Enforcing Privacy in the Online World

Remarks at the Lord Reading Law Society Dinner Meeting

November 10, 2010
Montreal, Quebec

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

I’ve just returned home from an inspiring trip to Israel, which hosted this year’s International Conference of Data Protection and Privacy Commissioners.  It was a wonderful opportunity to learn about and discuss how the Jewish faith has recognized privacy as a fundamental human right for many centuries. 

You’re undoubtedly familiar with the Biblical phrase, “How fair are your tents, O Jacob, Your dwellings, O Israel” – a reference to how tents of the Israelites faced away from each other in order to ensure basic privacy.

Jewish law emphasizes hezzek re’iyyah. The Encyclopedia Talmudit describes it as the concept that “even the smallest intrusion into private space by the unwanted gaze causes damage, because the injury caused by seeing cannot be measured.”

As the eminent U.S. academic Jeffrey Rosen has observed, Jewish law has long understood that the uncertainty about whether or not we are being observed forces us to lead more constricted lives and inhibits us from speaking and acting freely in private places.

This was true in the context of a tent village in the middle of a desert hundreds of years ago, and continues to be true in the 21st century, where more and more of daily life takes place on the Internet.  

I’ve been asked to speak with you about privacy issues in the context of the online world.  This is certainly an area of deep interest to my Office – one that is getting a growing share of our resources and attention.  

Over the last year or so, we have seen dramatic growth in issues and investigations dealing with new technologies, particularly those related to the online realm.  I don’t expect that to change any time soon.

If we want to remain relevant as Canada’s privacy guardian, the online world is where we must be focusing our attention. 

Privacy and online issues are also raising interesting new questions and challenges from a legal perspective.  Are laws designed for a bricks and mortar world up to the task of protecting privacy in the online context?  Do we need new laws?  How do you deal with jurisdictional questions and enforcement when dealing with global online companies? 

These are some of the ideas I’d like to explore with you this evening.

Context

First, a bit of context…. 

The rate of change in the online world has been absolutely staggering.  When I took over as Privacy Commissioner – and that was seven years ago – Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare nor iPods. 

I’m sure you’re aware that my Office has been investigating a number of complaints against Facebook.  That isn’t the only online site we’re currently examining – we’re also investigating three other networking websites, including an online dating site. 

More and more often, we find that the companies we’re receiving complaints about have little or no physical presence in Canada. 

It’s clear to us that, in some cases, these companies have not adequately considered the requirements of Canadian privacy law before launching their products in our country. The online world is still something of a wild frontier when it comes to privacy protection.  That must change and, I believe, is beginning to change – albeit not fast enough!

It’s clear that our current regulatory framework for protecting the privacy rights and personal information of Canadians is being tested – and we will need to ensure that we are constantly updating it to meet current and future challenges.

We must also work beyond our borders.  Canada on its own can’t possibly tackle the plethora of privacy concerns cropping up across the World Wide Web. 

Enforcing Canadian Law Online

It’s still fairly early days, but we do have some experience in applying the Personal Information Protection and Electronic Documents Act – PIPEDA – in the online realm. 

  • Abika.com

Our investigation of a U.S. online data broker called Abika.com a few years ago isn’t widely known, but it established the precedent that PIPEDA applies in the online context – even if an organization is located outside of Canada.

Abika.com provided a range of search services on people by hiring third-party researchers who seek personal information from various public and private records and databanks. Based largely on information provided to us by the U.S. Federal Trade Commission, we determined that the company had disclosed the personal information of Canadians, without their knowledge or consent, to third parties.

We recommended that Abika.com stop collecting, using and disclosing the personal information of people living in Canada without their consent. The company did not provide a substantive response to the recommendations within the timelines we had set.

The assistance we received from the FTC proved to be invaluable.  The FTC charged the company with violating federal law by selling consumers’ phone records to third parties without the consumers’ knowledge or authorization. 

The U.S. District Court for the District of Wyoming entered a summary judgment for the FTC in 2009; it barred the illegal operation and imposed a monetary judgment as well.  My Office had filed an amicus curiae brief, outlining how the Court’s decision would have a direct impact on the privacy rights of Canadians and the business reputation of Canadian organizations affected by the actions of data-brokers.

The case was an important step in international co-operation and collaboration that will become increasingly necessary to adequately protect privacy rights on both sides of the border in years to come.

It was the beginning of our commitment to apply Canadian law assertively when new online products and services have an impact on the privacy rights of Canadians.

Our jurisdiction in this area has not been challenged.

  • Facebook

Facebook is our most well-known online investigation.  

We were ultimately successful in promoting changes to bring the areas we investigated into compliance with our law – though I will say that it took a while before the California-based company took my Office seriously.

Things improved when they found some Canadian lawyers.

As you may have heard, we recently completed our investigation follow-up and concluded that the issues raised in a complaint filed by a public interest advocacy group had been resolved to our satisfaction.

The investigation resulted in many significant changes.  Facebook has put in place measures to limit the sharing of personal information with third-party application developers and is now providing users with clear information about its privacy practices.

It was a long road in arriving at that point. The changes were the result of extensive – and, quite frankly, often intense – discussions with Facebook. The entire process was complicated by the fact that we were dealing with a site that was continually changing – a common feature of the online world. 

Our work with Facebook is not over.  We have received several further complaints about issues that were not part of our first investigation and we are now examining those. 

  • Google WiFi

I’ll also mention a third investigation that we recently made public – our investigation of Google’s collection of personal information from unsecured wireless networks in neighbourhoods across Canada.

As you may recall, we launched that investigation after Google revealed that its cars – which were photographing neighbourhoods for its Street View map service – had inadvertently collected data transmitted over wireless networks. 

Previously, in response to questions from European regulators, Google had said that, while its Street View camera cars were collecting information to identify wi-fi networks, they were not collecting the actual information that users were sending over unprotected networks.

After some further checking, Google discovered that assertion wasn’t true. 

At the time, they appeared to downplay the significance of the information collected, stating in a blog post, quote: “we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second.”

However, our investigation found that the data collected included complete e-mails, e-mail addresses, usernames and passwords, names and home telephone numbers and addresses.  Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their phone numbers and addresses. 

A Google senior vice-president, Alan Eustace, has since acknowledged that Google did collect entire emails, URLs and passwords.  In his words, the company was “mortified” by what happened, but is confident that changes to processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users.

In light of what we found, we recommended that Google ensure it has a governance model in place to comply with privacy laws.  We said the model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.

We also called on Google to enhance its employee privacy training and to designate an individual or individuals responsible for privacy issues and for complying with the organization's privacy obligations.

We are already seeing some changes as a result of the investigation.  We’ll consider the matter resolved upon receiving, by February 1, 2011, a confirmation from Google that it has implemented our recommendations.

Google now has an office in Ottawa.

Our dealings with Google over Street View go back to 2007, when we raised serious privacy concerns about the deployment of the service in Canada.  After extensive conversations, Google agreed to a number of changes to ensure that privacy is better protected.  Unfortunately, I understand from my European counterparts that Google has not introduced the same privacy protective measures in other countries.  Regulators continue to have ongoing concerns about the service.

Enforcement Powers

Looking further down the road, I am increasingly of the view that we may need stronger enforcement powers in order to be an effective privacy guardian for Canadians – both in the online and real-world context. 

My Office is examining its own structure and function as a data-protection authority. Should we, for instance, continue down the path we’re on now, which emphasizes my role as an ombudsman? Or should we suggest to Parliament the need for stronger enforcement and order-making powers?

Last year, we engaged two noted academics – Dean of Osgoode Hall Law School Lorne Sossin and France Houle, of the Université de Montréal – to look at the broad economic, legal and political context under which PIPEDA was first enacted, compared to the environment in which we find ourselves now.

In particular, they examined the effectiveness of the ombuds model in protecting personal information in the private sector, particularly in light of changes in the technological, economic and legal context since PIPEDA was first enacted.

In their analysis, these authors suggest that the current ombuds model has had mixed success.

On the positive side, they take the view that my Office has succeeded in accomplishing important goals related to compliance by working with large industry sectors such as banking and insurance, building trust across the private sector, providing guidance on the interpretation and application of PIPEDA, responding to complaints, inquiries and concerns, raising awareness of PIPEDA and generally enhancing the profile of privacy issues. 

However, they also suggest that the ombuds model may have been less effective in promoting compliance where small and medium-sized businesses are concerned. 

The professors have submitted, as an option going forward, that my Office could acquire targeted and limited power to make orders, including the ability to impose penalties such as fines.

They also propose explicit guideline-making power, to assist with the fair and transparent implementation of new order-making powers.

My Office is currently in the process of assessing the authors’ analysis, mapping it onto what we believe has been our experience under PIPEDA to date, and comparing it with our own views of the merits and effectiveness of the ombuds model. 

The authors’ analysis will undoubtedly make a significant contribution to the public discourse on future evolutions of PIPEDA.

Another way in which we’re preparing to meet the challenge of emerging privacy challenges is with public consultations focusing on two areas – the privacy issues related to the online tracking, profiling and targeting of consumers by marketers and other businesses and the privacy issues related to cloud computing practices.

Both the consultations and the report from Professors Sossin and Houle will help shape my Office’s input during the next mandated review of PIPEDA, which is expected to begin in 2011.

Convergence and Cooperation with other Regulatory Authorities

The trend towards greater cooperation between regulatory authorities is important given the privacy implications stemming from the fact that so much information is now online.

Cooperation with other authorities was the theme of closed-door discussions with my international counterparts in Israel.

Here at home, we are also seeing converging regulatory concerns.  A few examples:

In 2009, my Office collaborated with the Office of the Auditor General of Canada on audits examining four federal institutions. 

We are also working more closely with the Canadian Radio-television and Telecommunications Commission.  The CRTC has a mandate to protect the privacy of telecom users that complements our mandate. 

We periodically intervene in CRTC proceedings that raise issues with respect to the protection of personal information.  Most recently, we intervened in a proceeding concerning the use of “deep packet inspection” by Internet service providers, or ISPs.  In addition, we separately investigated complaints about the use of deep packet inspection by ISPs.  Although we did not formally cooperate, our separate efforts served to promote the protection of personal information.

Last summer, the CRTC’s chairman contacted me to talk about a new form of marketing – addressable television advertising, which is also referred to as “super targeted” advertising.  It involves inserting targeted commercials into TV programs.  These ads are directed to a particular household based on characteristics of the people watching TV there – their age, gender, income, geography and so on. A set-top box also stores information on their viewing habits.

The CRTC is on record as endorsing the introduction of addressable advertisements – provided that any privacy issues can be worked out.  I appreciated that the CRTC took the initiative to involve my Office in the issue.

My Office will also be working with both the CRTC and the Competition Bureau to enforce provisions of anti-spam legislation currently before Parliament.  The bill has just passed the House of Commons committee without significant change.

Conclusion

With online companies taking on an increasingly important role in our daily lives, it is ever-more important that we ensure real-world laws are working effectively in the digital environment.

Domestically, I hope we’ll see the PIPEDA amendments introduced following the first legislative review passed into law in the near future.  The effectiveness of PIPEDA in the online context will undoubtedly be a major focus of the next legislative review. 

On the global front, the discussions I had with my international colleagues in Israel a couple of weeks ago reinforced my confidence that the decade ahead will see a more concerted, consistent – and ultimately successful – global approach to the protection of personal information.

I predict we’ll see greater collaboration, within Canada and abroad. We’ll also see an intensified international dialogue, involving all the players who need to be around the table.

A robust and coherent set of principles and guidelines, adopted around the world, will do much to preserve and promote the privacy rights of Canadians.  I will be working hard to ensure that in the future.
