Appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the Privacy Implications of Camera Surveillance
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
October 22, 2009
Statement by Elizabeth Denham
Assistant Privacy Commissioner of Canada
(Check against delivery)
Thank you, Mr. Chairman and members of the Committee for inviting our Office to address you on the privacy implications of camera surveillance, as used in such commercial applications as Google Street View and Canpages and other issues related to video surveillance and new technology. I am joined today by my colleagues, Carman Baggaley, our senior strategic policy advisor, and Daniel Caron, Legal Counsel.Unfortunately Commissioner Stoddart cannot attend today. She has laryngitis. I think this is a first for her not attending.
We very much appreciate the Committee’s interest in this issue and we followed the hearing on June 17, 2009, at which representatives from Google and Canpages appeared. We welcome the opportunity to discuss this interesting development in technology.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a technology neutral law that does not, in our view, thwart the innovation of new technologies. We have sought to ensure that PIPEDA is a dynamic, modern and effective tool to strengthen the privacy rights of Canadians, and we believe that PIPEDA can cope with the commercial collection and use of personal information through street-level imaging technology.
We are very much aware that many services that use street-level imaging are popular with the public. Our ongoing concerns about the commercial use of this technology centre on ensuring that it protects the privacy of Canadians by meeting the requirements of PIPEDA, such as knowledge and consent, safeguards and retention.
I would like to now briefly recap our involvement in this issue.
The Office of the Privacy Commissioner of Canada has been closely following the development and use of on-line street-level imaging technology by companies operating in Canada and elsewhere for a few years. As I indicated, such technology has potential privacy concerns and we wanted to know more about it and how it may be deployed in Canada.
Street-level imaging applications use various means of photographing the streetscape. A camera is typically mounted on a vehicle that is driven down a street. The images are then shown on the internet as part of the company’s mapping application. Although the companies’ interest is to capture a streetscape so that users can take a virtual tour of a particular neighbourhood, the companies are also capturing images of identifiable individuals and tying them to specific locations.
We began to monitor this issue in 2007, when we learned that Google was photographing the streets of certain Canadian cities for the eventual launch of its Street View application in Canada, without the apparent knowledge or consent of the individuals who appeared in the images.
The Commissioner wrote an open letter to Google, outlining my concerns about the Street View application. She took the opportunity to point out that if companies like Google wished to use this technology for commercial services in Canada, there was private-sector privacy law that would have to be adhered to and stronger privacy protections would have to be put into place.
Photographing people in public places
I would like to address a common misconception that some companies have about photographing people in public places. If an organization takes a photograph of an individual in a public place for a commercial purpose – for example, when a company, in the course of photographing a streetscape captures an identifiable image of a person and the image is uploaded onto the internet, for a commercial reason – Canadian privacy law still applies. One of the key protections is that people should know when their picture is being taken for commercial reasons and what the image will be used for. Their consent is also needed. While there are exceptions under the law, they are limited and specific and concern journalistic, artistic and literary pursuits.
Our views on privacy and street-level imaging
Street View has now been launched in Canada — it went live on October 7 — as well as in other countries, and the Canpages service, Street Scene, was launched earlier this year in certain cities in British Columbia. Canpages is seeking to expand its service to other Canadian cities, and has recently provided notice that it is photographing streets in Montreal and Toronto.
Our office and our provincial counterparts with substantially similar commercial privacy laws (Alberta, BC and Quebec) have been in contact with both companies about their street-level imaging and mapping applications. Early this year, those provincial privacy commissioners and our commissioner issued a fact sheet, which I believe you have a copy of, for industry and the public on what we think needs to be in place in order for commercial services that use such technology to be in compliance with Canada’s privacy laws. The fact sheet, entitled Captured on Camera, details the privacy protections that are particularly pertinent in the case of street-level imaging. These are:
- Citizens need to know in advance that street-level images are being taken, when, and why, and how they can have their image removed if they don’t want it to appear online. This could include visible marking on vehicles — and if you’ve seen the Google car you’ll see that it’s well identified; notification through a variety of media outlining dates and locations, the purpose of filming and how people can contact them with questions.
- We also think that faces and license plates need to be blurred so that the individual is made anonymous or is at least not identifiable.
- Companies need an effective and quick take-down process whereby an individual can have their image removed
- Unblurred images retained for legitimate business purposes should be protected with appropriate security measures and the raw data should not be retained indefinitely.
We have seen changes to how the technology is used that are more privacy respectful, and we played an important role in encouraging these changes – not only in Canada but worldwide. Images of people and licence plates are blurred but the process of doing so needs to continue to evolve and improve. Take-down processes are being established. The need for clear retention periods is being addressed. Companies appear to understand the need to solicit the views of community organizations about any possible sensitivity to filming in certain locations.
Notifying the public is an ongoing concern. We believe that the nature of the information collected is not especially sensitive and that companies can rely on implied consent provided they give reasonable notification to the public in the form of outreach. Individuals need to know in advance when an organization will be photographing their neighbourhood so that they may adjust their plans accordingly.
New technology and PIPEDA
As you know, the purpose of PIPEDA is to balance the individual’s right of privacy with an organization’s need to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. PIPEDA applies to a wide range of businesses – from banks and telecommunications companies to car dealerships and the local social networking sites. The law is not prescriptive; rather, it requires organizations to adhere to a set of fair information practices or principles. Each organization, given its business model and other regulatory requirements, must find ways to adhere to these principles and achieve the balance between its own legitimate needs and the rights of individuals to their privacy. The Office of the Privacy Commissioner of Canada works with organizations to help meet their business objectives and meet their obligations under PIPEDA. I’d be very pleased this morning to talk to you about Facebook as a good example of that.
As I indicated earlier, PIPEDA is a technology-neutral and principle-based law and so far appears to be flexible enough to guide commercial uses of new technology. As you are likely aware, over the summer we released findings in two complaints that were filed in 2008, in which new technology and new business models featured prominently. One involved a social networking site, Facebook, and, the other, the use of deep packet inspection (DPI) by a telecommunications company. Under PIPEDA, we were able to strike a reasonable balance that serves as a road map to help us face new privacy challenges on the horizon. These findings will have a positive impact on the privacy rights of Canadians (and indeed on 300 million people worldwide who are users of Facebook), while at the same time acknowledging business interests. What we have learned in the past 18 months, through our work in street-level imaging, social networking sites and deep packet inspection, will help us significantly, and we believe that these examples have served to raise the profile of privacy for business and average Canadians.
As we note in the PIPEDA Annual Report for 2008, new technology, for all its indisputable benefits, continues to pose new privacy challenges. Indeed, our Office is planning to explore, over the next year, the implications of behavioral advertising, cloud computing and geospatial technology on privacy. We will be seeking the views of business, academics, advocates, and regular Canadians in order to better understand how PIPEDA applies to these technologies and business practices and their impact on privacy.
Since we were asked to appear, we tabled our 2008 PIPEDA annual report and I understand that you all have copies. The main themes of the report are really a shout-out to youth, a reminder that Canadians need to take control of their personal information on the Internet. We think that youth are particularly vulnerable because they’re big users of technology and may not realize the risks.
Therefore, as our report indicates, we really focused this year on public education activities to reach out and talk to that demographic.
We’ve passed out some stickers for you, Think before You Click. We distributed those during frosh week. We also have many other tools: a youth blog, we have videos produced by youth, so we have youth talking to youth. You can find all of these tools on our website Youthprivacy.ca, the federal, provincial and territorial commissioners passed a resolution in 2008 on youth privacy advising what individuals and organizations need to do.
Lastly, before I close, the other main issue I would like to highlight in the annual report is the matter of data breaches and notification. As you know, this is a global issue. Governments, organizations, and data protection commissioners are really grappling with various models including mandatory breach notification.
The report highlights a study that we conducted on our current voluntary reporting regime. I’m happy to talk about it more, but what it confirmed is that we can’t possibly be receiving reports from businesses about all significant privacy breaches in Canada. There’s just no way. The numbers are relatively low. It underscores also the ongoing need for training because a third of the breaches reported to us were not the result of hacking, of technology breaches, but really simple employee errors like dialing the wrong fax number.
In conclusion, I would like to thank the Committee for inviting us today to discuss privacy, street-level imaging and other new technologies. I welcome your questions.
- Date modified: