Appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on Privacy and Social Media
May 29, 2012
Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Mr. Chair and Honourable Members, I want to thank you for the invitation to appear before Committee today as you begin your study on social media companies and the steps they are taking to protect the personal information of Canadians. I am joined here by two social media experts from my Office, Daniel Caron, Legal Counsel, and Barbara Bucknell, Policy Analyst.
Overview of Social Media
I am sure that all of you have had experiences with these online platforms. They have become important channels for news, communications, relationships and the sharing of photos, videos and almost anything else that can be digitized. That said, I think it useful to start with an overview of the industry to help clarify what it does, and how its activities have an impact on the privacy of Canadians.
Social media involve applications that allow individuals, organizations and communities to share information and generate content. Building on traditional business models where businesses required personal information in order to provide a service, today, individuals, young and old, voluntarily share their personal information on social media sites to connect with other people or, in some cases, to draw attention to themselves and their views. Indeed, many social media sites encourage users to establish profiles that reflect who they are, what they are interested in, who they know and what they like. Many provide their services for free in the hopes of gaining a large user base.
To suggest that these services are “free” however is not entirely accurate. Social media companies can quickly amass a staggering amount of personal information. In addition to the preferences, habits and social interactions of their users, these companies also collect vast amounts of background information that are not visible on public profiles, including search histories, purchases, Internet sites visited, and the content of private messages. This collection of billions of data points allows social media companies – using sophisticated algorithms – to analyze user behaviour in order to refine their services, and to identify ways to generate revenue. It can also enable others, such as researchers, employers, school administrators and law enforcement, to learn more about individuals and their activities.
This is the Age of Big Data, where personal information is the currency that Canadians and others around the world freely give away.
The OPC and Social Media
My Office has a mandate to ensure private sector compliance with the Personal Information Protection and Documents Act – or PIPEDA, which applies to the commercial use of personal information by social media companies operating in Canada.
Over the course of the past five years, we have engaged with, and conducted investigations into, many players in the industry, both big and small. A significant part of our recent research and policy work has focused on understanding and explaining to others the privacy implications of the social media phenomenon.
Ever mindful of the importance of innovation in today’s digital economy, we have tried to strike a reasonable balance between companies’ desire to experiment with new products and services, and an appropriate level of protection of Canadians’ personal information.
Key Privacy Issues
That said, I have become concerned about the apparent disregard that some of these companies have shown for Canadian privacy laws. Although we have made some headway with some of these companies, I would like to identify the following significant privacy concerns that I believe require more attention on the part of all social media sites. They are the issues of accountability, meaningful consent, limiting use and retention.
The first is accountability. Too often we have seen privacy concerns being addressed after a major problem is uncovered or there is a backlash on the part of users. While it appears that many of the major players are making improvements on this front, the social media world is constantly evolving, with new entities popping up regularly, in a hurry to get their new service on the market. Privacy does not appear to be a top priority for them.
This is one of the reasons that my Office, together with my counterparts in Alberta and British Columbia, recently issued accountability guidance to companies on the internal privacy processes and procedures that need to be in place, including having an individual in charge of privacy.
The issue of meaningful consent is critical. Social media companies need to clearly explain the purpose behind their collection, use and disclosure of personal information, and what third parties – such as application developers – they are sharing this information with. And they have to clearly obtain users’ consent.
This is a particularly challenging issue since privacy policies tend to be too long, too convoluted, and largely ignored by users. Providing adequate information that users can easily understand, read and consent to is a challenge for social media companies and data protection authorities.
Further complicating the issue of consent is the fact that children are online from an increasingly young age. The youngest users may not yet be able to provide meaningful consent required under PIPEDA.
The next is limiting use. Social media services are constantly evolving in an effort to be innovative and competitive. This has meant that personal information can be used in new, and sometimes, unexpected – even unwelcome – ways. It is important to keep users properly informed, explaining new features in a timely fashion, and seeking their informed consent for new uses of personal information. I think we also need to learn more about how personal information on these sites could be used, beyond advertising, and the onus should be on social media companies, as with all other organizations, to be fully transparent about their personal information practices.
Another issue of concern is organizations failing to establish retention schedules of personal information and true deletion options for individuals. Social media companies need to be clear about how long they retain the personal information they are collecting. They should also spell out how they treat personal information differently when an account is de-activated versus when an account is actually deleted. Under PIPEDA, firms are obliged to keep data only as long as is necessary for a specific purpose and then they must destroy it.
Vast quantities of data, often located in other countries, can also pose security issues.
Honourable Members, as you proceed with your study into privacy and social media, you may wish to use these principles – that of accountability, meaningful consent, limiting use, and retention– as a guide for assessing how social media companies protect the personal information of Canadians.
In public opinion polling commissioned recently by my Office, we asked more than two thousand Canadians about social media. 83% of respondents said online companies should be asking for explicit permission before tracking their Internet usage and behaviour. Clearly Canadians value their online privacy. That is why we feel it is so important to hold companies to account for how they collect and use personal information.
To that end, my Office has made steady progress with the tools available to it under PIPEDA, but I believe much more needs to be done. The reach of digital companies using Internet and mobile technologies to collect and share personal information will only grow in the coming years.
My Office has been conducting extensive research and analysis in preparation for the second mandatory five-year review of PIPEDA by Parliament, which is now past due. We are giving serious thought to how the current regime, which predated all these novel technological developments, should be modernized to keep up with the times. Top of mind is how the existing enforcement powers could be further strengthened to curb industry non-compliance and encourage greater accountability from companies for the personal information they collect, use and share with others.
In recent years, there has been a trend internationally towards more robust enforcement powers. Canada has long been a leader in terms of privacy protection laws, but we now risk falling behind.
I look forward to sharing my Office’s detailed position on this matter when the Parliamentary review gets underway.
And with that, I would be happy to take your questions.
- Date modified: