The privacy landscape in 2013
Remarks at a meeting with the Privacy and Access Law Section of the Canadian Bar Association
January 17, 2013
Halifax, Nova Scotia
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
My plan today is to:
- Highlight the most salient legal issues we see in the fast evolving privacy landscape;
- Describe our approach to these issues;
- Share with you our strategies to remain effective in this context.
I. Salient Legal Issues
So first, let me share with you the main legal issues that arise in the changing privacy landscape, as we see them in our investigations and our research.
At the risk of stating the obvious, you will see that they emerge from one fundamental development: the move to a digital era.
I will focus on six privacy principles that are most impacted in this new context.
1. Transparency and consent in the new digital realities of mobile apps, smartphones and online behavioural advertising
The technological complexity of online communications puts an unprecedented stress on the principles of privacy and transparency. While it was easy to show your clients how you were keeping their information well locked up in a safe, it is difficult for companies to explain how personal information is collected, used and safeguarded in a virtual world. Consequently, it is also difficult to secure meaningful consent since that is predicated on an understanding of the modalities for collection, use and safeguards.
- The issue arose, for instance, in one of our investigations on Facebook with respect to friend suggestions. Even though we did not find that Facebook was unlawfully collecting or using non-Facebook user information through the friend suggestions, we found that the mechanism for friend suggestions was not clear enough. Further to our recommendations, Facebook now provides clear and adequate notice of its use of email addresses to generate friend suggestions. The company also provides non-users with a convenient and user-friendly manner in which to opt-out of receiving friend suggestions.
The second principle I want to mention as impacted by the changing landscape is Disclosure. This is especially relevant given the fact that instances where government taps into data held by the private sector are on the rise.
We have seen this issue brought to the fore in several recent files:
- The Advanced Passenger Information (API) and Passenger Name Record (PNR) programs involve airlines providing “biographical” (API) information and travel (PNR) information on passengers. All this information is collected by commercial airlines and transmitted to various governments through various electronic channels.
- The Financial Transactions Reports Analysis Centre of Canada, or FINTRAC, is the independent agency charged, amongst other things, with receiving financial transaction reports under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. FINTRAC is subject to a mandatory biennial audit by the OPC. In our latest audit, published in the fall of 2009, we found instances of excessive reporting to FINTRAC by financial institutions—the Centre was being provided with more personal information than it needed, used or even had the legislative authority to receive.
- Proposed Bill C-12 would amend PIPEDA by adding two additional situations in which law enforcement authorities could request information from an organisation, namely to communicate with a next of kin and to “perform policing services”.
- Proposed Bill C-30 on lawful access would give warrantless access to customer information behind an IP address.
These developments bring into play the relationship between the individual right to privacy and collective rights to public safety or to effective taxation, and, therefore, what in the name of public interest constitutes lawful disclosure.
3. Safeguards in the digital era
The third principle to highlight in this changing context is safeguards.
I was struck recently by a comment from FBI Director Robert Mueller. He said there are only two types of companies: those that have been hacked and those that will be.
Legally, this raises the question as to whether cyber security is an obligation of means or an obligation of results.
Our position is that it is an obligation of means. This entails that organizations must implement safeguards commensurate with the level of risk created by the move to electronic platforms.
And yet, Canadian companies show alarming complacency in this regard. We see recurring surveys that bring to light a lack of awareness, from our point of view, particularly among small and medium sized businesses, about the virulence and frequency of cyber attacks and about vulnerabilities in technological infrastructures.
Verizon issued in 2011 a study of 855 breaches in 36 countries, which showed results very similar to what is applicable to Canada. Of particular interest, they found that
- Most breaches are avoidable, as 95% of cyber-attacks are not sophisticated;
- 96% of all firms studied were non compliant with the Payment Card Industry Data Security Standard; and
- 92% of incidents were discovered by a third party – not by the company.
- Overall, the study confirms our impression, from the number and gravity of breaches last year, that we are moving services to the Internet without a full risk and threat analysis.
And then of course there are repeated incidents of lost, unencrypted laptops and USB keys that reveal poor sensitization of staff to risks and safeguards.
A culture of accountability is crucial in an era of cyber attacks. Saying that cyber security is an obligation of means rather than results does not reduce the responsibilities of the organization. When breaches happen – and they will, through accidental disclosure, loss or hacks – the organization needs to demonstrate it had been diligent. After the incident, organizations have an obligation to remediate to the greatest extent possible with a view to preventing future breaches.
That is what happened in June 2012 when LinkedIn, a business networking site, had nearly 6.5 million user passwords stolen and posted online. While the breach exposed certain weaknesses in its information safeguards, LinkedIn was swift in its breach response and cooperative with both our Office and the offices of our colleagues in British Columbia, Alberta and Quebec as we endeavoured to better understand the situation. The company quickly implemented measures to identify and remedy weaknesses and, in so doing, demonstrated a strong commitment to accountability.
LinkedIn’s commitment to remediation clearly flowed from the top, with senior management fully engaged and authorizing a “Code Red” response. Code Red rendered the breach Priority Number One for LinkedIn, and resulted in an immediate deployment of resources towards breach response. After the Code Red, LinkedIn followed up by reviewing their response, assessing lessons learned and implementing information security enhancements.
At a time when cyber attacks have become commonplace, could LinkedIn have had better safeguards?
Of course, and we made some recommendations to LinkedIn, who strengthened its safeguards.
However, when we looked at LinkedIn’s safeguards and breach response, we found that, in the context of cyber security where attacks can’t be avoided, LinkedIn demonstrated due diligence in their actions immediately following the breach.
4. Jurisdictional issues
The digital economy also brings with it the reality of cross-border data flows through multinationals and cloud computing, raising the question of territorial jurisdiction.
As you know, the jurisdiction of the OPC on foreign companies that collect, use and disclose Canadians’ personal information in the course of commercial activities has been firmly established over the years: by the TJX case, by Abika/Accusearch, and of course through the well-publicised investigations on Facebook and Google.
As for Canadian businesses that outsource treatment or storage of customer data abroad, be it through the mail or through the cloud, they would be subject to the requirements of Schedule I of PIPEDA with regard to accountability, knowledge and consent, and safeguards.
We have issued guidelines for processing data across borders in 2009, and more recently, we have issued last June a guidance document on cloud computing aimed at small and medium sized enterprises.
5. The definition of personal information
Definition and interpretation
As I mentioned earlier, the move to digital communication creates new forms and new supports for personal information thus challenging the actual definition of personal information.
The guiding principle in this regard is that any information that can be linked to an identifiable individual is personal information.
That principle is challenged with new applications and case law.
In the debate around lawful access, for example, the question of whether an IP address is personal information is generating contradictory case law. Our Office clearly takes the view that an IP address does constitute personal information because it can be linked to an identifiable individual.
In relation to license plates, the Alberta Court of Appeal has expressed a reductionist viewpoint in the decision involving Leon’s furniture chain, in determining that a licence plate number is not personal information because it relates to an object rather than an individual.
Our Office, along with other Canadian commissioners and privacy advocates, had hoped the Supreme Court of Canada would hear an appeal on this important issue, but it chose otherwise.
The definition of personal information will again be an issue before the Supreme Court of Canada due to another Alberta Court of Appeal decision, the United Food and Commercial Workers case.
As many of you know, the United Food case raises the issue of appropriate balance between freedom of expression and the protection of personal information in a public space. To refresh your memory: In 2006, the United Food and Commercial Workers (“UFCW”) was on strike at the Palace Casino. The Union and employer videotaped and photographed the picket-line and its immediate surroundings, including persons who walked in and out of the casino.
UFCW posted signs stating that images of persons crossing the picket-line would be placed on its website. Complaints were made against UFCW to the Alberta Privacy Commissioner by the Vice President of the Casino, who had his image used on union materials with “humorous” captions, and two other individuals who were, or may have been, photographed and videotaped.
In relation to the definition of personal information, the issue is whether it is overbroad to the point of not being functional.
Our Office supported the Alberta Information and Privacy Commissioner’s leave to appeal to the Supreme Court and a decision on the application is still outstanding.
The importance of this case cannot be overstated.
And as Commissioner Stoddart pointed out in her affidavit supporting the Alberta Office’s leave to appeal in the United Food case, unduly restricting the application of PIPEDA could “jeopardize Canada’s status as a country which provides adequate privacy protections for the purposes of European Union data protection laws, which in turn could impact international trade and commerce.”
6. The evolution of privacy laws in the European Union
Finally, I just want to bring to your attention the draft European Data Protection Regulation presented on January 25, 2012. It still has to be voted by the European Parliament but if it does become law, all Canadian businesses having dealings in Europe will be impacted.
II. Legal Approach
So how does our Office address these emerging legal issues in this fast evolving context?
As you know, PIPEDA was meant to be interpreted with pragmatic consideration of the business environment.
Concretely, it means taking into account the following, in our investigations, our guidance documents and our advice to Parliament:
- New business models — as we have taken into account in our approach to online advertising; the Internet is free, so users should expect some advertising. Where we draw the line is that the advertising cannot be targeted on the basis of information linked to an individual. You can find our Guidelines on Online Behavioural Advertising on our website.
- New forms of social interaction, as we took into account in our investigation of the youth website Nexopia, where we recognized that social interaction was all about disseminating personal information; the limits we set were meant exclusively at protecting users control over personal information; and
- New technological realities, as we took into account in the case of the LinkedIn breach—taking into account the vulnerability of information technology and requiring that technological safeguard measures are in place in light of the generally accepted industry standards, for instance in the case of password encryption.
Pragmatic consideration of the business environment also means taking into account a new balance between consumers and companies, defined, as I mentioned earlier, by a new context of technological complexity, impact of breaches and multinational giants.
This entails that regulators such as our Office must become more assertive, as in effectively upholding the privacy rights of Canadians in the face of ever changing risks. We cannot simply count on consumers protecting themselves or voting with their feet.
III. Concrete Strategies
To better protect Canadians, our Office is increasing the use of its existing powers and seeking additional ones. Let me turn to that.
a) Exercising our power to name
In the last few years, our Office has increased its use of the power to name. To clarify our interpretation of that power under subsection 20(2) of the Act, I would like to share with you our reasoning for each company we have chosen to name in our latest Annual Report on PIPEDA:
- Google and Facebook: no surprise. The sheer number of users brings the impact of any privacy issue to the level of public interest. In the case of Google Wi-Fi, there were additional factors that pointed to naming:
1) the expansive impact of operations;
2) the sensitive nature of the personal information that was unlawfully collected and retained; and
3) the significance of the systemic deficiencies brought to light by the investigation.
As you know, like all other foreign regulators who investigated, most recently the U.S. Federal Communications Commission, we found that Google was lacking basic control mechanisms for privacy protection.
- Sobeys was also named for the vast impact of its operations as well as the systemic issue at hand: video surveillance records. Considering the size of Sobeys and its broad, although not unique, use of video surveillance in its stores, we felt the public needed to be alerted to Sobeys’ privacy policies and practices, as well as its position on the matter.
- Nexopia we chose to name because of its specific vocation towards youth — youth constitute a vulnerable group. In fact, Nexopia has been linked to a number of criminal cases of luring, robbing and cyber bullying. Moreover, the systemic deficiencies in Nexopia — from privacy settings that allowed non-users to access users’ profiles through Internet searches, to the total lack of a retention policy and deletion capacity — made the case of such concern that we felt the public had to be alerted. This case ended up before the Court; at the present time, all our recommendations are being implemented.
- Finally, Job Success – this is where a company portrayed itself as interviewing candidates for job placements, thus gathering personal information, while in reality it was in no position to recruit anyone or place anyone. We felt that the violation of PIPEDA was so egregious and that the current economic context could make so many people vulnerable to this kind of deceitful operation, that, again, the public needed to be warned about this company, not just about the issue.
However, in spite of criticism from privacy advocates, we have yet to name any company subject to our web leakage study.
To refresh your memory, we conducted in-house testing on leading Canadian websites’ disclosure of personal information to third parties.
Our research indicated that about one in four sites in our relatively small sample were “leaking” registered users’ personal information (including names, email addresses and postal codes) to third-party sites such as advertising companies, apparently without the knowledge or consent of the people affected.
Our research report on this matter was issued in September 2012, and we are still in discussion with the companies over what adjustments are required to their respective websites.
We chose not to make any of these companies public firstly because we had chosen a small sample for our study, and we do not know how this sample compares to the rest of the industry.
Secondly, because all these companies are so far complying with our recommendations.
Thirdly, because we do not believe that an antagonistic approach is effective — our motto is compliance through partnership.
The defining criterion for naming is relevance for the public to know about a specific company. It is protective rather than punitive.
Moreover, we are very much aware of the consequences of reputation loss, so we are using our power to name judiciously.
b) Requiring third-party audits
Another new measure we apply is the requirement to produce third-party audits to demonstrate that our recommendations have been implemented.
We have received a third-party audit from Google demonstrating implementation of our recommendations in the Wi-Fi investigation, which we made a condition to resolving our investigation.
We requested the same from Staples at the outcome of our 2011 audit, where we had found that the company was reselling hard drives that still contained the personal information of the previous owners.
c) Refining investigation findings
We have also sharpened how we express our investigation findings. There are two key changes here:
- in the cases where the organization was found to be at fault, but addressed the issue during the course of the investigation, we issue a finding of “well-founded and resolved” rather than merely “resolved” so that the violation of PIPEDA is recognized; and
- in the cases where the organization has made a commitment to implement our recommendation but not has not had the opportunity to do so by the end of the investigation, we issue a finding of “well founded and conditionally resolved”.
d) Implementing new powers to decline or discontinue
A new power we have received through CASL, although unrelated to spam, is the power to decline to investigate where either another process would be more effective or where we consider the complaint to be frivolous or vexatious.
Since these new powers came into force on April 1, 2011, we have declined to investigate two complaints, in one case not to interfere with provincial court proceedings, in another, because we felt provincial court proceedings available to the complainant were the most appropriate means of addressing the issue.
We have also discontinued 17 investigations on various grounds: 6 were withdrawn by the claimant; 3 were abandoned; 3 were discontinued because the Commissioner felt the issue would be better addressed under another procedure; 3 because the matter had already been the subject of a report by the Commissioner; 1 because the organization had provided a fair and reasonable response to the complainant; and 1 because the matter was being or had already been addressed under another procedure.
e) Making the case for new powers
Still, we feel these powers are not enough in the face of Internet giants and other multinationals. We want legislative amendments to get new powers. As you may know, we have taken our distance from C-12, specifically in relation to breach notification where we would like to see sanctions, and we have called for amendments to PIPEDA that would provide us with enforcement powers.
In a statement before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on December 11, 2012, Commissioner Stoddart reiterated the importance of strong enforcement powers and mandatory breach notification in today’s marketplace.
Such measures would bring Canada up to par with international counterparts such as the U.K.—we feel that falling behind in this matter would have a negative effect on the consumer confidence needed for the digital economy to thrive.
These measures would also “reinforce accountability and, with penalties, provide financial incentives to better protect Canadians’ personal information.”
On that, I really would appreciate your comments to help me understand your challenges so we can better take them into account.
f) Fostering accountability
In order to help businesses, particularly small and medium enterprises, we have developed a guidance document entitled “Getting Accountability Right”. This step-by-step guide to implementing Principle 4.1 of Schedule 1 of PIPEDA supports organizations in building the right governance structure to ensure and demonstrate compliance. This document, which was a collective effort between our Office and our colleagues in BC and Alberta, is available on our website.
In relation to Internet giants, we often make recommendations aimed at enhancing transparency and consent.
IV. Where do we go from here?
So where do we go from here to maintain and even increase our effectiveness in this fiscal, social and technological context?
Let’s start by summarizing our context:
- life is now lived online;
- a handful of companies have a monopoly on Internet activity; and
- there is a globalization of privacy issues.
1. What are the ramifications of “life online”?
The fair information principles, which form the basis of Schedule 1 of PIPEDA, still matter online.
As such, they form the basis of recent guidelines issued by the OPC on online behavioural advertising, mobile apps and cloud computing.
In addition, to keep abreast of recent developments and inform our policy, communication, investigation and audit work, we have created within the office a Technology Analysis Branch which conducts its work in an in-house computer lab specifically designed for this purpose.
2. What are the ramifications of Internet monopolies?
To address the issue of Internet monopolies, we employ three main strategies:
- We exercise our power to name respondents in the public interest;
- We conduct public education campaigns to inform Canadians about online privacy risks and to give them tools to protect themselves;
- We continue to call for stronger enforcement powers that would bring us up to par with our international counterparts.
3. How do we deal with globalization of privacy issues?
Two main strategies emerge in the face of globalization of privacy issues:
- The consolidation of international normative frameworks—be it the buildup to a strong new European data protection regime, of which the draft Regulation is the cornerstone, or the work of the volunteer group chaired by Commissioner Stoddart, charged with proposing possible updates to the OECD guidelines;
- Unprecedented international cooperation between Data Protection Authorities.
After the adoption at the International Conference of Data Protection and Privacy Commissioners in Mexico City of a Resolution on Privacy Enforcement Co-Ordination at the International Level, we have taken some concrete steps:
- We have signed MOUs with four other DPAs to exchange information and work together—and we continue to be approached by others still;
- We are in fact, on the verge of going public with the results of concerted investigations between the OPC and a European counterpart against an American company — both data protection authorities have applied their own laws, but are working hand-in-hand;
- At a meeting in Montreal in May 2012, co-chaired by our Office and by the UK, a temporary working group of privacy enforcement authorities formed under the Mexico Resolution came together to lay the ground work for more coordination; and
- We are also making inroads among our international counterparts to bolster cooperation in public-sector issues as well.
- Date modified: