A “Professional Citizen’s” Guide to Privacy in a Rapidly Changing World

Remarks to the Students in Masters of Public Administration, School of Policy Studies, Queen’s University

January 12, 2012
Kingston, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good afternoon. It’s a pleasure to be here. My Office has a long-standing relationship with Queen’s and the Surveillance Studies Centre.

We’ve been extremely impressed by the ground-breaking research being done here at Queen’s on areas such as privacy and national security, camera surveillance and location technologies. Since 2004, my Office has awarded Queen’s researchers over $200,000 through our Contributions Program.

I understand that one of Professor Elder’s objectives is that students graduating from the Master of Public Administration program have learned how to be "professional citizens." This is a highly commendable goal – and one with particular relevance for those involved in public administration.

With this in mind, I thought it might be appropriate to speak with you this afternoon about becoming “professional citizens” in protecting privacy.

For me, a “professional citizen” is someone knowledgeable about his or her rights and responsibilities as a citizen. In the context of privacy, it means understanding how the laws protect our rights, but also understanding how to be vigilant in protecting our privacy.

To deal with something so all-encompassing requires touching briefly on a few areas: the mandate and role of my Office and our work in the online realm. In terms of the digital, I’ll focus on the “saga” of Facebook, as well as a topic likely of special relevance to this audience, social networking and the workplace.

Information Control

It’s unlikely that anyone here really wants or expects to be invisible in an information age, but it is likely that all of you cherish your privacy. More precisely, you cherish your control over your personal information.

Canadians understand that privacy is something they can opt to relinquish. They can – and often do – choose to reveal personal things about themselves, such as on social networking sites like Facebook. (Sometimes things they later regret revealing!)

But they do not appreciate any organization simply helping itself to their personal information, without their knowledge and consent.

To sum up, the right to privacy is the right to control the disclosure and use of your personal information. And no one – even those who chose to share intimate details online – wants to relinquish this control.

Control over our personal information protects us from intrusions on our person. It allows intimacy and facilitates freedom of expression and thought. It protects our reputation. In short, it allows us to protect our place, our sense of self, in our social environment.

At the end of the day, privacy is the space we need in order to exercise our other freedoms and civil rights.

Role of the OPC

So, how does this all work in practice?

Parliament has tasked my Office with the mission of protecting and promoting the privacy rights of Canadians. Our formal mandate is to enforce Canada’s two federal privacy laws:

  • The Privacy Act imposes obligations on some 250 federal government departments and agencies.
  • The Personal Information Protection and Electronic Documents Act – better-known as PIPEDA – covers the private sector.

This is an enormous – but exciting – challenge given how rapidly the privacy landscape is evolving. I have been Commissioner for eight years and the change that has occurred in this short period of time is astonishing.

On the public sector side, the rationale of safety and national security has been used – in Canada and elsewhere – to justify a dramatic expansion in the amount of personal information that is collected, analyzed and shared.

In the private sector, our personal information has become an increasingly hot commodity for many organizations that use it in order to try to sell us more of their services and products.

The fact that the online world has become so central to our daily lives has exacerbated the privacy concerns related to this trend. There is more and more personal data being created and that is moving about the globe – and all that data needs to be protected!

My Office has a number of tools available to help it fulfill its mission to protect the privacy rights of Canadians. These include investigations, court action, audits and reviews of privacy impact assessments.

The “professional citizen” needs to be familiar with them.

Investigations

An investigation may be launched as a result of a complaint, or I can launch a Commissioner-initiated complaint. If, after an investigation, we find that there has been a contravention of the law, we make recommendations.

Effective January 1, we have implemented a new approach to issuing findings in our PIPEDA complaint investigations.

To date, when one of our investigations concluded that a company had breached PIPEDA, we were prepared to label a matter “resolved” when an organization committed to taking corrective action.

We have accepted an organization’s word that they would remedy non-compliance issues we had identified in accordance with our recommendations and borne the burden of proactively following up to ensure compliance with the Act.

However, putting the onus on my Office to follow up with organizations and secure proof of compliance is administratively burdensome and inconsistent with an organization’s responsibility to be independently accountable for its compliance with the Act.

In keeping with our commitment to require organizations to demonstrate accountability for their compliance with the Act, we will no longer be accepting a commitment to address a matter as a sufficient basis for finding the matter to be resolved.

For organizations that are committed to bringing themselves into compliance with the Act but are unable to do so before our findings are issued, we will be introducing a new category of finding that clearly indicates that some issues remain to be addressed. In these cases, a complaint investigation will be labeled “well-founded and conditionally resolved”.

In this case, we will ask the companies to confirm compliance with our recommendations through a third-party audit at their own expense within a given time frame.

Where an organization has not demonstrated that it has followed through on its commitments to my Office within the time permitted, we will consider further enforcement action, which could include court action or disclosure of information about the matter in the public interest.

Audits

My Office is also empowered to conduct audits to review compliance with both pieces of legislation.

In the federal government, these audits have ranged widely, covering everything from the no-fly list (formally known as the Passenger Protect Program) to the privacy implications of the government’s use of BlackBerries and other wireless devices.

Late last year, we published the results of an audit of the privacy policies and practices of the Canadian Air Transport Security Authority, which is responsible for airport security.

The audit found CATSA was collecting too much information about some air travelers and was not always safeguarding it properly.

More specifically, CATSA was reaching beyond its mandate by completing security reports on incidents not related to aviation security. This was the case even with incidents involving legal activities. For example, CATSA collected information about passengers carrying large sums of cash on domestic flights – and it called in police. We recommended that CATSA immediately stop that practice and, fortunately, they agreed.

During their site visits, our auditors were also surprised to find documents containing sensitive personal information left on open shelves and in plain view in a room where passengers may be taken for security checks.

Privacy Impact Assessments

Privacy impact assessments are another important tool. They are used to identify the potential privacy risks of new or redesigned federal government programs or services. They also help eliminate or reduce those risks.

Done properly, a privacy impact assessment is an opportunity to ensure that privacy protections are incorporated at the front-end. If it's just a checklist at the back-end of an initiative, and no one reads it, then it hasn't been done right.

Government departments are required to submit privacy impact assessment reports to my Office when they develop programs or services involving the collection, use or disclosure of personal information. We have the discretion to provide comments and recommendations. However, the final decision on whether to implement our recommendations rests with departments.

I mentioned airport millimetre-wave security scanners a moment ago. Through the privacy impact assessment process, my Office was able to reassure Canadians that privacy safeguards were incorporated in the use of these scanners.

Guidance

Another important way in which my Office helps organizations to meet their privacy obligations is by issuing guidance documents on how to navigate challenging privacy issues.

For example, just last month we issued new guidelines on online behavioural advertising.

The use of this type of advertising has exploded and we have had concerns that privacy rights aren’t always being respected. A big part of the problem is that people don’t know they’re being tracked because, too often, information about what’s happening to their personal information is buried at the bottom of a difficult-to-read privacy policy.

Following the launch of the guidelines, some observers questioned how my Office would be able to make them stick.

I can tell you that online behavioural advertising will be a priority for my Office if we receive complaints or see questionable practices.

Over the last year, since my mandate was renewed, our focus has been on re-tooling the Office to better serve Canadians. One of the tools I’m most proud of is our new technology lab, which offers us the technical know-how to understand what’s happening behind the screen. For example, we can analyse the tracking techniques employed by various online behavioural advertisers or the effectiveness of privacy controls on social networking sites.

Facebook Saga

I’ll turn now to a well-known example of my Office taking action on the private sector side that probably resonates especially strongly with many here. Half of Canadians – and a higher proportion of younger Canadians – have a Facebook account.

My Office’s investigation in 2009 prompted privacy improvements which Facebook put in place world-wide. In late 2010, we were able to announce that we were satisfied with those changes.

As some of you may remember, our major concern was that Facebook lacked technical safeguards to effectively restrict third-party developers – the people who create games and quizzes known as applications – from accessing the personal information of Facebook users and their friends.

As a result of our investigation, Facebook retrofitted its application platform to prevent any application from accessing information without first obtaining express consent from the user for each category of personal information it wishes to access.

Another concern during the investigation was that, in some cases, Facebook was not being transparent enough about its personal information handling practices. We were pleased that the site agreed to make changes to provide users with clear information.

An important message that has often been overlooked in discussions about the investigation is that Facebook users also have a responsibility – and this speaks to the notion of being a “professional citizen.”

Facebook users – and indeed all Internet users – need to inform themselves about how their personal information is going to be used and shared.

The Facebook investigation led to more privacy information and improved privacy tools – but people should take advantage of those changes.

Our work with Facebook is not over. We will soon be announcing our findings in further investigations related to invitations to join Facebook, as well as those Facebook “Like” buttons that other websites can add to their sites.

As well, we’ll very soon be announcing the results of an investigation of another social networking site targeting young people.

I want to point out that other international data protection authorities are also doing important work in this area.

For example, last November, the U.S. Federal Trade Commission announced a settlement with Facebook that requires the company to undergo regular privacy audits for the next 20 years.

My Irish counterpart, meanwhile, last month completed an audit of Facebook and called for a series of improvements to privacy protections and data-handling practices.

No doubt there will be further interesting privacy issues related to social networking in the years to come. For example, Facebook has launched a controversial facial-recognition technology in other countries – but, so far, not in Canada.

Data protection authorities in other countries are taking a very keen interest in that feature.

The potential uses of facial recognition – in social networking or marketing contexts, for example – are open to the imagination. (How many of you saw Minority Report?)

As a result, data protection offices around the world are following developments closely.

In fact, last fall my Office hosted a meeting with a number of other international colleagues to discuss the growing privacy implications of this technology. The US Federal Trade Commission held a workshop on facial recognition which I attended in December.

Privacy and the Role of the Individual

Another issue that regulators around the world are beginning to wrestle with is the growing importance of the individual as a provider of content in the online world.

My Office certainly encourages people to be conscious of the privacy of others when posting information online.

But PIPEDA – like most privacy laws around the globe – doesn’t apply to personal or domestic uses of personal information. We lack a legal framework and sanctions in this area.

What is the responsibility of the individual? How should responsibility for what gets posted be allocated between social networking platforms and users?

Experts reviewing the OECD’s privacy guidelines – which marked their 30th anniversary last year – have identified the ability of individuals to create and share information as one of the major changes with implications for privacy protection of recent years.

I believe that individuals, just like organizations, need to assume responsibility for the use of personal information. My personal view is that our laws need to evolve to take this into account.

Some of these issues may be explored in a legal appeal that will be heard by the Supreme Court of Canada.

Known as AB v. Bragg Communications, the case involves a 15-year-old girl who became aware that someone had set up a fake Facebook profile in her name. It was a case of sexualized cyber-bullying.

She applied for an order requiring Bragg Communications to disclose the identity of the persons who had used a particular IP address. This was granted by the Nova Scotia Supreme Court.

The teenager also sought an order which would allow her to proceed by pseudonym, as well as a partial publication ban to prevent the public from knowing the exact words contained in the fake Facebook profile.

Not unexpectedly, this was opposed by a newspaper and television network. This additional relief was not granted. The Nova Scotia Court of Appeal upheld that decision.

My Office will seek leave to intervene before the Supreme Court if we feel our input would be helpful to the Court.

Conclusion

This has been a rapid tour de horizon.

I’ve offered you a quick snapshot of my Office and a sense of some of the emerging privacy risks we’re working to address. But I hope I’ve also inspired you to consider how you can help protect the fundamental right of privacy as well.

Canadians are a sophisticated bunch when it comes to online literacy, but we have to work at our privacy literacy skills.

Many people haven’t considered the trail of digital bread crumbs they create as they click their way through websites and from website to website. They don’t consider how those breadcrumbs may be stored, analyzed and accessed. And how many of us actually read those wordy privacy policies?

The online world is an incredibly complex environment and people need to be properly educated to make better sense of how their personal information is being used.

I am very pleased to see that Canadians are increasingly demanding information about organizations’ privacy practices – and speaking out when they don’t like what they see.

When I speak across the country to audiences such as this one, I am constantly heartened to meet so many people who care very deeply about privacy – and who are “professional citizens” when it comes to being vigilant about protecting their privacy rights.

Thank you for your attention. I look forward to hearing your thoughts and would be pleased to answer any questions.
