Privacy and the Information and Communications Revolution
Remarks at the Canada 3.0 Conference, organized by Canadian Digital Media Network
May 4, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I would like to focus my remarks this morning on how the information and communications revolution of the last two decades is having a profound impact on privacy.
Over the past 20 years, advances in information and communications technologies have made it exponentially cheaper and faster to collect, create, share, process and store information.
This has resulted in a data explosion, with experts estimating that worldwide data volumes are currently doubling every two years.
Within all of these mountains of data is a lot of personal information.
It’s not just the volume of data that is creating new privacy challenges; the ease with which massive amounts of information can be widely disseminated also creates significant risks for our privacy.
While there are many upsides to this ability to share data, it seems to me that we – and by “we” I mean individuals, government and business – haven’t fully figured out how to properly apply filters and safeguards that will ensure privacy is protected and respected.
Transparency and Wikileaks
Wikileaks is a case in point. Wikileaks is possible because (1) government departments have so much information in a digital format and (2) it is so difficult to protect all of that information.
I have significant concerns about the Wikileaks style of openness. In dumping vast amounts of information onto the Internet, you aren’t ensuring that proper consideration is given to privacy – or other very legitimate reasons to keep information secret.
When you have wholesale publishing of data, there’s a real danger of harm – and certainly a grave risk for people’s privacy rights.
Allow me to stress that advocating privacy is not the same as favouring government secrecy.
Indeed, I strongly support the idea of open government. I advocated for it while I headed Québec’s access to information commission and, at my last meeting with provincial and territorial counterparts, I supported a resolution urging governments to embrace open government principles to enhance transparency and accountability.
Openness builds trust between citizens and their government – a critical element of any democratic society.
Innovation, Profits and Personal Information
Information technologies have created various types of new risks for personal information as well.
I’d like to touch on a couple today.
We’re seeing more and more technological innovation that involves the collection and use of personal information – and it’s not always clear that users have been properly informed of, or understand, the consequences for their privacy.
Online tracking, profiling and targeting is a case in point. Many Canadians don’t know what’s happening behind their computer screens, let alone agree to it.
Children – who are going online at younger and younger ages – are even less likely to understand. This issue was one that we explored during public consultations over the last year. Our final report on the consultations will be available on our website later this week.
It seems to me that privacy is being put in peril by the race for profits – sometimes euphemistically referred to as innovation.
Personal information has become a commodity – one that is often shown far too little respect.
And finding ways to monetize our information has become a big business.
Meanwhile, individuals have little understanding of how their information is being used, analyzed and collected. Meaningful consent – a fundamental privacy principle – is impossible in this context.
Here in Canada, I would argue that – for the most part – larger organizations in the bricks and mortar world are thinking about their privacy obligations as they develop new products and services.
Unfortunately, this has not always been the case in the online context – and the result has been some disastrous cases of privacy gone wrong. Too often, we see organizations, often based outside of Canada, launching online products and services with little thought to respecting our privacy laws.
Some organizations, it would seem, have been content to let the innovators innovate and have the lawyers mop up after the fact. One might call this approach caveat emptor innovation. This must change.
In spite of the fact that – for well over a decade now – some of my commissioner colleagues have been talking to corporations about the need to consistently build privacy in at the inception stage of new products and services, this concept has not been widely adopted in any meaningful fashion.
We saw the kind of privacy disaster that can result from too little thought being devoted to privacy at the development stage of an initiative in the infamous case of Google Buzz.
You’ll recall how Google created this social network by taking its Gmail service – a private, one-to-one, web-based e-mail service – and automatically assigning users a network of “followers” from among people with whom they corresponded most often on Gmail. In many cases, this list of followers was made public.
Not surprisingly, people were outraged. The rollout of a product with such significant privacy flaws betrayed a disappointing disregard for fundamental privacy norms and laws.
Data protection authorities around the world were shocked. Ten of us jointly wrote to Google to remind it of the need to respect the laws of the countries in which they launch their products.
To its credit, Google was quick to apologize and introduce changes to address the widespread criticism.
But the point is that the entire debacle could have been avoided by thinking about privacy at the front end.
In our joint letter, we called on all organizations entrusted with people’s personal information to incorporate fundamental privacy principles directly into the design of new online services.
That means, at a minimum:
- collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
- providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
- creating privacy-protective default settings;
- ensuring that privacy control settings are prominent and easy to use;
- ensuring that all personal data is adequately protected, and
- giving people simple procedures for deleting their accounts and honouring their requests in a timely way.
These are not particularly difficult principles to apply. They are a reasonable and respectful approach to handling personal information.
I was intrigued by the U.S. Federal Trade Commission’s recently announced settlement with Google in the Buzz affair. Under the terms of this agreement, Google is required to implement a comprehensive privacy program and to submit to regular, independent privacy audits for the next 20 years.
Hopefully, those measures will prompt a major re-think of how privacy is integrated into product development at Google in the future and that we will see far greater accountability within the organization.
My Office believes that independent privacy audits could be helpful in appropriate cases as a way of allowing organizations to demonstrate they are complying with their privacy obligations.
I don’t wish to paint an entirely bleak picture of the situation.
Some companies have developed very robust internal privacy compliance processes. For example, I have been impressed by Hewlett Packard, which has developed an Accountability Model Tool that prompts HP employees to think about the privacy implications of specific programs to ensure that they are consistent with users’ expectations; are fully transparent; and meet fundamental privacy principles. This model is based on the same fair information principles that underlie Canada’s private-sector privacy law.
Privacy protection does not stand in the way of real innovation. In fact, the knowledge that their personal information will be protected and respected could actually encourage people to choose certain products or services over others.
I’d also like to talk about another risk that is of growing concern to my Office – the increasing threat that hackers pose to personal information.
This is a risk common to both public and private sector organizations.
Earlier this year, for example, the Department of Finance and Treasury Board were hit by a cyber attack linked to Chinese IP addresses. Other departments have also been hit by hackers.
On the private-sector side, we have seen an alarming trend towards ever-bigger data breaches.
Only last week, Sony revealed that it had been attacked by hackers who obtained the names, addresses, email addresses, birth dates, usernames, passwords, logins, security questions and what Sony says was encrypted credit card data from 77 million PlayStation Network accounts. The incident has affected people around the globe, including hundreds of thousands of Canadians.
I was very disappointed that Sony did not proactively notify my Office of the breach.
However, since my Office contacted Sony, the company has been very cooperative. We are also pleased that the company has undertaken a number of proactive measures, including limiting damage by shutting down systems, launching a forensic audit and notifying users.
Still, I remain deeply troubled by the large number of major breaches we are seeing. Too many companies are collecting more personal information than they are able to effectively protect.
What do we do to correct this dangerous situation?
It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.
I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance.
We’ve seen a number of other countries moving to impose substantial fines.
In the United Kingdom, for example, my colleague, Information Commissioner Christopher Graham, recently used his powers to impose monetary penalties to send a strong message about serious breaches of the UK’s Data Protection Act.
For example, a county council was ordered to pay 100,000 pounds – roughly $157,000 Canadian – for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients.
Our French counterpart, meanwhile, issued a record-setting fine of 100,000 Euros (over $140,000 Canadian) against Google after the WiFi debacle.
Before the federal election campaign, the Canadian Parliament was considering legislation to create a requirement for private-sector organizations to report significant breaches to my Office and affected individuals.
With the election over, one of my top priorities is to write to Industry Canada to recommend that we bolster the previously introduced data breach legislation to include fines in certain cases.
Before closing, I wanted to quickly mention that my Office, along with the Privacy Commissioners of Alberta and British Columbia, just yesterday launched a new online tool that will help businesses better safeguard the personal information of customers and employees.
The tool, which you’ll be able to find on our website, is a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law.
As you can see, the information and communications revolution is giving us plenty to think about in terms of how to ensure that Canada maintains its tradition of leadership in privacy protection.
The next few years promise to be extremely interesting.
Thank you – I am looking forward to a thought-provoking dialogue on these and other issues.