Privacy Professionals 2.0
Remarks at the 2010 Conference of the Association sur l’accès et la protection de l’information (AAPI)
April 10, 2010
Quebec City, Quebec
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I am pleased to be here in Quebec City today, after a very busy few days.
Since Tuesday, you have been hearing about Web 2.0 and social networks, cyber crime and piracy. It seems like every day we have to learn new ways of communicating — and to avoid new ways of being duped.
This new reality that is changing our lives, for better or worse, has a direct impact on your work.
You play an important role. As guardians of access to information and privacy, you protect principles that are at the very heart of democratic society. It should therefore come as no surprise that all radical shifts in society, such as the digital revolution, have implications for your work.
I witnessed the beginning of this revolution ten years ago when I joined the Commission d’accès à l’information du Québec. One of the proudest memories of my tenure as President of that CAI is that Quebec adopted the principle of automatic publication, on our recommendation. An excellent initiative, it already recognized the tremendous importance of the Internet as a source of information.
And I think the first time we ventured online, most of us understood right away that this thing would change the world. But who among us knew what was just around the corner: Twitter, Flickr, Facebook and Foursquare — phase 2.0 of the revolution. Web 2.0 has a major impact on privacy because it relies on user-generated content, and a good chunk of this content refers back to identifiable individuals.
Today, I would like to talk to you about the issues that our Office considers to be the key issues to watch over the next few years.
We have identified four top strategic priorities, which will allow us to take a more focused approach to our work in the coming years. These four priorities are:
- information technology;
- genetic information;
- national security; and
- identity integrity.
You will have noticed that today’s information systems, with their lightning-fast processing capabilities and seemingly limitless storage capacities, are a factor in each of these priorities.
Globalization and regulatory challenges
Since these powerful information systems are increasingly networked, they open the door to another very important issue: transborder data flows in an age of increased globalization.
We all know that data knows no borders. With virtual businesses and cloud computing, data flows are instantaneous and global.
Some of this data winds up in countries with less robust privacy protection regimes than our own.
Another challenge faced by data-protection authorities as a result of globalization is that we receive complaints against online companies that have no physical presence in our respective jurisdictions.
In the Facebook investigation that we conducted last summer, we were successful in getting a U.S.-based company to commit to complying with our laws.
On the other hand, in the case of an American online data broker called Abika.com, we had to rely on the U.S. Federal Trade Commission for enforcement.
Last fall, at the International Conference of Data Protection and Privacy Commissioners, everyone wanted to talk to me about one thing: Facebook.
This isn’t a surprise considering that the changes Facebook made have benefited all of its users, all around the world.
When we released the findings of our investigation, the site had 300 million users. Today, there are 400 million, 70% of whom are outside of the United States [Footnote 1].
In this wired world, we need to adopt a flexible, efficient approach to global privacy regulation.
But no matter what countries do within their own borders, it is becoming increasingly apparent that it’s not enough. Worldwide data flows demand global solutions.
That is why my Office is exploring ways to increase collaboration with data-protection authorities – at the provincial level, as well as in other countries.
It’s about building common rules and standards, as well as a coherent and shared approach to enforcement.
From a legal perspective, we have to apply the law to issues that were inconceivable at the time the law was developed.
So far, PIPEDA’s neutral stance on technology-related matters has worked to our advantage: We have successfully applied the law to all of the cases that have been brought to our attention. And we don’t expect the rate of technological advancement to slow down any time soon — Quebec is no stranger to innovation, a practical application of creativity. The vitality of Montreal’s IT community is an excellent example.
In anticipation of the five-year review of PIPEDA, scheduled for 2011, my Office is currently organizing roundtable discussions to be held in Montréal on May 19, as well as in Toronto this month and in Calgary in June.
The roundtables will bring together representatives from industry, government, consumer associations, civil society and other interested parties.
They will focus on some of the most important emerging issues in privacy — behavioural advertising, cloud computing and location-based data.
Our plan is to explore the privacy implications of each of these technologies and determine whether PIPEDA is able to meet those new challenges without standing in the way of progress.
For example, there are issues of consent in behavioural advertising; questions of jurisdiction and adequate safeguards in cloud computing; and limitations on the collection, use and disclosure of personal information arising from location-based data.
Another objective of the roundtables is to help inform our own policy positions on these three technologies, which are likely to play a larger and larger role in the complaints and information requests that we receive.
So far, the federal sector law that my Office oversees has served its purpose, even in this increasingly complex global environment. Time and again, we have been able to apply the law to technologies and business models that didn’t even exist when PIPEDA came into force nine years ago.
Web 2.0 and the new social norm
Of course, we can’t talk about these new business models without talking about the “new social norm,” an expression that is on everyone’s lips these days. Many wonder whether the Internet created a new social norm, or whether it is society’s use of the Internet that has built this new norm. However, one thing is certain: Web 2.0 has a major impact on privacy.
A news article on British Columbia’s new online court records system published last year clearly illustrates the impact of the Internet on privacy.
This online system allows people to look up any civil or criminal proceeding. Traffic of the site was so high that a virtual line-up was formed.
A privacy advocate pointed out that there has never been a line-up at the registry office to access these same files.
The increasingly voracious appetite of certain members of the public for other people’s personal information is motivated, at best, by an unhealthy curiosity, and, at worst, by criminal intentions.
This voyeurism goes hand in hand with the online exhibitionism that is everywhere on the Internet.
Most people today want to be online. Ten years ago you might have asked somebody, “Do you have email?” Today, it’s become practically inconceivable that someone would not be online. You should see the looks I get when I say that I’m not on Facebook.
But where we’re seeing differences is in what people do online – the extent to which they are prepared to post their personal information.
Young people have a different notion of privacy than previous generations.
That said, however, I disagree strongly with the tendency, in some circles, to announce the death of privacy.
There are fewer and fewer among us who would argue that to have true privacy we have to live our lives behind closed doors, and that the best way to protect our personal information is not to share it, never mind post it online.
But it would be wrong to say that those individuals who choose to join a social networking site or contribute in some other way to Web 2.0 do not value their privacy.
All the evidence we’ve seen from our own polling of young people underscores that privacy remains a deeply held value.
Another survey, conducted by Natural Resources Canada, showed that the vast majority of Canadians want the federal government to regulate the application of new technologies to protect their privacy.
Regardless of how people choose to act, they maintain a powerful belief that the choice must be theirs.
Increasingly, the disclosure of personal information boils down to questions of knowledge and consent.
Privacy issues have traditionally come up in the context of interactions between one person and an organization.
Increasingly, however, we are seeing that the most critical privacy risks stem from systemic threats related to rapidly changing information technologies.
These types of threats, although they can have significant consequences, are generally not the types of issues that the average person would think to complain to us about.
We have received very few complaints and information requests to date concerning social networking [Footnote 2].
However, each complaint that we investigate is very complex, from a technological and legal perspective. Technologically speaking, we have to look at very sophisticated Web applications, which we didn’t usually have to do before.
However, when a major issue arises, we do not wait until we receive a complaint before taking action.
For example, you might have heard in the news this week that my Office is joining with nine other international data-protection authorities to hold Google accountable for the rollout of Google Buzz, a social networking application that complements its Gmail email service.
The initial launch of Buzz in February resulted in Gmail users’ contacts being revealed. Many of these users spoke up to say that they had not been informed of this service beforehand. Although Google acted quickly to correct the situation, in many cases, the damage was already done.
The point we wish to stress is that, as a leader in the online world, Google should ensure that it complies with the privacy laws and standards in force in the countries in which it does business.
The company should have considered the impact that its new application would have on users’ privacy beforehand, rather than repairing the problem after the fact.
Social networking in the workplace
In the course of your work, you have probably looked at the use of social networking sites in the workplace over the past few years.
You are no doubt aware that many employers and recruitment agencies use Internet search engines and read personal blogs and websites to learn more about job applicants — and existing employees. During the staffing process, this practice may become a problem if it substitutes for more formal and thorough reference checks.
While many employers have guidelines and codes of conduct for email and Internet use, social networking sites pose additional challenges that should be addressed specifically in conjunction with these other workplace rules. Clear rules and policies drafted specifically on the use of social networking sites should be communicated to all employees.
The Office of the Privacy Commissioner of Canada recommends that an organization’s policy establish best practices and outline expectations for acceptable use of these sites in the workplace, set out the consequences for misuse, and address any workplace privacy issues.
Employers should inform their employees in plain language why it’s important to keep some personal and corporate information — about themselves, their co-workers, clients and the organization — confidential or undisclosed.
Similarly, employers need to exercise judgment and abide by all applicable legislation if they decide to collect, use or disclose personal information from online sources. A privacy‑friendly workplace calls for fair use of information by all parties.
Your work on privacy and access to information is therefore becoming increasingly complex as technological advancements grow and globalization challenges the regulatory frameworks.
Most of the privacy laws in force today are based on models of data collection and use that date back to another century.
These laws are now being tested by new applications that break the mould of traditional information processing models. We discussed social networking, but there is also street‑level imaging, deep packet inspection and behavioural advertising.
Organizations should ask what to do when the letter of the law is not clear in a particular situation.
They are waiting for you, their trusted advisors on this matter, to be creative and think outside the box.
It is no longer enough to ask what the law requires us to do. We need to consider what must be done to respect individuals’ privacy rights and minimize privacy breaches.
Organizations have to ask what they should do to respect the spirit of the law. And they will be turning to you for answers.
Today’s world needs professionals like you who can convince their organizations that respecting privacy goes far beyond complying with the law.
Personal information is a precious commodity that deserves to be protected by default, not something that we protect after the fact, once we have seen people’s reaction.
Privacy professionals must remind organizations that privacy is a fundamental value in democratic societies, not just a set of rules to be followed.
In other words, you must be the conscience of your organizations.
I am sure that some of you have a lot of work ahead of you. But the next few years will require each of you to demonstrate creativity and overcome great challenges.
I will now be happy to take your questions.