Privacy and Communications in Changing Times
Remarks at IABC 2012 Canada Business Communicators Summit
November 2, 2012
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I am happy to be able to speak with you about the crucial role which professionals like you can play in ensuring the privacy of Canadians in today's rapidly evolving communications landscape.
In a moment I will address the challenges that the revolution in communications brings for protecting personal information.
But first I thought it might be helpful to tell you a bit about the Office of the Privacy Commissioner.
It might surprise some of you to hear that Canada's Privacy Act was born 30 years ago, a birthday we celebrated in our most recent annual report tabled in Parliament last month.
The Privacy Act covers federal government institutions.
Its counterpart covering the private sector is the Personal Information Protection and Electronic Documents Act, or PIPEDA, which has been around since 2000.
The mandate of my Office is to oversee compliance with those two laws which govern the collection, use, and disclosure of personal information.
As Privacy Commissioner, I can investigate complaints, conduct audits, pursue court action and publicly report on the privacy practices of organizations.
My Office also conducts and supports research about privacy issues and promotes public awareness – indeed, communications is an important part of my job!
My Communications staff keeps me busy!
The touchstone in all our work is that Canadians place a high value on their personal information and don't want it broadcast, bartered, and bandied about without their knowledge and consent and without other appropriate protections in place.
The right to such personal privacy has been recognized for a long time.
More than two thousand years ago a provision in Jewish law protected people's privacy at home by preventing neighbours from building in such a way that they could peer in.
In recent weeks, the Supreme Court of Canada has addressed more modern privacy issues related to personal information held on computers used in the workplace in one case and also the protection of young people's privacy in another case involving sexualized cyber-bullying.
As issues evolve, so too do our concepts of privacy. This is a trend we have seen throughout history.
But people who claim privacy is dead in this age of digital sharing are just plain wrong. Social networking sites demonstrate that people do differ in what they are freely willing to make public. But what we all have in common is that no one wants to give up ultimate control over their personal information. We want to choose what gets shared and with whom. Canadians continue to deeply value their privacy rights. Control over our personal information protects us from intrusions on our person. It allows intimacy and facilitates freedom of expression and thought.
Privacy and Reputation
It also protects our reputation – a concept that I suspect is central to all of you, not only in your personal lives, but also in your daily work.
Reputation is critical.
In his play, Othello, Shakespeare gave these famous dissembling lines to the villain Iago:
Who steals my purse steals trash; … But he that filches from me my good name robs me of that which not enriches him, And makes me poor indeed.
Of course, the Elizabethans didn't have to cope with the challenges to privacy and reputation spawned by the technological revolution in communications.
They could not have imagined online behavioural advertising, data mining, robocalls, personalized electronic billboards, rate your teacher and rate your doctor sites, data breaches and so on … and so on.
Even a decade ago, almost no one could have foreseen how much of our daily lives would be carried out online – or the measureless trails of digital crumbs we would leave behind.
Crumbs of personal information flow from our smart phones, tablets and computers; they are recorded by ubiquitous CCTV cameras and automated licence plate recognition systems; and they are tracked through our credit cards and loyalty cards.
This tsunami of personal information is a goldmine.
The Wall Street Journal reported recently that companies with business models based on collecting personal information and using that data to attract advertisers constitute a new Silicon Valley industry worth nearly $30 billion.
Canadians are uneasy about what is happening to their personal information behind the computer screen.
A survey conducted for my Office last year found that four in 10 felt that computers and the Internet pose a risk to their privacy.
That's up from one-quarter in a similar survey just two years earlier.
Just over one in five (22 percent) say the federal government takes seriously its obligation to protect privacy.
Meanwhile, one in seven (14 percent) say that businesses take their privacy obligations seriously.
That's not good news for people in the communications business. But you could turn this situation to your advantage!
Privacy concerns are more than just a bothersome legal requirement.
They are something with the potential to seriously harm the reputation of your organization.
Let me give you a few examples.
Not too long ago, Facebook hit an incredible milestone – one billion users. That means roughly one in seven people on this planet now have a Facebook account.
Yet Facebook has a problem.
Despite this popularity, a recent U.S. poll by AP-CNBC suggests that 59 percent of respondents said they had little to no trust in Facebook to keep their information private.
That's perhaps not so surprising given some of the company's privacy stumbles over the years.
A couple of prominent examples from the past include the Facebook Beacon advertising fiasco and the overnight change in privacy settings so that sharing information with everyone became the Facebook default.
More recently, Facebook announced it would stop using controversial facial recognition technology in Europe in response to concerns expressed by privacy advocates and data protection authorities.
We have repeatedly seen Facebook apologize and backtrack in the face of a storm of user protest over privacy issues.
Facebook CEO Mark Zuckerberg has told users: “Each time we make a change we try to learn from past lessons, and each time we make new mistakes too.”
I should add that, compared to when we first investigated Facebook a few years ago, the company appears to be giving privacy more consideration in certain areas, including providing clearer, more understandable information to members on various personal information handling practices.
From time to time, the company seeks our views on certain issues and listens to our feedback.
These are positive developments.
Google is another company my Office has gotten to know well.
Like the whack-a-mole arcade game, each time a privacy concern is resolved with Google, another one seems to pop up.
You may recall, for example, the Google Buzz debacle.
Google tried to kick start a social networking service by abruptly melding it with Gmail.
Not too long after that, Google had to admit it had collected data from unsecured wireless networks as its cars were photographing streetscapes for its Street View map service in Canada and around the globe.
And just this past summer, the company was fined a record $22.5 million by the U.S. Federal Trade Commission to settle charges that it misrepresented privacy assurances to users of Apple's Safari web browser.
I don't want to leave the impression that our concerns about privacy are limited to the private sector.
We have had some challenges involving the federal government as well.
One case which generated an enormous amount of adverse publicity was the mishandling of a veteran's personal information by Veterans Affairs Canada.
An investigation by my Office found that the veteran's sensitive personal information was shared among departmental officials who had no legitimate need to see it.
Some health information even ended up in ministerial briefing notes detailing the veteran's advocacy activities.
The serious systemic privacy issues identified in that investigation prompted my Office to launch an audit.
Our audit report outlines Veterans Affairs' effort to regain the trust of more than 200,000 clients.
All organizations would best serve Canadians by striving to reach this destination without having to endure a similar journey.
We are currently conducting an audit of a department more used to being the auditor than “auditee” – the Canada Revenue Agency.
We selected the CRA for an audit following numerous reports of privacy breaches involving employees inappropriately accessing taxpayer information in recent years.
You may have detected a pattern in these stories – one with which my Office has become all too familiar.
An organization introduces innovations to its operations; users (or citizens, in the case of government) raise privacy concerns; privacy enforcement authorities become involved; the organization calls in lawyers to find a solution and communications specialists to clean up the reputational damage.
In other words, privacy gets addressed after the fact – after the damage is done.
You all know this isn't the ideal way to do things. Far from it!
As I have repeatedly said, a lot of trouble and grief would be saved all around if organizations built the concern for privacy into their innovation cycle.
We need to find ways to make organizations more accountable; organizations need to be more proactive and to build privacy in at the front end. This is the way to being competitive and maintaining consumer trust.
From a communications and marketing point of view, consider the advantages of showcasing your privacy safeguards in advance, rather than having to apologize for their absence in the aftermath.
Good privacy can be a competitive advantage.
It can help build trust with consumers and citizens.
I understand some of you are involved in marketing.
Before closing, I would like to touch on a couple of issues related to online marketing and advertising which are of particular interest to my Office, and which I think will be relevant to you as well.
One is online behavioural advertising. While the use of this type of advertising has exploded, the privacy issues have yet to be adequately addressed.
Canadians spend more and more time online and they have come to expect that many of the online services they use will be “free.”
Of course, the fact of the matter is that they are paying for those free services – at least in large measure – by letting websites sell their eyeballs to advertisers.
Some people like having the ads they see tailored to their particular interests.
Others are extremely uncomfortable when they see ads that are clearly targeted on the basis of their online wanderings.
What is clear is that Canadians – according to our polling, a whopping 83 percent of Canadians – believe that Internet companies should be asking permission to track Internet usage and behaviour.
My Office has issued a guidance document to help organizations involved in online behavioural advertising ensure that their practices meet those expectations of fairness and transparency – and are also in compliance with Canadian privacy law.
The issue of transparency is also central to another important issue my Office has been working on in recent months – web leakage.
Our research found that some leading websites in Canada are inappropriately “leaking” registered users' personal information – including names, email addresses and postal codes – to third-party sites such as advertising companies.
The research findings raise concerns for the privacy rights of Canadians.
Web leakage can involve the disclosure of personal information without an individual's consent – or even knowledge.
The research also raised questions about compliance with Canadian privacy law in the online world.
It also raises reputational concerns for any organization that has an online presence but isn't ensuring that privacy issues are appropriately addressed. When we announced the general research findings, I opted not to exercise my discretion to name the organizations whose sites we tested.
We felt it was reasonable to give them an opportunity to respond and address any compliance issues.
Naming the organizations remains an option – depending on their responses.
My Office will continue to monitor compliance with privacy law in the digital world – particularly with respect to online behavioural advertising.
A lot of online organizations need to do a better job.
We will be looking at our enforcement options to ensure Canadian privacy law is respected – and that could include naming names.
These are just some of the areas where members of the IABC should be attuned to privacy concerns as potential reputational issues for organizations in both the public and private sectors.
My take-away message for you is this: As communications and marketing professionals, don't wait to be brought in to clean up a mess when an organization has failed to give proper weight to protecting privacy.
You need to be part of the precautionary process – a proactive, responsible and wise process – that avoids such messes in the first place.