Ensuring a Safer, Stronger Online Marketplace: The Privacy Perspective
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at Canada’s Digital Economy: Moving Forward Forum
June 22, 2009
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Let me begin by explaining what the Privacy Commissioner of Canada is doing at a forum on the Digital Economy. In today’s interconnected, digital world personal information is being collected, used and disclosed in used in ways that raise fundamental privacy issues. As a result, we have become involved in issues as diverse as deep packet inspection, online social networks and street level imaging.
In examining these issues, we need to look at the Internet and the online marketplace from a global perspective.
When Canadians go online to chat with their “friends”, plan their next vacation, update their social networking page, do online banking or download music, they are using a global infrastructure that does not acknowledge national boundaries.
Their friends may live on the other side of the world; the searches they conduct are likely to be warehoused in a server in the United States; and their credit card transactions may be processed almost any where in the world.
People need to feel secure when they go online. They don’t want to worry about whether an e-mail from their bank is really a phishing attack. They want to have confidence that their personal information will be protected and that their privacy will be respected.
However, the features that make the Internet so attractive – its global reach, openness and anonymity – are also potential vulnerabilities.
We want a safer, stronger Internet but the evidence suggests that, in fact, online threats are evolving and becoming more sophisticated and more targeted.
For example, the U.S. Federal Trade Commission recently warned that scammers – taking advantage of the mortgage crisis – have been sending phishing e-mails designed to look as if they were from a financial institution that had recently acquired a consumer’s bank or mortgage.
Responding to the Threats
So how can we respond to these threats? How can we make the Internet safer?
Clearly, there is an important role for governments.
I was pleased to see that during the recent Parliamentary session the federal government introduced legislation to amend the Criminal Code to tackle identity theft.
The bill is important. It creates new offences related to obtaining, possessing and trafficking in identity documents or identity information and it provides a means for victims to seek compensation for the costs incurred as a result of the fraud.
But we can’t stop there. As I have repeatedly said, what we really need is a multi-stakeholder, broad-based identity fraud strategy.
As I am sure you know, Canada is the only G-8 country without anti-spam legislation another point I have made repeatedly over the last several years, and Bill C-27 fills an important void.
I support the legislation. The ECPA think it strikes the right balance between giving people greater control over the e-mail and text messages they receive while allowing legitimate businesses to continue to communicate with their clients and customers.
And the legislation will help us fulfill our mandate to promote the protection of personal information.
I hope that we will soon see amendments to the Personal Information Protection and Electronic Documents Act requiring organizations to notify individuals and our Office when data breaches occur that create a risk of harm to individuals.
We recently completed an analysis of the private-sector data breaches voluntarily reported to our Office between 2006 and 2008 in order to better understand how breaches are happening and how to prevent them.
One conclusion is that too many organizations continue to underestimate the market value of personal information and thus also underestimate the security risks and the need to protect personal information.
We also found that human error is often a factor, which is why training is critical.
We have been asked to come up with concrete suggestions for action, so let me my ideas.
Identity theft legislation, an anti-spam act, and breach notification – these are all important elements of what could be a comprehensive national strategy to respond to the growing cyber-threat challenge.
And I would add a fourth action item – the need for federal leadership to encourage common standards to protect personal health information. I was interested in Mr. Alvarez’s comments about the progress that has been made in this area, but from my perspective, many critical issues remain unresolved.
The Privacy-Security Intersect
Privacy and security are mutually reinforcing. Minimizing the amount and the sensitivity of personal information collected makes protecting privacy easier; and robust security enhances privacy.
But I would be remiss if I did not also acknowledge that there can be tension between cybersecurity and privacy.
We were reminded of this last week with the introduction of lawful access legislation and a set of amendments to the Criminal Code that enhance the ability of law enforcement agencies to obtain access to telecommunications data.
Global Threats Require Global Solutions
The threats we are facing – spam, identity theft, cyber attacks – are global. We need to work collectively with our international colleagues to find global solutions.
As an aside, I am pleased that the new anti-spam legislation significantly expands my ability to share information and collaborate with my international colleagues.
Protecting privacy, enhancing security and building confidence cannot be done solely on a country-by-country basis.
I am increasingly working with privacy commissioners and their equivalents, as well as the private sector, around the globe to enhance the enforcement of Canadian standards for information privacy and security in a way, which protects individuals without compromising innovation in the digital world.
- Date modified: