New Frontiers for Privacy – Canadian Perspectives

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Launch of the Montevideo Memorandum

Mexico
December 3, 2009

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

Versión en español


It is truly an honour to be here in a country that is a friend to Canada, and before such a prestigious assembly.

We started the day with a presentation on the Memorandum of Montevideo.

There is a special connection between Canada and the Memorandum, firstly because of the financial contribution from our International Development Research Council (IDRC) that allowed the memorandum to be drafted and me to participate in the discussions in Montevideo and secondly, because both Canada and the Memorandum explore new frontiers in privacy.

Canada’s expansive research into Facebook practices and the provisions of the Memorandum of Montevideo offer legislators, educational authorities and social networking companies a reference for defining those new frontiers—the boundaries of privacy that should not be violated.

It has oft been said that the Internet has no frontiers, and that is true, but there are indeed frontiers to privacy—hence the title of my presentation.

Why new frontiers? Because the Internet is a new living space, a place to shop, a place for relationships, a meeting place, in which privacy is subjected to new pressures, still without clear boundaries. ComScore statistics show that more than a billion people age 15 or older visited the Internet in 2008—eighteen percent of them from North America and seven percent from Latin America.

The challenge, particularly in relation to young people, is to establish new frontiers

  • within an open and transterritorial space
  • while ensuring both exposure and anonymity
  • that generate their own unprecedented culture of interaction and their own challenges of interaction and, more importantly,
  • with respect to a vulnerable population.

The main intention I wish to project in my presentation is to illustrate how the Office of the Privacy Commissioner of Canada has clarified the definition of frontiers of privacy on the Internet and how we intend to continue in that direction.

My presentation will be in four parts:

  • First, I will explain the social and legal context in Canada that determines the scope of our work.
  • Second, I will explain the general problem in Canada with respect to social networks and then focus on problems specific to young people.
  • Third, I will talk about the research carried out with respect to Facebook and its process.
  • Finally, I would like to present some strategies to address the general issue of privacy of young people on the Internet.

First, a description of the legal and social context in Canada with respect to privacy.

  1. Social and legal context

1.1  Social context

Almost 12 million of the Canadian population of 33 million people have a Facebook account.
Of those 12 million:

  1. 1.9 million are very young - between 13 and 18
  2. 3.3 million are between 18 and 24
  3. 56 percent of users of all ages are women.

Currently, young people communicate as much over the Internet as they do by phone.

1.2  Legal context

Having looked at the social context, we may now move on to the legal context.

The Canadian legal system for the protection of privacy is divided, but solid.

It is divided because Canada is a federation with a constitutional division of powers between the federal government and the provinces and territories. The federal government has jurisdiction over all matters that are national, international or inter-provincial, and the provinces and territories have jurisdiction in matters of local application.

This means that:

  • We have a federal law on the protection of privacy in relation to the federal public sector; 250 federal institutions are subject to a federal law protecting personal information.
  • A federal law to protect privacy in relation to the private sector applies only in provinces that have no established law in this area.
  • There are provincial laws that apply to the provincial public sector.
  • In some provinces, provincial laws apply to the private sector.

In addition, as part of the Constitution, the Charter of Rights and Freedoms protects the fundamental right to privacy.

The Criminal Code also contains relevant provisions. In that regard, the federal government last week introduced a bill requiring Internet providers to alert police to the existence of child pornography sites.

The system is solid because:

  1. It includes constitutional protection of the right to privacy
  2. It is supported by a structure of conformity ensured by provincial and federal offices that provide the resources and independence necessary to perform their functions.

That is, in general, the legal framework for the protection of privacy in Canada and, therefore, the legal tool to protect the privacy of young people. I will now begin with the general problems.

  1. General problems with social networks

The Canadian experience has revealed three major, general concerns:

  1. Breadth of dissemination unknown to and uncontrollable by the user
  2. Excessive retention of personal information by companies that is not well understood by users: secondary, unauthorized use of personal information, e.g., for marketing purposes.
  3. Intrusions by, for example, business owners, employers or insurance companies.
  • These concerns that are developing across the board have more impact on young people. And in addition to these general concerns, there are specific concerns applicable to them. Our research shows that young people in Canada, perhaps around the world:
  • Do not have the necessary knowledge of the parameters of confidentiality of Web sites and, therefore, do not give the informed consent to these parameters that is required for their protection
  • Have a sense of privacy that is different from that of adults, including business owners or potential employers
  • Are victims of predators, bullying and identity theft.

More precisely, in the winter of 2009, we held focus groups with close to 150 young people in various parts of Canada to determine trends and attitudes. This is what we found:

  1. Young people have an unsubstantiated expectation of privacy in their relations over the Internet.
  2. Young people place all responsibility for their privacy on the social networking companies.
  3. Young people disseminate their information very broadly, e.g., they may have up to 800 "friends" on Facebook.
  4. Finally, young people are more or less aware of the access to and use of their personal information by third parties - for example, for marketing purposes or employment.

Research provided by Ryerson University and sponsored by the Office of the Privacy Commissioner of Canada reveals that young people are concerned about their privacy but that their view of privacy is very different from that of adults.

The discrepancy lies therein: young people feel that their information, although available on a social network, remains private because it is theirs. Adults, such as business owners and potential employers, believe that such information is public and deserves no protection when it is available on a social network.

This discrepancy decreases when young people approach the age at which they enter the labour market. Girls are more concerned than boys with protecting their personal information and tend to do so.

3. Our research into Facebook

Our research into Facebook specifically illustrates the problem of privacy on social networks.

It all began in May 2008 when a research clinic at the University of Ottawa, the Canadian Internet Policy and Public Interest Clinic or CIPPIC, filed a complaint with our office against Facebook, claiming privacy violations.

Since Facebook has operations in Canada and users in Canada, we had territorial jurisdiction to exercise our powers of inquiry into Facebook’s practices.

Thus began a process that was presented in a report by our office in July 2009 that recognized the validity of some of the allegations and made recommendations to Facebook to change certain practices related to privacy protection. Facebook had 30 days to respond and accept the changes. Had it not done so, we were prepared to go to court.

Facebook did not want to go to court for many reasons that we can imagine and has accepted our recommendations. It has begun to make the necessary changes.

In addition, Facebook CEO Mark Zuckerberg notified all Facebook users—350 million worldwide—of a fundamental reform to its privacy parameters.

In summary, our main conclusions with respect to Facebook fall under two categories: (1) the need to better explain privacy settings and (2) better protection of privacy.

Certain Facebook practices need to be better explained and justified, such as the collection of birthdates, privacy settings, advertising and the monitoring of irregular behaviour.

  • Certain practices have to change:
    • Facebook needs to better protect access to users’ personal information by third parties.
    • The difference between deactivating and deleting accounts must be clearer.
    • The Facebook policy on keeping personal information on deceased persons for commemorative purposes must be better explained and subject to consent.
    • Finally, Facebook must assume more responsibility in relation to protection against collection and disclosure of personal information of non-users.

As we know, Facebook has accepted all our findings and recommendations, and will apply them internationally.

All our recommendations to improve information on parameters and privacy have been applied. To be specific, Facebook has:

  • Clarified the distinction between deactivating and deleting accounts,
  • Clarified the policy of keeping personal data for commemorative purposes, thereby improving the quality of consent
  • Warned users that they must obtain non-users’ consent before disclosing their personal information.

We have negotiated with Facebook to allow it one year to implement all our recommendations. Facebook is developing:

  • Protection against access to personal information by third parties with
    1. Increased user control over the disclosure of their personal information to third parties
    2. Enhanced user information on the use of their personal information.
  • New privacy settings

Facebook has until August 2010 to implement those changes.

4. Strategies to protect the privacy of young people

In addition to the Facebook survey, our office is continuing its work with a focus on prevention and enforcement of the law to protect the privacy of young people on the Internet as a priority.

That means concentrated efforts and activities specific to young people, such as:

  • Public education specific to young people, their parents and the education system, for example,
    • A "blog" for young people
    • Informative material aimed at young people
  • Empowerment activities involving young people in determining privacy issues, for example,
    • A video contest on privacy in secondary schools.
  • Research to analyze relevant social and technological trends
    • some specific to our office
    • others in universities but financed by our office
  • Practical information can be found on our Web site

These efforts are aimed at users, but this is only part of the problem. As Dr. Gregorio said in his presentation of the Memorandum of Montevideo, the other part, the other essential goal of our efforts, is to create in social networking companies a more secure means of exchanging personal information. And we will continue in that direction.

We also believe in international collaboration in light of a movement that transcends borders.

My presence here is an illustration of our openness in that regard.

Thank you very much

Date modified: