Access and privacy are two sides of the same coin, regulating how data and information are collected, used and disclosed. Mediating the clash between them is an ever-critical and challenging policy imperative. In an era of digital governance, both play a critical role in how our rights and freedoms are restricted and realized.
Back in the analogue era, in 1983, Parliament enacted two statutes, the Access to Information Act and the Privacy Act, in an attempt to strike the right balance regarding information in government hands. One act provided access to records under the control of the government; the other governed how the federal government handled individuals’ personal information.
As the Supreme Court later noted, together these acts formed a “seamless code.” This is plain from the text of the statutes as well: the two laws reference one another in detail, establish comparable regulators and even specify that the information commissioner can become the privacy commissioner, so the same person can hold both watchdog roles.
They also share another important element: both acts are terribly out of date.
Neither law has been meaningfully updated since its passage over four decades ago. Countless ministerial, parliamentary, watchdog, academic and civil society reviews have identified many of the same shortcomings and proposed many of the same reforms.
Now, two sorely needed reviews are trying to address some of these problems, both being framed as efforts at “modernization.”
The review of the Access to Information Act launched last June, though initial results have been worrying. The information commissioner has openly characterized the review as showing a “lack of ambition,” reflecting “an insufficient appreciation of the seriousness of the challenges facing Canada’s access to information system.”
The review of the Privacy Act also has its problems but has generally received a warmer welcome. However, it is the dissonance between the two reviews that may raise the biggest concerns about how access and privacy rights will operate in practice.
One proposal in particular stands out: the federal government’s intention to take requests for personal information — currently handled through the Privacy Act, with complaints adjudicated by the privacy commissioner — and to shoehorn them into the system governed by the Access to Information Act, where complaints go to the information commissioner.
This would be no small change, since approximately 75,000 Canadians make such requests for their personal information each year.
Unfortunately, the Office of the Information Commissioner is already overloaded with complaints in requests for access to general records. Last year, it received half of the privacy commissioner's budget ($18 million compared to $36 million) despite processing almost twice as many complaints (3,626 compared to 1,725).
Moreover, the majority of complaints that the privacy commissioner handled (1,279) entailed requests for personal data. So under a regime where those privacy complaints are then directed through the Access to Information Act, these would presumably become the responsibility of an already overburdened information commissioner.
The information commissioner’s current investigations are already egregiously long. More than 10 percent of her investigations pre-date 2024, and some recently stretched over a decade long. Most complaints the commissioner receives also concern time delays in the processing of access requests by government institutions. And the commissioner highlighted that the government’s policy approaches in the ongoing review do little to address this problem.
Under a new regime, Canadians will have to do what they do best: wait.
Indeed, individuals seeking access to their personal information may end up waiting a long time under the new reform, since the information commissioner’s decisions are a prerequisite for going to court to secure a final adjudication of one’s access rights. That would also likely slow down disclosure of media requests for government information, further undermining journalists’ use of the access system.
The newly proposed requirements would also likely slow the information commissioner’s ability to issue orders. She would also be required to take into consideration “any evidence” that a government institution “did its best to respond to the request” as a new criteria for issuing orders. That would further dilute her ability to issue orders in privacy-related complaints.
In short, watered-down access would have negative knock-on effects for privacy. This is why the access review, in particular, needs a reset, with an objective review rather than a government-led effort that omits many of the areas flagged by the commissioner as needing urgent reform.
In fact, an objective review is exactly what Prime Minister Carney promised on the campaign trail. That objective review should be led by a well-respected Canadian with real independence, such as a former federal judge or Information or Privacy Commissioner. A review of this kind found great success in Newfoundland and Labrador; it is an example worth following. That review revolutionized their provincial system into “one of the most robust access to information regimes in the country.” It directly tackled many of the areas of concern at the federal level now, such as time delays.
As data and information become core aspects of digital governance, effective governance of both access and privacy has become more essential than ever before. Neglecting their interconnected nature is not an option if we are going to have either.