Facebook™, Streetview™ and What's Next – Navigating your Way Through New Issues in Privacy Law

Remarks at the 15th Biennial National Conference organized by the Law Society of Upper Canada

April 24, 2010
Ottawa, Ontario

Remarks by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you to the Law Society of Upper Canada for the chance to join you at this distinguished gathering.

The topic before us is “Facebook, Street View and What’s Next – Navigating your way through new issues in privacy law.”

The scope of the discussion is quite ambitious, and so I also want to thank Alex Cameron for his trenchant analysis and summary.

Context

With that excellent backdrop for our discussion, let me take you back to January, and a dustup provoked by Facebook founder Mark Zuckerberg.

He said at the time that the social norms around privacy had evolved to the point where people had become very comfortable about sharing lots of information with more and more people.

His comments were widely interpreted as belonging to the “privacy is dead” school of thought, although he never actually said that.

In any case, as Privacy Commissioner of Canada, that theory obviously finds no traction with me. Privacy is alive and well and living in all of our souls. And it is we as individuals – not companies or governments – who give definition to that right.

Indeed, even young, socially networked people continue to care about privacy, according to a recent UC Berkeley study; they just overestimate the privacy protections that exist in the online environment.

Even so, we have to acknowledge that things are changing – quickly, dramatically, and in many different ways.

And so the challenge for regulators is to identify what’s on the horizon, and to figure out a way to prepare for the future. 

Changing norms

It’s true that privacy, as a social norm, is evolving.

In that respect, I was intrigued by a deeper examination into social networking that was conducted by Avner Levin, of Ryerson University, and a colleague at the University of Miami.

After surveying 2,500 young people in Canada and the U.S., they concluded that privacy is no longer just about control. It’s no longer good enough to presume that if people ‘click here’ to say they’ve read the privacy policy, then their privacy concerns have been addressed.

Professor Levin found a more nuanced understanding prevailing in the online universe.

While young people aren’t too worried about posting unflattering or highly personal information about each other – even if it is disseminated beyond their immediate control – they become incensed if the information is accessed, used or disclosed by anyone they perceive to be outside their social network.

In a phenomenon he calls “network privacy,” Prof. Levin argues that young social networkers consider information to be private if it originates with them and is not disclosed beyond their immediate network.

Interestingly, however, they also consider information to be private if it originates outside their network – provided it doesn’t affect their established online persona.  

It all boils down, he concludes, to dignity and reputation.   

And I would add another word: discretion. Before the age of social networking, one used to be able to discuss things quietly and with candour with one’s peers, confident that the matter would not be shouted from the rooftops.  Sadly, while many young people still seem capable of grasping this concept, a generation of adults from Silicon Valley could benefit from a refresher.

Changing technology

Aside from the changing norms, regulators are also challenged by changing technologies. 

For instance, the title of this panel refers to Google Street View, but that’s just one of numerous new geospatial applications emerging these days.

Some, like Street View, are largely urban and depend on online advertising as their business model. Others go farther and allow digital tags and virtual graffiti, so that the environment becomes interactive and layered with new information that people can add through smartphones.

Still other applications are used principally for natural resource extraction in remote areas.

And then there are the open online mapping projects, which tend to be entirely volunteer driven. Open Street Map, for example, is an editable map of the whole world. The project began in 2004 and aimed to allow free online access to map data.

Consumer consultations

With the scope and pace of technological change, it’s important that we keep in touch with Canadians about privacy issues on the horizon that matter to them.

That is why my Office is launching a series of consumer consultations on emerging issues, such as location-based or geospatial tracking, consumer profiling, online advertising and marketing, children’s privacy in the evolving online environment, data mining and analytics, and cloud computing.

The first session gets underway next week in Toronto, and we’ll have other sessions in Montreal in May and Calgary in June.

The idea is to learn more about these cutting-edge practices, to explore their privacy implications, and to find out what privacy protections Canadians expect in relation to them.

We’re also looking to stimulate a broad and informed public debate about these issues.

And we hope to use what we learn to inform the next review process for PIPEDA, the Personal Information Protection and Electronic Documents Act, our private-sector privacy law.

Changing regulatory environment

Indeed, with PIPEDA approaching its 10th birthday, we want to ensure that the law is sufficiently well suited for today’s many challenges.

And so I asked two eminent legal scholars to examine a wide range of issues around the law, its impact and the powers of my Office. The work, which we intend to publish soon, was done by France Houle, of the Université de Montréal, and Lorne Sossin, currently with the University of Toronto, although he’ll take over as dean of law at Osgoode Hall in July.

Overall, they said, Canada’s private-sector privacy regime has been most effective among large businesses. That’s due to the particular approach set out in PIPEDA, along with the collaborative and inclusive ombudsman approach adopted by my Office over the years.

Smaller firms, however, could use more prodding. This is not insignificant, in light of the sheer numbers of small- and medium-sized enterprises, and the amount of personal information they handle.

Incentives could work, according to the report, and should be explored.

But the most effective way to better protect consumers would be to expand the Commissioner’s powers to draw up explicit and enforceable guidelines, and then to levy fines or other penalties to ensure compliance.

The report argues that broad or intrusive powers are unnecessary because even limited powers that could affect a company’s bottom line would bolster compliance. Enforcement powers would also serve as a deterrent to enterprises that would otherwise play fast and loose with the privacy law.

We have, in fact, witnessed a trend – in Canada and elsewhere – away from a strict reliance on judicial enforcement, and more toward guidance and other soft-law alternatives. With technology changing so rapidly, it may make sense to have greater regulatory speed and agility, with recourse to the courts for intractable disputes.

But I want to underline that, even if our compliance approach seems more flexible, the law is the law, and we are committed to enforcing it.

Facebook

That is why we conducted an in-depth investigation into Facebook’s privacy policies and practices last summer. They eventually committed to a number of changes that would bring their social networking site in line with Canadian privacy law.

They’re not there yet and, in fact, we wound up launching another investigation in January, in response to other changes they made to their privacy settings last December.

But we are continuing to talk to them and to monitor their progress.

Bear in mind that Facebook is a multinational giant with all the legal and technical backing necessary to know, understand and respect the privacy laws of the countries in which they operate.

And, again, much like the lost lesson of discretion, gigantic companies like this seem to have lost sight of another fundamental social nicety: when in Rome, do as the Romans do.

Google Buzz

Which brings me to Google Inc., one of the other giants of the online world and a company ably represented in Canada by my fellow panellist, Jacob Glick.

As you may know, my Office teamed up with nine other data protection authorities from around the world earlier this week to challenge Google on the rollout of its Google Buzz social networking service, as an add-on to its popular Gmail webmail service.

The initial rollout last February exposed people’s personal Gmail contacts, sparking a huge outcry from users. While Google moved quickly to remedy that situation, a certain amount of damage was done.

But our larger point was that, as a global technology leader, Google should have ensured that it respected the privacy laws and norms prevailing in the countries where it operates.

It should, moreover, have applied its legendary resourcefulness to the search for more privacy-enhancing technologies.

And – most important of all – it should have considered and minimized the impact of its new application on people’s personal information before rolling out the application, rather than waiting to fix flaws after the fact.

Global approaches

Before I leave the subject of Google Buzz, I want to point out one more thing – and that was the multinational approach we took.

Even if a company lacks Google’s global reach, the fact is that many can and do operate in other countries. Some have only a virtual or online presence. Others store their data in a cloud computing environment that could be anywhere and everywhere.

After all, data today knows no borders.

And so, more and more, you will see regulators banding together in joint initiatives – up to and including enforcement activities.

Under ECPA, the Electronic Commerce Protection Act, I would be explicitly authorized under law to share information with other data protection authorities, in Canada and around the world.

As you may recall, that legislation, which was mostly about curbing spam, died at prorogation, but we are hopeful that Parliament will resurrect it soon.

Public sector

I’ve been talking so far about private organizations, but the protection of privacy is just as compelling an obligation for the public sector. If anything, it is even more vital that the state exercise restraint in the collection, use and disclosure of personal information.

After all, the government is the keeper of profoundly sensitive personal data, such as income tax and income support information, criminal and justice system records, health data for certain groups, and so on.

And so it must ensure that information is collected for justifiable purposes, that it is accurate, that it is safeguarded, and that it is shared only under the strictest terms.

As the Maher Arar and similar cases revealed, errors, oversights or omissions in the handling of personal information can have grave consequences.

At a minimum, departments are required to carry out formal privacy impact assessments, or PIAs, which are submitted to my Office for review. 

They must clearly state the necessity of the information they are collecting, spell out how the invasion of privacy is a proportional response to a particular policy objective, outline how their program will effectively treat the problem they have identified, and assert that there is no less privacy-invasive alternative.

It is hoped that this extra investment of effort, and ongoing consultations with my Office, will help ensure that new public safety measures also respect privacy rights.

Conclusion

To wrap up, I just want to underscore again that privacy laws, whether in the public or private sectors, are not optional. They are not guidelines, suggestions or “nice to haves”.   They are the law.

It doesn’t matter whether a company is Canadian or based elsewhere, virtual or real.  It can be a new wireless firm in Toronto or a bank in an online community run out of Singapore.  If it has an operating presence inside Canada, and is collecting the personal information of Canadians, then it is subject to Canadian law.  There is no ambiguity about that.

We expect organizations to know the law, and to understand and meet their responsibilities under it.

We expect them to develop and implement privacy-enhancing innovations, and to communicate with their customers about privacy.

But, most of all, we expect them to do all of those things – before they take an action that could impinge on the privacy rights of Canadians. This is not an unreasonable position; it is one shared by data-protection authorities around the world.

And it’s in their own interest. By safeguarding the privacy of citizens and consumers, organizations build trust and invest in their own long-term success.

Thank you for your attention, and I welcome your comments….
