What next after Web 2.0?

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.

Remarks at the International Institute of Communications Conference

October 26, 2009
Montreal, Quebec
Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Thank you for the opportunity to speak, especially among such a distinguished and experienced group of presenters and attendees.

As some of you may have heard, my Office has some experience with the operations of online applications, whether we refer to them as Web 2.0 or Web 3.0.

Our recent investigation of Facebook, I feel, has demonstrated that companies providing online services must take specific steps to respect and protect the privacy rights of their users – whether they are Canadian or not.

As a regulator, I only need to refer back to the legislation that governs the collection of personal information by private sector companies – the Personal Information Protection and Electronic Documents Act.

PIPEDA, as it is called, creates a clear set of obligations for companies conducting business in Canada. This includes companies who deliver services virtually and through the cloud – like social networking sites, third party accounting services, and firms contracted to collect, process and store corporate data.

This also includes the new generation of web applications. It makes sense for companies to build a business model around the power, flexibility and low cost of distributed computing power. Basic economic theory tells us a company should focus its human and capital resources on delivering the best products possible.

It's obvious that some basic corporate services, especially for smaller companies trying to establish themselves in the marketplace, could be contracted out. For that reason, my Office has issued guidance on the proper protection of personal information as it crosses international boundaries.

My colleagues among the European data protection authorities have provided similar guidance.

That said, the developers of new Web 3.0 applications should remember that the information entrusted to them is a vital asset. Their business will suffer if their users suspect their information is poorly protected or misused.

My office has conducted research to examine why Canadians share information with online applications.

A common message? The average Canadian assumes that the application developer is taking all the necessary steps to protect their information from abuse, theft and loss.

They assume that application developers are using the information only to provide the services the user originally requested.

When confronted with examples where their information has been used for secondary purposes, their reaction varies from blind acceptance, to growing irritation, to a sense of personal betrayal.

Companies operating distributed computing applications HAVE to understand this. They cannot make decisions about how to collect, handle and distribute the information of their users without first establishing a clear agreement with their users.

Without trust, their business will fail.

I feel that PIPEDA provides a framework to encourage this relationship.

It clearly establishes the principles and guidelines that all companies – online or offline – must follow if the personal information of Canadians is to be safeguarded appropriately.

The new world of distributed computing presents a challenge for privacy regulators as well as the developers of next generation applications and services.

We must learn to build businesses that take existing privacy protections into account while still encouraging innovation.
