The Prime Minister’s announcement last week that he has recommended Assistant Deputy Attorney General, Daniel Therrien, to be the next Federal Privacy Commissioner should give us cause to reflect on what the Federal Privacy Commissioner actually does and what skill sets are necessary. I have written about this on a number of occasions. The job is complex, multi-faceted and requires considerable expertise in many fields. Internationally, and in Canada, Privacy or Data Protection Commissioners play at least eight overlapping roles: ombudsmen, auditors, consultants, educators, policy advisers, negotiators, enforcers and international ambassadors. The roles are complex and sometimes contradictory (See Bennett and Raab, The Governance of Privacy).
The job advertisement for the current post recognized these multiple roles: “The Commissioner’s powers to further the privacy rights of Canadians include: investigating complaints; conducting audits and pursuing court action under the Privacy Act and PIPEDA; publicly reporting on the personal information-handling practices of public- and private-sector organizations; undertaking and publishing research related to the protection of personal information; and promoting public awareness and understanding of privacy issues.”
So gone are the days when the Privacy Commissioner can rely solely on legal expertise, applying the black letter of the law to each problem. Legal skills are, of course, a huge asset. But the modern Privacy Commissioner needs also to know about the range of other policy instruments that might be brought to bear on this increasingly challenging, complex and global problem, including public education, technological solutions, and management and accountability mechanisms. The federal Privacy Commissioner, unlike the provincial Commissioners, does not have order-making power, and so must rely on persuasion. And the power to persuade stems directly from the respect in the community for that individual’s knowledge and neutrality.
There is now a wide-ranging community of experts and officials in Canada that give serious thought to privacy in all its dimensions. These include: provincial privacy commissioners and the staff in both the federal and provincial offices; a large group of corporate privacy officers; civil libertarians and consumer advocates; journalists; and a widely respected group of academics from many disciplines.
Of all my contacts in this network, not one that I have spoken with over the last few days had ever heard of Daniel Therrien. Nobody has met him at one of the many privacy conferences in Canada or overseas. As far as I know, he has never spoken at one of these conferences. He has a very low public profile. All we know is that he has been a career lawyer within the Justice Department, and has been Assistant Deputy Attorney General with responsibilities for public safety, defence and immigration since 2005.
The focus of the criticism so far has been along the lines of the “fox in charge of the hen house” theme. Thomas Mulcair pointed out that “it would be imprudent to place a former civil servant in charge of warning the public about policies he helped design and implement.” These concerns are serious and legitimate. But past experience does not necessarily lead to future actions. Public safety and law enforcement issues are also complex and nuanced. No doubt Mr Therrien brings some valuable experience on these kinds of questions.
But what else? From the brief sketch of his record, it would appear that his experience is extremely narrow. Many of the skills that we now expect of a modern privacy commissioner do not appear in his resume. So, if I were on the Standing Committee on Access to Information, Privacy and Ethics (ETHI), asking him questions this week, this is what I would want to know about his readiness to do the job.
Reactive or proactive? The traditional role of the ombudsman, the resolution of complaints, is central to any effective oversight of personal data protection, even though it can also be a time-consuming and significant drain on scarce resources. What, then, is the appropriate balance between this reactive role, and the more proactive, broader policy role of the Office of the Privacy Commissioner (OPC)?
What about more proactive organizational audits? Commissioners may have suspicions about the personal information practices of a particular organization that arise from a number of sources, leading to the conduct of more general audits of the organization or of a particular technology. How best to manage the audit process? How does the office decide who should be audited?
How to balance the advisory with the enforcement role? Privacy Commissioners constantly give advice to individual data custodians on how to comply with data protection laws and principles. Consultation and advice are normally regarded as preferable to adversarial relationships between the regulator and the regulated. But if a business came to the office looking for advice about the legality of a particular service or technology, what would he do?
What does he think about mandatory data breach notifications, included in Bill S4? How do you provide both the carrots and sticks to reduce the appalling frequency of data breaches in public and private organizations?
And what should be the appropriate legal standards for government access to private sector data, as currently being debated in Bill C-13?
How would he try to encourage a culture of privacy protection in an organization? Resources need to be invested in educating organizations about privacy protection. How best to reach out to organizations, especially in the private sector? What does he think about the usefulness of Privacy Impact Assessments (PIAs)? When should they be conducted and by whom? What role should the OPC play in reviewing PIAs?
Public education is a very important role for the Privacy Commissioner. What thoughts does he have on how best to reach out to Canadians, and especially young Canadians? What thoughts does he have about how best to give a speech about privacy? What is the role of the Commissioner in engaging with the public on privacy issues? What messages work? What messages don’t work? What has he read concerning the broader philosophical importance of privacy for democratic societies?
The OPC is expected to conduct studies relating to special privacy problems, some lengthy, others shorter and more frequent. What are the most pressing privacy problems facing Canada today, worthy of research and analysis? How would he decide on the priorities of the highly successful Contributions Program, initiated by Jennifer Stoddart? The Commissioner is empowered to report to Parliament and comment on any matter within the scope of his powers, duties and functions. How will he determine the matters to comment on, when, and to whom?
At what point would he go public on an issue? Would he continue the practice of not naming the respondents to complaints under PIPEDA? Would he continue to only publish the summaries of the investigation reports under PIPEDA?
Much can be achieved in anticipation of policy and system development if privacy protection is built in at the outset, rather than bolted on afterwards. What does he think about “Privacy by Design”? How might he work with Canada’s IT sector to encourage privacy-enhancing technologies?
What views does he have about the challenges posed by the processing of personal data online? How do you define personally identifiable information in a networked environment? What levels of personal control are appropriate for user-generated content on social media platforms? What are his views about the “right to be forgotten”? What views does he have about the protection for locational data?
The ad also stated that “the candidate would have knowledge of the global nature of privacy and data protection. Knowledge of privacy regimes in other jurisdictions – provincial, territorial, national and international – would be considered an asset.” So what does he know about privacy regimes elsewhere? How would he engage with the network of provincial information and privacy commissioners? What issues might be appropriate for joint federal/provincial coordination?
Privacy is obviously a global problem. Under Jennifer Stoddart, the Office of the Canadian Privacy Commissioner became highly regarded on the international scene. How would he seek to collaborate with his international colleagues on questions of common concern? What role would his office play within the Global Privacy Enforcement Network? What is his view of Canada’s role in the current international debate about law reform in the EU, about the US-EU Safe Harbour Agreement, and about the OPC’s role in the Asia-Pacific region?
I could go on.
It may be that Mr. Therrien has already given serious consideration to these, and other, issues. But frankly very little in his background or experience would suggest that his understanding about privacy goes much beyond the Canadian public sector, and issues of public safety. On the surface, it looks as if he has little knowledge of the many issues faced by the private sector; little knowledge of the broader international privacy agenda; little background in IT; and little experience of being in the public spotlight. Contrary to the government’s assertions, there are plenty of questions about whether Mr. Therrien is qualified to be the Privacy Commissioner of Canada. There are a lot of “known unknowns”….
One might argue that he will have a dedicated and experienced staff to bring him up to speed. But the Privacy Commissioner needs to set the tone and direction of the office. The public has a right to know about his broader views about privacy and about his strategic visions for the OPC, in Canada, and internationally.
The selection process for the Privacy Commissioner has, so far, been highly secretive. We now know some more about the process, and about the seemingly more experienced candidates who were considered and rejected. Now is the time for Parliament to do its job, and to discover exactly what Mr. Therrien knows, and does not know, about this complex and important subject.