The Every Lawyer

After the Pandemic: Modernizing our data privacy laws

Episode Summary

Yves Faguy discusses privacy law and data protection with privacy and cybersecurity lawyer Sinziana Gutiu.

Episode Notes

Bonus Episode presented by CBA National, After the pandemic: The future of justice, Ep 7

Yves Faguy discusses privacy law and data protection with privacy and cybersecurity lawyer Sinziana Gutiu. 

Gutiu shares her insights into trends shaping the privacy debate at home and abroad, the impact of the Schrems II ruling, Quebec’s effort at updating its privacy law regime, and coming tech developments that we should be thinking about while crafting new laws.

To contact us (please include in the subject line ''Podcast''): national@cba.org

Please subscribe, rate and review our podcast if you are enjoying it on Apple Podcasts.

Episode Transcription

Yves Faguy: You are listening to the Canadian Bar Association National Magazine

Yves Faguy: Hi, I’m your host Yves Faguy and the Editor-in-chief of CBA National Magazine. Welcome to After the Pandemic, where we discuss emerging issues in law in a world transformed. In less than a year, COVID-19 has provoked a lot of conversations about the need to update our laws, to the demands of a modernizing society, with a growing list of new legal challenges. The solutions are not always entirely clear, but there is a sense out there that it could be a catalyzing event. An opportunity presented to us, to take stock of the world and adapt the way we organize and govern ourselves. Over the next few months, we will be looking at different areas of law and asking our guests what changes they would like to see in their area of practice to make the law fit for purpose. This month on the podcast, we’re discussing privacy law with Sinziana Gutiu. She’s a privacy and cybersecurity lawyer who is leading a number of privacy and regulatory compliance programs at Telus, specifically on GDPR, the European data regulation, anti-bribery and corruption and completion law. Sinziana sits on the Canadian Advisory Board for the International Association of Privacy Professionals. She’s the former co-chair of BC’s CBA Freedom of Information and Privacy Law Section, and the current secretary of the CBA National Privacy and Access Section. And as if that wasn’t enough, she has recently joined the ranks of lawyering moms, so, congratulations, Sinziana, and thank you for joining us and taking the time to speak with us. Welcome to the podcast.

Sinziana Gutiu: Thank you so much for having me.

Yves Faguy: So we’ve asked you here today to help guide us in understanding some of the challenges we’re up against as the Canadian Government and some provinces embark on what promises to be, I think it’s fair to say, one of the biggest pushes to update our data protection and privacy laws in roughly, what, 20 years?

Sinziana Gutiu: Yeah.

Yves Faguy: And so Daniel Therrien, also just by way of context, Canada’s Privacy Commissioner, recently said the pandemic has accelerated the digital revolution, bringing both benefits as well as risks for privacy. So having said all this, I’m wondering if you can start by giving us the state of play. What are the big legal trends shaping the privacy debate today, here at home and abroad?

Sinziana Gutiu: Thank you, Yves. To start, I just want to do the usual disclaimer. I’m just here presenting my own views, not those of my employer or really anyone else’s. So to start off, we’ve seen a lot of action in Canada when it comes to consultations, but not too much lately in terms of actual law reform. So now finally, whether it’s because of COVID, whether it’s because of other reasons like breaches making headlines, or the GDPR has seen some significant action abroad, we are seeing some amendments starting to be tabled. Canada and – well, the international community altogether, has been struggling with some key issues lately, that being artificial intelligence, machine learning, how do you regulate that, what about the ethical implications, how do you stay transparent. Facial recognition technology is another big trend that is pushing for some sort of regulation.

When it comes to facial recognition technology, or FRT, there’s even people who say don’t bother regulating, just ban it altogether, it’s far too problematic, especially when we’re talking about it being used by police or by national security agencies. So these are just some of the examples of what’s pushing legislation to be brought forward, what’s pushing some of the consultations. Provincially we’re seeing some key developments. British Columbia has started its legislated six-year review of BC’s Personal Information Protection Act, which is the Private Sector Act. And for those interested, the CBABC Freedom of Information and Privacy Section actually put forward submissions to the review committee on that point, but that’s something that’s happening in BC, it’s a legislative review, so every six years that’s bound to happen. However, BC recently called an election, so there’s a question – how is this going to affect the work of the committee? Is it going to interfere with it in some way?

Over on the east, more east side of Canada, the Ontario Government launched a consultation to create its own provincial private sector – privacy legislation. Right now businesses in Ontario, generally speaking, are governed by the Personal Information Protection and Electronic Documents Act, which is the federal privacy act. Ontario’s government is thinking is it the time for us to have our own like British Columbia and like Alberta have their own? And probably the proposed amendments that are making the biggest splash right now in Canada are the Quebec Bill 64 tabled amendments. They involve all sorts of different legislation that touch on privacy, but a focus right now I think is – to the business community is changes to the private sector Quebec Privacy Act. So that’s just a quick overview of what’s happening provincially. Federally the government has been looking at amending PIPEDA for some time now.

There were the digital consultations last year, and all sorts of different committees being struck on the eye  to help the government figure out how to tackle some of these technological beasts. And from what I’m hearing, there is work underway to amend – to prepare those amendments to PIPEDA and hopefully – I heard some buzz that they might be tabled in October or in November. So a lot of excitement there as well. The CBA National Privacy and Access Section actually made some submissions back in December in response to the government’s Digital Charter consultations. So the CBA definitely has their own views on what should go in the – that section has its own views on what should go in the amendments.

And of course internationally the GDPR, the General Data Protection Regulation, which you’ve already mentioned, is Europe’s privacy law, and it celebrated its two-year anniversary this past May. And it’s seen some key decisions that actually impact Canadian companies. So that’s just a little bit of an overview of what’s happening in Canada, provincially and abroad.

Yves Faguy: Thanks for that, that’s a great summary. And so let’s step back a little bit. Let’s talk a little bit about trust. Because we know that a number of those FANG companies – Facebook, Twitter, Google, Amazon, just to name a few – they’ve been facing increasing problems on the trust level because of issues surrounding loss of privacy, how people’s information is being used. How much is that factoring into these efforts at updating our laws, here and around the world?

Sinziana Gutiu: I definitely think it’s one of the factors. I mean – well, let me ask you. Have your friends dropped off social media? Are you seeing people used to use Facebook and don’t anymore?

Yves Faguy: Absolutely. Quite a few.

Sinziana Gutiu: So I think individuals are really becoming more educated about their privacy, and as a result of that they are more critical of what happens with their information. So I would definitely agree with you, I think that customer trust in Canada is … You could say at an all-time low. And I’m not just throwing that around. There was an actual study done by the University of Victoria School of Business that provides a glimpse into what’s happening in Canada when it comes to brand trust. This is a study that looked at over 300 companies across 27 categories, and used online surveys. Pretty credible study, as far as I could see. And not surprisingly, they found that privacy was a pretty key factor that affected brand trust. For example, they saw that Google suffered a significant drop in the overall brand trust rankings. They plummeted – I think they were in the top 20 or something, and they plummeted to mid, low 200s of the 300 surveyed brands. And in fact, in 2017 it was one of the top 20 most trusted brands.

And it’s no surprise, right? We’ve had the Toronto Smart Cities controversy happening with Alphabet, which is a Google related company. The Federal Court reference brought by the Privacy Commissioner on de-indexing and Google claiming that they’re not so sure PIPEDA applies to them when it comes to this issue. So individuals are being impacted. Even Amazon, which is a company that during COVID is seeing a lot of growth, despite the fact that the study found individuals’ trust in Amazon is declining, but they’re still using the service more. So definitely I would agree, customer trust is at an all-time low. But these examples of Amazon and Google kind of tell us that whether or not the laws are in place, companies will operate their business. And if there aren’t adequate laws in place, it’s up to companies to kind of go ahead and regulate themselves, right?

So when some form of regulation happens either way, I mean, there are those companies that do the right thing, put their customers first, allocate significant resources to privacy protective measures. Others, other companies see it more as a marketing tool. And really when you see these big companies that have the resources that could protect privacy and could put their customers first, and they don’t, it really raises a question of what about the little guys. What about the smaller businesses that maybe don’t have as much resources to do the right thing even if they wanted to?

Definitely I would think appropriate privacy laws have helped level the playing field for businesses of all sizes when it comes to data and privacy. And this trust deficit is one of the things, I think, that is driving the government to put forward amendments, right? You have the GDPR, we’re looking across the water, and seeing significant privacy developments happening overseas that impact Canadian companies and the Canadian economy. Decisions, court decisions from the EU like the Schrems II decision, again, also impacted Canadian companies.

Yves Faguy: One of the tricky things about privacy is that our relationship to it is cultural, to some extent, and I think that complicates our efforts to bring our laws in line with those of other jurisdictions. And the Schrems decision is an interesting one – perhaps you can tell us a little bit about that. Basically it’s a big decision in July, the EU Court of Justice invalidated the adequacy provided by the EU US data protection shield, as I understand it. So that’s the Schrems II ruling. So what happened here, and why should we …? How does it impact us here in Canada?

Sinziana Gutiu: Sure, yeah, it’s … It certainly does. And it impacts companies – it’s important to emphasize that the impact is on companies that transfer data outside of the EU. So personal information belonging to individuals in the EU being transferred out of the EU. So under EU privacy law, personal data can only be transferred outside the EU if the receiving country provides what’s called an adequate level of protection. There’s different ways to have this adequate level of protection, and GDPR provides different mechanisms to achieve that. Canada, for example, has something that’s called adequacy, so this means that the EU Commission has looked at PIPEDA – this is pre-GDPR times – and said this act is very similar to our EU privacy laws, you can transfer data from the EU to Canada without any additional mechanisms.

Now, with the US, initially in 2015, which is the Schrems one decision, there was the safe harbour agreement between the US and the EU that facilitated that exchange. It was invalidated, now we have Schrems II, which looked at the privacy shield, and the court said that privacy shield is invalid. Another mechanism that facilitated the flow of information across borders from the EU outside is what’s called standard contractual clauses. So these are, as the wording suggests, just standard clauses that can be used by businesses to set out very clearly what has to happen to the data, how it would be protected, and these got the stamp of approval from the European Union. So the decision essentially said you can’t use the privacy shield to send data from the EU to the US.

So if you are a Canadian company that’s moving data from the EU to the US, and you had this privacy shield certification, which was a whole process – you had to jump through these hoops and get the certification – can’t rely on it anymore. Furthermore, if you’re relying on the standard contractual clauses, you can’t really do that anymore without doing additional due diligence because the EU Court of Justice said the national security laws in the US and the redress mechanisms that individuals have are inadequate. You can put whatever you want in those standard contractual clauses. At the end of the day the US government is able to go in there and access the data, and there aren’t really independent – there isn’t really independent oversight. But essentially you have to undertake an assessment to determine that the jurisdiction you’re sending the data to has adequate laws, and that the standard contractual clauses themselves can actually be upheld, they have force over there.

For Canada, as I mentioned, we have adequacy, so PIPEDA received adequacy standing, and it’s kept getting renewed. But with the review coming up – I believe it’s next year sometime – that standing may be reconsidered. And since the passing of the GDPR, since it’s been in force, the actual process for determining adequacy has changed. So as I mentioned before, only PIPEDA had that standing, the adequacy standing. Now it’s a more holistic process. So they’re going to be looking at Canadian provincial privacy laws, they’re going to be looking at Canada’s national security laws, the role of the Canadian Securities Exchange, CSE, Canada’s participation Five Eyes, exchange of data with the US. So it’s a much more holistic analysis to figure out does Canada as a country provide adequate protection for the data of individuals in the EU when it’s being transferred.

Yves Faguy: At the same time, you mentioned Quebec’s Bill 64, which, again, aims to overhaul the province’s privacy law regime. My understanding of it is that it is in large part inspired from the GDPR, although I’ve also heard complaints coming from some quarters that in some areas it goes even further. What are your thoughts about it, and is Quebec taking the right approach on this?

Sinziana Gutiu: It has good intentions behind it, but the reactions are that it doesn’t necessarily achieve a practical, balanced approach to privacy regulation. I can give you some examples. For example, consent, when it comes to consent, right? The GDPR has lots of different tools in their toolbox to authorize the processing of data. Consent is just one of those mechanisms. There’s contractual necessity, the legitimate business interest, vital interest, public interest. Bill 64 relies heavily on consent. It is really the default authority for processing. And on top of that, it requires separate consent for each specific purpose that the data’s been put to, the personal information has been put to.

GDPR doesn’t require that separate consent. And there’s no implied consent in the bill. We see implied consent in PIPEDA, we see it in BC, provincial legislation for the private sector. This creates inconsistency within Canada, forget the GDPR but within Canada itself, where it’s frustrating to businesses. If I’m putting a policy out there, if I’m trying to do business across Canada I’m going to have to do things a little bit differently in Quebec, which would mean additional cost and additional considerations.

Yves Faguy: On this issue of consent, though, how is it working in Europe with the GDPR? Because I understand the whole idea of GDPR was to give users control over their data again, and give people the control ever their own personal data. But this whole issue of consent, do we expect too much of consumers in terms of them actually actually giving informed consent to others who would use their personal information for commercial purposes? And how do we address that in a meaningful way in our attempts at updating our privacy laws?

Sinziana Gutiu: Yeah. So consent is a challenge. Right? There’s consent fatigue, consumers being asked to read pages upon pages of privacy policies, which is not realistic when you’re using so many different services and products. The sophistication of consumers, the demands on that is pretty high. Some consumers may not be able to understand the legalistic language. So it’s certainly a challenge. But when it comes to implied consent, I think there’s kind of a practical implication here, right? At the end of the day, implied consent should be something that’s reasonable, that is consistent with why you’re getting that service, what you’re expecting to receive as a consumer. We’ve had some cases in Canada, like the RBC v. Trang decision where we see implied consent looking at contextual circumstances, right? What do you expect in the context of the service that you’re using, given the information you’re providing, and how it’s being used? Would you expect your information to be used in a certain way?

Implied consent can be a great way of facilitating use of the data, but again, it has to be in a way that the individual reasonably expects it to be used, and has to be consistent with why they’re giving that information in the first place. So it’s an important tool. Again, what I like about the GDPR is that consent is one of many other mechanisms of allowing the processing of the data. So overreliance on consent or implied consent – there’s a big door there for claims of implied consent, when really it’s a secondary use. So overreliance on consent is just not working. I don’t even think that’s a controversial view to have that consent on its own as the main, only mechanism to provide authority for processing personal data, that that is working. I don’t think that’s something new. I think it’s a problem, and I think the Privacy Commissioner has provided consultations on consent, on how to do things better, so there’s a lot of information out there on how we might be able to add more tools in the toolbox.

Yves Faguy: I want to get to the Privacy Commissioner, but I’m wondering – should provinces like Quebec be experimenting with privacy legislation in a sort of laboratories of democracy kind of way? Or should there be more coordination with the federal government? I mean, how important is it for everybody to get on board and develop consistent legislation?

Sinziana Gutiu: I think it’s extremely important, and I don’t think that’s a controversial view. The federal Privacy Commissioner himself in the submissions to the Quebec government in response to the bill expressed support for using the GDPR as a source of inspiration, but he said be careful going too far beyond the GDPR for consistency reasons, essentially, right? And for businesses who operate across provinces within Canada, they already have to be mindful of BC and Alberta’s Personal Information Protection Acts, if you’re in the health sector there’s additional health legislation you have to be aware of. Potential legislation in Ontario, depending on how things go there. So all of that – I mean, it’s important to have a level playing field for businesses. And again, bigger companies may be able to navigate that they can hire lawyers in different jurisdictions and figure it out.

But for facilitating competition, for encouraging businesses to come and provide their services and goods in Canada within specific provinces, consistent legislation is really important. And it doesn’t have to mirror itself, but the material aspects of the law should be quite similar. Breaches are – privacy breaches are an area where companies really struggle to figure out what’s my threshold for notification, right? For PIPEDA it’s a real risk of significant harm and breach of security safeguards. That’s pretty consistent with BC PIPA and Alberta PIPA, even thigh BC PIPA does not require notification, right? So you’re having to be mindful about all this. Throw in there the GDPR if you’re doing business internationally, which has a different … Bit of a different threshold for the breach. And also for notification to the protection authorities. So, you know, Quebec Act has its own spin on this, confidentiality incident that presents serious risk of injury.

So juggling all these different thresholds and requirements is difficult, and it essentially results in resources going to just coordination between multiple regulators, versus an actual response that is meaningful to the breach and to protect individuals affected, and contain the breach and all of that. So consistent legislation is important, not just from a commercial perspective and encouraging trade perspective, but also from the individual perspective. And breaches are just one example of that. Individuals who know what they can expect, they know what their rights are, they don’t have to think, oh, well, I’m now a resident of this province or I’m using this service. What does that really mean for me? So it’s very, very, very important.

Yves Faguy: There’s also the matter of enforcement. For years Privacy Commissioners themselves have been telling us that they don’t have the power or the resources to enforce these rules. They’ve tried slapping certain companies on the wrist, and there’s a sense that they’re somehow powerless in confronting, for example, tech giants who have ignored those requests to fix or address specific privacy issues. Where do we need to go in terms of equipping our Privacy Commissioners with enforcement powers?

Sinziana Gutiu: The answer to that question will depend on who you ask. I think the views on this particular topic, even within the privacy law itself, are quite divided.

Yves Faguy: Let’s start with what’s the case with not granting them enforcement powers? I think that’s – I think a lot of people have a hard time getting their heads around that – and I’m talking about non-privacy people. But why would we not equip them with enforcement powers?

Sinziana Gutiu: Yeah. I think that argument is really, really well set out in the CBA privacy and access sections, December 2019 submissions to – in response to the Digital Charter, it’s called “Strengthening Privacy for the Digital Age: Response to Proposals to Modernize PIPEDA.” And I’m going to summarize them this way. I’m going to say that the argument is that the ombudsman model for the OBC – it works well. And that its effectiveness will suffer it transforms into a more prosecutor or enforcer model. That the courts are really the best place for awarding any remedies, for determining remedies. When you look at the statistics, the number of complaints are generally down. Individuals and companies have better awareness about the rights and the obligations that are out there. The commissioner has other tools in the toolbox that are not used, like audits, and there are alternatives to enforcement, right?

Like you can focus more on policy, you can focus more on guidance, on procedural safeguards. You can have more effective investigations and audits. You can, for example, limit the OPC Cessation of Records Preservation Orders. You can have a more direct route to the Federal Court. You can have new offences for the Attorney-General to prosecute. And at the end of the day – the OPC’s annual report was recently issued – this view that it’s not really needed could – the argument is that it is – it could be supported by facts. For example, only 2 percent of the OPC’s complaints were well-founded. That means that 98 percent of them were resolved with the existing tools. That they were mediated, discontinued, resolved, that they were settled after investigation, or not well-founded. And the government’s Digital Charter itself suggested that maybe we need something separate altogether, like a privacy tribunal.

So I think that to summarize that view it’s that there is just different ways to do it, and – that may be better, and the tools that the commissioner has in his toolbox have not all been used. But at the same time, to look on the other side, right? And you’ve alluded to this. We have this clear example of Facebook. Right? The OPC investigates Facebook, issues a decision. Facebook tells the commissioner we’re not really interested in what you have to say. And then we have the Competition Bureau coming out, right? And they look at it too, and they can slap Facebook with a fine of 9 million, right? They can provide that penalty, they have that teeth. And that’s just one example. The other point to that is requiring individuals to go through the whole court system, that’s a barrier for access to justice at the end of the day. And the other point to this – and it’s kind of a high level argument – it’s that law reflects our social values.

If our Privacy Commissioner does not have the ability to enforce its decisions and enforce the act, then what does that say about Canada and what federally we think about privacy, and how important is it, really? But again, it might be a question of role. Maybe that’s just not the best role for the commissioner. And you also have the question of resources, right? Let’s assume that the commissioner gets these powers. There’s always the question of resources. How are they going to be able to actually do their job? We saw some of this when the breach reporting requirements came into force and the commissioner saw an increase in the number of breach reports, and be able to handle those, respond to those and investigate those. Even across the EU, a data protection authority like the Information Commissioner of the UK has a multimillion dollar budget, hundreds of staff, right? And that’s the case with some other data protection authorities in the EU as well.

But this Schrems decision now we mentioned before, it puts pressure on data protection authorities to get in there and look at what’s happening with the transfer and the mechanisms. Are they authorized properly? That is expected to require these data protection authorities to have additional resources now to look into those things. So the question of resources is also one that has to be put in play here when we’re talking about enforcement powers and what’s the right thing to do.

Yves Faguy: All right. I have another – a final question to conclude our interview here. We want to redesign our privacy laws, I’m imagining, with a view to the future. And I’m going to bring in two ideas here. On the one hand, we have all these technological developments that keep on emerging, and I’m imagining that we have to keep some of these in mind. You mentioned earlier artificial intelligence. In previous conversations we’ve spoken about internet of thought, which is an interesting concept. And how can we …? How should we be designing these new privacy laws bearing those emerging uses of our data in mind, and how should we be thinking about effective privacy by design?

Because this is a concept that I think was coined by Ann Cavoukian, but has also – that has also played a significant role in how the GDPR was conceived. How do we think about these two things at the same time, and how do we move forward in terms of developing privacy legislation that is effective for people, but that will be durable for the coming decades?

Sinziana Gutiu: I think that definitely the laws have to be flexible. And what Canada’s been doing, arguably, is a really good approach: keeping it principles based, or keeping our laws principles based. Like PIPEDA is already doing. Versus a more prescriptive approach. So focusing more on the what. What is it that organizations should be doing? What kind of rights should individuals have? And allowing the how to be shaped by the needs of the times and the demands of the technologies. So definitely avoiding laws that are too prescriptive. Privacy by design is an amazing step in the right direction. There’s different conceptualizations of what privacy by design means – you’ve mentioned Ann Cavoukian’s privacy by design seven principles that actually has a certification mechanism with it, companies can go and get certified, and they follow up with them, make sure that they’re continuing to implement those seven principles.

GDPR Article 25 has that as a legal requirement in how the technical and organizational measures that protect the information are created, are operationalized. The Quebec Bill 64 also focuses on this aspect of privacy by design, in its own way. So privacy by design is definitely a step in the right direction, because what that means for companies is you want that tone from the top, your C-Suite has to be allocating the resources, be very focused. You need close communication between your privacy folks and your engineers and your programmers, and collaboration and really baking privacy design in default, too, within each product or service making it consumer focus. So all of that is good. But what concerns me, looking forward – and you mentioned one example of potential future technology, this internet of thinking –

Yves Faguy: What is internet of thinking? Just briefly.

Sinziana Gutiu: This is a concept that was initially discussed by Ray Kurzweil, and he’s an engineer, futurist author and inventor. And the idea is – it’s a bit sci-fi. Theoretically it’s establishing a direct communication pathway between the brain and an external device or a cloud, so connecting the neurons and synapses in the brain to cloud computing networks. It’s like internet of things, but now connected to thoughts. So it’s quite forward future looking, but we see signs of it. Like we already have smart pills for digital – chemotherapy pills that actually combine chemotherapy drugs with a sensor, and then you take that pill and it records information about drug dosage, rest activity, heart rate, etcetera, and sends it to designated health providers. So there’s different examples of it that kind of suggest that’s where things might go, that’s where the next level is.

But what concerns me – and an example is when I look at the new initiative from the federal government to tax companies that use the data. What concerns me is the way that we’re conceptualizing data and privacy, I think it’s the wrong approach. Essentially it’s being conceptualized as a commodity – and we hear that data is the new oil. There’s a lot of people who disagree with that way of summarising data, and I’m one of those people. I don’t believe that data is something that is a limited resource that should be taxed that the government can profit from, you know, when companies use information this way, or misuse it, or whatever. So I think that conceptualizing data as an oil is problematic as well.

Yves Faguy: Why? Because it belongs to us?

Sinziana Gutiu: It’s not – first of all, it’s not a limited resource. Data is everywhere. Oil is a limited resource. It’s … Data is renewable, right? Oil, not so much. Data can be easily reproduced and disseminated. And it can’t really be owned in the same way as a tangible object. Like if I happen to be an oil baron, and I get all this oil, I can sell it. There’s things I can do with it. If I get access to Facebook’s data, I think most people would not really know how to turn that into money. So you need a whole ecosystem. So I’ve been thinking about this, and I’ve been thinking, well, what is it more like? And so far I’ve arrived at the conclusion – I may change my mind later about this – is that in some ways data is more like air. Right? It’s all around us. It’s an essential part of life. You can’t really function, you’re always leaking data when you’re online and doing different things. It comes with a whole ecosystem, because, as I mentioned, you need a whole ecosystem to make data work. It’s renewed and replenished constantly.

But it can be polluted, right? It can even be deadly. If a hacker gets your information, you can have fraud, you can have stalkers breach their orders, and people can die, and have died, because the data got in the wrong hands. And it must be protected. And when it comes to ownership, you know, you do – nobody owns all the air in a particular area, but at the same time some air has to be yours. Right? To breathe it and so that you can function as an individual. So just like that personal information data has to belong to you, to a certain extent, but at the same time it’s out there, because you’re putting it out there. So, I don’t know, this is just kind of a fun little brainstorming and trying to figure out what’s the right way to think about data, but I do think that thinking about it as a commodity is problematic.

And really at the end of the day the right to be forgotten, issues about online reputation, the Cambridge Analytica scandal, these questions about your access to information, can really influence your opinions, your decisions, the way you vote, right? Not just the choices you make about what products to buy and what you’re interested in, but really how you navigate your life and the decisions you make. So privacy is also becoming more about autonomy, about your freedom of thought, avoiding eco chambers, right? So there’s a lot that has changed since the days of the Charter of Rights and Freedoms section 8, search and seizures, and privacy being seen as a way to protect secrets. It’s evolved; it went through this transition phase of it being the right to be left alone, now it’s your right to control your data.

And it’s almost moved on to that next phase where it needs to be conceptualized as a way to exercise autonomy, to protect from manipulation. And so I don’t know what the right way to legislate based on that is, but I think that these consultations that are happening are really, really, really great. And the more diverse perspectives, inclusion of academics, people who kind of step back from the everyday of business and everyday of government, to rethink and look to the future, I think that’s really, really important. So engaging in that dialogue as these laws are being created, and structuring consultations as broadly as possible to figure out the right way forward.

Yves Faguy: Well, I think that’s a great way to end our interview. Thank you so much. I’ve been talking with Sinziana Gutiu, privacy and cybersecurity lawyer. That was a fascinating conversation. I think the takeaway here is that we don’t have all the answers about exactly how we have to reconceive our ideas about privacy and data security, but we can’t do it hermetically from the rest of the world. And whatever we do needs to be effectively enforced. Thank you, Sinziana, for joining us.

Sinziana Gutiu: Thank you so much for having me.

Yves Faguy: You can hear this podcast and others on our CBA channel, The Every Lawyer, on Spotify, Apple Podcasts, Google podcast, and Stitcher. Subscribe to receive notifications for new episodes. And to hear us in French, listen to our Juriste branché podcast. If you enjoyed this episode, please share it with your friends and colleagues. And if you have any comments or feedback and suggestions, feel free to reach out to us on Twitter @CBAnatmag and on our Facebook page. And check out our coverage of legal affairs nationalmagazine.ca. A big thank you to our podcast editor Ann-Catherine Désulmé. And thank you all for listening to this month's episode of after the pandemic, we'll catch you next month.