Innovation and the Privacy Advantage
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the Institute of Public Administration of Canada 62nd Annual Conference
August 25, 2010
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good morning and thank you for inviting me to join you. It’s a privilege to be here with so many people dedicated to excellence in public service.
I’ve spent most of my working life in the public service in the Government of Québec and the Government of Canada. Public service has been a way of life – one that has been both interesting and personally satisfying.
The invitation to speak today was one that held instant appeal – a conference about the importance of public service and a theme of Guardians of our Communities: Local to Global.
Privacy cannot exist in a society where mistrust and suspicion are rampant. Remember the movie, “The Lives of Others,” about life in East Germany under the Communist regime? Mistrust led to dramatic invasions of privacy and ultimately death.
The concept of being a guardian is central to how we approach our work as an Office. We evaluate issues in terms of the impact on Canadians and their privacy rights – individually and collectively. We take this responsibility – indeed, this privilege – very much to heart.
This year’s IPAC conference has examined the importance of the public service to Canadians who increasingly live out their daily lives not only as members of local neighbourhoods, but also a global community.
The shift to a globalized world has certainly had a profound impact on the privacy landscape.
Our world is shrinking and the planet’s inhabitants are connected like never before. Increasingly sophisticated information and communications technologies are integral to our daily lives.
These developments provide undeniable benefits in terms of convenience and efficiency.
But, at the same time, the fast and furious pace of technological change – coupled with social change and globalization – carries great risks for our privacy.
This morning, I’d like to focus my remarks on two areas: First, the implications of globalization for privacy; and, second, how the technological advances that are responsible for making our world seem so much smaller are also raising new threats to our privacy.
There is a critical need for organizations – in both the public and the private sectors – to keep privacy at the forefront as they push technologies forward. In other words, innovation and privacy must go hand in hand.
First, a bit of context…
Over the past 20 years, advances in information and communications technologies have made it exponentially cheaper and faster to collect, create, share, process and store information.
This has resulted in a data explosion. Experts now refer to the concept of “big data” or an “exaflood” of data. It’s been estimated that worldwide data volumes are currently doubling every two years.
Consider this: It took two centuries for the U.S. Library of Congress to acquire the more than 134 million items in its print collection. With the explosion of digital information, it now takes less than 15 minutes for the world to produce an equivalent amount of information.
Each one of us is contributing to this dramatic growth in data each time we e-mail or text, take pictures and videos, send Tweets or change our status on Facebook. Technologies allow us to create more information than ever before and we’re increasingly inclined to share this information widely.
Corporations and government are also contributing to the data boom. I read recently that Wal-Mart alone handles more than one million customer transactions every hour and that this data feeds into databases containing over 2.5 petabytes of information.
What’s a petabyte? According to The Economist magazine, all of the letters that the U.S. postal service delivers this year will contain around five petabytes of information. Google, meanwhile, is processing the same amount of data in just one afternoon.
Within all of these mountains of information is a lot of personal information.
And this is the kind of data that businesses have come to behold as a potential goldmine and that governments see as key to achieving laudable goals such as combating crime, stopping terrorists and better managing programs.
As a result, we see businesses and governments alike collecting and using personal data on a scale that was until recently unimaginable.
You can see the growing challenge for a Privacy Commissioner whose job it is to help ensure that all of this data is respected and protected!
Pressures on Privacy
Global competition has converted every industry into an information industry hungry for as much information about their clientele as possible.
In this context, the online world – where every click we make can be monitored – offers up a veritable feast of personal data. A fascinating investigation by the Wall Street Journal recently concluded that one of the fastest-growing online industries is the business of spying on Internet users.
On the public sector side, the Government of Canada is the single biggest repository of personal information of Canadians. So much of it is extremely sensitive: tax information, health records, prison records, income supplements – even census information, to name just a few. Other levels of government also have a great deal of highly personal data entrusted to their care.
At the federal level, we increasingly see our government – not unlike other governments around the globe – making the collection and analysis of personal information a central component of national security and public safety initiatives.
For example, a single piece of federal legislation requires some 300,000 organizations – life insurance companies, real estate brokers, casinos and many others – to file reports containing sensitive personal information so that FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada) sift through it in search of signs of money laundering or terrorist financing activities.
It’s something of a double whammy for privacy. We have a situation where: (1) far more data – much of it personal – is being created than ever before; and (2) a wide range of organizations is clamoring to get their hands on that personal information.
There’s a further complicating factor to this evolving privacy environment: the globalization of data flows – in other words, the fact that our personal information is now in constant circulation around the planet.
E-commerce is the most obvious example. In the course of a single transaction, personal information may be gathered and traded between dozens of parties, in many countries.
Meanwhile, governments are also increasingly turning to cross-border information sharing as part of international efforts to stymie terrorists and other criminals.
Role of the OPC
As I’ve said, my role as Privacy Commissioner is to protect Canadians’ privacy rights in the face of these multi-pronged threats. And it may be worth pausing here for a moment to explain the mandate and mission of my Office….
We oversee compliance with two pieces of legislation: the Privacy Act, which applies to federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act, better known as PIPEDA, Canada’s private sector privacy law.
We protect and promote the privacy rights of individuals in a number of ways: We investigate complaints; conduct audits; engage with federal departments and the business sector; and promote public awareness and education of privacy rights and obligations.
Over the past couple of years, we’ve seen dramatic growth in issues and investigations dealing with new technologies – particularly those related to the online realm. As part of our increased focus on this issue, we’ve launched consultations into various online practices and technologies – specifically online tracking, profiling and targeting of consumers by businesses, and the growing trend towards cloud computing.
One of the one of the issues we’re increasingly concerned about is “dataveillance.”
Many of our daily activities leave behind a trail of digital bread crumbs. In the old days, for some down time, I’d go to the high street, browse in the windows, maybe try something on, flip through a magazine at a newsstand – and nobody knew. When I do those same things online, every step I take is carefully recorded and used for many purposes.
From people writing about themselves and others on social networking sites, to mapping capabilities that show us and others where and how we live, to monitoring our use of the things we own – a comprehensive portrait can be drawn of an individual, thanks to increasingly powerful data mining tools.
The Wall Street Journal investigation I mentioned a moment ago found that the top 50 websites in the U.S. installed – on average – 64 pieces of tracking technology onto visitors’ computers. Some sites installed more than 100.
Often Internet users are not aware of how or why their personal information is harvested from their online activities.
The cornerstones of privacy protection – knowledge and consent, access and limited retention – are concepts that creators and users of digital technology need to understand and find ways to incorporate into products and services.
Unfortunately, this isn’t always happening. It seems to me that we’re seeing too many cases where the innovators innovate and the lawyers mop up after the fact.
The main example I’d like to share with you about how innovation can go badly wrong when privacy protection is not adequately addressed comes from the private sector. However, the story also holds lessons for public servants in all levels of government.
You may recall the public outcry earlier this year when Google abruptly melded Gmail, its private, one-to-one web-based e-mail service, with a new social networking service.
Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing those users about how this new service would work or providing sufficient information to permit informed consent.
Gmail users – understandably concerned that their personal information was being disclosed – were highly critical of the new service. In response, Google apologized and quickly introduced changes to address the widespread criticism.
However, the incident sparked deep concern among data protection authorities around the world. It prompted 10 offices – including my own – to come together to send a strong message to Google and other online companies.
In a joint letter, we reminded Google about the need to take privacy into account as it develops new online products – and also the obligation to respect privacy laws of the countries in which they launch those products. It’s worth noting that Google is based in the U.S., which does not have a federal private-sector privacy law.
Privacy protection needs to be considered and built in at the front end as products, services and programs are developed. It’s not enough to fix problems after the fact.
Our request to Google is reasonable and it does not stand in the way of innovation.
Privacy in the Public Sector
In the public sector context, my Office sees fewer cases of things going awry because not enough thought is given to privacy concerns at the development stage of an initiative.
This is largely because the Privacy Impact Assessment process of the federal government and many provincial governments is designed to ensure that privacy is considered early on.
My Office reviews these assessments and makes further recommendations. We usually see positive results. A couple of examples:
During the assessment process related to the Enhanced Driver’s Licence Program, the Canada Border Services Agency agreed to house a database of EDL holders’ personal information in Canada rather than in the United States as had been originally planned.
When we looked at an assessment on the RCMP’s use of pre-employment polygraph testing, we worked with the force to eliminate certain questions that seemed to be overly intrusive.
Generally, if a department conducts a privacy assessment, is it supposed to ensure that, at the end of the process, the majority of privacy risks have been satisfactorily addressed.
This may be even more important in the public sector context given the highly sensitive information that governments collect.
Integrating privacy into public policies – especially in the areas of security and law enforcement – is of paramount importance.
Protecting its citizens is surely one of the most important functions of the state.
However, in devising public safety measures, it is vital to incorporate a respect for privacy. Privacy is a matter of human rights. It is a cornerstone of our democracy – the space in which Canadians may exercise their fundamental freedoms and safeguard their personal integrity.
There are also practical reasons for applying fair information principles to the collection, use and disclosure of personal information by the state.
Not doing so can spark dire consequences.
People can, for example, be wrongfully accused of crimes as a result of faulty or illegal surveillance or wiretapping. They could be stranded without cause on the federal no-fly list, without meaningful recourse. Erroneous information could also be shared with foreign powers, leading to deportation, false imprisonment and even torture.
Another concern is function creep – the danger governments will be tempted to use all of this personal information they’re collecting for purposes beyond what was originally intended. In the United Kingdom, for example, we’ve seen powers originally provided under legislation designed to thwart terrorism eventually being used to investigate petty offences such as under-age smoking, parking fines – even the failure to pick up after a dog.
Canadians entrust their personal information to the state. The state, in turn, has to live up to that trust – and the best way to do that is to consider privacy and build in protections at the earliest stages of developing a new initiative.
Global Digital Economy
The increasing pace of technological development, the changes in how individuals and organizations interact with and participate in technology and the globalization of personal information have given policy makers, data protection authorities and observers in many countries pause.
Privacy issues are increasingly global in nature – we live in an age where sending data to the other side of the globe as easy as sending it next door. And yet we lack a global approach to address these global data flows.
For us, it can be very challenging to regulate the personal information practices of businesses that operate in multiple jurisdictions, where data regimes vary (if they exist at all).
Meanwhile, citizens want to know that privacy protections are in place when their information leaves Canada, and businesses want to have a common set of rules to follow.
The critical need for an international solution has become clear to policy makers and privacy authorities around the world and we now see many data protection authorities as well as organizations such as the OECD and APEC working towards this goal.
We’ve made some progress already, and I expect we’ll see further movement in the coming few years.
Privacy protection is not an impediment to innovation and growth – or to a well-functioning government.
Rather, privacy supports these things by reinforcing confidence in people that the technology they use – or that is used by the business or the government body they interact with – is protecting their personal information.
Privacy is a critical element of a free society. Even with changing social norms, where people are prepared to post even the most intimate personal details of their lives online, privacy remains a cherished value, and a cornerstone of our democracy.
Thank you. I would be very pleased to answer any questions …
Report a problem or mistake on this page
- Date modified: