Setting the Priorities for the Office of the Privacy Commissioner: A Conversation with Stakeholders

Summaries of privacy issues for discussion

Halifax / Toronto / Edmonton / Ottawa / Montreal

(January - February 2015)


Economics of Personal Information

Overview

Data generated digitally has created novel economic and social opportunities for organizations and individuals, and it is important for Canadian businesses to remain competitive in a technological market that fosters and rewards innovation. The Government of Canada recently released its strategy for growing the digital economy through funding programs that will, for example, increase broadband to rural populations. Expanding Internet connectivity in Canada can help strengthen the economy and also has the potential to improve the lives of individuals.

Many online services are offered at no cost to the users, and this has become the baseline business model for the Internet. Users register for applications and access to free company offerings. What is left unstated for individuals is the underlying nature of the transaction — namely, that users are trading information about their usage, contacts and interests across a range of online activity. That history of interaction and personal profiles can then be collected, mined, tracked, and traded. The commercial insights gleaned — from social profiles and demographic data, web search logs and purchase histories, to voice, text, and photographic communications — are what ultimately pay for online offerings, applications and services.

Commercial Advertising
  • Cookies
  • Online Tracking
  • Online Behavioural Advertising
User Agreements
  • App Economy
  • Websites
  • Digital Programs (iTunes, etc.)
  • Non-Digital Agreements
  • "Consumer Consent Models"
Online Services
  • Email Services
  • Web Search Engines
  • Social Media & Networks
  • Cloud Computing
  • Data Brokers
  • Big Data

The same holds true for the burgeoning mobile Web and smartphone market. A complex corporate ecology has developed worldwide — from advertisers to app and platform developers to manufacturers and infrastructure firms — which pivots on the collection and leverage of device location data and the communications metadata generated by digital networks. We are in an age where personal data is the new oil — a resource that can be extracted with ease, at relatively low costs, to be refined for commercial purpose.[Footnote 1] This has created an imbalance in terms of who ultimately controls such information. Online business models that leverage personal information as a commodity remain largely hidden from the public, while at the same time, individual engagement online or with other digital technologies has become less and less a choice for most people. Individuals increasingly rely on digital technologies to work, shop, and communicate as non-digital options dwindle away.

Even after two decades of mainstream internet interaction, individuals find that the privacy protections we enjoy offline seem absent online. For instance, online search engines have absorbed many functions of the public library, business and telephone directory, reference books or maps. However, unlike "offline" libraries, search firms are not required by law, regulation or professional codes of conduct to ensure strict user confidentiality.[Footnote 2] To give another example, both clientele and regulators would be seriously concerned if credit or insurance companies frequently altered terms and conditions, yet this is standard practice with online applications. Finally, before modern fibre-optics bandwidth and cheap, reliable data storage, public and private records with sensitive information had a relative protection (practical obscurity) by virtue of physical barriers and computational limits that made aggregate analysis difficult. The emergence of data brokers, analytics and Big Data has erased that natural protection, leading to the mass digitization of paper records along with the collection of digital data in order to sell and package information for specific purposes.

The current economic model built for the online world is opaque, predicated on personal data, and operates in ways that challenge the tried and tested legal protections and traditions afforded to the offline realm. As a consequence it is difficult for the average user of information technologies to understand and meaningfully consent to these agreements or business practices.

Potential privacy impact

While acknowledged at an academic level, the lasting privacy impacts of wholesale conversion of personal information into a commodity have not been widely discussed. These after-effects are emerging slowly as companies continue to expand and innovate at the global level. One likely outcome (already apparent) is a gold rush (free-for-all) mentality in the information industry. Such a gold rush mentality incentivizes organizations to harvest as much personal data as possible before adequate public debate has taken place, securing commercial control over that information at the expense of user control. It also leads to an underdeveloped debate on consumer rights in connection with data protection laws and standards.

Another obvious side-effect is that granting increasingly disproportionate control to companies over personal information narrows consumer choice and makes individuals ever more visible and susceptible to influence. The business model that has developed online tends to remove privacy in favour of accumulating greater details about the everyday lives of individuals. The collection of personal details for commercial purposes often leads to the creation of profiles that are used to categorize potential customers based on assumed characteristics of the groups they are associated with. User profiles also serve to target advertisements based on inferences about individuals' interests and to discern between the groups of people who can afford products and those who cannot. In short, the tools afforded to protect privacy in virtual space require technical "know-how," business savvy and, in many cases, a disposable income. As a consequence, the current economics of information and privacy can be a source of injustice to those lacking digital literacy or the financial means to protect a fundamental human right.


Government Services & Surveillance

Overview

Information Sharing
  • Public-Private Sharing of Data
  • Sharing between Commercial Organizations
  • Sharing amongst Governments & within the Government of Canada
  • Open Data
Organizational Surveillance
  • Cyber-security
  • Mega-Events
  • Exigent Circumstances
  • Border Security
  • Private-Public Partnerships
Privacy Oversight & Democratic Controls
  • Transparency & Accountability
  • Public Reporting
  • Parliamentary Oversight
  • Legislation Impacting Privacy
  • FATCA & Tax Agreements
  • Bi-/Multi-Lateral Agreements

One of the core modes of operation and primary functions of governmental institutions is to gather information. Few would argue the point that rational public policy and evidence-based decisions — whether they involve social programs, tax policy or even use of military force — should be made without timely, accurate, representative information. This imperative is even more central where state intervention into the lives of individuals takes place, because the information that is gathered and weighed can be personal and even highly sensitive. Without timely and accurate personal information on citizens, the reality is that modern public services can be very difficult to design and deploy.

At the same time, the Government of Canada continues to explore more efficient ways of improving programs and enhancing service delivery by adopting new technologies and increasing information sharing between departments, governments, and jurisdictions. The value in this for Canadians can be great. The risks, however, of modernizing government services include security breaches, and also the potential to create profiles that are used and shared for a host of purposes, including for law enforcement. Along with the increase in government use of modern communication technologies (e.g. social media, analytics, and web-based services),[Footnote 3] there is a movement towards making databases open, spurring further privacy risks.[Footnote 4]

Similarly, governments worldwide have spent the past decade amassing personal information and transactional data to combat threats to safety and security, including cyber-security. The new forms of security threats to democratic states — from cyber-attacks to criminal networks spread throughout the world — create a challenging environment for governments to confront. In the past year, headlines exposing the U.S. National Security Agency's surveillance practices and the global network of mass surveillance programs have dominated the attention of many around the world.[Footnote 5] The widespread disclosures and public debates have led many prominent academics and privacy advocates to redouble calls for greater transparency and accountability from Canadian intelligence agencies and private sector companies. Editorial pages, opinion polling and public petitions have reiterated these concerns, stressing the pivotal importance of independent judicial oversight, the democratic gap represented by the lack of dedicated parliamentary oversight, and the need for key legal reforms to properly limit the disclosure, collection, and use of personal information. Even seemingly innocuous data, like metadata, can be very revealing of sensitive personal information.[Footnote 6]

Potential privacy impact

Democracies such as Canada rely upon a well-informed citizenry, a transparent and accountable government, as well as enshrined and observed rights and freedoms. This clearly includes the right to privacy. Jurists, legal scholars and advocates working in the field have long argued that uncontrolled electronic surveillance (whether carried out by security authorities, intelligence agencies and/or private contractors) works in a fashion that erodes due process, inverts traditional fair information practices and subverts other rights. One need look no further than this year's Supreme Court decision in Spencer to find these cautions articulated.[Footnote 7]

Just as government surveillance invades individuals' privacy, so too does the trend toward greater information sharing agreements across and within borders, between and among public and private agencies. Digital data is increasingly shared for an ever-broadening range of purposes: immigration control, border security, law enforcement, fraud detection, traveller monitoring, health surveillance, etc. The risks to privacy include whether the information has been shared with the right organization, in the correct way, and for the appropriate purpose.


Protecting Canadians in a Borderless World

Overview

In a globally networked and integrated economy, the era of Canadians' personal information being housed in Canada alone has long since passed. The financial services, insurance, credit, travel and transportation industries all generate massive amounts of personal information on customers — and corporate records migrate quickly abroad when companies seek to drive down computing, storage and data retention costs. It is, therefore, incumbent upon us to work with authorities outside our borders in order to protect that information when it leaves Canada. There is, however, an added challenge when dealing with jurisdictions that have no data protection authorities, or have considerably weaker privacy laws, making Canadians' personal information abroad even more vulnerable.

At the same time, it is often the case that individuals worldwide are dealing with similar privacy threats when it comes to the technological systems, platforms, and web-based services of commercial organizations operating globally. Likewise, governments are banding together to exchange information about international travellers and potential risks, with implications for the privacy of all people. As information moves globally throughout the digital infrastructure — from social networks to the cloud services of companies — the jurisdictional bounds of privacy laws in Canada, and elsewhere, are not easily parsed out.

Protecting Canadians' personal information in a borderless world also involves participating in international organizations that work towards developing international policies, standards and norms, such as the Organisation for Economic Co-operation and Development (OECD), Asia-Pacific Economic Cooperation (APEC), and the International Standards Organization (ISO). Failing to appreciate the global nature of privacy threats could serve to undermine effective solutions to protecting Canadians' personal information, whether here or abroad.

International Networks
  • OECD; GPEN; APEC; APPA; M3AAWG
  • Asia Pacific; Berlin Group; London Action Plan
  • Common Thread; Privacy Authority; La Francophonie
Global Privacy
  • Privacy issues are borderless
  • Canadian solutions may require Global Frameworks

For example, if there is a widespread data breach or major changes in a single company's terms and conditions, individuals can be affected globally. It is no longer useful for data protection and privacy authorities to investigate these matters separately, nor is it an efficient use of finite resources, nor does it always result in efficient outcomes.

In this context, the OPC has joined with privacy protectors internationally to take joint action to improve online privacy practices. Such was the case when in 2010 the OPC, alongside others, became members of the Global Privacy Enforcement Network (GPEN), which is designed to facilitate cross-border cooperation in the enforcement of privacy laws. Shortly afterward, PIPEDA was amended to allow the OPC to share information with other data protection authorities with similar responsibilities. In total, the OPC has signed six bilateral cooperation arrangements with Germany, Ireland, the Netherlands, Romania, U.K., and Uruguay, and also one multilateral privacy enforcement arrangement, known as Asia-Pacific Economic Cooperation (APEC).

While our Office, in conjunction with other privacy authorities worldwide, has made great strides in improving international cooperation, there is still much work to be done in this arena. Understandably, there are challenges to overcome when working together, such as the differences in privacy laws around the world. Additional challenges include building mechanisms to share information multilaterally with data protection authorities worldwide, which also requires establishing trust so that we are comfortable working together.

Potential privacy impact

International cooperation can lead to improved online privacy practices having real impacts for Canadians. For instance, our Office recently collaborated with the Dutch Data Protection Authority to investigate the information-handling practices of U.S. mobile app developer, WhatsApp. We discovered security vulnerabilities in the popular mobile messaging platform. At the time of our investigation, the app was transmitting its users' messages without encryption, leaving messages potentially susceptible to electronic eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. As a result of our joint investigation, the company began encrypting messages in September of 2012.

Another dimension to protecting Canadians' privacy in an increasingly borderless world involves lending expertise and helping build capacity in jurisdictions without well-established data protection authorities, or without strong privacy laws. Our Office, for example, has hosted staff from newly established enforcement authorities to give them a first-hand look at how a privacy commissioner's office functions. We have also shared the technical expertise we have developed in the online world with small, newly established authorities. In this regard, we have helped these authorities build their own technical analysis labs by showing them how our own lab operates, the equipment we use, and the expertise we require. By working and engaging internationally with other authorities in the process of strengthening their data protection regimes, we can provide our expertise and legislative traditions to influence the process and ultimately better protect Canadians' personal information abroad.

Developing coordinated policy at the international level can help shape and improve the privacy norms and standards around the globe, in turn benefiting the protection of Canadians' personal information. Since threats to privacy are increasingly globalized, joining international organizations that provide a platform for policy development can help us find solutions to common problems.


Reputation & Privacy

Overview

As we engage professionally and personally online, more and more information is being posted about us by others and by ourselves. Our digital trails also tell a story about us. While we may present ourselves online as we wish to be portrayed at a point in time, that portrayal can ruthlessly persist on the internet, or on a company's server, refusing to evolve even as we ourselves change over time. A key component of human development, after all, is the ability to evolve and change one's ideas, beliefs, or opinions. The myriad of information that is generated online about our lives is virtually impossible to contain, contextualize or erase, leading to concerns over the impact this could have on our reputation.

Broadly speaking, for most people, reputation signifies our public persona, or how we want to be represented, and is thus an integral part of how others come to define us. In an increasingly digitized society, individuals are becoming defined by their purchasing histories, social media profiles, online comments, web surfing patterns, and much more. Individuals may wrongly assume that the personal information they share with a small circle of friends will not be disclosed to others without their permission. Or they may assume that they can anonymously express themselves online or explore certain websites, when in fact their identity can be linked to their activity.

Online Reputation
  • Shaming Websites
  • Digital Memory ("Right to be Forgotten")
Education & Online Life
  • Digital Literacy
  • De-identification & Anonymity
Profiling
  • Lack of Transparency
  • Access
  • Personalization ("Self Profiling")
  • Potential for Discrimination
Vulnerable Populations
  • Child Protection
  • Mental Health History
  • Social Activists
  • New Canadians
  • Minorities
  • Elderly

Reputational risks are furthermore amplified as individuals post information about others, compromising people's control over how they are represented. Consider the phenomenon of "revenge porn," whereby individuals publicly share, without consent, sexual photographs (usually of ex-partners) to shame or embarrass them, or the extreme practice of cyberbullying to deliberately harm, harass, or smear the reputations of others. This spurs questions about how to suppress and refute negative information about oneself (e.g. the "right to be forgotten" debate), and also about where the boundary lies surrounding free speech. The impact of these reputational smear campaigns can cause significant emotional suffering. Once a reputation is tarnished online, it is extremely challenging to repair. There is also the potential for greater impact on the reputations of vulnerable populations, such as children, teens, and others, who have less control over their digital information.

Organizations, employers, and small-scale commercial enterprises are also coming to rely on digital records they collect, store, and trade about us, or obtain from us. Hence there is an organizational component shaping one's reputation as well. Organizations argue that they have a legitimate need to meaningfully interpret and categorize large amounts of digital data amassed about individuals in order to provide a service. Hence, the creation of profiles tends to reflect particular sets of criteria relevant to the organization's needs. In the commercial sector, individuals may be profiled according to their socioeconomic worth, their employment potential or their sexual orientation, for example. The lack of transparency and accountability surrounding these classifications can be the source of anxiety for some who are unsure about the impact it can have on their lives.

It is also the case that companies design their websites to be personal. The more personal, the greater the monetary value for the company. Individuals in turn personalize interests about themselves on the Net, in effect building a demographic survey that is visible to friends, but also to the prying eyes of third parties. In such a context, how can individuals control the assumptions being made about them and how their information is being used by others? Often malicious intent or organizational error is not even required to create risk to individual reputation. New online channels, mobile technologies and graphical interfaces can also contribute to the risk of breaches, given how easily personal information can be duplicated, edited and shared.

Potential privacy impact

Organizations and individuals increasingly impact the reputations of individuals based on information about them that may not even be accurate. Organizations, for example, can target and profile individuals based on key words or photos from social media sites and draw conclusions that are shown in some cases to be wildly different than the truth. Unbeknownst to those targeted or profiled, they may be treated as more high risk than they actually are. A recent Harvard study led by Dr. Latanya Sweeney found racial bias in ads connected with certain search terms used in Google and Reuters. When searching black-identifying first names (such as DeShawn, Darnell and Jermaine), a higher percentage of ads offering services for criminal record checks appeared, than was the case when searching white-identifying names (such as Brad, Jill and Emma). Connecting a person's name with offenses they did not commit has the potential to smear one's name, or influence the views of other people.

The reputational risks to individuals increase as others increasingly make use of their data, often without the awareness of the individual, or without ensuring the validity of the information. For example, our Office investigated the Positive Singles dating website for people with sexually transmitted diseases. Complainants alleged that their member profiles detailing sensitive health information were shared with other dating websites operated by the parent company without their knowledge. Many of the other websites targeted people with varied interests and from different demographics, often with entirely different medical conditions. This in turn creates the potential to link one's reputation with faulty associations, and also reveal extremely sensitive information. Our Office concluded that the dating website, along with its parent company, failed to openly and clearly explain how prospective members' personal information would be made visible and disclosed. Following our investigation, the parent company made changes to the website to make its information handling practices more transparent, including indicating on the homepage that all profiles created on the website will be visible to users of other affiliate websites.


The Body as Information

Overview

Historically speaking, people have always had their bodies measured and recorded for medical, criminal, aesthetic purposes and more, either voluntarily or not.[Footnote 8] A more expected practice of extracting information from the body occurs in the ordinary field of family medicine, whereby individuals consult with their doctor on health issues. As a result of the sensitivity of personal information exchanged between a medical practitioner and the individual, many countries put in place laws to protect patient confidentiality.

Genetic Information
  • DNA Data Banks
  • Forensic Use
  • Genetic Testing for Insurance
Biometrics
  • Prints of Face/Palm/Fingers
  • Iris/Gait Scanning
  • Facial/Voice Recognition
  • Human-Machine Interface
Wearables
  • Body Cams
  • Self-Tracking
  • Bio-Tracking

The rise of automating medical records and utilizing biomedical electronics, or collecting biometric data for commercial, recreational, and forensic purposes, demonstrates a shift from what was once considered a very private and protected milieu. A whole global industry has arisen that capitalizes on information about the body — from the digital measurement of one's weight, height, and heart rate, to blood analysis and genetic testing, much of which is now done in the private sector. As our bodies continue to merge with information technologies, protecting privacy will only grow in importance.

Consider but a few high-tech examples available on the market or in research labs that demonstrate the growing trend of wireless health — or the wireless transmission and communication of information from inside your body to the outside. There are implantable sensors that can monitor the blood pressure of those with recent cardiac arrest, or contact lenses that can detect a diabetic's level of glucose. Ingestible digital medicine, from camera capsules to thermometer pills, can record the internal information of one's body while traversing the digestive tract. There are devices that can be placed over the head or implanted onto the brain to read brain activity. This phenomenon, called "brain computer interface," can potentially help those with physical disabilities and paralysing injuries. These new diagnostic methods clearly promise real benefits for both individual patients and the health care system as a wider social investment.

Other examples of measuring the body beyond health include wearing smart devices for sports and recreation. Epidermal electronics are increasingly used in competitive sports, whereby sensors come in contact with the skin of athletes to measure the level of acidity in their sweat. There are smart devices such as a new generation of ear buds used for the enjoyment of music but also to measure real-time biometric and physiological data, which they send back to the user's smart phone. These modernized techno-practices present "the human body as information" — a term coined by the OECD. As old and new types of information about the body are collected digitally, the risks to privacy are amplified.

Potential privacy impact

Sensors and information technologies that are put to use for extracting information from the body carry personally sensitive data from the type of illness you may have, to the pills you take, or the food you eat. The impacts to privacy will have to be closely examined, and in an ongoing way, as new technologies and practices implicating the body emerge. Certainly there will be many benefits offered to society through biomedical advances, and other avenues of technological progress that involve the body.

The issue of strong safeguards, who controls the information, how it is shared and used, and the sensitivity of context, is of utmost importance. The increasing reliance on biometric data as a means to identify and authenticate individuals for a host of purposes, from law enforcement to the workplace, schools, and home security, spurs a number of privacy concerns. A number of Canadian school cafeterias, for instance, are becoming cashless, allowing children to access payment accounts by scanning their fingerprints, which are stored in a database. Toy companies have begun selling wristbands that can track and monitor kids' fitness and activity levels. Commercial wristbands have also made their way into seniors' homes. The privacy impacts of biometrics have to do with the potential for errors and security vulnerabilities, and also the accuracy and reliability of the information used to identify, authenticate, or make decisions about individuals.

Individuals are increasingly giving up their DNA information for commercial genetic testing in exchange for genealogical, health, paternity, ancestral, or recreational purposes. Aside from the individual privacy issue, there are also groups to consider since our genetic makeup can reveal sensitive information about others as well. Genetic information is also accessed by law enforcement agencies, spurring concerns over the expanding size and potential uses of forensic DNA.

There are many more examples of how information about the body can be misused and of the impacts to privacy. In British Columbia, parents recently launched a lawsuit against two hospitals alleging breach of privacy, an unlawful search and seizure and breach of fiduciary duty. Parents objected when they learned, after the fact, that their infants' blood samples, obtained through routine newborn screening tests for genetic diseases at birth, were being retained by the hospitals and used for secondary research purposes without consent. As we shift towards greater dependency on technology, it is worth contemplating some of the risks associated with implants in the body. Researchers have long exposed substantial vulnerabilities in these implanted wireless devices, such as cyber-attacks that can tamper with, manipulate or control the device within the body, potentially wreaking havoc on one's health and personal information.


Strengthening Accountability & Privacy Safeguards

Overview

Privacy is important to Canadians. As a right, it is the bedrock of democracies. Many hold respect for privacy to be both a tradition and social value. But it is a principle under pressure. In a recently commissioned survey by our Office, two-thirds of Canadians expressed concern about the protection of their privacy, with one-quarter emphasizing extreme concern. Even more telling, nearly three-quarters of Canadians felt a diminished sense of control in protecting their own personal information.

While both organizations and individuals can take steps to improve their privacy management practices, the bulk of control mechanisms and safeguards for personal information reside within organizations, both small and large. Government and commercial bodies have a vital role in ensuring that they have the structures and programs in place to properly protect personal information. As the flow of information undergoes increasing digitization and spreads faster throughout a global telecommunications infrastructure, updated privacy protocols and well-understood security measures for organizations are of paramount importance.

Public & Private Organizational Privacy Practices
  • Privacy Breaches
  • Privacy Policies
  • Security
  • Transparency & Accountability
  • Employee Privacy
Individual Privacy Practices
  • Security
  • Engagement
  • Information Management
  • Responsibility for Others' Information

While an overwhelming majority of Canadian businesses indicated in a 2014 OPC survey that the protection of privacy was an important objective, it is also evident through our research that many firms are unable, or unwilling to invest properly, to take adequate, proactive privacy measures. For instance, roughly half of the companies surveyed did not have a privacy policy in place, or procedures for responding to customer requests to access their personal information and dealing with privacy complaints. In addition to this, approximately two-thirds of these companies had no policies or procedures for assessing the privacy risks of new products, services, or technologies, and expressed little to no concern about the prospect of a data breach. Given the vulnerability of porous networks and corporate servers to data breaches and outside intrusion, these results are alarming. On the private sector side, a total of 60 data breaches were reported to our Office in 2013 (a fifty percent increase over 2012). On the public sector side, the Canadian government reported over 3,000 data breaches over the past decade, affecting an estimated 725,000 Canadians.

As stewards and primary users of personal information, both public and private sector organizations have an ethical responsibility, and are required under PIPEDA as well as Treasury Board Privacy Policy, to develop and maintain robust privacy practices. Doing so reflects positively on them, generates customer trust and consumer control, and encourages a competitive advantage in the marketplace. Individuals, of course, have a responsibility in managing and improving their privacy practices as well. They can do their part to learn how to navigate the digital realm by increasing their proactive engagement and knowledge of security tools, in turn bolstering their privacy. Moreover, individuals must also be made aware of their duty to limit and think carefully about the information they share or post about others.

Potential privacy impact

Canadians are increasingly concerned about public and private sector organizations losing control of their personal information. This heightened sensitivity goes well beyond accidental data breaches and weak privacy policies. Ultimately, the main problems are ones of citizen trust and consumer confidence. Given the sophistication of contemporary data systems and the global information infrastructure, individuals have no realistic way of knowing what will happen to their personal information or private communications. Without proper information from governments and private organizations about intended uses that will be made of their personal data, how can they exercise meaningful control over what is done with it?

Ultimately, poor privacy management practices impact upon both organizations and individuals. Organizations, for instance, risk damage to their reputation and brand, can incur high costs, and jeopardize Canadians' trust when weak protections are in place to safeguard privacy. Whether information is stolen from organizations, or misused, leaked, or lost by them, the impact on individuals can be significant. Identity theft and financial fraud are two possible outcomes of a data breach which Canadians, in a recent public opinion survey, identified as among their most concerning risks to privacy. Not to be discounted, however, are the significant other privacy harms resulting from humiliation, embarrassment or sheer worry about what may have happened to their personal information.
