersecurity policy and strategy experience.

Republished with permission from the International Association of Privacy Professionals (IAPP)


One thought on “Where does Canada stand on privacy?”
  • If Mr. Therrien is from the “counterspy” side of the house, I would hope he’d want to see the previous norms restored: spies actively spy on one another, and concentrate on identified enemy countries and multinationals. At the same time, counterspies help companies to build more penetration-resistant systems.

    [Disclosure: a former boss worked closely with CSE to see if he could build TEMPEST low-snoopability into otherwise quite ordinary desktop computers. One of our customers was a government department who was concerned about various of the security problems of the day]