Information Technology Association of Canada (ITAC)

2010 OPC Consultations on Online Tracking, Profiling and Targeting and Cloud Computing

December 2010

Canada's privacy principles

The Information Technology Association of Canada (ITAC) is pleased to respond to the October 2010 draft Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting and Cloud Computing. ITAC was a key player in the creation of the Personal Information Protection and Electronic Documents Act (PIPEDA), and continues to follow its evolution with interest.

The public internet may have been in its infancy when the ten principles of the CSA Privacy Standard were crafted, and only slightly more mature when PIPEDA was passed, but the Act has proven to be remarkably resilient. Fortunately, PIPEDA is based on broad principles rather than specific technologies or approaches that are liable to rapidly become outdated. This provides flexibility and adaptability to address changing contexts, changing expectations and changing technologies. Organisations, individuals and the Commissioner are not constrained by rigid rules, but instead refer to a broad set of flexible principles that were intended to accommodate the technology that existed in the late 1990s and new technologies that simply were not anticipated at that time. These principles are sufficiently robust and provide a true "gold standard" for personal information protection that is flexible enough to accommodate significant changes in technology, including the increased adoption of both cloud computing and online tracking, profiling and targeting.

PIPEDA is further rooted in the important provision of "reasonableness", which sets the baseline for businesses and the expectations of Canadian citizens. Collection, use and disclosure of personal information has to be reasonable in the particular circumstances. Those circumstances can evolve and the framework in which PIPEDA is applied can similarly evolve to take into account the participation of Canadian citizens and businesses in the dynamic and promising internet ecosystem.

ITAC is of the view that there is nothing inherent in either cloud computing or in online tracking, profiling and targeting that requires amendments to PIPEDA or even a significant re-thinking of how the Office of the Privacy Commissioner applies the Act. The consent principle, for example, requires that businesses take into account the reasonable expectation of the individual in determining what form of consent is necessary. If one were to prescribe that a particular circumstance requires a particularly form of consent, it would become the de facto standard regardless of how expectations evolve or how technological measures can be introduced to further empower citizens to take control over their own personal information.

It must also be recognised that Canadian businesses are embracing advanced practices that tailor advertising to the interests of users. It is common sense that providing a user who has a demonstrated interest in photography with advertisements for camera equipment will be more effective and efficient than showing that same advertisement to every member of the public, hoping that a segment of that population might be interested.

Encouraging business and innovation

The online marketplace is truly global and Canadian businesses are well situated to continue to take advantage of it. It must be noted that PIPEDA's title clearly indicates that the Act was intended not just to protect personal information but also to support the adoption of electronic commerce in Canada. Among other things, PIPEDA was designed to be technologically neutral and to encourage business, experimentation and innovation. Where advertising is concerned, undue regulation or over-regulation can have a negative impact on businesses and consumers. Many of the services that Canadian consumers take advantage of online are "free", but are mostly supported by advertising. Targeted ads are more valuable, both to the company whose wares or services are presented and to the organization that provides the advertising space. Undue restrictions on such advertising will hurt both ends of that value chain and will ultimately reduce the ability of online companies in Canada to provide valuable services to consumers, both in Canada and globally.

This is not a zero-sum game. Targeted advertising can be delivered in a way that respects consumer privacy and autonomy. Legitimate advertisers who are mindful of consumer preferences and choice provide those consumers with information about targeting practices and tools to adjust how advertising is delivered to them, including complete opt-out. ITAC is confident that PIPEDA and the OPC are sufficiently robust to be able to respond appropriately if instances arise where sensitive personal information is used in efforts to target online advertising.

The future of computing is cloud computing

There is little doubt that the adoption of cloud computing will continue to grow, to the benefit of businesses and consumers.However, these benefits will be curtailed in Canada to the degree that Canadian governments take steps that limit the flow of personal information to cloud locations.Given the small size of the Canadian market, the commercial development and maintenance of a permanent "made-in-Canada" cloud cannot be ensured; global service providers are more likely simply to focus on other markets. Fortunately, PIPEDA already includes the principles to be considered by any Canadian business that contemplate moving in-house data processing to a cloud, where the location of the data is only one consideration. Furthermore, the OPC's extensive work in cooperation with the Treasury Board Secretariat in response to public concerns related to transborder flows in the face of the US Patriot Act displays a balanced understanding of business realities and the need for a reasoned, risk-based approach.

Not only can privacy concerns relating to cloud computing be addressed, ITAC would stress that the economies of scale behind the adoption of cloud computing can have some very important privacy benefits. Most large cloud providers operate world-class data centres with leading-edge physical and logical security. They can and do adopt stringent security measures to protect personal information in their custody, whereas small and medium-sized businesses rarely choose or can afford to devote the resources necessary to keep all their infrastructure secure and their software updated.Furthermore, when data is securely stored in the cloud, it is not resident on devices that can be readily lost, stolen or tampered with. (Keeping materials in the cloud obviates any need to carry data around on thumb-drives, for example.) This benefit will become more and more pronounced as consumers and businesses move to the more widespread adoption of mobile computing devices, such as smart phones, netbooks and tablets. These smaller devices are more convenient and more vulnerable to loss, but if they are used to access information that is stored in the cloud, there is no information on them to be compromised if control over the device itself is lost.

The development of standards

In addition to discussing the privacy aspects of cloud computing, ITAC will also respond briefly to the invitation in the draft report (page 41) to respond to the suggestion that "government undertake to develop standards." ITAC would very much prefer that interested parties use the existing processes that already enable and encourage Canadian participation in international standards development rather than have government take on the entire responsibility itself. ISO/IEC JTC 1, ITU-T and other forums offer well-established mechanisms that allow for both public sector and private-sector input – at both the domestic and the international level. International standards should be considered first for use in Canada; only if the existence of unique Canadian requirements can be demonstrated should there be Canadian standards.


ITAC supports the OPC's efforts to gain a better understanding of business practices and consumer preferences as technologies evolve. Such an understanding is important given that the legislation is technologically neutral and all stakeholders must rely on the OPC and the courts to interpret the legislation in light of evolving technologies and expectations. While the online environment may be evolving rapidly, ITAC is confident that the legislation that regulates the collection, use and disclosure of personal information in Canada is up to the task and should in fact be interpreted to encourage innovation in how personal information is protected and how Canadians are given tools to manage their own privacy.

Date modified: