When Everyone and Their Mother is a Content Provider: The Principle of Privacy at the Heart of the Social Revolution

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the CRIM Crystal Ball Conference

April 7, 2010

Montreal, Quebec

Address by Jennifer Stoddart

Privacy Commissioner of Canada

(Check against delivery)


Introduction

I am pleased to join you here today. It is very important to me to take every opportunity I can to speak to an audience of IT experts, since technology and privacy are the very essence of our day and age.

Let me introduce myself. I am an Officer of Parliament, which means that I report directly to the House of Commons and the Senate, like other officers of Parliament such as the Auditor General Sheila Fraser. In the relatively short time that has passed since I took over as Privacy Commissioner, I have witnessed significant change.

When I arrived in Ottawa in 2003, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare or iPhones.

Although things have changed dramatically over the past decade, it is more than just the result of technological advancements — there are other drivers of change, including globalization.

With that in mind, the perspective of privacy advocates is different from that of IT experts. If I say “user-generated content,” you automatically think, “copyright and fair use,” while I think “consent and control by the individual.”

My objective today is therefore to help you see things from our perspective at the Office of the Privacy Commissioner, which acts as both a privacy advocate and a regulatory body.

Since the purpose of this conference is to look to the future, I will discuss the drivers of change that we think have the greatest impact: first, globalization and transborder data flows, and then the impact of new Web applications on privacy in the context of this new social norm that is talked about so much these days.

A regulator’s perspective

We have to cooperate with our provincial colleagues on matters that affect all jurisdictions. For example, we will be working closely with the Commission d’accès à l’information du Québec in our discussions with Google concerning Street View.

So far, the federal private-sector law that I oversee has served its purpose, even in this increasingly complex global environment. Time and again, we have been able to apply the law to technologies and business models that didn’t even exist when PIPEDA came into force nine years ago.

Our investigations of Facebook, the one we concluded last summer and the one that is underway now, underline the effectiveness of PIPEDA’s flexible, principles-based approach that is somewhere between the market‑based strategy adopted by the United States and the more prescriptive European method.

The success of our first investigation of Facebook, the U.S. social networking giant, demonstrated that PIPEDA can apply to the commercial collection of citizens’ personal information by foreign commercial entities, even if they are operating entirely online.

Another key issue that was raised is how to draw the line between personal and commercial uses of personal information. Facebook users themselves are the ones who decide what information they are willing to post on the site to carry out their social networking. That information in itself does not fall under PIPEDA.

However, the moment Facebook uses the information for commercial purposes, the law applies and the commercial entity becomes responsible for safeguarding the data.

We’ve also recently dealt with some interesting questions arising from another new business model as part of our work with street-level imaging service providers Google Street View and CanPages.

We’ve discussed how consent can be obtained with both Google and CanPages. People need to know in advance that street-level images are being taken, when, and why, and how they can have their image removed if they don’t want it to appear online. This can be achieved with clear markings on vehicles and through notification in the media.

Globalization and regulation

The second driver of change that has a considerable impact on data-protection authorities is transborder data flows in an age of increased globalization.

We all know that data knows no borders. With virtual businesses and cloud computing, data flows are instantaneous and global.

Some of this data winds up in countries with less robust privacy protection regimes than our own.

Another challenge faced by data-protection authorities as a result of globalization is that we receive complaints against online companies that have no physical presence in our respective jurisdictions.

In the Facebook investigation that we conducted last summer, we were successful in getting a U.S.-based company to commit to complying with our laws. On the other hand, in the case of an American online data broker called Abika.com, we had to rely on the U.S. Federal Trade Commission for enforcement.

Last fall, at the International Conference of Data Protection and Privacy Commissioners, everyone wanted to talk to me about the same thing: Facebook.  

This isn’t a surprise considering that the changes Facebook made have benefited all of its users, anywhere in the world. When we released the findings of our investigation, the site had 300 million users. Today, there are 400 million, 70% of whom are outside the U.S.Footnote 1

Faced with a global network, we need to adopt a flexible, efficient approach to global privacy regulation.

But no matter what countries do within their own borders, it’s becoming increasingly apparent that that’s not enough. Worldwide data flows are demanding global solutions.

That is why my office is exploring ways to increase collaboration with data-protection authorities – at the provincial level, as well as in other countries. It’s about building common rules and standards, as well as a coherent and shared approach to enforcement.

Let me give you a quick overview of some of the leading initiatives underway around the world.

  • Last fall in Madrid, dozens of the world’s data-protection authorities endorsed a draft international standard on privacy protection.
  • Important work is also unfolding within APEC, and Canada is at the table. APEC’s Data Privacy Subgroup is working on cross-border privacy rules.
  • Discussions will be held shortly on how the guidelines adopted by the OCDE 30 years ago have been put into practice, and I have been asked to head a working group on this matter. My office will help draft a discussion paper looking at privacy and personal information in the 21st century.

Social changes

One more driver of change I want to mention is the social norms that have been evolving rapidly over the past decade.

Most people today want to be online. Ten years ago you might have asked someone if they had access to email. Today, it’s become practically inconceivable that someone would not be online. You should see the looks I get when I mention that I’m not on Facebook.

But where we’re seeing differences is in what people do online – the extent to which they are prepared to post their personal information.

Young people have a different concept of privacy than previous generations did.

That said, however, I disagree strongly with the fashion, in some circles, to declare privacy as good as dead. There are fewer and fewer among us who would argue that to have true privacy we have to live our lives behind closed doors, and that the best way to protect our personal information is to never disclose it, never mind post it online.

But it would be wrong to say that those individuals who choose to join a social networking site or contribute in some other way to Web 2.0 do not value their privacy. 

All the evidence we’ve seen from our own polling of young people underscores that privacy remains a deeply held value. Another survey, conducted by Natural Resources Canada, showed that the vast majority of Canadians want the federal government to regulate the application of new technologies to protect their privacy.

Regardless of how people choose to act, they maintain a powerful belief that the choice must be theirs. Increasingly, the disclosure of personal information boils down to knowledge and consent.

Look at what happens, for instance, when a social networking site makes a change to its privacy policy. Its users are all over it. They’re hard to ignore, and companies are wise to listen.

The impact of technology on privacy

Of the many challenges we face, none is more dramatic than the impact of technology.

Much of the content swirling through this Web 2.0 world is generated for the most part by individuals, which poses new challenges for regulators and our society as a whole.

Concepts of consumer knowledge – never mind consent – are become increasingly strained.

Privacy issues have traditionally come up in the context of interactions between one person and an organization. 

Increasingly, however, we are seeing that the most critical privacy risks stem from systemic threats related to rapidly changing information technologies. These types of threats, although they can have significant consequences, are generally not the types of issues that the average person would think to complain to us about.

We have received very few complaints and information requests to date concerning social networkingFootnote 2. However, each complaint that we investigate is very complex, from a technological perspective and from a legal perspective. Technologically speaking, we have to look at very sophisticated Web applications, which we rarely had reason to do before. On the legal end of things, we have to apply the law to issues that were inconceivable at the time this law was developed.

So far, PIPEDA’s neutral stance on technology-related matters has worked to our advantage: We have successfully applied the law to all of the cases that have been brought to our attention. And we don’t expect the rate of technological advancement to slow down any time soon — Quebec is no stranger to innovation, a practical application of creativity. The vitality of Montréal’s IT community is an excellent example.

Consultations on the impact of new technologies on consumer privacy

In anticipation of the five-year review of PIPEDA scheduled for 2011, my Office is currently organizing roundtable discussions to be held here in Montréal on May 19, as well as in Toronto this month and in Calgary in June. The roundtables will bring together representatives from industry, government, consumer associations, civil society and other interested parties. They will focus on some of the most important emerging issues in privacy — behavioural advertising, cloud computing and location-based data.

Our plan is to explore the privacy implications of each of these technologies and determine whether PIPEDA is able to meet those new challenges without standing in the way of progress. For example, there are issues of consent in behavioural advertising; questions of jurisdiction and adequate safeguards in cloud computing; and limitations on the collection, use and disclosure of personal information arising from location-based data.

Another objective of the roundtables is to help inform our own policy positions on these three technologies, which are likely to play a larger and larger role in the complaints and information requests that we receive.

Conclusion: A wish list

In light of the colossal changes we have seen over the past ten years alone, it would be foolish to try to predict what the next decade will hold.

Many of our initiatives have been successful so far. However, our successes have hinged on the co-operation and goodwill of organizations that are willing to submit to the authority of Canadian privacy law. But will this always be the case?

We need to make sure that respect for privacy rights does not stand in the way of innovation. This is an objective shared by our counterparts at the European Commission, which recently announced funding for the PRESCIENT project. This project is aimed at informing a new personal information protection framework that takes into account emerging technologies by promoting reflection, dialogue with concerned parties and, most importantly, the integration of safeguards at the design stage of new products and services.

This is not a new idea. For more than a decade, privacy advocates have been touting the benefits of considering privacy matters at the design stage. This principle, known as Privacy by Design, is meant to ensure that respect for privacy is not a reaction to regulatory measures, but rather a routine part of a company’s model for designing products and services. My Ontario counterpart, Ann Cavoukian, has been promoting this concept since the 1990s, and her hard work and tireless efforts have played a key role in bringing this issue to the forefront.

However, during a meeting in Toronto two weeks ago with the who’s who of privacy experts, Assistant Privacy Commissioner Elizabeth Denham asked the crowd for an example of a system or product designed with consideration for privacy. Out of the hundred or so people in the room, not a single one was able to give an answer.

Professor Ian Kerr from the University of Ottawa has begun promoting the concept of Privacy by Default, the protection of personal data as the default way of operating. He recommends that we ask questions prior to introducing a new technology, even before we think about improving the product.

However, after the announcements made by Facebook last December and the launch of Google Buzz in February, I can’t help but wonder whether there shouldn’t be a regulated standard, mandatory for new products and services, to allow for simpler implementation and an integrated application.

On the one hand, we often hear multinationals, particularly Web 2.0 giants, say that they support the privacy rights of their users. When we take a look at their actions, however, it is clear that they are merely paying lip service.

This is why I want to wrap up this address with a list of suggestions for you in the IT field to encourage you to continue to do your part.

  • Make sure that you have users’ consent prior to launching an application that uses personal information.
  • For this consent to be valid, users should clearly understand that their personal information will be used, where it’s going, who it’s going to, how it will be posted and for how long it will be retained.
  • Remember that profiling is also a use of personal information and that users must be informed about it.
  • At the design stage of an application, develop a policy for the retention and destruction of the personal information you think you will be handling.
  • Plan an easy way for users to end their relationship with you, by which I mean, a way to erase all of their personal information from your servers.
  • Make sure that you anonymize data at every opportunity.
  • Lastly, make sure that you have concrete safeguards in place to protect the personal information of your users.

It will soon be mandatory in Canada for data breaches to be reported to my Office. Organized crime, both large and small scale, is more and more often turning toward information theft, and one thing is becoming increasingly clear: we cannot have privacy without security. This is another key element that you should bear in mind when new products and services are introduced.

I’d now welcome your questions.

Date modified: