The Conversation Canada article by TRU Law faculty member Robert Diab
Despite early predictions that the internet would spell the end of privacy, it continues to be vital to who we are. Without privacy, we couldn’t sustain relationships or maintain our dignity or sense of self.
Yet our privacy is constantly threatened by ubiquitous surveillance and data collection by tech platforms, retailers, the police and other state agencies, as well as hackers and criminals.
Does privacy law in Canada do enough to protect us from these threats?
To help you decide, it may help to clarify the main features of the legal landscape — when public and private entities can infringe your privacy and what happens when they do.
A constitutional right to privacy
Canadians receive protection from police and other government institutions under the Charter of Rights and Freedoms. And while the word “privacy” appears nowhere in the document, Section 8 still gives Canadians the right to be “secure against unreasonable search or seizure.”
Our highest court drew upon the Fourth Amendment case law in the United States to hold that police engage Section 8 when they search or seize something over which we have “a reasonable expectation of privacy.”
Courts have held that we have a privacy interest in anything that reveals intimate information about us, our lifestyle choices or our “biographical core.” This includes obvious things, like the content of our pockets, homes and digital devices — but it also includes less obvious things like our DNA, breath samples or subscriber information attached to our internet service provider accounts.
Where we do have a reasonable expectation of privacy in a place or thing, police generally need a warrant to search or seize it. In many cases, however, they don’t. They need only be authorized by law to carry out the search. The law, in turn, must be reasonable in striking an appropriate balance between law enforcement interests and personal privacy.
When police obtain evidence without a warrant, or act without authority, a court can exclude the evidence at that person’s criminal trial — though, in some cases, it may decline to do so.
Privacy in the private sphere
The Charter sets limits on what government officials and agencies can do to infringe on our privacy, but more often our privacy is threatened by private entities that gather data or information from us. What are the guardrails in place here and what are the consequences for violating them?
We have federal and provincial statutes to deal with privacy incursions by commercial entities. In some cases, we can sue civilians or businesses in court for breach of privacy.
The most important of these tools is the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which contains rules about collecting, using and disclosing personal information by private sector entities in Canada.
PIPEDA applies to a wide range of commercial activity across all provinces, from large retailers to online platforms. British Columbia, Alberta and Québec have their own privacy laws that cover matters to which PIPEDA does not apply.
The main obligation in PIPEDA is that a company may not collect, use or disclose information about us unless they have our informed consent and use, or share it, for an identified purpose. The act empowers individuals to access information about themselves and to correct inaccuracies.
The Privacy Commissioner of Canada enforces the act, but has often complained of the weak tools at their disposal for doing so.
A better future for personal privacy?
Currently, parliament is debating the passage of Bill C-27, which would largely replace PIPEDA with the Consumer Privacy Protection Act (CPPA).
The new act will impose more stringent penalties for breaches and give authorities more enforcement tools. But it may also expand the scope of what private entities can do with our data by permitting with benefits “proportionate to” the impact on, or loss of, privacy.
At least one commentator believes the Privacy Commissioner of Canada will continue to permit data collection by social media companies and search engines for advertising purposes under the CPPA. But the act will require companies to be more explicit with us about how they intend to use our data.
The CPPA also includes a novel “right of deletion” for information obtained in violation of the act or where consent is withdrawn. Yet this would not amount to a “right to be forgotten,” given an exception in the act for search engines acting with a legitimate interest.
This covers only some of the many tools in Canadian law for protecting personal privacy. But if this survey makes one thing clear, it’s that for Canadians, privacy is far from dead.