Canada needs stronger data protection laws now

The recent revelation by the CBC that the personal online browsing habits of holders of the ironically-named TD Canada Trust Visa could be recorded by the bank, including Google searches, videos watched, social media activity, and nearly everything else, demonstrates that the Personal Information Protection and Electronic Documents Act (PIPEDA), which is supposed to be protecting Canadians from this sort of thing, is so lax as to be essentially useless. Although TD Canada has apparently said since the news broke that they wouldn’t track personal information, one gets the definite impression that they are mostly sorry for having gotten caught. Our government needs to rectify this situation as soon as possible, and it should be using European data laws, which are the strongest in the world, as a model.

Why is online privacy is so important? Beyond the obvious creep factor involved here, it has been established by the UN [PDF] that privacy is a major component of freedom of expression, as enshrined in Section 2(b) of the Charter of Rights and Freedoms. The reason it feels wrong when your bank spies on you is because it’s a violation of your Charter rights. You can’t feel free to access information, do research, or write about what’s on your mind if you’re worried that government or businesses are peering over your shoulder. The very idea is repressive and abhorrent. It’s even more frightening when you realize that it’s already been happening without your knowledge. Online surveillance is silent and invisible, but it’s having an impact on our lives that increases with every transgression.

Opponents of strong privacy laws might claim that because customers opted in, they waived their rights under PIPEDA. But how many holders of the TD Canada Trust Visa read the 66 pages of fine print that came with it? TD Canada was very sneaky in the way they tricked people into giving up their right to privacy. This kind of thing should be illegal, and if we had European-style data protection laws, it would be.

In Europe, the Data Protection Directive, established in 1995, prohibits this from happening. The laws governing data retention state that businesses may not seek information on a data subject (that’s you and me) unless it is directly related to the reason they are doing business together, and even this can be done only if the subject has given their express permission. It’s opt-in, rather than opt-out. The arbitrary, TD Canada-style collection of unrelated data is forbidden altogether. Data may not be retained any longer than is necessary. Data subjects have the right to request their files at any time, in a format that is readable to them, and they have the “right to be forgotten.” In 2017, with the passage of the General Data Protection Regulation, these laws will become even stronger. All member states will be bound by them, and businesses who violate them will be subject to severe penalties.

Our government is not looking out for Canadians nearly this well. In fact, under Stephen Harper, it became apparent that not only is the Canadian government apathetic about protecting our privacy, it has been an active participant in violating it, time and time again.

The most glaring example of this is the Trans-Pacific Partnership, or TPP. Many Canadians are not aware of the privacy-related issues around this proposed agreement, currently the subject of hot debate by people in affected countries, and of a review by the new Trudeau government. Under the TPP, Canadian businesses would be prohibited from insisting that data about people in Canada be stored only on Canadian servers, which would make it subject to Canadian privacy laws, such as they are. When personal information can be stored anywhere, in any TPP-member nation, it’s not protected by any privacy laws at all. It could be stored in the US, for example, which means, since there is no single comprehensive federal data protection law there, that your sensitive details are sand in the wind.

Because of intelligence-sharing arrangements between Five Eyes governments, as well as information-sharing agreements between TPP signatories, this would make your health history, your credit problems, your video-viewing habits, and your Facebook likes all freely available to any corporation or government agency who wants them, including banks, border guards, your employer, and the police, to name just a few. When one considers everything else that can be deduced about you from this information, such as your sexuality, your political opinions, your detailed financial status, and even to a certain extent your private thoughts, one realizes that we don’t have to worry any longer about a Big Brother-type of future. We are already living in it. The question we should be asking ourselves now is: how is this information already being misused, and how can I begin to protect myself?

We should not have to curtail our online activity simply because we are worried our bank or our government will know too much about us. That is the very definition of repression, and yet that is the situation many of us are faced with. It should be clear at this point that the corporations with whom we do business, and the government who is supposed to represent us, are the adversaries of our privacy, which once again is a natural human right.