When Chantal Bernier finished her reign in the Office of the Privacy Commissioner of Canada, she left the post at an interesting time – just before new privacy laws came into force within the country.
Bernier was interim privacy commissioner until Daniel Therrien took the reins earlier this summer. She has since moved on to Dentons Canada LLP, taking on the role of counsel with the law firm’s privacy and security practice.
We spoke to Bernier for a quick snapshot of what privacy looks like in Canada right now, asking what’s happening with Canada’s Anti-Spam Legislation (CASL). We also asked for her thoughts on Canadian intelligence agencies watching citizens’ social media and Internet activity, and whether the government should increase surveillance, in light of the recent shooting in Ottawa.
This interview has been edited and condensed for length and clarity.
Candice So: What I wanted to talk about first is CASL. I’ve been to a number of workshops where businesses and marketers are talking about CASL, and many of them seem pretty confused as to how to comply. A lot of them are also saying the laws are unfairly restrictive. But on the other hand, I see it from the consumer side where it may help cut down spam in an inbox. So what are your thoughts on trying to balance those two concerns?
Chantal Bernier: I think the best way to understand CASL is to summarize it to this – the purpose of CASL is to restore some user control over computer activity. And that is fundamental to the right to privacy at its core – the right to control what others know about you.
So I understand that industry finds the requirements to be cumbersome and even onerous. And indeed they are. But that is the new name of the game, especially if information is more accessible to them through electronic means. Consumers must be given control.
And so now, through CASL, rather than being inundated with unwanted commercial electronic messages, we would be given the choice to receive them or not, and rather than just having software installed on our computers, sometimes with our assisted clarity to understand the implications, we will now be given the opportunity to choose for the software to be installed or not.
So: I’m glad you mentioned the software. I think there’s been some confusion about that too among businesses. The rules don’t come into force until January 2015. How can businesses get started on becoming compliant with that?
Bernier: From a legal point of view, they have to understand the underpinnings of CASL … to restore a balance between the business needs to operate, and the individual right to privacy … What businesses should focus on is, how do we make sure we are ready, when it comes into force, to give users control over the installation of software?
So: That being said, for a lot of businesses, when they want to push out a patch or update, they’ll have to go through a whole process. But software moves quickly nowadays – will this slow anything down in terms of tech innovation?
Bernier: To me, the reference point is this – are we installing software that actually impacts the collection, use, or disclosure of the individual’s personal information? If it does materially impact it, then the user must consent.
The whole notion of consent is challenged on the Internet. And we see that. We see and we are guilty of agreeing just because we don’t want to bother reading the whole explanation to what we agreed to. So the whole notion of consent must be rethought to be effective on the Internet.
There are pathways to solutions though … towards reconciling a good user experience, meaning not being constantly interrupted during Internet use, and at the same time accessing informed, meaningful consent. For example, there could be very easy popups that in succinct language, describe the impact of saying yes or no, and have a clear button for yes or no. So that would meet the transparency principle, that meets also the consent requirements, and it doesn’t interrupt unduly the user experience.
So: To get back to CASL in terms of commercial electronic messages, I was seeing one report that said there have been around 120,000 CASL complaints [against businesses] so far, up til October … I feel there’s just no way the Canada Radio-television and Telecommunications Commission can deal with every single one of these complaints. Is this a sign CASL is working, or is it not effective?
Bernier: I will just speculate in answering you, so it has to be taken for just that. In view of the confusion I noticed, before the entry into force of CASL among business, I’m not entirely surprised that there are so many complaints. They can be attributable to confusion on the part of organizations that therefore continue to send commercial electronic messages, not realizing that they are in contravention of CASL. Or confusion among consumers who think the commercial electronic messages they receive are in contravention of CASL. I think we need to see the outcome of these complaints.
So: There are some rumblings we’ve been hearing about the government overstepping with snooping on Canadians’ social media accounts, as well as asking for subscriber data from telecom companies. Aside from speaking out against these things, is there anything that can be done to counteract that kind of activity?
Bernier: Well, first of all, I am disappointed not to have seen yet the guidelines from the Treasury Board secretary that were promised to Canadians after my recommendations in my January report … On the basis of an investigation I led that found two departments had indeed collected personal information from the social network activity of a Canadian. And what was most disconcerting was that the two departments did not deny it. They were just convinced it was lawful.
The matter of access to Internet information – the Supreme Court of Canada has, in my view, put an end to the discussion as to whether basic subscriber information is personal information or just phone book information … My and other privacy advocates’ view is that basic subscriber information was extremely revealing, way beyond phone book, because it’s the key to a person’s Internet activities, and therefore a person’s allegiances, interests, concerns, and sexual orientation, health, et cetera.
And the Supreme Court of Canada has made it very clear that indeed, basic subscriber information is protected because what matters is not just the information that is sought, but what that information reveals. And so we now have a clear direction from the Supreme Court of Canada in relation to protecting personal information on the Internet.
One of the recommendations I made was that telecoms companies document and make public the number of requests they receive from government authorities for basic subscriber information. So at the very least, Canadians are informed of the scope of this phenomenon, and therefore can exercise their right to claim accountability for it.
So: We’ve also been hearing a lot about Bill C-44, and how it’s bringing out potentially more powers for the Canadian Security Intelligence Service (CSIS). And with the shooting on Parliament Hill, we’ve been hearing some talk about perhaps more political support for that. What are your thoughts on that balance of getting more powers for CSIS?
Bernier: Bill C-44 in itself does not have particular privacy implications. What is notable in my view is that the first reaction of the government was to increase surveillance – the most intrusive privacy measure …[It shows], as many others in Canadian history of radicalization, significant mental health issues. I am disappointed to see the immediate focus on increased surveillance, and yet no mention of sitting down with the provinces and adopting an evidence-based policy to increase support to mental health and addiction.