The Evolution of Privacy in an Online World

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Women’s Executive Network, Breakfast Series

May 17, 2011
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good morning. I’d like to start off by thanking the Women’s Executive Network for inviting me – and especially for finding a new date when the federal election campaign forced me to re–schedule. It’s an honour to be here to speak with so many energetic women.

I’ve been asked to share some thoughts with you this morning on the evolution of privacy in a digital world.

This is an area of deep interest to my Office.

New research shows that Canadians are the biggest Internet users on the planet. We spend an average of 43–and–a–half hours online every month – almost twice the global average.  We are also among the world’s most enthusiastic online social networkers. Roughly one in two Canadians are on Facebook.

The Internet is where we go to check the weather, arrange travel, chase after romance, shop, pay bills and taxes, watch videos, play games, hunt for information on products and services, and interact with friends, family and complete strangers.

All of those online activities leave behind a trail of personal data.

It’s clear that if I want to remain relevant as Canada’s privacy guardian, the online world is where my Office must be focusing its attention.

But protecting privacy rights in this environment can be a little daunting at times.

Privacy Landscape

Allow me to quickly give you a sense of what we’re up against….

The amount of data we must protect is increasing at a staggering rate. Experts say worldwide data volumes are doubling every two years.

At the same time, advances in information and communications technologies have made it exponentially cheaper and faster to collect, share, process and save all of that data.

And while Canadians are sophisticated when it comes to online skills, I worry that we’re lagging a bit when it comes to privacy literacy in the context of the digital world.

For example, most Canadians don’t know what’s happening behind their computer screens when they go online – how each click of their mouse is tracked, analyzed and stored.

No wonder – it’s very difficult to keep up with what’s happening given the absolutely staggering rate of change in the online world.

When I took over as Privacy Commissioner a little over seven years ago, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, nor Foursquare. And these services are constantly evolving as well – one of our biggest challenges during our Facebook investigation a couple of years ago was keeping up with the non–stop changes to the site!

As a data protection regulator in a relatively small country, we must now enforce Canada’s privacy law in a global environment. Increasingly, we are receiving complaints about online corporations based outside of Canada.

You can see there are many challenges to protecting privacy in the digital era!

OPC 101

Some of you may not be very familiar with my Office, so a quick overview might be helpful. Our mandate is to oversee compliance with two privacy laws. The Privacy Act covers the personal information handling of federal government departments and agencies. The Personal Information Protection and Electronic Documents Act PIPEDA – governs the private sector.

Both pieces of legislation set out ground rules for the collection, use, and disclosure of personal information.

As Privacy Commissioner, I can investigate complaints, conduct audits and pursue court action. I can publicly report on the personal information–handling practices of public and private sector organizations.

My Office supports and undertakes research into a broad range of privacy issues. And we also also promote public awareness and understanding of privacy issues – with a big focus on educating younger Canadians about online privacy.

Over the last few years, we’ve seen dramatic growth in issues and investigations dealing with new technologies, particularly in the online world. I don’t expect this trend to change any time soon.

You may be aware of some of the more high–profile recent investigations that my Office has undertaken.

We were the first data–protection authority in the world to conduct of comprehensive investigation of Facebook’s privacy policies and practices.

In response to our recommendations, the company implemented significant improvements that benefitted users around the globe.  However, our work with the company is not over – we have received further complaints about issues that weren’t part of our first investigation and we’re working on those.

We’ve also investigated that other online giant, Google.

You’ll recall the revelation that Google’s Street View cars collected not just photographs for its street–level imaging service, but also data transmitted over unsecured wireless networks in homes and businesses.

Despite Google’s attempts to downplay the extent of the data collected, our investigation found that the information included highly sensitive personal information such as e–mails, user names and passwords, and even a list of the names, phone numbers and addresses of people suffering from certain medical conditions. It is likely that thousands of Canadians were affected.

We made a series of recommendations to Google and have received the company’s response. We are currently finalizing our investigation conclusions and will be making those conclusions public in the next couple of weeks.

We’ll also be in a position in the near future to share our findings into a few other online investigations. We’ve finished an investigation into an online dating service and we’re in the final stages of an investigation of another social networking site.

These are critical issues. According to a statistic highlighted in the Harper’s magazine Index a few months back, one in four new couples first meet online. That’s pretty astonishing!

With so many Canadians living their lives online, we must ensure that their privacy rights are respected and protected in that still relatively new environment.

Enforcement Powers

Rapid technological change is prompting some soul searching about my Office’s structure and role as a data protection authority.

Should we continue down our current path, which emphasizes my role as an ombudsman? Or should we suggest to Parliament that we need stronger enforcement powers?

Canada has become one of the few major countries where the privacy regulator lacks the ability to issue orders and impose fines.

The privacy world has changed – and our laws need to keep up.

One of the trends that deeply concerns me is the string of ever–bigger data breaches that we’re seeing.

Only in the last few weeks, Sony revealed that it had been attacked by hackers who obtained the names, addresses, email addresses, birth dates, usernames, passwords, logins, security questions and what Sony says was encrypted credit card data from 77 million PlayStation Network accounts.

The incident has affected people around the globe, including hundreds of thousands of Canadians. I’ve had parents approach me at public events to tell me how concerned they are because their kids had been using their credit cards to play games. They’re understandably worried.

Sony has been cooperative with my Office and we’re pleased that the company has undertaken a number of proactive measures such as shutting down systems and launching a forensic audit. Over the last few years, we’ve seen many huge data breaches as technological advancements have paved the way for companies to collect more personal information than they are able to effectively protect.

I believe it’s time to begin imposing fines – significant, attention–getting fines – on companies when poor privacy and security practices lead to breaches. The only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance.

It’s been a decade since our private–sector law came into force and since then, privacy advocates around the world are re–thinking how to make organizations show they are accountable.

At the moment, there is no simple mechanism for my Office to check compliance, unless we get a complaint. However, there are too many organizations collecting too much personal information for us to rely solely on a complaints–based system.

A mandated Parliamentary review of the legislation is expected to take place later this year and all of these issues will undoubtedly be part of that discussion.

Anti–spam Legislation

I also wanted to touch on a new law in Canada that will help safeguard privacy.

Anti–spam legislation is expected to come into force at the end of this year.

A key element of the law is that organizations that send commercial e–mail, text messages and other forms of electronic communication will have to obtain recipients’ consent. The only exceptions are for friends, family, and existing business contacts.

My Office will share enforcement responsibilities with the CRTC and the federal Competition Bureau.

Our focus will be on two areas: The collection of personal information through illicit access to other people’s computer systems as well as electronic address harvesting, where bulk e–mail lists are collected by mining the Internet.

The CRTC will be responsible for investigating complaints about unsolicited commercial electronic messages and the installation of software without consent, while the Competition Bureau will focus on false or misleading representations in electronic messages.

I think that the business community can prepare for the legislation by proactively building privacy rights into procedures and practices. There will be, among other things, requirements for up–to–date contact information on all electronic correspondence and “unsubscribe” buttons that are easy for recipients to locate and use.

This is an important step forward that will bring Canada in line with several other countries that have had anti–spam laws on their books for some time.

Youth Privacy

I’d like to turn now to a topic that is near and dear to my heart as a privacy advocate and as a mother – youth online privacy. It’s likely a subject of growing interest to you as parents and as bosses.

We keep hearing the message that privacy is pretty much dead in the face of a younger generation of digital exhibitionists.

That’s simply not true. Yes, concepts of privacy are clearly evolving, but study after study shows that young people do care about their privacy.

What we hear when we go out to speak in schools, is that young people want to protect their online reputations, but many of them just don’t know how.  They ask us how to control who sees what is in their online profiles. They want to know how to block unwanted contact on social networking sites, and how to learn what others are posting about them.

Many are eager to find out how to permanently delete personal information, such as old responses to online quizzes that they no longer want circulating around the Internet, and items they wish they hadn’t posted in the first place.

And then there’s the ever–popular query about blocking Mom or Dad’s persistent “friend” requests on Facebook!

Our polling of young people also underscores that privacy remains a deeply held value.

And yet we keep seeing younger Canadians running into privacy pitfalls online. Why?

Part of the explanation is that young people are generally among the most enthusiastic users of online technologies. They are quick to try new applications – sometimes before all the privacy kinks have been identified and ironed out.

Another major factor is that young people tend to think that their online space is private and only their friends will see the content.  They don’t think about how the messages they send or post today could turn up to haunt them years in the future.

We’ve all heard stories about young people getting into trouble at school or at work because of something that’s been posted online. The Macmillan English dictionary has officially recognized the word “dooced” – being fired because of something you’ve put in an Internet blog.

Some interesting research at Ryerson University a few years ago showed a “digital divide” between how different generations in the workplace view online privacy. Young workers felt that personal information is private – as long as it is limited to their social network. Managers, on the other hand, believed that information posted online is public and deserves no protection.

How do we bridge this gap?

My Office is working hard to promote online privacy for young people, through our youth website, our blog, YouTube, video contests and by offering teaching materials to schools.

But there is also an urgent need for more parents, teachers – as well as managers who work with people just entering the workforce – to spend more time talking with young people about online privacy.

The online world has developed so rapidly that we haven’t had time to develop – and adopt – appropriate rules of engagement.

As parents, I urge you to keep up with the technologies and online services that your kids are using. Talk with them about what they’re doing and how they are sharing their personal information – and perhaps even your personal information!

Emphasize concepts such as Think Before You Click; and the fact that the Internet never forgets – as well as your own values about what is acceptable behavior online.

Many of you likely manage young people. You can help these employees to stay out of trouble – for their own good as well as for the good of your organization – by ensuring that they understand the potential workplace consequences of what they do on the Internet.

Organizations need to have clear and specific guidelines about their expectations regarding employees’ behaviour online. They should also be transparent about how they will monitor employees’ online behaviour.

I’m pleased to see that many organizations are developing guidelines. The key now is to ensure that employees know about them!

The organizers of this breakfast requested that I offer an “inspiring message” today. It’s a bit early in the morning to be truly inspirational, but I do hope to inspire you to talk about privacy issues with the younger people in your lives.

Conclusion

People have said that the concept of online privacy is an oxymoron or a lost cause.  I disagree. Rather, I expect that as the online world evolves, Canadians will become more informed and increasingly cautious about protecting their privacy.

I believe my role is to make people aware of the privacy risks, offer suggestions on how to manage those risks, and make it as easy as possible for them to do so.

We are certainly not standing in the way of innovation. Or fun.  We believe that there is a way for online technology and privacy to become “friends” – or at least respectfully co–exist.

Thank you.  I welcome your questions . . .

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: