Influencing Good Privacy Decisions: Current privacy issues affecting multinational companies
Remarks at the Association of Canadian General Counsel Meeting:
50th Anniversary Celebrations
May 27, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Thank you for your kind introduction. I welcome the opportunity to join you for this 50th anniversary celebration, and to offer my perspective on some of the current privacy issues affecting multinational companies operating in Canada.
Before I do, allow me to applaud your association for recognizing the importance of protecting private information. I was pleased to see that my invitation included a link to IBM Canada’s online privacy education site. I know that many of your member firms are at the forefront of promoting privacy protection.
I’m the first to concede that safeguarding Canadians’ personal data is a challenge when technological innovations are coming at us at warp speed.
When the Personal Information Protection and Electronic Documents Act became law in 2001, tweeting was something that birds did, and social networking meant meeting people in bars. Mobile phones, for the most part, were used to make phone calls….
The fact is that the online revolution has made personal information a sizzling hot commodity. The business world knows it. Governments, including regulators, know it. So do identity thieves and fraudsters.
Ordinary people, however, haven’t fully grasped the whole picture.
They generally assume that whatever personal information they elect to provide online is kept confidential. They don’t expect their personal data will be collected, collated, analyzed and sold to the highest bidder.
Nor do they get that up to 90 percent of the digital data that exists about them is not the stuff they post about themselves. It’s their digital shadow, the billowing cloud of bits and bytes that emerge from their web browsing history, their credit card transactions and so forth.
Many Canadians don’t know what’s happening behind their computer or mobile phone screens, let alone consent to it. So they are understandably dismayed when something as simple as playing a video game puts their personal information at risk.
As you may know, we conducted some groundbreaking public consultations last year on the emerging technologies and business models that will have the greatest impact on the privacy of Canadians.
We looked at online tracking, profiling and targeting, and cloud computing. The most frequent issue we encountered was the blurring of public and private lives, and the effect this has on people’s reputations.
We heard particular concerns about children online. Children of all ages increasingly have a digital presence and their personal information needs to be protected. We were told that privacy needs to be part of digital literacy or digital citizenship strategies.
At any age, though, it’s unreasonable to expect people to understand the privacy implications of all of the online products and services they use. They can’t consent to them in any meaningful way, without a strong baseline of privacy protection.
And so, organizations that track the online activities of Canadians must be more upfront about their practices.
They should collect personal information only for reasonable and appropriate purposes, and with the consent of the affected individuals. They also should restrict the use of the data to the stated purposes, and develop technical measures to prevent the indefinite storage of personal information.
We heard a lot of discussion about the challenges individuals face when online data about them is retained permanently. This is why the Europeans are discussing the “right to be forgotten” – or the right of individuals to have their data fully removed when it is no longer needed for the purposes for which it was collected.
The fact that we’re dealing with entirely new business models online adds another layer of complexity to the whole privacy issue.
In that context, our consultations concluded there is a need for strong standards to ensure the security of personal information stored or processed on cloud servers, given that these companies often operate in multiple jurisdictions with varying levels of information security.
So that is the backdrop in which we operate. Personal information has become a commodity. And finding ways to monetize our information has become a big business.
As a regulator, I would say that most major companies here in Canada are generally committed to meeting their obligations under the privacy laws.
Even so, I have to confess to concerns about how some of them are operating in this world of borderless communications.
Marty Abrams of the Centre for Information Policy Leadership has dubbed such players “edge riders.” An edge rider would be…
“… a company that rides absolutely on the regulatory and ethical edge. What they do is not black enough to spark a regulatory challenge, but verging towards the grey enough that they change the nature of the market. They force other companies to move the parameters in which we manage our business operations.”
More often than we’d like, we’ve seen cases where significant organizations, with international reach, have launched online products and services with insufficient regard for our privacy laws. Some companies, it seems, appear content to let the innovators innovate, and leave the cleaning up to the lawyers after the fact.
And that’s just not good enough.
We need companies to step up. We need them to show accountability for their privacy practices, for the way they collect, use, disclose and retain personal information.
The notion of accountability means that an organization does more than merely comply with legal requirements. It has to take responsibility for the personal information that customers and clients entrust to its care. It has to demonstrate that privacy considerations are built into business decisions and that people’s privacy rights are being respected.
Accountability is a central tenet in PIPEDA, making Canada a pioneer in this area. And other countries are increasingly stepping aboard.
The European Data Protection Supervisor, for instance, has explicitly requested the insertion of an accountability principle in the EU’s legal framework and the same thing is happening in New Zealand.
In the United States, the Department of Commerce’s Green Paper on Internet privacy, released last December, contains numerous references to accountability, including the development of verifiable evaluation and accountability programs.
Indeed, the principle of accountability raises a range of possibilities – from self-assessment processes, to internal audits, to third-party evaluations and validation.
Good business practices
And I suggest to you that it is very much in the business community’s interests to develop robust internal privacy compliance processes.
A good track record instills public trust in a company’s products and services. That, in turn can translate into a competitive advantage.
Making privacy protection a standard operating procedure is, moreover, substantially less costly than the alternative.
Consider, for example, that a payment card data breach a couple of years ago at retail giant TJX, which owns Winners and HomeSense stores in Canada, was estimated to have cost the company in the tens of millions, when you tote up the fines, legal fees, notification expenses and injury to the brand.
More recently we saw the Sony PlayStation Network breach, in which the accounts of hundreds of thousands of Canadians, and more than 100 million users around the world, were hacked. In the days following the incident, shares of Sony – and, indeed, other companies that specialize in cloud computing – took a hit.
While Sony has been active in mitigating the damage stemming from this breach, I was very disappointed that the company did not proactively notify my Office.
As you may know, before the federal election campaign, Parliament was considering legislation to create a requirement for private-sector organizations to report significant breaches to my Office and affected individuals.
With the election over, I am writing to Industry Minister Christian Paradis to request that implementing a mandatory breach notification requirement be made a priority. I would also like to see the requirement bolstered with significant monetary consequences for organizations that fail to meet their legal obligations.
But again, that’s just part of the picture.
As a regulator observing the frequency and scale of some data breaches in recent years, I have come to the conclusion that too many companies are still collecting more personal information than they are able to effectively protect.
And I’ve further concluded that other mechanisms are needed to make companies sit up and take notice.
One compliance incentive advanced by privacy advocates is the naming of the organizations we investigate.
As you know, PIPEDA permits me to name organizations where it is in the public interest. In the early days of the legislation, we chose to take a conservative approach to public interest naming to respect the confidential ombudsman process and to allow organizations and my Office time to learn through experience how the law should be interpreted and applied.
A decade has now passed since the law was enacted and the honeymoon is over.
Organizations today should be well aware of their responsibilities and obligations under PIPEDA and of the role of my Office.
Canadians expect and deserve to make informed choices about the commercial transactions they enter into. It’s a complex world and people need to be properly educated about the impacts of emerging information technologies, in order to make better sense of how their personal information is being used.
There is a significant public interest in the creation of a marketplace in which organizations are accountable for their privacy practices and individuals understand the privacy implications of their choices.
The time has come to be more open and transparent about organizations’ privacy practices and lessons learned – where it is warranted in the public interest.
The notion of accountability shifts the onus for privacy where it properly rests: with the organizations that collect – and profit from – people’s personal information. Regulators are coming up with interesting ways to make sure that words and good intentions turn into actions and good deeds.
For example, I was intrigued by the US Federal Trade Commission’s recent settlement with Google, which requires the company to submit to regular, independent privacy audits once every two years for the next 20 years.
This approach certainly speaks to the principle of corporate accountability. But, from a practical standpoint, it also addresses the increasing complexity of organizations’ personal information management systems. Given the scope and nature of current privacy challenges, it is becoming untenable for regulators to apply the specialized expertise, significant resources, and close oversight necessary to ensure compliance with the law in every case.
Indeed, until now, we’ve tended to take organizations at their word when we find them violating the privacy law, provided they promise to take certain corrective actions.
Even if our investigation upholds a complaint as well founded, our practice has been to accept such undertakings and deem the matter “resolved.”
And yet, I have become concerned, in some cases, to hear nothing back from organizations… or worse, to see problems recurring – problems that I would have expected to see corrected on the basis of what the company promised.
Again, we’re not satisfied by words; we want deeds.
In the not-too-distant future, you’ll start to see us applying a new approach to accountability, where we find that an organization has mishandled personal information.
Going forward, I will be expecting organizations that I have found in violation of PIPEDA to not only comply fully with my recommendations, but to prove that they have done so.
In appropriate cases, for instance, I will expect them to file independent, third-party reports, attesting to the fact that they have indeed lived up to the commitments they have made – to me as the regulator, and to the Canadians whose personal information they have misused.
The onus must be on them. That is a fundamental principle of corporate accountability.
And with that onus comes the associated cost. Any compliance certification by a reputable third party is going to cost money, and that inevitably helps focus the minds of corporate leaders.
Indeed, if an organization has committed a serious violation of our act, it’s not fair to ask Canadian taxpayers to pick up the tab so that my Office can chase after it to verify compliance. The organization should rightfully invest its own resources in order to demonstrate its compliance with the privacy law.
In conclusion, I want to say that, for the average Canadian, the sale, purchase and processing of their personal information is a completely hidden world. Few fully understand how their personal information has become a commodity, for sale to the highest bidder.
That’s why it’s up to individual companies to step up. To respect our country’s private-sector privacy laws, and to do so in a transparent and accountable way.
You, as the legal leaders, have a vital role to play in this regard. With your direct pipeline to CEOs, you can influence decision making at the top.
Innovation is essential for industry to thrive. Good privacy practices support innovation because they help build consumer trust.
We need to ensure that Canadians continue to enjoy strong privacy protection, while also taking advantage of emerging technologies.
I look forward to exploring with you how best to advance this goal.