Winning better privacy protection with PIPEDA

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks to the Ontario Bar Association

September 17, 2009
Toronto, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

People think of me as a Montrealer because I have lived there for decades, or an Ottawa person, because I work there during the week… but I am, in fact, a displaced Torontonian.

And so it always gives me considerable pleasure to return to this city. So I thank you for the opportunity to speak with you today. 

I know that people in this audience represent many different areas of practice within the law, and your interests in privacy may be quite specific to those areas.

Still, as members of a profession that, more than any other, protects the rights of Canadians, I hope that you also maintain an interest in the broader aspects of privacy.

Overview

As Privacy Commissioner, my job is to oversee the application of the federal public-sector privacy law, the Privacy Act, and the private-sector legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

Privacy issues appear in almost every corner of the law, from national security matters to immigration, commercial transactions, criminal law and the way governments collect, use and disclose personal information about us.

I would do an injustice to the subject if I tried to cover more than a few of these areas in the time available here today.

Instead, I propose to focus on two private-sector privacy cases that gained prominence recently, to show you where progress can and is being made.

The first involves our investigation into the privacy practices of Facebook, the hugely popular social networking site.

The second involves a U.S.-based company called Accusearch, which routinely collected, used and disclosed personal information about Canadians.

After that, I would be happy to take any questions you may have.

Social Networking

No doubt you are all familiar with social networking sites such as MySpace, Facebook, LinkedIn and Twitter.

In the past handful of years, hundreds of millions of people around the world have joined such sites, in order to keep in touch with friends, family and colleagues, and to meet new people.

This represents a dramatic shift in the way people communicate. It also alters people’s concepts on what it means to have a private life or a sense of privacy. 

Without question, social networking facilitates human interaction. But it can also undo lives if people are not careful.

The fact is that many people are ready to expose the intimate details of their lives on these sites. The issue, from a privacy perspective is: Who gets access to that information, and how do they use it?

The reality is that such exposure can backfire. We know that employers sometimes troll online for information about job applicants. And so applicants who want to come across as refined and respectable in a job interview had better not be posting pictures of their weekend debauchery online.

My Office has been warning Canadians about the potential for such consequences. Moreover, as you may have heard earlier this summer, our Office was able to get Facebook to take some significant steps to enhance the privacy protections of users in Canada – and, indeed, around the world.

Facebook Complaint

As you may know, Facebook is the world’s most popular social networking site, with more than 250 million users -- nearly 12 million of them in Canada.

Our Office examined the company’s privacy practices and policies following a complaint in May 2008 from CIPPIC, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic.

This made Canada the first country in the world to complete a comprehensive investigation into Facebook’s privacy practices.

The complaint, made under PIPEDA, concerned 11 aspects of the social networking site. Key issues included:

  • the site’s default privacy settings;
  • the collection and use of personal information for advertising purposes;
  • disclosure of users’ personal information to third-party application developers,
  • and the collection and use of personal information of people who were not themselves on Facebook.

A central issue was knowledge and consent. We wanted to know whether Facebook was providing sufficient information for users to give meaningful consent to the collection, use and disclosure of their personal information.

We also wanted to see whether that information was being conveyed to them in a clear and transparent way.

Facebook’s retention of personal information was another issue of concern, especially in relation to users who wanted to deactivate or delete their accounts.

Security safeguards also figured prominently in the allegations, particularly in relation to the million or so third parties who develop games, quizzes, horoscopes and other applications that run on the Facebook platform.

What we Found

Our investigation wound up in July. Assistant Privacy Commissioner Elizabeth Denham, who lead the investigation, concluded that there was no evidence of any contravention of PIPEDA in four areas, including allegations of deception and misrepresentation by Facebook. 

In other areas, related for instance to the default privacy settings, and the collection and use of user’s personal information for advertising, we found that Facebook had, in fact, contravened PIPEDA. However, the Assistant Commissioner was satisfied that the concerns were resolved by remedial measures proposed by Facebook.

In other areas, however, we found that Facebook’s activities were not in line with PIPEDA. 

Our concerns related to:

  • third-party applications;
  • account deactivation and deletion;
  • the accounts of deceased users, and
  • non-users’ personal information.

Facebook, for instance, was not doing enough to ensure that meaningful consent was obtained from individuals when their personal information was being disclosed to third-party application developers.

Those hundreds of thousands of developers, in turn, had virtually unrestricted access to the personal information of users – and, in fact, their friends.

Facebook did not immediately agree to adopt our recommendations in these four key areas of unresolved concern.

The Assistant Commissioner asked Facebook to reconsider her recommendations, and gave them the statutory 30 days to accept the recommendations or to introduce acceptable alternatives.

She also continued to discuss and negotiate with them.

Then, late last month, Facebook agreed to retrofit its application platform – a significant technological challenge – to restrict the flow of personal information to those million or so application developers.

Once the changes are in place, developers will be unable to gain access to users’ personal information without the users’ explicit consent.

Facebook also agreed to changes to help users better understand how their personal information will be used. They’ll also be able to make more informed decisions about how widely to share that information.

I have reviewed these promised improvements and will be following up with Facebook as the changes are implemented.

Legal Powers

I think it’s important to underscore that the Privacy Commissioner of Canada has no direct powers of enforcement under either the Privacy Act or PIPEDA.

PIPEDA does, however, authorize the Privacy Commissioner to apply to the Federal Court to seek enforcement of the Act.

And so we were not without a remedy if Facebook had refused to act on our recommendations.

And yet, in the five years since PIPEDA has been fully in place, we have rarely had to go to court.

In this case again, we were able to use our powers of persuasion to get Facebook to pledge significant improvements to the operation of their site. Those enhancements, moreover, are not restricted to Canada; they’re going to apply everywhere in the world.

Even global giants like Facebook acknowledge that implementing our recommendations is the right thing to do.

So this is a huge win for privacy – in Canada and around the world.

Accusearch

Aside from Facebook, the other important case I would like to discuss again involves the Internet – but this time with an added jurisdictional twist.

The case involved Accusearch, Inc., a Wyoming-based company operating an online business under the name Abika.com.

Abika offered a range of search services on individuals by having third-party researchers obtain personal information about those people from public and private records and databanks.

The company also offered a service under which it compiles what it refers to as “psychological profiles” of the behaviour and personal traits of individuals.

Our Office received a complaint back in June 2004. It alleged that Accusearch routinely collected, used and disclosed the personal information of Canadians -- for inappropriate purposes and without their knowledge or consent.

The complainant further alleged that, even though Accusearch was based in the United States, its actions violated Canada’s PIPEDA law.

We initially declined to investigate the complaint, citing a lack of jurisdiction. On judicial review, however, the Federal Court acknowledged the difficulty in investigating an entity located outside Canada, but confirmed nevertheless that our Office had jurisdiction to investigate.

And so we launched our own investigation of Accusearch and its Abika.com site, largely on the basis of information furnished to us by the U.S. Federal Trade Commission.

What we Found

Our investigation concluded that Accusearch had violated key provisions of PIPEDA in its collection, use and disclosure of the personal information of residents of Canada.

In particular, we found that it disclosed the personal information of Canadians, without their knowledge or consent, to third parties.

What’s more, we found that the company typically accepted and fulfilled requests for personal information without considering whether the request was for an appropriate purpose.

Indeed, we determined that the company in some cases had knowingly turned over personal information for purposes that a reasonable person would consider highly inappropriate.

One element of the complaint related to the accuracy of the personal information that was disclosed about the complainant in a prepared “psychological profile.”

We dismissed this portion of the complaint on the grounds of insufficient proof. The Assistant Commissioner did, however, underscore her suspicions that much of the psychological profile was highly questionable and inaccurate.

Outcome

The Assistant Commissioner recommended that Abika.com stop collecting, using and disclosing the personal information of people living in Canada without their knowledge and consent.

The company did not provide a substantive response to the recommendations within the set time limit, and we did not consider it reasonable to grant a request from its American counsel for a time extension.

Trans-border Issues

In the meantime, the U.S. Federal Trade Commission had separately investigated Accusearch’s activities, successfully bringing suit before the District Court for the District of Wyoming to curtail the sale of confidential consumer information.

The U.S. Tenth Circuit Court of Appeals recently affirmed the lower court ruling.

The appeal case related to data flows between the U.S. and Canada, how data-brokers collect, use and disclose personal information without the knowledge or consent of the individual concerned, and how online trade in personal information affects privacy rights.

Considering our Office’s involvement with Accusearch, and the cross-border nature of the issues, we were granted leave to file an amicus curiae brief in the appellate proceedings.

Our brief outlined how the Court’s decision would have a direct impact on the privacy rights of Canadians and on the business reputation of Canadian organizations affected by the actions of data brokers.

Our brief stressed in particular that the unauthorized collection, use and disclosure of personal information over the Internet by data brokers can cause harm, and has extra-territorial effects.

In its decision, the Tenth Circuit Court of Appeals said the company knew that its researchers were obtaining confidential information through fraud or illegality.

In so doing, the business “knowingly sought to transform virtually unknown information into a publicly available commodity.”

As a result of this decision, Abika.com remains under an injunction prohibiting it from trading in confidential customer phone records, as well as other non-public “consumer personal information,” without express written permission from the consumer.

Cross-border Co-operation

This U.S. appellate decision clearly recognizes the harm to privacy resulting from the unauthorized online trade in personal information. It offers important new protection to citizens on both sides of the Canada-U.S. border.

I should add that the Court’s recognition that this company’s practices are illegal under U.S. law has led to greater consistency between our two countries in terms of how we deal with privacy.

This, in turn, will help to guide organizations that are considering outsourcing data-processing functions to the U.S. It will also help boost the confidence that individuals need when they conduct business over the Internet.

In sum, this case marked an important advance in international co-operation and collaboration – an approach that will become increasingly necessary to protect privacy rights on both sides of the border.

Conclusion

I will just wrap up by saying that the Facebook and Accusearch cases were only two of the many cases our Office handles each year.

Without doubt, taking on complex investigations such as these strains the resources of the Office.

And yet, we have made gratifying progress.

Which is vital because the stakes are immense. Consider, for example, that commercial activities that take place over the Internet, no matter where in the world they are practised, can affect the lives and privacy of millions.

The Facebook case showed that we can persuade large and powerful enterprises, even ones based abroad, to change their worldwide practices. 

And the outcome of the Accusearch case gives hope for greater harmonization of privacy standards across borders, a necessity in a world where information flashes across national boundaries at the speed of light.

I thank you for your attention and I welcome your questions.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: