Enforcing Privacy in the Online World
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the IAPP Canadian Privacy Summit 2010
May 27, 2010
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good morning. It’s wonderful to be here in Toronto.
I had the pleasure of attending the IAPP global summit in Washington last month. That event was extremely well organized and it sparked a lot of interesting discussions about international privacy issues.
I’m delighted to be able to join you for this IAPP conference with a distinctly Canadian focus.
I thought you’d be interested in an update on my Office – where we are and where I see us going in the near future.
For us, the future is all about the online world.
In recent days, we’ve seen yet another example of why it’s so important for us to be there – Google’s public admission that its Street View cars had been accidentally collecting snippets of people’s wireless communications on unsecured networks.
The privacy issues we’ve recently worked on with Google are part of a broader trend.
The last year or so has marked a turning point for the Office of the Privacy Commissioner of Canada. We’ve seen dramatic growth in issues and investigations dealing with new technologies, particularly those related to the online realm. It seems clear that those issues will continue to dominate our work for years to come.
If we want to remain relevant as Canada’s privacy guardian, the online world is where we need to be focusing our attention. And that is where we will be.
We need a greater commitment from some companies to bring themselves into line with privacy laws around the world.
Meanwhile, data protection authorities need new tools to address privacy online. We have to find ways to meet the challenges of addressing online privacy in the context of our investigations. After all, investigations involving online issues tend to be complex, highly technical, labour-intensive and deal with ever-changing websites. They often involve companies based outside of Canada – raising the potential that they’ll be hesitant to cooperate with us.
My Office is taking a multi-pronged approach to these challenges.
We’ve recognized that increased cooperation with our international colleagues is critical to our future success. We’re involved in global privacy initiatives and working with international and provincial partners about issues of mutual interest.
We are also taking steps to ensure we have the right investigative resources in place. We recently cleared up our backlog, freeing up resources for our expanding online work, and we’ve hired more technical experts.
We’re also working hard to develop a deeper understanding of privacy issues in a digital world. Our current public consultations are a good example of that.
I’ll elaborate on these developments shortly.
First, I do want to make clear: Our increased online focus doesn’t mean we’ll be ignoring bricks and mortar businesses! In fact, we’re opening an office in Toronto so that we can work more effectively with the businesses located here.
We’ve made great progress in terms of how organizations operating under traditional business models handle personal information. By and large, these companies are living up to their obligations under PIPEDA.
The online world, however, is still something of a wild frontier when it comes to privacy protection. And with online companies taking on an increasingly important role in our daily lives, it’s ever-more important that we ensure real-world laws are working effectively in the digital environment.
I suspect that the problems we’re seeing have a lot to do with the raison d’être of these organizations. They are in business for one perfectly legitimate reason: To make a profit.
While this is true of every business, the impact for privacy appears to be more acute in the digital context.
Some online companies appear to believe that the path to riches is to race to market with every new and innovative product. In their frantic rush, they seemingly forget to look at what privacy laws say about what they can and can’t do. In some cases, they seemingly aren’t even bothering to glance at that legislation!
Some of these companies see personal information as a money-maker. This is spawning a digital arms race in terms of the collection of personal information. Too often, fundamental privacy principles are being forgotten – or perhaps ignored – along the way.
It seems to me that we’re seeing too many cases where the innovators innovate and the lawyers mop up after the fact.
Much of my focus today is on Google. That’s because they’re a giant of the online world and they’ve been in the news so much lately. However, we do have concerns about what some of the other online players out there are doing.
The recent revelation by Google that – despite previous claims to the contrary – it had in fact been collecting and storing information broadcast via unsecured wireless networks reinforced concerns we expressed with international colleagues last month.
Ten data protection authorities came together to send a strong message to Google about the need to take privacy into account as it develops new online products. We also issued a reminder about the need to respect privacy laws of the countries in which they launch those products.
This is not an unreasonable request, nor does it stand in the way of innovation.
The trigger for our joint letter was our disappointment at the company’s apparent disregard for fundamental privacy principles when it launched its new social network, Google Buzz.
In response to our letter, Google told us it is “keenly aware” of its responsibility to protect privacy.
One week later, the privacy misstep involving wi-fi data came to light. The company admitted that, for more than three years, it had inadvertently collected information that people in various countries had sent over unencrypted wireless networks.
Previously, in response to questions from European regulators, Google had said that, while its Street View camera cars were collecting information to identify wi-fi networks, they were not collecting the actual information that users were sending over unprotected networks.
After some further checking, Google discovered that assertion wasn’t true.
We are, of course, shocked and deeply concerned. Three and a half years is an awfully long time for people who are supposed to be among the world’s best and brightest at using these types of technologies to not know.
Eric Schmidt was quoted in media reports as saying that there was “no harm, no foul” in what happened. I don’t agree. While it’s true that – as far as we know – no specific individual was harmed, a fundamental value in our society has been harmed. Privacy is one of the basic tenets of a democratic society. It is something we cherish. We certainly don’t expect our communications to be intercepted in this way – regardless of whether or not something nefarious is done with it.
Clearly, as we said in our initial joint letter, the way in which Google develops products and services is not working well from a privacy perspective.
Google reported the breach to our Office and we’re asking for information to help us understand what happened. We’ve also asked Google to retain the data as we work to determine our next steps.
Meanwhile, we’ve been in touch with international counterparts. Many are equally concerned and have launched investigations.
Google Letter Initiative
I would also like to highlight the significance of the letter we sent to Google about Buzz.
The collaboration really was unprecedented in that it wasn’t simply a group of authorities in one region working together. Rather, we saw 10 offices on four continents speaking with one voice on an issue. And this happened despite the fact that the participating authorities, in many cases, have very different approaches to privacy.
What was surprising to me was that, with so many countries involved, it was actually very easy to reach agreement on the substance and text of the letter.
I think that was a sign of how strongly my international colleagues and I felt about the privacy problems related to Buzz and also the fact that what’s required in privacy legislation around the world is actually not all that different. The fundamental principles enshrined in those laws are essentially the same.
Privacy laws require accountability. And companies like Google are expected to do their due diligence when it comes to knowing the laws – before they launch new products and services.
It’s not enough to simply fix problems after the fact – as Google did do in the case of Buzz. And launching a product in “beta” form does not allow a company to circumvent the law.
Further Joint Action
So, what’s a data protection commissioner – particularly one in a relatively small country such as Canada – to do to address this new global challenge?
The Google letter initiative with our international colleagues is undoubtedly a sign of things to come. Data protection authorities around the world are recognizing that the best way to make a difference for the privacy rights of our citizens is by working together. Huge multinational corporations are not going to be able to ignore our message if we’re all saying the same thing.
Recently, several countries have come together to create an international forum to discuss issues of joint concern – the Global Privacy Enforcement Network. The expectation is that this initiative should result in data protection authorities taking a more harmonized approach to issues.
At the moment, some data protection offices don’t have the legal authority to share information with international counterparts as part of an investigation. Here in Canada, we’ve been calling for changes to PIPEDA that would make it easier for my Office to work collaboratively. We were delighted to see these amendments included as part of new anti-spam legislation introduced this week. We hope the bill will pass quickly because it’s increasingly critical that we strengthen our capacity for cross-border cooperation.
Looking further down the road, I am increasingly of the view that we may need stronger enforcement powers in order to be an effective privacy guardian for Canadians – both in the online and real-world context. We’re studying this issue and it may be something discussed as part of the next PIPEDA review.
Re-focusing the OPC
I believe – very strongly – that my Office’s resources should be focused on privacy issues of a broad, systemic interest.
Going forward, you are going to see an Office that is much more focused on the most important privacy issues of the day – the privacy issues that pose the biggest risks to Canadians as a whole.
As I mentioned earlier, those types of investigations normally require extensive time and resources. For example, as I mentioned earlier, online investigations are, by their very nature, extremely challenging.
Our Facebook investigation illustrated just how complicated and technical online issues can be. For example, one of the biggest challenges during that investigation was the fact that the site kept changing. Tracking the modifications was essentially a full-time job for someone in the Office! The pace of change on the site has only picked up in recent months.
My expectation is that we’ll have the resources in place to meet this new workload challenge thanks to a few developments.
The backlog was recently eliminated. We’re also encouraging people who contact us with fairly straightforward privacy problems to try to resolve issues directly with organizations before they make an official complaint. This approach has led to a significant drop in formal complaints.
This week, the government introduced legislation that would provide me with greater discretion in accepting complaints or discontinuing investigations. These include cases where, for example, the complaint is trivial, frivolous or vexatious.
As a result of all of these recent developments, I fully expect we will have more investigators available to handle the complex issues coming before us. As well, we’ll be able to do more follow-up on the important issues we investigate.
Meanwhile, our investigations team is also getting important guidance from newly hired staff with an expertise in technology issues. Now that we have established a highly qualified and experienced IT team, we are building a research lab to examine new technologies and support our ongoing investigations.
I’d like to touch on another way in which we’re preparing to meet the challenge of emerging privacy challenges – our public consultations.
The consultations are focusing on two areas – the privacy issues related to the online tracking, profiling and targeting of consumers by marketers and other businesses and the privacy issues related to cloud computing practices.
We’ve held a day-long series of panel discussions here in Toronto and also in Montreal just last week. Next month, we’re taking the consultations to Calgary.
I have appreciated the transparency of industry representatives about their practices in the digital world. And we have heard from some very responsible online companies that take privacy seriously.
One of the motivators for undertaking these consultations was our desire to be ready for the next review process for PIPEDA, which is expected next year.
Another way in which we’re learning about the current privacy environment and informing our position on possible PIPEDA amendments is by polling businesses to gauge viewpoints and awareness levels related to a variety of issues.
New poll results we’re releasing today uncovered some encouraging news about the state of private-sector privacy in Canada.
The Ekos survey conducted for my Office this past March found that the majority of businesses have implemented provisions to protect customer information, and almost half of the businesses surveyed report high awareness of their responsibilities under Canada’s privacy laws.
The data collected also suggests that PIPEDA has had a positive impact on businesses’ handling of customers’ personal information. More than half said PIPEDA has resulted in improved security to protect personal information.
If there was one disappointing result, it’s that a majority of companies don’t appear worried about security breaches when it comes to customers’ personal information – even though they are collecting and holding more personal information than ever before.
Given the major data spills we’ve seen over the past few years, it’s alarming to see that businesses aren’t more apprehensive about the safety of their customers’ personal information.
Data breaches are a problem around the globe, and many governments are responding to consumers’ concerns by implementing mandatory breach notification legislation.
We were extremely pleased this week to see the government introduce legislation to create a mandatory data breach notification reporting regime in Canada. This is great news.
Before closing, I’d like to pay tribute to someone who has played a central role in helping businesses across the country to better understand how PIPEDA works and who, more recently, has led my Office into the thick of the online world.
As most of you will have heard, earlier this month, the B.C. legislature approved the unanimous recommendation of a special committee that Elizabeth Denham be appointed the Information and Privacy Commissioner of British Columbia.
Liz has been an outstanding Assistant Commissioner for PIPEDA in my Office. She has expertly guided our work in the new realm of enforcing PIPEDA in the online context. She has also strengthened our relationships with the business community, where I know she has developed a reputation of being fair and forthright.
While we will see Liz off to beautiful British Columbia with a mix of both sadness and great pride, we look forward to continuing to work with her as a strong provincial partner.
I’d invite you to join me in thanking Liz for her work in my Office and also wishing her well in her new adventures…
We’ve covered a lot of topics in a very short period of time. I hope I’ve left you with a sense of where I see the Office heading over the next few years – and how we’re preparing for this change.
Privacy issues are never static, or easy to address. But they are always interesting.
Finally, I would like to extend an invitation to all of you to join me tonight for a reception at the Art Gallery of Ontario. This event will offer the opportunity to let you know a bit more about our plans for a Toronto office and to introduce you to its new director. The reception begins at 5:30 and I hope to see you there!