Privacy Priorities – Reflections on a Decade as Canada’s Privacy Commissioner

Remarks at the Access and Privacy 20/20 Conference

October 11, 2013
Vancouver, British Columbia

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

It’s hard to believe that almost a decade has passed since I first walked through the doors of the Office of the Privacy Commissioner of Canada. As my mandate draws to a close, I am struck by how lucky I have been to have the privilege of being Canada’s Privacy Commissioner at this point in history.

Yes, these are tumultuous and challenging times for privacy – but these are also fascinating times.

Some of the stories behind these titanic shifts for privacy are told in a report being launched by my Office today on the four strategic priorities which have helped to guide our work in recent years: information technology, identity integrity and protection, public safety and genetic privacy.

The report highlights some of what we’ve observed and learned over the last years – and that’s also what I would like to speak with you about today.

Three Trends

Over my mandate, I have been struck by three dramatic trends.

First, in the private sector, we have seen the rise of multinational online powerhouses, which play a central role in our day-to-day online activities.  

Second – and front and centre of our public sector work – has been the ongoing fallout of 9-11 – including the recent revelations about the extent of surveillance by the U.S. National Security Agency and similar bodies in other countries.

The third trend that has captured my attention is the issue of individual responsibility in an online world where anybody can say anything about anyone to everyone.   Privacy is no longer about only citizens and their governments, or consumers and businesses. 

All three of these trends have created new risks for our privacy.  Another common thread underlying each is the inadequacy of existing frameworks to address the new challenges. 

Canadians need to be protected by modern, effective privacy laws.  At the moment, Canada is lagging in this regard.

This is an issue also on the minds of my provincial and territorial colleagues.  Earlier this week, at our annual FPT meeting, we endorsed a resolution on modernizing access and privacy laws for the 21st Century.

We urged governments to recommit to the fundamental democratic values that underpin these laws by strengthening them in light of modern information technologies, evolving government practices and the expectations of Canadians.

Each of the trends I mentioned a moment ago is raising new privacy risks and demands that we consider the appropriate response.

Privacy and the Rise of Online Giants

All of you know the saga of my Office’s work with Facebook and Google.

They, along with a few other corporate giants, have radically changed the online world – and, at the same time, have created new challenges for data protection regulators.

These data giants amass vast amounts of Canadians’ personal information.  They are quasi-monopolies that can glean insight into our interests, our habits, and our opinions. Facebook, a company that was just about to be launched when I became Commissioner, now boasts well over one billion users worldwide. 

Every single day, Google's search engine processes three billion queries.  And, according to Twitter’s CEO,we collectively send 500 million tweets per day.

Personal information is central to the global digital economy.

We see that many Internet companies offer their services at no monetary cost, but look for ways to turn a profit from their services – and one of the most obvious options is to capitalize upon the mountains of personal information they hold.

We see organizations using personal information in ways previously unimaginable – and new risks for privacy. Meanwhile, globalization means my Office increasingly finds itself dealing with corporations headquartered in other countries, with or without their own regulatory privacy requirements.

In our PIPEDA reform policy position paper released earlier this year, we raised the question: How a small office with limited resources can attract the attention of such companies when there are very limited consequences for contravening Canadian privacy law?

We need greater incentives to ensure organizations effectively address privacy issues from the start – and sanctions when they don’t.

Theodore Roosevelt spoke of the need to “speak softly and carry a big stick.”  I have likened our current soft enforcement approach to “speak softly and carry a big, banana cream pie.” 

To carry the sweet treats analogy a little further, I point you to the recent news about a Competition Bureau investigation into price fixing of chocolate bars.  We learned that confectioners faced penalties of up to $10 million and up to five years in prison. That’s for fixing the price of chocolate bars.

What should the sanction be for violating the privacy rights of Canadians? In addition to stronger enforcement powers, the rise of multinational online corporations also highlights the need for concerted, cross-jurisdictional cooperation.

This is why my Office has worked so hard to encourage cooperation by actively participating in a number of international organizations. 

Privacy and Public Safety

I’ll turn now to privacy and public safety.

Over the years, my Office has been confronted with a very long list of public safety and law enforcement initiatives with implications for privacy – for example, the Anti-terrorism Act, the Proceeds of Crime (Money Laundering) andTerrorist Financing Act, thePassenger Protect Program (better-knownas the no-fly list), airport millimetre wave scanners, lawful access legislation and the Beyond the Border initiative.

Most recently, of course, we’ve heard Edward Snowden’s comments about the reported scope of collection of information by the U.S. National Security Agency.

Of course, this is not solely an American story. 

While the US has the National Security Agency, Canada too has a signals intelligence body, called Communications Security Establishment Canada.  It has a far-reaching mandate to acquire information from across "the global information infrastructure" and to analyse what it collects for intelligence value. 

In an attempt to ensure this is done in a way that respects Canadian laws and values, the government created the Office of the Communications Security Establishment Commissioner, with a dedicated Commissioner to review the activities of CSEC.

The recent revelations about the extent of surveillance have shed light into some dark corners.  What we have heard is troubling from a privacy standpoint, but is prompting us to think about the role of our national security agencies and also highlighting the importance of oversight and transparency.

The right to privacy, though fundamental, is not absolute. It must be exercised in relation to other fundamental rights – in the case of public safety and national security, the right to live one’s life secure from threats of harm.

Public safety and privacy are not at odds. Rather, both must be integrated and accommodated so that they may continue to co-exist in a free and democratic society. The relationship between public safety agencies and the people they protect needs to be built on trust.

Canadians will accept some inconvenience, including some sacrifice to their privacy, provided the state is acting with transparency, accountability and integrity. Part of the solution, I believe it to ensure we have effective laws to protect privacy rights in the context of public safety and law enforcement.

For many, many … many years now, I – and indeed Privacy Commissioners before me – have been calling for reform of the antiquated Privacy Act.

This law requires a complete overhaul.  Some of the improvements we have suggested in the past would help to build greater transparency, accountability and integrity into public safety initiatives undertaken by the federal government.

For example, we have recommended the creation of a legislative “necessity test” requiring government institutions to demonstrate the need for the personal information they collect.

We have said it is important to strengthen the provisions governing the disclosure of personal information by the Canadian government to foreign states.

And we have recommended broaden the grounds for which an application for Court review may be made.  As well, the Federal Court should be empowered to award damages against offending institutions.

At the moment, there is a lack of effective redress when the government does something wrong. 

This is particularly important when it comes to public safety and law enforcement issues because the consequences for people can be extremely serious.

The recent discussion prompted by Edward Snowden’s revelations has also highlighted the blurry line between the private sector and national security as well as law enforcement agencies.

We could also make improvements under PIPEDA.  A key recommendation of our recent position paper deals with lifting the `veil on authorized disclosures.

We called for public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes. 

Those include national security; enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws.

Role of Individuals

Let’s turn now to the third major trend. Increasingly, we see headlines about the role played by individuals in protecting – and violating – privacy in the digital world. We have learned the tragic stories of Rehtaeh Parsons and Amanda Todd – and other cases of cyberbullying. 

Last year, the Supreme Court of Canada heard a case which involved the sexualized cyberbullying of a young teenage girl by someone who set up a fake Facebook profile using a variation of her name, and her photo.  (My Office was an intervener.)   At issue was whether the girl could seek to unmask the cyber bully while remaining anonymous. 

The Supreme Court was unanimous in deciding that the girl could proceed anonymously in her efforts to find out the cyber bully’s identity. 

The current landscape raises a number of questions: What is the responsibility of the individual who authors the Internet messaging? How should responsibility for what gets posted be allocated between social networking platforms and users?

The Internet has put power in the hands of individuals because it allows them to easily disseminate information and viewpoints. While that can offer incredible benefits, this still relatively new-found power is also raising troubling issues for privacy and human dignity.

Like most privacy laws around the globe, PIPEDA does not apply to personal or domestic uses of personal information. I welcome the discussion we’ve seen to date about possible responses to the issue of young people and cyberbullying, but I hope we will broaden the discussion about privacy and the role of individuals.   For example, in Europe, we have seen an interesting debate about the “Right to be forgotten.”  California has just passed an “eraser bill” that will allow young people to remove their online indiscretions.

But legal frameworks are just part of the solution.

Digital literacy is incredibly important as people stumble through these early days of the Information Age.

This is an area of focus for my Office – particularly youth privacy issues.

At the International Conference of Data Protection and Privacy Commissioner conference in Poland last month, we endorsed a resolution on the importance of digital education to help people to make informed decisions about using the opportunities offered by digital technology.

As the resolution said, digital literacy education will help people understand how to act responsibly in the online world.

Privacy and Trust

So, what do these three trends mean for privacy – and also for trust?

I recently attended a conference where the central issue examined was a very interesting question:  Why do we lose confidence in government?  One could also ask:  Why do we lose trust in business?  Why do we lose trust in other people?

These are increasingly important questions in the context of privacy.

If you don’t meet the privacy expectations of your citizens, your customers or your friends, family and acquaintances – you very quickly lose their trust.

The age of big data has created a new kind of intimacy.  So much is known about us, or assumed about us as a result of the collection and analysis of those endless digital trails that all of us create.

Personal data is collected and used to achieve a multitude of goals.  

Many of them are laudable – keeping us safe from terrorists, providing us with better service, and to maintain friendships. But I would argue that these intense data relationships demand a whole new level of respect and responsibility for how information is treated. 

People are willing to share their personal information when they see a benefit.  But if you fail to meet their expectations, the fallout may be significant.

During the international conference in Poland, a theme that resonated was the need to take a “surprise minimization” approach – don’t surprise people when you collect, use or disclose their personal information.  That concept applies equally well in the private and public sectors, and in our social relationships.

Respect and responsibility – good privacy – will help to encourage trust and confidence.

Road Ahead

As we look ahead, I am hopeful that we will see some positive developments for privacy.

Media reports suggest that next week’s Throne Speech will unveil a “consumers first” agenda.

Let’s hope that leads to some improvements to PIPEDA to better protect the privacy of consumers in the digital economy.

I must confess that I am less confident we will see changes to the Privacy Act in the short term.  I pass this torch to the next Commissioner. 

Canadians deserve better public sector legislation to protect their privacy.  I leave with some regret that I have not been able to convince Parliament to fix this broken law.

And, finally, on the issue of the role of individuals in protecting privacy, I am pleased to see that the seeds of a discussion have been planted with respect to young people and cyberbullying.

That’s a start, but we need to think about how to address the legislative gap when it comes to personal uses of people’s information.  I encourage privacy advocates to take up that discussion over the coming years.

Conclusion

I’ll conclude my remarks with this observation:  Many emerging privacy issues are raising ethical questions.

Technology may allow us to do certain things, but should we be doing it?  How should we do it in an ethical manner?  Who decides what is appropriate?  Who do we trust to decide?

As a society, we need to be thinking very carefully about organizational ethics and individual ethics.

We need to re-centre our values in a more open and transparent society.

As we note in our new Privacy Priorities report, the decisions we make today about public safety initiatives; about the technologies in our daily lives; and about the policies and legislation that protect our personal information will all have impacts long into the future.

Governments, organizations and individuals need to ask themselves not only: Does privacy law allow this? But also: Should we be doing this? How do we define who we are? How do we relate to other individuals, organizations and governments? And, most importantly of all: What kind of world do we want to live in? 

Thank you.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: