Canadian companies still aren’t doing enough to respect the privacy of residents, the federal privacy commissioner said in an interview marking Data Privacy Week.
“In our annual report … we saw a number of instances where there are still shortcomings in terms of how privacy is considered,” Philippe Dufresne said Monday.
In particular, he cited four cases from the report for the 12-month period ending March 31, 2022:
— a joint investigation with provincial privacy officers in Quebec, Alberta, and B.C. found Tim Hortons’ mobile app inappropriately tracked and recorded its customers’ movements every few minutes of every day, even when the app was not open. The collection of what the report called “vast” amounts of location information was not proportional to the benefits the company may have hoped to gain from better-targeted promotion of its coffee and other products. Customers’ consent for collecting that data was done through “unclear, and in certain circumstances, misleading statements;”
— a Rogers Communications customer was enrolled in its Voice ID voiceprint biometric authentication program without her consent. In fact, after discovering she had been enrolled, the customer called Rogers and once again opted out of the program, only to discover that she was still in it. Rogers agreed to get express consent from individuals for this program;
— trucking firm Trimac Transportation Services Inc. had installed dash cameras in its vehicles that continuously recorded audio and video without drivers’ consent. Video and audio clips transferred to Trimac were available, with limited safeguards against unauthorized access, to more Trimac employees than necessary. The company agreed the audio recording should only be active when a driver is on-duty or driving, and to limit the availability of the recordings;
— a Quebec company authorized by the federal government to administer mandatory COVID-19 tests at the Montreal-Trudeau airport used its position to send marketing emails to 147,000 travelers it tested without their consent. The company wrongly thought it had established a “business relationship with arriving passengers and thus relied on implied consent to send email ads,” the report said.
The four examples Dufresne cited involve improperly collecting personal data without proper consent. The website of the Office of the Privacy Commissioner says that under the federal private sector privacy law known as the Personal Information Protection and Electronic Documents Act (PIPEDA), “organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information.”
SIDEBAR: PIPEDA applies to federally-regulated commercial firms and companies in all provinces and territories except in B.C., Alberta and Ontario. Here’s a brief outline of what businesses should and shouldn’t do.
During Privacy Week, business and IT leaders should be thinking about what they can do to create a stronger culture of privacy in the workplace and in Canadian society, Dufresne said. “When I was appointed privacy commissioner [last summer] I put forward a vision of privacy that recognizes privacy as a fundamental right, privacy in support of the public interest and Canada’s innovation and competitiveness, and privacy as an accelerator of Canadians’ trust in their institutions and their participation as digital citizens.”
“That means treating privacy as a priority,” he said, “not as an afterthought, as a mere regulatory obligation, but something that is fundamental to individuals and society.
“For organizations, that means conducting privacy impact assessments in appropriate cases to ensure privacy risks are identified and mitigated. It means asking questions and making sure that they are only collecting, using, retaining and disposing of personal information to the extent that it’s demonstrably necessary and proportional to achieving the organization’s legitimate purposes.
“It means that individuals must be properly trained within the organization so that not only do they have good policies, but they are implemented properly and followed through. It means putting up safeguards to protect information against what we are seeing more and more in terms of data breaches and increased threats. And it means leaders recognizing and putting forward a vision of privacy that treats it as a fundamental right and not as an obstacle to the pursuit of an organization’s objectives — whether it’s innovation or economic — but as an asset, something that will support and strengthen those goals and ultimately increase Canadians’ trust in organization and society.”
While Dufresne calls for privacy to be a fundamental right, that’s not what the Liberal government has proposed in its overhaul of PIPEDA, known as Bill C-27. Dufresne said he will outline his detailed opinion on the proposed legislation to Parliament. He didn’t call for amending the Charter of Rights and Freedoms, however, he did say privacy should have “special status” if there is a conflict with other interests.
The government has said that the importance of privacy protection is mentioned in the legislation’s preamble.