Privacy Regulation in the Digital World

Remarks at the Canadian Internet Forum organized by the Canadian Internet Registration Authority

February 28, 2013
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you for inviting me to address some of the key privacy regulation issues Canadians will face in the next several years.

First, allow me to congratulate the Canadian Internet Registration Authority on sprinting past the two million line in registered dot-CA Internet domain names.

The remarkable growth of the dot-CA domain name is in keeping with the continued exponential expansion of the Internet globally.

But, along with many wonderful opportunities, this explosion of interconnected-ness also brings numerous challenges.

One especially complex challenge lies in regulating the Internet.

Everyone here is aware of the controversy over Internet regulation at the World Conference on International Telecommunications in Dubai a few months ago.  The impassioned debate was perhaps a sign of how critically important the Internet has become to the daily lives of people around the globe; to business; and to governments.

Against that background, I would like to speak with you about a few of the key challenges that the Office of the Privacy Commissioner of Canada — and indeed many of my international counterparts — are facing when it comes to regulating privacy in the digital world.

I’ll focus on three areas:

  • First, law enforcement in an era of evolving communications technologies;
  • Second, the role of the individual in safeguarding privacy; and
  • Third, the importance of corporate responsibility, particularly in a world where privacy issues are global.

The relentless march of technology has made all three of these issues increasingly pressing in the decade since I became Privacy Commissioner.

Law Enforcement Challenges

As more and more people around the world are communicating online, the issue of access to information related to those communications by law enforcement and national security authorities has become an issue.

Earlier this month, Justice Minister Rob Nicholson announced that Bill C-30, the government’s lawful access legislation, would not be proceeding in Parliament.

When the Bill was tabled last year, Canadians reacted strongly against it and expressed concern that it would have a significantly negative impact on their fundamental right to privacy.

We were very pleased to see the government respond to those concerns.

My Office has been working on this issue for many years. We have expressed concerns that Bill C-30, like its predecessors, would have enabled law enforcement to gain warrantless access to subscriber information, such as an IP address.

The Bill’s proponents suggested this was akin to information in a phone book.

But, unlike a telephone directory, information behind an IP address is not generally publicly available and can unlock doors to much more information about people.

My Office’s technologists have looked at the degree of privacy intrusiveness in relation to the specific information that the Bill had proposed to make readily accessible to police. We’ve seen that an IP address can, in fact, provide a starting point to compile a picture of an individual’s online activities, including, for example, online services for which an individual has registered; personal interests based on websites visited; organizational affiliations; and even physical location.

The announcement related to Bill C-30 was a welcome development for privacy in Canada and I applaud the many, many Canadians who spoke out about their concerns with the Bill and their deep attachment to their privacy rights.

That said, the debate has also highlighted questions about existing provisions which permit law enforcement to gain access to personal information without consent.

The Personal Information Protection and Electronic Documents Act (PIPEDA) already allows law enforcement agencies and government institutions to obtain personal information without consent for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws. 

We have no idea (nor does anyone else) how often this occurs and under what circumstances, though we do know that the provision is regularly used by police seeking information from ISPs to link IP addresses with names.  I feel that more transparency is needed to show how, and why, and how often this mechanism is used.

PIPEDA requires that the law enforcement agency or government institution requesting personal information from an organization identify its “lawful authority” to do so.

The term “lawful authority” is not defined, which has led to some confusion and uncertainty.  ISPs have been inconsistent in how they respond to such requests, and some court cases raise questions as to the constitutionality of warrantless access to certain types of information in specific contexts.

Legislation currently before Parliament — Bill C-12 — includes a proposal to amend PIPEDA in an effort to more clearly define “lawful authority.”

The definition being proposed attempts to do so by setting out what lawful authority is not — that lawful authority is something “other than a subpoena, warrant or order issued or made by a court, person or body with the jurisdiction to compel the production of information”, or “rules of the court relating to the production of records.”

If this is what it is not, then what is it?

It is not clear to me that this approach will actually help to clarify lawful authority.  It may result in more disclosures without consent to government institutions.

My Office is, of course, paying close attention to these issues as we prepare for an eventual appearance to share our views on C-12 before a Parliamentary Committee.

I also believe this is an area that warrants further attention during the next mandated Parliamentary review of PIPEDA — something that is overdue.  The Parliamentary schedule seems to have overlooked the fact that PIPEDA contains a provision requiring such a review every five years, and the last review began in 2006.

Role of Individuals

I turn now to the role of individuals in protecting privacy in the digital world.

In the early days of the Internet, there were enthusiastic predictions about its potential to put power in the hands of individuals, to allow people to easily disseminate information and viewpoints — and to do so, for the most part, anonymously.

Well, those days are here. 

Increasingly, we see individuals posting content, uploading photos and videos, and creating blogs and their own websites.

All of this user-generated content is probably the greatest liberation of the means of mass dissemination since the printing of the Gutenberg Bible.

And while we do see tremendous, even awe-inspiring benefits, we have also discovered that having the ability to say anything about anyone to everyone is not without downsides.

From my perspective, it raises troubling issues for privacy and human dignity.

Like most privacy laws around the globe, Canada’s federal private sector legislation, PIPEDA, does not apply to personal or domestic uses of personal information.

The current landscape raises a number of questions: What is the responsibility of the individual who authors the Internet messaging? How should responsibility for what gets posted be allocated between social networking platforms and users?

We are beginning to see the courts address some of these issues.

Last September, the Supreme Court of Canada rendered a precedent-setting decision in A.B. versus Bragg Communications, a case in which my Office was an intervener.

The case involved the sexualized cyber-bullying of a young teenage girl, A.B., by someone who set up a fake Facebook profile using a variation of her name, and her photo.

A.B. sought access to the identity of the person who set up the fake Facebook profile. While Facebook was prepared to give A.B. the individual’s IP address, she still needed the Internet service provider to provide her with the identity of the associated individual.

Two lower courts agreed that she should be given this information.

But they denied A.B.’s request for anonymity in the proceedings, citing her failure to submit evidence of specific harm to justify either request.

The Supreme Court of Canada overruled these decisions and allowed A.B. to obtain the order using a pseudonym.  The Supreme Court held that granting A.B. anonymity would cause minimal harm to freedom of the press and to the principle of open courts compared with the salutary effects of protecting youth from the greater harm of online cyberbullying and the risks of re-victimization upon publication.

The decision means that Canadian children and youth who have been the victims of cyber-bullying may seek justice without sacrificing their privacy.  That’s a very positive development.  But it leaves open the question of how adults obtain justice in the cyber world.

It is here that we acknowledge that enhancing privacy literacy is another important solution to addressing privacy harms that can result from individuals posting personal information online.

Privacy literacy — an important component of digital literacy — means having the skills to engage fully and confidently in the digital world, without compromising your own personal information — or that of others.

Individuals need a better grasp of privacy issues and their importance.

Why do I say this when there’s no denying that many Canadians already display sophisticated online skills?

As noted in CIRA’s 2013 Factbook, Canadians spend an average of 45 hours a month online, making them the heaviest users of the Internet in the world. (Maybe that has something to do with Canadian winters?)

We’re also quick to embrace the latest developments in the digi-sphere.  Yet while Canadians may be early adopters of new technologies, we could be doing better when it comes to privacy literacy.

Some of the ways in which individuals need to be privacy literate to engage confidently in the digital world include:

  • Respecting the rights of others, for example not posting photos of them without permission — especially embarrassing ones;
  • Understanding how to use privacy settings on social networking sites;
  • Realizing that personal information they place online may wind up being used in ways they never imagined, such as being fired from jobs or not even getting a job interview in the first place; and
  • Taking appropriate security steps — securing their home wireless networks, for example, which might have avoided some of the fallout from the Google WiFi story.

In recent years, our Office has developed a wealth of outreach materials for youth and others.

For example, we created a graphic novel, hoping it would be an effective way to speak to younger teens about privacy issues. We have also created youth presentation packages for various age groups with the goal of showing young people how technology can affect their privacy, and how they can build secure online identities.

Cultivating privacy literacy among individuals is vital in an era when people freely post vast amounts of information about themselves and others — an activity largely outside the scope of PIPEDA.

Let’s turn now to the subject of corporate responsibility for privacy...

Corporate Responsibility

It’s a truism to note that personal information is oftentimes treated like a commodity, and finding ways to make money from our personal information has become a big business.

Many companies — from huge corporations to small app developers — consider the Internet to be a treasure-trove of personal information that can be exploited for profit.

Too often, we have seen companies launch new online products and services with little thought to respecting our privacy laws.

It would seem that they have been content to let the innovators innovate and have the lawyers mop up after the fact.

And let me pause here to state very clearly: There need be no conflict between innovation and privacy.  In fact, getting privacy right can be a competitive advantage. It can help build trust with consumers.

My Office is working to enhance corporate responsibility in a number of ways.

We meet regularly with businesses and industry associations as part of our outreach efforts. 

We also provide concrete guidance to help organizations meet their privacy obligations.

Last year, for example, my Office, along with our Alberta and BC counterparts, launched new accountability guidelines which outline what we expect to see in a company’s privacy management program.

We have also issued guidance to help organizations involved in online behavioural advertising ensure their practices are in compliance with PIPEDA. (I mention that document in particular because I understand some of you work in the area of PR and marketing.)

Given the increasingly global nature of privacy issues, we are also working to enhance cooperation and enforcement collaboration with our international data protection colleagues.

For example, my Office and the Dutch Data Protection Authority recently collaborated in an investigation that focused on WhatsApp’s popular mobile messaging platform. We released our findings last month. 

The coordinated investigation was a global first — and it marked a real milestone in global privacy protection.

Enforcement Issues

A growing number of the complaints my Office receives raise issues that involve corporations based outside of Canada.

PIPEDA’s soft approach, based on non-binding recommendations and the threat of reputation loss, is only partially effective against the quasi-monopoly of these multinational Internet giants.

It seems to me that, with vast amounts of personal information held by organizations on increasingly complex platforms, the risk of significant breaches and of unexpected, unwanted or even intrusive uses of that information calls for commensurate safeguards and financial consequences not currently provided for in PIPEDA.

We have seen a number of other countries moving to impose substantial fines.

Last month, for example, the U.K. Commissioner fined Sony 250,000 pounds for the 2011 incident in which hackers stole personal information from the accounts of 77 million PlayStation users world-wide. 

The British investigation concluded that Sony could have prevented the attack by using up-to-date security software.

Here in Canada, a House of Commons Committee has been studying issues related to privacy and social media. When I appeared before the Committee in December, I called for new incentives under PIPEDA, including changes to the enforcement model.

I believe such changes are required to encourage organizations to be proactive, to build up-front protections, and to ensure secure treatment of individuals’ personal information.

We must start with mandatory breach notification — including financial consequences for egregious cases. Increasingly, other countries are implementing such legislation.

Such requirements would reinforce accountability and, with penalties, provide financial incentives to better protect Canadians’ personal information.

Conclusion

Increasing both corporate responsibility for privacy and public awareness of privacy risks is essential. So is the updating of our federal privacy legislation.

I’ll conclude with the following:  This audience in particular realizes that the rapid growth and evolution of Internet and mobile technology has the potential to radically improve our society — if we harness the potential appropriately.

I would be very pleased to answer any questions — about either the issues I have raised or other topics. 

I understand that a substantial number of you work for the federal government and may have questions with respect to my Office’s work under the Privacy Act, which covers the personal information-handling practices of federal institutions. 

As you may know, we’re currently investigating the Human Resources and Skills Development Canada breach involving student loan recipient information.  We’re also conducting an audit of the Canada Revenue Agency, which has been the subject of consistently high numbers of complaints. 

All of this to say, I look forward to an interesting discussion with you. 
