Panel Presentation: Privacy and Personal Data Protection: The perspective from the Privacy Commissioner as an Authority in North America

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Ecommerce Day 2011

November 4, 2011
Mexico City, Mexico

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good afternoon, I’m very pleased to be taking part in this Ecommerce day.

I’ve been asked to discuss my experience in Canada and internationally as a Privacy Commissioner. Given that I am sharing a platform with my colleagues from the United States and Mexico, it’s natural to also stress the North American context.

Our three countries already have a good track record of co-operation on matters like trade and security. It makes sense that we should work closely together to protect the personal information of our respective citizens.

Doing so will promote and encourage electronic commerce by giving consumers confidence that their privacy is respected, both inside national borders and internationally.

I’d like to offer a quick overview of the Canadian approach to privacy protection and briefly discuss how it compares to approaches elsewhere, including the United States and Mexico.

Before closing, I’ll relate those approaches back to what I’m calling the brave new world of ecommerce.

Canadian Overview

Canada’s law covering personal information in federal departments and agencies – the Privacy Act – has been around for more than a quarter century.

The relative newcomer is the Personal Information Protection and Electronic Documents Act, which is better known as PIPEDA. It came into full force only in 2004. PIPEDA is based on 10 principles of fair information practice which follow the principles set out by the OECD guidelines on data protection.

PIPEDA applies to organizations engaged in commercial activities anywhere in Canada, although a provision in the federal law permits provinces to pass their own substantially similar private-sector privacy laws and three provinces have done so. Even in those three provinces, PIPEDA applies when personal information is moved across borders, either between provinces or internationally.

Different Approaches

The bottom line is that Canada effectively enjoys omnibus private-sector legislation which covers all aspects of personal information.

We have avoided the U.S. challenge of competing federal and state laws.

That’s not the only distinguishing aspect of the Canadian approach.

We don’t have a requirement for entities that collect personal information to register with my Office – unlike in Mexico under the Ley federal de protección de datos personales en posesión de los particulares.

Another difference: Many countries have a privacy enforcement body that can impose fines – or what the FTC calls “settlements”. In Canada, the Privacy Commissioner does not have the power to impose fines or issue orders – although I am increasingly of the opinion that stronger enforcement powers would be a helpful incentive for compliance.

I would never suggest that Canada’s approach – or any country’s – is preferable to another’s.

We recognize, for instance, the value of setting out specific penalties for privacy violations in Mexico’s legislation.

And we’d like to emulate you, and others, with mandatory breach notification, which has been proposed in amendments now before the Canadian Parliament.

Nor am I proposing a standardized global approach to protecting privacy. The result matters, not the means.

Working Collectively

What we do need is a basic level of protection for personal information that spans the globe. To accomplish this, we must work collectively on privacy and security issues. And we are making progress on that front.

A bilateral example: my Office supported the FTC in successful legal proceedings over a website operated by a U.S.-based company which advertised and sold confidential consumer telephone records to third parties without the consent of the consumers.

A regional example: I and my fellow panellists come from three ‘member economies’ in APEC, a body that has been making progress on a standard for cross-border privacy rules in a region with diverse cultures and vastly differing economies.

An international example: In April of last year, we saw an unprecedented collaboration by the privacy guardians from 10 countries – Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom.

Collectively, we wrote a letter to the CEO of Google expressing deep concern about his company’s privacy practices, particularly in relation to the launch of Google Buzz.

Issues such as the launch of Buzz and the long-running tussle with Facebook indicate how much the world of privacy protection has changed since PIPEDA came into force.

They also demonstrate the challenges currently facing the ecommerce community.

Evolving Issues

In the early years of PIPEDA, we were dealing largely with complaints against brick-and-mortar operations such as banks and insurance companies.

The belief then was that electronic commerce would be people spending a few minutes online doing banking or shopping. This was the old privacy world, where the commercial organization defined how much personal information they needed from you and justified why they needed it.

Today we are struggling with the far more challenging information exchanges.

If ecommerce also includes making money through Internet transactions, then ecommerce is now dominated by social networks, photo sharing sites, online dating, news aggregators, discount coupon networks … even geneology sites.

Mostly these websites sell eyeballs to advertisers. They also engage in extensive behavioural tracking.

The original ecommerce model has been stood on its head.

Now, the individual decides how much to disclose, while the commercial organization provides an alluring platform.

The result is a blurring of the personal self and the commercial self.

The fundamental question – is it possible to protect personal privacy in a world where some people almost live their entire lives online, from cradle to grave?

An example. I live and work in Ottawa, the capital of Canada.

Last month, a woman in an Ottawa suburb live-streamed the home birth of her baby son via the Internet. Possibly 2,500 people watched – from as far away as Afghanistan.

When he grows up, that boy may well choose his mate online. A recent survey estimated that one in five relationships in Canada and the U.S. begin online.

And so it goes….

At the same time, however, there’s more and more evidence that people are sharing a lot more online than they realize.

Just weeks ago, a study carried out at Stanford University of the top 185 high-traffic websites found that three in five shared a consumer’s name or user ID with another site. In many cases, this practice was in direct violation of the explicit data privacy policies of the initial website.

Such findings should greatly concern anyone involved in ecommerce.

Conclusion

Consumers are increasingly demanding assurances that their personal information is protected when they engage in electronic commerce.

Of course, this applies to the more traditonal kinds of ecommerce, such as buying retail goods and services online. But the non-traditional kinds of electronic commerce, such as social networks, have also been feeling the heat.

The solution lies in assuring consumers that their personal information will be protected both within their own country and when it travels beyond their national borders.

Date modified: