Cambridge, Ontario
November 6, 2008
Address by Jennifer Stoddart
Privacy Commissioner of Canada
Good evening and thank you for inviting me to be here with such a distinguished group of privacy experts.
The organizers of this event have given me what can politely be described as a challenging time slot – right before dinner, in front of a hungry crowd that is undoubtedly tired after a long day of discussing weighty privacy issues!
So, what to talk about?
It recently occurred to me that I will be celebrating an important anniversary in the coming weeks – five years as Privacy Commissioner of Canada.
When I think about the five years that have just zipped by, what’s most notable is the dramatic change I’ve seen in my own Office and in the wider privacy landscape. Tonight, I’d like to share a few reflections on my tenure as Commissioner.
I arrived in Ottawa on a snowy, bitterly cold December day to an Office that was only beginning to recover from trying times. Quite frankly, I remember those early days as surreal.
I was running an Office whose administrative powers had been seriously curtailed. We couldn’t hire staff – the Public Service Commission had to do it for us. The PIPEDA implementation part of our budget was about to lapse. We were consumed by questions from the RCMP, the Auditor General and other investigative bodies that had quite literally set up shop in our office.
It took a lot of hard work, but we were able to get our house back in order. Happily, the focus of my Office is back to where it should be: on protecting the privacy of Canadians.
My Office has transformed over the last five years, but so too has the world of privacy issues.
New information technologies and new implications of 9-11 are creating potent and novel threats to privacy. We live in an unprecedented period of transformation for privacy.
Our conference organizers kindly gave me free rein in terms of a subject for this evening. Given these trying times for privacy, I had plenty of possible topics to choose from.
It’s my fifth anniversary, so I ultimately decided to share some thoughts on five issues which have been important themes throughout my tenure to date.
Let’s begin by looking at how privacy issues are changing.
Traditionally, privacy issues have arisen in the context of interactions between one person and an organization. They have come to light as a result of a complaint by an individual.
More and more often, however, the most important privacy issues are arising from systemic threats resulting from rapidly advancing information technologies. The Internet is the most obvious example, but consider the impact of surveillance technologies … nanotechnologies … RFIDs … social networking … behavioural on-line marketing and so on.
Privacy risks related to these types of new technologies affect all of us in a pervasive way and on a daily basis – but in such a complex and obscure manner that, in most cases, the average person doesn’t even know about them – let alone complain to my Office about them.
Data protection authorities around the world are recognizing that this is where our efforts must be directed if we are to have any chance of curbing the most significant emerging privacy threats.
I would like my Office to put a greater focus on systemic issues through research, public education, Commissioner-initiated complaints and audits. Under our current model, however, complaint-driven investigations consume a tremendous amount of resources. Despite our efforts to shift focus, investigative delays persist.
Other data protection authorities – in Europe, Australia and New Zealand, for example – are finding similar challenges with the need to deal with all complaints received, regardless of their nature or seriousness.
All of us are concerned that, without the ability to dismiss some complaints early as serving no public interest or warranting no further investigation, we find ourselves unable to deal effectively with the growing number of systemic issues that face us. As a result, many data protection authorities are seeking to exercise discretion in investigations.
I have asked the government to consider granting my Office this kind of flexibility under both PIPEDA and the Privacy Act.
I thank those of you who have written Industry Canada to support this idea.
It would be of tremendous benefit to have greater discretion to accept complaints and/or discontinue complaints if their investigation would serve no useful purpose or is not in the public interest.
This would allow us to better focus limited investigative resources on privacy issues that are of broader systemic interest.
Systemic issues often involve the most important threats to Canadians’ privacy rights. We need to address these risks as they begin to emerge – not, after the fact, when an information technology is firmly in place.
I should also make the point in passing that, while many emerging privacy issues are extremely complex, some of the old, simple ones have not gone away.
People still don’t want to be called by telemarketers at dinnertime! They made that point loud and clear when the long-overdue Do Not Call List was launched September 30. At one point that day, 80,000 people were trying to access either the do-not-call website or phone numbers. The system was absolutely overwhelmed and had to be shut down to protect its integrity. I’m told that the flood of Internet traffic slowed down all federal government websites.
As a privacy advocate, I was heartened by the fact that Canadians took such a dramatic collective stand. It illustrated that Canadians really do care about their privacy and the protection of their personal information.
My own numbers are on the new list. This will come as a relief to the unsuspecting telemarketers who have called my home over the years only to be frightened away by an irate woman complaining about privacy invasions!
I would also like to say a few words about data breaches – and in particular the need for all of us in the privacy business to develop closer relationships with security experts.
All evidence suggests that organizations are not doing a good job at preventing data breaches. Technological advances mean that mountains of personal information can be held in a single database … on one laptop … even on a thumb drive small enough to tuck into a pocket.
These are increasingly tempting targets for identity thieves and fraudsters.
Too often, we see data breaches occurring because of simple errors such as an employee’s failure to follow company policies – leaving an unencrypted laptop in the car, for example. Our TJX investigation showed that even a corporate giant can fail to adhere to elementary rules of privacy protection.
Mandatory breach notification will no doubt go some ways to improving the situation.
A requirement to tell people when things go wrong will act as an added incentive for businesses to ensure that personal information is properly protected.
Spending money to get security right is a worthwhile investment. Gartner, the US-based IT research company, says a company with 10,000 or more customer accounts can spend – in the first year – as little as $6 per account for data encryption alone, or up to $16 for data encryption, host-based intrusion prevention and security audits.
Compare that with Gartner’s estimate of a cost of at least $90 per compromised account. A Ponemon Institute study suggested the per-account cost after a data breach is closer to $200.
The cost-benefit analysis should be pretty easy!
But I need to add a note here: Be careful about the protective measures you choose.
While there has recently been a lot of talk about privacy enhancing technologies, organizations need to ensure that the solutions they are examining really meet the test. These technologies are at different stages of development. Some are ready for prime time – some are not.
These are a few of the areas where we need to see the privacy and security worlds working together more closely.
Workplace privacy issues have long been a challenging area for my Office. However, in the last five years we are slowly seeing the emergence of a better understanding of what is – and is not – acceptable in the workplace.
In particular, I’d like to acknowledge the good work of Quebec, Alberta and B.C. in this area. Rulings from those provinces have greatly contributed to this greater clarity in employer-employee privacy issues.
My own Office has published a dozen PIPEDA findings on employee surveillance since December 2003. These have addressed, for example, the recording of employee telephone calls, as well as the use of new technologies such as biometrics and GPS.
The courts have also fleshed out employer-employee privacy rights in a number of cases.
A recent Federal Court decision goes some way to clarifying the status under PIPEDA of e-mails exchanged in the workplace.
The case involved an employee of a telecommunications company who requested access to all e-mails that the company held about him. He complained to my Office when he received what he considered to be an incomplete response to his request.
The telecommunications company took the position that any e-mails not provided to the complainant were “personal e-mails” and therefore not caught by the Act.
Although my Office did not agree that "personal e-mails" could not be subject to PIPEDA, we considered the complaint resolved for reasons related to the company's retention period. The complainant, not satisfied with this conclusion, took the issue to Federal Court.
The Court agreed with us that e-mail messages concerning a person constitute personal information under PIPEDA. The Court also concluded that if e-mails are exchanged for purely personal purposes and are not used or disclosed in connection with the operation of a business, they do not come under the Act.
Some have been quick to characterize this as a significant carve-out of "personal e-mails" from PIPEDA. I would caution, however, that the finding must be understood in the context of the specific facts of the case. I would also suggest that, going forward, assessments of whether supposedly "personal e-mails" fall under the Act will need to be undertaken on a case-by-case basis.
While the mere fact that an e-mail is automatically stored on an employer's server because it was sent or received using a workplace computer does not make the e-mail accessible under PIPEDA, an attempt to distinguish between "personal" and "business" e-mails may impose an additional step when organizations respond to access requests.
If, for example, an e-mail concerning an individual employee is sent by one employee to another in the course of an employer's business, or if the employer receives an e-mail from a third party concerning an employee and that information is used by the employer in its business operations – those e-mails will be accessible by the employee under PIPEDA.
As the Federal Court underlined (and as my Office has previously indicated), any distinction between personal and business purposes does not absolve organizations of responsibility for employees who use their position within the organization to collect, use or disclose personal information for their own purposes.
Privacy issues are international issues. You may remember a certain Maclean’s cover story which dramatically underlined the need for cross-border enforcement.
Rapidly growing transborder data flows mean that the only way we will be able to protect Canadians’ privacy rights in the future is by working with other countries to ensure adequate levels of protection for personal information around the globe.
This past spring, a Parliamentary committee and Treasury Board agreed to give us more money to support our international work – very important recognition of the need for global privacy solutions.
The search for these global solutions is not without its challenges. It can be difficult to bring countries with different approaches together. I have always stressed the need to bridge these gaps and drop any “my-law-better-than-yours” attitudes.
Our goal should be an equivalent level of basic protection around the world – one that reflects legal and cultural differences.
The Organisation for Economic Cooperation and Development (OECD) has been a key player in developing global solutions to privacy and security issues. The efforts of the OECD Working Party on Information Security and Privacy – which I’ve been honoured to work with – are aimed at ensuring that the global flows of information are adequately protected.
The OECD Recommendation on Cross-border Privacy Co-operation adopted last year was a positive step forward.
Important work is also taking place within Asia-Pacific Economic Cooperation in terms of implementing the APEC Privacy Framework.
While there has been important progress, we still have a ways to go on the international front.
For example, I am concerned that some major players whose approach to data protection does not fit the traditional model – notably the United States, Japan and China – are being left out of discussions at international data commissioners' conferences.
I became Commissioner just as the phase-in of PIPEDA was completed.
Back then, some organizations covered by the legislation were warning the sky was falling: PIPEDA was too complicated, overly onerous and would result in “exorbitant” costs. One health care organization claimed patient care in Canada would be “seriously diminished.” Others used words such as “ludicrous” and “fundamentally dumb” to describe the legislation’s fallout.
PIPEDA has now been in full force for almost five years and I think most would agree the legislation’s drafters struck the right balance. I don’t hear a lot of grumbling anymore; organizations have recognized that PIPEDA’s requirements are not going to bankrupt them and do not require drastic changes in business practices.
A recent study by IDC, an international IT and industry consulting firm, found that PIPEDA is replacing the U.S. Sarbanes-Oxley Act as the top governance, risk, and compliance focus of Canadian organizations.
Although I have ongoing concerns about some organizations not doing enough to protect personal information – and I’ll come back to that in a moment – the level of compliance with PIPEDA has been generally quite good. A poll commissioned by our Office last year found that two thirds of businesses of all sizes – 67 per cent – had fully implemented policies on the collection, use and disclosure of personal information.
One change I would like to see sooner rather than later is mandatory breach notification. With the election now behind us, I hope that updating PIPEDA will be a priority in Parliament. We need a legislated requirement for data breach notification as soon as possible.
Meanwhile, I have already begun thinking about the next PIPEDA review. As you know, the legislation mandates a review take place every five years. 2010 is only 13 months away.
It was clear to me that the last review was not the right time to look at major changes. My Office needed some breathing space after a very difficult period and we needed more time to see how PIPEDA was working.
However, looking ahead, I believe we should be asking questions about whether more substantive changes would make PIPEDA more effective.
Data protection authorities around the world are undertaking this kind of exercise. Indeed, we are seeing a worldwide dialogue about the best way to protect privacy in our new world.
In the UK, Commissioner Richard Thomas has commissioned the Rand Corporation to review the European Data Protection Act.
Commissioner Thomas has said the current approach is failing to meet the challenges of transborder data flows and the dramatic growth of personal information online. I applaud him for launching this forward-looking exercise.
The British Parliament recently empowered the UK Commissioner’s office to impose substantial fines on organizations that deliberately or recklessly commit serious breaches of the Data Protection Act.
The Australian Law Reform Commission has just completed an extensive review of privacy protection in that country.
And a number of countries with rapidly developing economies – notably China – are beginning to think about how to protect personal information.
Here in Canada, one of the issues we might want to examine seriously in the coming years is whether the Privacy Commissioner should have order-making powers. This is an issue constantly raised by privacy advocates.
I am commissioning a paper to explore the implications of moving to a model where the Commissioner would have order-making powers. For me, the jury is still out, but I believe this is something that should be examined objectively.
A separate issue that is of increasing concern to me is transparency.
Unlike the legislation governing many other data protection authorities, PIPEDA dictates a restrained approach to naming the organizations we investigate. Other than the occasions when we have been forced to go to court, I think I can count the organizations we’ve named publicly on one hand – generally because they have been named in the media beforehand.
However, delays in responding are also contributing factors. Our lengthy investigation times are unacceptable – which I readily admit. They mean that an organization can drag its heels.
Anonymity is ensured during and after the investigative process unless, very exceptionally, it ends up in court.
As I said, this is something I am just beginning to think about – but I think it is worth asking questions around whether such an opaque process serves the best interests of privacy regulation.
Before closing, I want to tell you what a privilege it has been to be Privacy Commissioner these past five years. The issues my Office deals with are constantly evolving. Each day brings an important new challenge.
I want to take this opportunity to thank all of you for your broad and enlightened support for PIPEDA. Your cooperation and the ideas you bring forward to my Office are extremely important to me and the Assistant Commissioners. We have established an approach to data protection that is looked to as a model around the world.
I have two more years left in my mandate and I look forward to continuing to work with you.