Taking stock and looking forward: Updates from the OPC
Remarks at the Conference Board Council of Chief Privacy Officers
February 28, 2012
Address by Chantal Bernier,
Assistant Privacy Commissioner of Canada
(Check against delivery)
The goal of my presentation today is to update you on what we have both on our plate and on our radar at the OPC.
- First, I will address legislative developments. I will summarize how we are using the new powers we have acquired under Canada’s anti-spam legislation, or CASL, and how we are preparing for the coming into force of CASL. I will also say a few words about the lawful access legislation that was tabled two weeks ago, and finally, I will talk about potential amendments to PIPEDA under C-12 and beyond.
- Second on my list of updates this morning is a summary of what we feel are the hot issues on the privacy horizon in 2012 and in the foreseeable future.
- And the last item on my list of updates is fostering compliance. I will first say a few words on how compliance can be achieved by leveraging a convergence of interests in order to build a culture of privacy, and then present a general overview of new administrative measures we have adopted to better redress divergent practices. These new measures—namely, an increased use of our discretionary powers to name respondents and issuing new types of findings—will have a direct impact on your work as Chief Privacy Officers.
There are three main points I would like to address on the legislative front. The first is Canada’s Anti-Spam Legislation, or CASL. The second is potential amendments to PIPEDA under C-12 and subsequent parliamentary reviews of PIPEDA. The third is the recently tabled lawful access bill.
Amendments to PIPEDA under CASL
Let me begin by discussing recent amendments to PIPEDA that were included in CASL. These new powers are of general application to all PIPEDA complaints, not just those related to spam, and they came into effect with the adoption of CASL. In other words, they are currently in force and are valid for all investigations under PIPEDA.
First, CASL amended PIPEDA to allow the Commissioner to exchange information with her foreign and provincial counterparts where she believes it would be relevant to an ongoing or potential investigation.
We have already established Memorandums of Understanding with two European data protection authorities and are working on establishing more. The new information-sharing provisions under CASL also allowed us to join the Asia Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement (CPEA). Because of our membership in the CPEA, we are in a position to share information with several Asia-Pacific authorities, including the FTC. These arrangements will allow our Office to conduct joint investigations with international counterparts. We are presently conducting one such investigation, concurrent with one other Data Protection Authority.
This new power arrives at a point where DPAs intensify their efforts toward greater effective cooperation. A resolution was adopted in the closed session at the latest International Conference of Data Protection and Privacy Commissioners in Mexico last fall that created a working group to explore ways of acting cooperatively. We co-sponsored this resolution with the UK. The working group that was created is meeting in Montréal this May to lay the grounds for international co-operation.
Second, CASL has also amended PIPEDA to give the Commissioner the ability to decline to investigate or to discontinue an investigation in specific circumstances. The Commissioner may decline to investigate when she is of the opinion:
- that the complainant ought to exhaust other reasonably available grievance or review procedures;
- that the complaint would be dealt with more appropriately under other federal or provincial laws; or
- that the complaint was not filed within a reasonable period of time.
The Commissioner may discontinue an investigation if she is of the opinion:
- that there is insufficient evidence to pursue the investigation;
- that the complaint is trivial, frivolous or vexatious or made in bad faith;
- that the organization has provided a fair and reasonable response to the complainant;
- that the matter is already the object of an ongoing investigation; or
- that the matter has already been the subject of a report by the Commissioner.
On that front, we have established internal procedures and legal guidelines to help our investigative branch ensure these powers are applied fairly and appropriately.
- The assessment of whether to decline an investigation is based on the information provided by the complainant, as well as the information gathered by investigators and intake officers through follow-up calls or correspondence with the prospective complainant and respondent. The rationale for declining is based on these facts and considered on a case-by-case basis.
- The criteria being applied is designed to evaluate each case on its own merits. For instance, we do not interpret “a reasonable period of time” to file a complaint as a fixed, one-size-fits-all number. Rather, we consider factors such as when the complainant was made aware of the perceived problem, which actions the complainant has already taken to pursue the matter before contacting this Office, the reasons for the delay and the prejudice to the respondent caused by the delay.
- The assessment of whether to discontinue the investigation is made after letters of acknowledgement and notification have been issued, and early enough in the process so as to remain fair to parties who may have participated in a lengthy process.
- We have developed in-house legal guidance to help us interpret each of the different motives for discontinuance. For instance, we consider a “frivolous” complaint to be one that lacks a legal basis, legal merit or any reasonable prospect of success.
This new discretion will allow us to focus more efforts and resources on complaints that raise serious and broad systemic issues that pose privacy risks for all Canadians. We will also be updating our Compliance Framework, which can be found on our website, to reflect these new powers in the near future.
As for CASL itself, you all know that enforcement of the Act is a responsibility shared between the CRTC, the Competition Bureau and our Office. The OPC is mandated to focus on two types of violations:
- The collection of personal information through illicit access to other people’s computer systems; and
- Electronic address harvesting, where bulk e-mail lists are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses.
CASL is expected to come into force some time in 2012. A specific date for coming into force will be pronounced when the final regulations are published in the Canada Gazette. In the meantime, I have formed an in-house A-Team of sorts, bringing together investigators, technologists, policy analysts, communicators, and lawyers. We are working hard to review our existing investigative process in light of potential complaints under CASL, and collaborating closely with our colleagues at the CRTC, the Competition Bureau and Industry Canada to ensure everything from public education to enforcement will be handled in a coordinated manner.
Amendments to PIPEDA: C-12 and beyond
The second update I will provide on the legislative front is about parliamentary review of PIPEDA. The world has changed a lot in the ten years since PIPEDA was adopted. Technology has evolved and the online world is changing the way individuals communicate and share personal information. It is also providing unparalleled opportunities for businesses to collect, aggregate and profile information. Moreover, the large scale adoption and use of various social media is blurring the lines between commercial and non-commercial activities, and private and public divides.
The Act contains a clause under which it should be reviewed by Parliament every five years. The first parliamentary review of PIPEDA was launched a few years ago, and the fruit of this exercise is Bill C-12, which is presently at first reading in the House of Commons.
C-12 contains a provision for mandatory breach notification. We are following C-12’s progress through Parliament and are looking forward to commenting on it when it is referred to Committee. C-12 increasingly appears to be too little, too late. There is so much more to consider to bring PIPEDA up to the current challenges to protecting privacy.
Looking further along in the future to subsequent reviews of PIPEDA, our position on whether and how the Act requires reform to address new and emerging challenges will be informed by our focus on three key themes: enforcement; scope; and accountability.
In relation to enforcement challenges, we continue to examine our Office’s structure and function as a data-protection authority. We commissioned a study by two leading academics on the effectiveness of the ombuds model. The study concluded that targeted powers to make orders and impose penalties such as fines may be necessary to adequately promote compliance with the Act. We are increasingly of the view that the Act does not create sufficient incentives for compliance. We are therefore examining possible ways to create additional incentives for compliance.
On the issue of scope, we have identified key gateway concepts such as the definition of personal information and the definition of commercial activity as areas for close study. The definitions of personal information and commercial activity determine whether the Act will apply or not. These definitions were intended to be broad and flexible in their reach while respecting federal jurisdiction. Still, emerging technologies and changing business models are testing the limits of both these key gateway concepts. As a result, we will need to determine whether the definitions in the Act are sufficiently broad and flexible to offer Canadians the necessary degree of protection for personal data throughout the evolving commercial sector.
Another legislative amendment we are monitoring closely is the proposed legislation on lawful access that was tabled two weeks ago in Parliament.
Before going any further, I must insist that we are convinced that catching criminals is a good thing. We do recognize that rapid developments in communication technologies are creating new challenges for law enforcement and national security authorities and that the Internet cannot be a lawless zone. If criminals are moving to cyberspace, then policing must move to cyberspace. What is at issue for us is the protection of established, fundamental privacy principles that are a pillar of the society we want to live in.
While we are encouraged by some of the items we notice have been included in C-30, such as a reduction of the specific data elements that must be handed over by telecommunications service providers and strengthened oversight provisions, the bill raises concerns for us is where it may extend police powers beyond what we accept as a society. We must insist on the importance of judicial oversight and of reasonable grounds for search and seizure. These are measures that are in place to protect the fundamental rights of law-abiding citizens in the real world; we feel they should be extended to the online world as well. As the theme of your session today is “Building a culture of privacy,” it is relevant to note that the first casualty of passing such legislation as is could be the culture of privacy in Canada.
We are presently performing a more in-depth analysis of the privacy implications of Bill C-30, and are looking forward to sharing our advice with Parliament when we are invited to do so.
Hot issues for privacy
The second part of my presentation today aims at providing you an overview of some emerging issues that we feel require particular attention from privacy professionals.
Back in 2008, the OPC identified strategic priorities that would serve as focal points for our all our work—be it public education, audits, investigations, or research. After careful consideration, the Office selected information technology, public safety, identity management and genetic information as the four lighthouses that would guide our path through these rapidly evolving times.
Today, we feel these four strategic priorities are still as relevant today as they were back then. This morning, I will summarize specific issues we have on our radar for each of our four priorities.
Information Technology: The rise of mobile
On our hot list for information technology is the advent of powerful mobile computing. Combined with the introduction and wide-scale adoption of apps, the extensive use of smartphones and tablets allows individuals to meet their expectations of “anywhere, anytime, any data” access and, in many cases, to have that data with them at all times. This makes mobile devices extremely useful, which increases their adoption—and so it goes.
But it also means that they are a much more valuable target—for theft, for malware, for phishing attacks and so on. This, in turn, puts both personal and corporate data at greater risk of compromise—although the devices themselves are becoming more capable, security controls for them are often lagging. This was initially true for PCs and laptops as well, so there is hope that whatever gap exists for smartphones and tablets will be closed in the near future.
We are contributing to the conversation by commissioning technical papers on apps from industry experts: on the privacy expectations surrounding the use of apps; on what developers are doing to protect users’ privacy; and on the monetization of apps and their importance in the mobile economy.
Public safety: Perimeter Security Agreement
Top of mind for us in the area of public safety is Beyond the Border, the Canada–US action plan for increased perimeter security. The Action Plan pursues the creation of a common Canada–US security perimeter upon four main pillars: co-operative risk assessment; facilitated trade; integrated cross-border law enforcement; and integrated protection of critical infrastructure. In general, measures include a common approach to traveller screening, co-operation on both security and criminal investigations, and broadening global cybersecurity efforts.
In an effort to address Canadians’ expectations for respect of their privacy protections, the Action Plan commits to the development of Joint Privacy Principles by the end of May; and the Canadian Government has committed to submitting to our review PIAs for all measures having repercussions on privacy.
It’s important to underscore that we don’t view the Action Plan as a singular event or as an end point. This is a process that will mean several new initiatives by Canadian federal departments and take years to implement. In other words, this plan is just that—a plan—and the impact of any plan is judged not only on its objectives, but also on its implementation.
Let me share with you some of the main elements we are keeping an eye on throughout this process.
- First of all, as an overarching concern, the action plan refers to “joint Canada–US privacy principles”. There is of course a risk that these “joint privacy principles” could be driven by US policies and priorities that do not correspond to ours. We therefore call on Canadian authorities to be vigilant in that regard.
- Second, we would like information sharing between our two countries to be subject to tighter discipline—for instance, we have been asking for years now that the Privacy Act be amended to require that the sharing of personal information among police authorities be done only under written agreements that clearly define the conditions under which the information is shared.
- Third, we would like improved measures to ensure the accuracy of information held by the police—for example, measures that ensure timely purging of irrelevant or outdated information.
- Fourth, we want to see proper, independent oversight for information-sharing measures.
- Fifth, we will want clear limitations on what can be shared and with whom.
- And sixth, the officials involved will need to receive proper training to understand the privacy issues at hand and possible consequences of a breach—a request that was echoed in Justice O’Connor’s report on the Maher Arar enquiry.
In general, if this plan is implemented well, monitored carefully, and respect for privacy is set as a key priority from the outset, it represents an opportunity to remove security barriers to travellers. On the other hand, if implementation leads to indiscriminate collection of personal information and unfettered use by security officials, this could lead to further complications.
Gathering information is one thing. How it’s used is the real question. In the past decade, three federal Commissions of Inquiry—O’Connor, Iacobucci and Major—have studied this very serious issue. I think Canada is now presented with a critical opportunity to make progress on these examinations.
As a result, we’re not looking upon the plan itself in judgment. Instead, we will be monitoring each initiative very closely to determine its privacy implications. There are many initiatives that deal, for example, with product standards and cargo shipment, which don’t require such an examination. However, those dealing for example with exit-entry information and the sharing of biometric data along with information exchange between law enforcement agencies, could potentially have massive privacy implications.
Any initiative dealing with the collection and sharing of people’s personal information will need to have its own PIA. We will be monitoring the initiatives as they unfold in order to ensure that the appropriate safeguards are put in place and that Canadians’ personal information is protected according to Canadian privacy standards.
We are encouraged by the commitment to develop a joint statement of privacy principles by the end of May. The Government has committed to consult us on this throughout—we will hold them to that commitment and monitor things very closely.
Genetic information: Offer and demand
In the area of genetic information, the main threats to privacy are linked to the rapid and significant drop in the cost of genetic testing and genetic sequencing. The result is that we are seeing an explosion of genetic information. Individuals can “buy” genetic tests over the Internet, without the intervention of a medical professional. Pharmaceutical companies, universities, and others can amass huge bio-banks of genetic information. Paternity tests are as easy to obtain. The power of this information for both socially valuable and socially harmful purposes is significant. This raises significant legal, ethical, moral and privacy issues that we as a society have only begun to address.
Our Office is presently conducting research on the predictive value of genetic information on health outcomes. We have retained the expertise of Dr. Pavel Hamet to assist us in exploring this emerging issue. We have committed to sharing the results with the Canadian Health and Life and Health Insurance Association in order to inform our continued dialogue with the industry.
I also continue to sit on the Advisory Board of the National DNA Data Bank on behalf of the OPC. Emerging issues on that front include the possibility to take DNA at the moment a person is charged with an offense rather than when a person is convicted of a crime, the privatization of labs and, most significantly, the introduction of familial searching. These items are still far on the horizon for Canada, but they are being contemplated—therefore, we are following these developments.
Identity management: Tracking, profiling and targeting of individuals
In the area of identity management, our main concern is the online tracking, profiling and targeting of individuals. This is done for the purpose of behavioural advertising, but also for other emerging purposes. The issue of online tracking, profiling and targeting that was given considerable attention during our 2010 Consumer Privacy Consultations. More recently, we have issued a set of guidelines on Privacy and Online Behavioural Advertising, which have been generally well received and sparked a constructive dialogue between our Office and the industry.
Another issue that was discussed extensively during our 2010 Consultations was cloud computing. The value of cloud computing for organizations is evident—and it is no wonder that its use is increasingly widespread. However, cloud computing could present risks for personal information, and it could raise interesting legal issues when remote servers are located in foreign jurisdictions.
In order to frame the debate in privacy principles and encourage organizations to consider privacy at the offset, we have issued a fact sheet and a research report on the matter, and are presently drafting guidelines on cloud computing for small and medium enterprises.
Pathways to Privacy: Privacy for Everyone Symposium
I would also like to take this opportunity to share some exciting news. Very much in accordance with the idea of Building a culture of privacy, we are leveraging on the success of our Contributions Program, we to launch a series of symposiums to showcase the world-class research we are funding. The first of this annual series will be held here in Ottawa on May 2.
Under the heading “Privacy for Everyone”, this event will focus on such topics as reaching diverse populations, cultural perspectives on privacy, and privacy issues specific to youth, seniors, Aboriginals and immigrants.
We are delighted to be collaborating with the Social Sciences and Humanities Research Council and the Industry Canada Consumer Affairs Bureau to organize this symposium, and I hope you will be able to join us.
The third broad topic of my presentation today is compliance. This is no doubt where the theme of your session comes most into play: compliance stems from a culture of privacy. So how do we build one. Compliance with privacy laws can come from a convergence of interests—privacy makes good business sense—or from working to redress divergent practices. Building a culture of privacy means offering assistance to some and penalties to others.
Compliance through a convergence of interests
An essential component of fostering compliance through a convergence of interests is to build a culture of privacy.
Organizations, big and small, have a vested interest in protecting privacy. The first time I met with Facebook, I asked what the importance of privacy was for them. They replied that it ensures the user has a positive experience. When I asked the same question of the Canadian Bankers’ Association, they replied that it ensures people continue to do their banking with them.
These answers highlight the fact that protecting privacy is understood as good business—whether we all agree on what protection means is another matter but that vested interest of business in offering privacy protection is a central element of compliance.
And that is the gospel that you have to spread within your own organization: Privacy makes good business sense.
Where it may get a little trickier for you is when you have to explain how privacy translates into the day-to-day operations. It’s not enough to recognize that privacy is important, or even to include privacy in your policies and templates. Good privacy practices have to be internalized in the people who comprise the organization.
Look back to the events that resulted in the collection by Google Street View cars of payload data from unsecured Wi-Fi networks: the engineer who built the code filled out the appropriate paperwork and ticked the appropriate boxes to indicate that this product had no implications for privacy. Look back to more recent events at a federal agency, where an employee gathering information to back up a grievance claim downloaded sixteen CDs’ worth of Canadians’ personal information and transferred it on someone else’s laptop, without thinking of the potential consequences for people’s privacy.
Or remember the recent case at Veterans Affairs Canada, where the sensitive personal information of a veteran was widely shared within the department, way beyond need-to-know.
In all these cases, damage could have been avoided if specific members of the organization had understood how privacy protection translates to their specific role in the organization. Our audit of Veterans Affairs, may shed light on the very topic you address today: protecting privacy as a matter of organizational culture.
Building a culture of privacy is building a culture where everyone understands how privacy is their business, too—privacy is not just the CPO’s or the general counsel’s or the ATIP manager’s business; it’s everybody’s business.
Compliance through correction of divergent practices
The second way to foster compliance is to correct divergent practices, notably through our application of the Act. I mentioned earlier how we are exploring asking for increased powers through legislative review—in the meantime, we are making the most of what we already have. What we already have is the power to name respondents, latitude on the types of findings we issue, and the ability to follow-up on how our recommendations are implemented.
You will have noticed these past few years and especially in our latest Annual Report on PIPEDA that we are naming names. We have increased the use of our legal power to make public the information practices of an organization where we consider that there is a public interest to do so. That increase in naming is based on the increased impact of the violations we observe.
We realize that naming organizations works because of the potential reputational loss that compromises an organization’s business interests. It also rests upon the fact that in the end, particularly for big businesses, the cost of compliance must be brought below the cost of contravention.
Another example of how we use our existing powers to their full extent is the newly introduced requirement that in certain cases, respondents must produce a third-party audit to demonstrate that they have implemented all of our recommendations before we actually close the file. In doing so, we reserve the right to use our recourses under the law, including going to Federal Court, should that third-party audit not be presented or not be positive. We have already included this requirement as a follow-up to our investigation of Google Wi-Fi and to our audit of Staples.
This new requirement, as well as our new discretionary powers under CASL, is reflected in a recent review of the definitions of our findings and other dispositions.
In closing, I hope to have given you a sense of how we are poised to protect Canadians’ privacy rights for 2012 and beyond—how we are building our own culture of privacy protection.
- We are exercising our role of advising Parliament on legislation that has an impact on Canadians’ personal information, by commenting on proposed laws and calling for amendments to existing ones, where it is warranted. Once new bills and amendments come into force, we administer them in the most appropriate way—as we are doing for CASL.
- We are keeping abreast of technological and societal developments that have an impact—or will have an impact—on Canadians’ privacy.
- We are making full use of our powers in order to foster compliance with the law.
The building blocks for a culture of privacy are set in Schedule 1 of PIPEDA: they include robust governance structures, where the CPO is at the top of the organization; they include training, motivating and assessing staff for privacy protection; they include understanding privacy safeguards, whether they be cyber-resilience, access controls or ongoing vulnerability assessments.
My observation is that, in short, building a culture of privacy is about integrating privacy protection into the organization’s culture of service, and privacy safeguards over the organization’s assets.
- Date modified: