Protecting Privacy in the Age of Big Data: Change, Challenges and Solutions
Remarks to the Council of Chief Privacy Officers organized by the Conference Board of Canada
January 25, 2011
Assistant Privacy Commissioner of Canada
(Check against delivery)
I find it deliciously ironic that less than a month ago, some commentators, in their year-end review, qualified 2010 as “the year that privacy died.” The reputable Globe and Mail published on December 18 an article entitled “Just watch us,” confusing government secrecy and individual privacy, in the wake of the Wikileaks affair. The inference was that the ideal of transparency was displacing that of privacy.
And yet, 2011 is barely a month old and we already have new stories of people fighting back against perceived intrusions into their privacy, from Facebook users learning of yet new ways in which their personal information can be shared, to holiday travelers coming up close and personal with airport security screening.
Public reaction to these stories shows that privacy remains a deeply held value. That is not to say that contemporary life isn’t putting it to the test.
I am here today to talk about how the OPC is tackling these challenges. First, how some internal organizational changes will position us better to protect privacy in Canada. Second, how some legislative changes impact on our mandate and on the privacy landscape, and finally, how social, technological and policy changes force us to redefine our work — namely, the growing demand from the state for private-sector information gathering, cybersecurity, and the increasing influence of analytics on identity integrity.
I know that you are interested in solutions. My hope is that you leave here today with a clearer picture of the current situation and of what lies ahead, but also with a clearer vision of how you can best position yourselves and your organizations.
I will start my talk on a more practical note, by giving you an overview of the recent reorganization we have effected at the OPC.
Changes at the OPC
As privacy professionals, you are likely very familiar with the Office of the Privacy Commissioner of Canada. As you know, we are responsible for ensuring compliance with the two federal acts that protect the right to privacy in Canada: PIPEDA, the Personal Information Protection and Electronic Documents Act, which applies to federally-regulated private sector entities, and the Privacy Act, which applies to the federal public sector.
We accomplish our mandate through six clearly defined functions:
- Responding to requests for information;
- Receiving and investigating complaints;
- Reviewing privacy impact assessments, or PIAs;
- Auditing the privacy practices of organizations subject to PIPEDA and the Privacy Act;
- Conducting and financing research, public education and awareness activities; and
- Providing advice to Parliament.
We have implemented a significant reorganization within our Office, which we feel better captures the intersection between the public sector and the private sector, and better positions us to improve compliance in the private sector. The first part of this reorganization is to have me serve as a single Assistant Commissioner responsible for both PIPEDA and the Privacy Act.
This internal integration reflects the changing external environment, in which so many technological challenges and public safety pressures apply equally to the public and private sectors.
Consider, for example, that wireless communications pose risks and vulnerabilities to government and business alike. Financial institutions are just as likely as government agencies to be pressed into gathering information for use by law enforcement authorities. And computer analytics are just as useful for public utilities establishing a smart grid, as for companies looking for new insight into their customers’ habits.
Our view is that integration of the public and private spheres at the senior level will lead to greater cohesion and effectiveness. However, at the working level within the organization, we continue to build distinct specialized expertise for each sector.
Another key step we undertook in recent months is the launch of a satellite office in Toronto. The new office, which we officially opened in October, is headed by Robin Gould-Soil, whom many of you will remember from her time as CPO of the TD Bank.
We established an office in the heart of Toronto’s business district, recognizing that several of Canada’s leading companies are headquartered there.
We hope our presence in Toronto will help raise awareness of privacy and strengthen our mutual understanding of the norms and measures necessary to protect privacy in the current business environment.
We also anticipate that this collaborative posture will foster more dialogue, contribute to the early resolution of issues, and lead to better compliance with the law.
As Chief Privacy Officers, you are no doubt interested in legislative changes that will impact the guidance you offer to your organizations. Therefore, I will now give you an update on some of the legislative work that we have been following closely, namely C-29, which would modify PIPEDA, and the recently enacted Fighting Internet and Wireless Spam Act, which we will be enforcing along with the Competition Bureau and the CRTC.
Parliament is currently examining Bill C-29, Safeguarding Canadians’ Personal Information Act, which proposes a series of amendments to PIPEDA. It is complex legislation emerging from Parliament’s initial five-year statutory review of the law, and we are still studying all of its ramifications.
But I can tell you we are very happy with one aspect of it, which relates to mandatory breach notification. As you may know, our Office has worked with the industry to develop voluntary data breach notification guidelines. Issued in 2007, they have helped to ensure that such situations are addressed in a timely and efficient manner.
But we remain persuaded that more action is needed. Under Bill C-29, organizations would be required to report to our Office any “material breach” of security safeguards. This would help ensure that steps are taken to correct or mitigate any damage.
Equally valuable is that, over time, we would be alerted to patterns or trends that require special attention, so that Canadians’ personal information continues to be protected.
Under the legislation, there would also be a duty to notify affected individuals in cases where a breach poses a “real risk of significant harm”—“significant harm” being defined as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.
We feel the legislation takes a reasonable approach in having private-sector organizations make the initial determination as to whether consumers need to be notified of a breach. Our Office would retain the authority to investigate a data breach or recommend to an organization that it notify affected individuals if we feel that’s appropriate.
Meanwhile, we continue to study the implications of other provisions of Bill C‑29. For example, the Bill would add new circumstances under which personal information could be disclosed without consent. Banks, for instance, would be able to provide information about a client to law enforcement authorities, if they have reasonable grounds to believe that the client, such as a senior, may be the victim of financial abuse.
Another provision of Bill C‑29 would establish a new definition of “business contact information” that would be exempt from consent provisions. If C‑29 is adopted, e‑mail addresses, along with phone numbers and mailing addresses, would no longer be classified as personal information, provided they are only used to contact an individual in his or her business or professional capacity.
In other legislative news, you will no doubt have heard that the Fighting Internet and Wireless Spam Act, or FISA, obtained royal assent on December 15, 2010.
More than a mere nuisance, spam and other forms of unwanted electronic intrusion bring with them a variety of online threats such as spyware, malware and phishing attacks. This can expose people to identity theft or other frauds. It can also undermine confidence in the Internet in general, and e-commerce in particular.
We have long called for a national strategy to address serious threats to the digital economy, especially those posed by cybercrime. FISA will better equip us to deal with emerging privacy challenges.
FISA is being enforced by our Office, the CRTC and the Competition Bureau. It reinforces our power to investigate the unauthorized collection of personal information by organizations sending spam. We will have more explicit authority to investigate the use of malware to collect personal data.
The legislation also contains two more generalized changes to the powers of our Office, both of which will help us address evolving privacy challenges.
In particular, we have more explicit authority to share information with other enforcement authorities, both within Canada and abroad—a vital power in this era of global data flows.
We have also acquired greater discretion over which complaints we investigate under PIPEDA. We may refuse to investigate certain complaints if other procedures are reasonably available. We may also drop investigations for various reasons. For instance, there may be insufficient evidence; the issue could have already been investigated following a similar complaint, or be subject to another ongoing investigation; or we could deem the complaint to be trivial or vexatious.
All this will serve to move us away from a complaint-centered approach, while enabling us to focus on more complex investigations and systemic issues.
LOOKING FORWARD: CHALLENGES AND SOLUTIONS
Now that I have given you an update on the goings on down the street at the OPC and next door at Parliament, I will address some of the trends that we feel will have a strong impact on the work of privacy professionals such as yourselves.
Law enforcement and the private sector
I will start with a long-standing concern for our Office, and that relates to the increasing call on private entities for support in public safety and security measures.
Data brokers, communications companies, Internet firms, airlines, financial services institutions and digital device manufacturers are being called upon to provide information to the state in the name of fighting crime and terrorism.
Increasingly, these private entities are being mobilized—drafted, if you will—into collecting personal information and passing it on to the government. In some cases, they are even asked to vet this information and act upon it as proxies.
We understand the reasons for this direction, but we want to ensure that it is accompanied by the safeguards commensurate to the risks to privacy, and that the government does not acquire, through the private sector, more personal information than it is allowed to.
One example of this can be found in Bill C-42, the Strengthening Aviation Security Act, which is presently before the House of Commons.
Canadian airlines already provide US authorities with identity information of all travellers landing in the US. Bill C-42 would extend this requirement to provide information on passengers simply flying through US airspace, as well as any information they may have on the passenger’s travel plans, contact information and so forth.
The stated objective is aviation security, but it’s unclear whether the data could be used for any other purpose. The Privacy Impact Assessment from the Department of Homeland Security regarding the new airline security requirements states that the information may be used for purposes including national security, law enforcement, immigration, intelligence and other “mission-related functions.”
Another example of private-sector mobilization is a package of legislative amendments that would expand the investigative powers available to law enforcement and national security agencies to demand and acquire digital evidence.
Collectively, Bills C-22, C-51 and C-52 would place a significant onus on commercial entities to help law enforcement officials address online crime and the use of new communications technologies for the commission of crimes.
Under C-51 and C-52, telecommunications companies would have to set up the infrastructure to enable investigators to intercept communications with a warrant. What concerns us is that the government would have access to subscriber data without judicial warrant, for any undefined purpose.
While we understand the desire of law enforcement authorities to keep up with “the bad guys,” we have urged Parliament to proceed with caution. Any expanded police power has to be justified as necessary and effective, on the basis of clear evidence and threat analysis. Its impact on privacy must be proportionate to that threat.
And it should be the least privacy-invasive option available. After all, there can be grave consequences for people if erroneous personal information is collected, shared, or used against them.
Expanding the concept of personal information
As technologies evolve, we are also widening our definition of “personal information”. With the emergence of biometrics, genetic information and the virtually limitless capacity to collect and mine data, mash it up and cross-reference it to geolocational information, we clearly have to think of personal information as a whole lot more than names, addresses and phone numbers.
In fact, much of the digital data that exists about you—some say as much as 90%—isn’t the information, messages and photos you consciously post online, but rather generated by surveillance cameras, your credit card transactions, your web browsing history, and so on.
We are less aware of what personal information exists about us, given that most of the time, we’re not aware this information is being generated. The fact is that even if you never post a single word or image on the Internet, you are still leaving an electronic footprint. Today, with surveillance cameras, smartphones and global positioning systems, you create a rich trail of data about your movements, behaviours and preferences.
This has a significant influence on our very identity, because of the power of analytics. Each kernel of data taken in isolation may reveal little. But collated, cross-referenced and analyzed, all the pieces put together can yield an extremely detailed profile. Taken together, this can become your identity.
Analytics — or the use of information technology to make data more telling — opens the door to ethical considerations that were not on society’s radar when PIPEDA was enacted, let alone when the Privacy Act was being drafted.
The Centre for Information Policy Leadership recently presented a white paper entitled Data Protection Law and the Ethical Use of Analytics, which was drafted by Prof. Paul Schwartz of Berkeley University.
After thoroughly examining the general and specific risks that analytics poses to privacy, this white paper establishes a series of ethical standards for using analytics, at every stage: collection; integration and analysis; decision making; and review and revision.
The paper also identifies seven overarching ethical requirements to protect personal information in the context of analytics. They are as follows:
- Legal requirements. An organization should always comply with them in its use of analytics.
- Cultural and social norms. The use of analytics should always take them into account.
- Impact on stakeholders — all stakeholders, be they consumers, businesses or policymakers.
- Accountable processes. These processes should acknowledge the impact on individuals — good and bad — and be supported by adequate internal policies and training.
- Appropriate safeguards. As always, the level of security should always be on par with the sensitivity of the data.
- Sensitivity assessment. If the use of analytics involves sensitive areas, it should be framed by reasonable safeguards.
- Special protection for children. Because they are especially vulnerable, there should be limits to the use of analytics where they are concerned.
A third issue that I would like to highlight today is cybersecurity. As you may know, identity protection, public safety programs and information technologies are three of the priority policy areas we have been focusing on in recent years. Obviously, cybersecurity is at the confluence of these streams.
Cybersecurity is a serious and growing concern. Security problems, particularly cybercrime and cyberespionage, are threatening our private and public e‑infrastructures.
There are a number of factors contributing to this problem. Among them:
- more valuable electronic data being stored and processed;
- ever increasing complexity of computer hardware and software;
- ubiquitous computing devices that are often portable (such as smartphones, tablets and netbooks);
- a failure to use reliable software development methods that ensure security;
- cybercriminals’ skill at exploiting any vulnerability;
- the quasi instantaneous infection of millions of computers with malware; and
- a developing e-crime economy that has perfected methods to convert stolen data into money.
Effective solutions to cybersecurity will require technical developments as well as economic and, perhaps, legislative actions.
The Commissioner has consistently asked for a number of changes by government to address this issue:
- new identity theft legislation;
- a coordinated identity crime strategy;
- anti-spam legislation;
- a mandatory data breach notification regime;
- new international standards on the issue; and
- a coordinated made-in-Canada cybersecurity strategy.
We are making good progress in implementing these solutions. We have already discussed the passage of FISA (the anti-spam legislation), as well as the mandatory data breach provisions under Bill C-29.
We have been actively participating in international standard initiatives under the auspices of international bodies such as the OECD, the ISO and APEC.
For the past several years, along with a call for anti-spam legislation, a national effort on identity theft and mandatory breach notification requirements, our Office has recommended a coordinated strategy on cybersecurity. We were pleased to see the launch of Canada’s Cyber Security Strategy in October 2010.
The strategy itself stands upon three pillars:
- Securing government systems;
- Partnering to secure vital cyber systems outside the federal government; and
- Helping Canadians to be secure online.
Of course, the second pillar will be of particular interest for those of you who are from the private sector: the Government is indeed proposing to support initiatives to secure the systems that ensure Canadians’ safety and prosperity — all the systems. This will call for partnerships with the provincial and territorial governments, but also with the private sector.
The third pillar is the one where we already play a lead role: For years, the OPC has engaged in awareness campaigns, public education and public research to promote digital literacy in Canada, and thus give Canadians the means to protect themselves on the Net. This Data Privacy Day, January 28, we are launching a new campaign around the theme “The Net never forgets”, to raise awareness on the permanency and extent of our digital footprint.
We are looking forward to new opportunities for outreach to small and medium enterprises along with Industry Canada in the context of the Cyber Security Strategy. Our Toronto office is already hard at work to organize a conference on information security in small and medium enterprises, to be held soon before the summer break.
In closing, I would like to place some of the solutions I have proposed into a wider context. At the 32nd International Conference of Data Protection and Privacy Commissioners, which was held last October in Jerusalem, Prime Minister Netanyahu gave a presentation focused on avenues of privacy protection in today’s world where personal information is a most valuable commodity.
In his view, data protection lies in the protection of cyberspace. Protecting cyberspace is essential to protecting the security and prosperity of both governments and individuals. It can be achieved by initiating response measures that cover technology, legislation, education and citizen empowerment.
I returned from the Jerusalem conference with a view that the main risks to privacy for civil society are analytics, public safety measures and the business models of data holders.
I also returned with the sense that the most promising solutions are PIAs, an empirical approach to assessing “necessity” for personal information, an open dialogue with the business world to incorporate privacy to new business models, and a healthy competition, so to speak, among governments and businesses, for the highest standards of privacy protection. Whether a political party against another or a company compared to another, respect for privacy must be a competitive advantage.
Public education is key to this dynamic and a central component of our mandate. We firmly believe that public education is part of the solution. We are taking steps to leverage the successes we have achieved and the lessons we have learned in recent years into new public education initiatives, many of them in partnership with public organizations.
Like anything of value, privacy is constantly under threat. It must be safeguarded with vigour, vigilance and care.