Canada's federal, provincial and territorial privacy commissioners are calling on governments across the country to modernize access-to-information and privacy laws, which they say "have sadly fallen behind the laws of many other countries" in the face of rapid technological advancements.
“Most Canadian access and privacy laws have not been fundamentally changed since their passage, some more than 35 years ago,” reads a joint resolution made public Wednesday — and agreed to last month in Charlottetown, P.E.I. — by the commissioners.
They issued several calls to action, including that governments create a legal framework to ensure the ethical use of artificial intelligence and machine-learning technologies, and to ensure both public entities and private companies handling the personal information of Canadians be subject to privacy laws.
"The rapid advancement of technologies has had an impact on fundamental democratic principles and human rights, including access to information and privacy," the resolution says. "They further point out that Canadians have growing concerns about the use and exploitation of their personal information by both government and private businesses."
The commissioners are also calling on governments to strengthen their enforcement powers to levy fines or make orders against actors who violate privacy laws, and call for the right of access to information to apply to all public entities.
Critics have long called on the federal government to reform access-to-information laws, saying government departments routinely drag their heels on requests or withhold information.
"Canada's lax timelines, imposition of access fees, lack of a proper public interest override and blanket exemptions for certain political offices all contravene international standards for the right of access," the Centre for Law and Democracy, a Canadian NGO, said in its latest assessment of the country's freedom-of-information laws. "Canada's antiquated approach to access to information is also the result of a lack of political will to improve the situation."
Meanwhile, Privacy Commissioner of Canada Daniel Therrien said last year in his annual report that federal departments and agencies are under-reporting significant privacy breaches, which they are required to notify the office of the privacy commissioner (OPC) and the Treasury Board about.
The OPC said it received 286 public-sector breach reports during the 2017-18 fiscal year, but noted that an order question in parliament revealed a "half-dozen large breaches concerning as many as 6,000 individuals, where institutions didn’t notify those affected or our office."
Meanwhile, the OPC said last week it has received 680 breach reports affecting more than 28 million Canadians from private businesses in the past year, all made under the Personal Information Protection and Electronic Documents Act (PIPEDA). Until last year, data-breach reporting by private firms under the act was not mandatory.
"While there have been legislative advances made in some Canadian jurisdictions, work is still required to ensure modern legislation is in place across the country in order to better protect Canadians," the joint statement from the commissioners says.