Regulating in Rapidly Changing Times

Remarks at the Community of Federal Regulators National Workshop

November 4, 2013
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

It is a pleasure to be amongst fellow regulators.  Although we work in vastly different fields, we share many common experiences.  It’s wonderful that you are able to gather each year to exchange best practices, ideas and stories.

As you know, I have been Privacy Commissioner of Canada for a decade.  My last day on the job is December 3rd.

It has been a fascinating time to be Commissioner.  I have had the great privilege of being in the thick of some historic privacy issues in both the public and private sectors – the birth of social networking and the fallout of 9-11, to name but two.

As Commissioner, I have the mandate to enforce both the Privacy Act, which covers federal departments and agencies, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, the federal private-sector privacy law.

I’d like to speak with you today about what has been the principal challenge of my mandate - and also about how we have worked to address it head on.

This challenge is the absolutely astonishing rate of change in the environment in which we operate. 

The privacy landscape is constantly weathering dramatic change – a trend we can expect to continue for the foreseeable future.

I suspect that the rapid transformation of issues is something many of you face as well.

I’d like to begin with a discussion of how privacy issues are evolving and then walk you through some of the ways in which my Office has responded from a regulatory management viewpoint.  

These responses include:

  • adopting a culture of ethics, excellence and transparency;
  • having staff with the right skill sets;
  • identifying priorities;
  • re-tooling our investigative processes;
  • holding organizations accountable; and, finally,
  • building partnerships.

I’ll come back to these in a moment.  First, let’s look at the changing nature of privacy.

Transformation of the privacy landscape

Consider for a moment just how different the world was when I began my mandate as Privacy Commissioner in 2003.   

There was no Facebook; no Twitter; and no Google Street View. 

Phones weren’t particularly smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.

In an incredibly short period of time, we have seen dramatic advances in information technologies.  This has paved the way for a massive expansion in the role personal information plays in our digital economy.  And, as a result, the risks to privacy have grown exponentially.

You’ve all heard that we now live in the era of Big Data.  Big data really means taking information from the past in order to try to discover things about the present and future.

In his book The Power of Habit, for example, Charles Duhigg tells the incredible story of how retail giant Target was apparently able to figure out when women are pregnant, including one teenager who hadn’t yet told her father. 

Through the magic of data analytics, Target figured out that pregnant women tend to buy large amounts of unscented lotion, a lot of cotton balls and hand sanitizer – well before they start shopping for maternity wear. 

Target created a “pregnancy prediction” score and then used it to send coupons to women based on their presumed due date. 

The driver of much of the transformation we are seeing is, of course, technology.

Change is not limited to the online world.  For example, technology has led to rapid advances in genetic science – where protecting privacy is increasingly challenging as genetic tests become more common. And, in the realm of public safety, powerful technologies have enabled the extensive online surveillance by governments we’ve been hearing so much about in the news.

So, what is a regulator to do when faced with a plethora of urgent demands and challenges and – as always – fewer resources than optimally needed?

My own Office has adopted a multi-pronged approach.

1. Adopt a culture of ethics, excellence and transparency

I arrived in Ottawa to become Privacy Commissioner on a snowy, bitterly cold December day to an organization that was only beginning to recover from trying times.

In those early days, I was running an Office whose administrative powers had been seriously curtailed.  We couldn’t hire staff – the Public Service Commission had to do it for us.  The PIPEDA implementation part of our budget was about to lapse. We were consumed by questions from the RCMP, the Auditor General and other investigative bodies that had quite literally set up shop in our office.

It took a lot of hard work, but we were able to get our house back in order. 

That experience reinforced a notion I have held tight throughout my public service career – the importance of public trust.

Trust in us is absolutely essential to our success as regulators – especially in turbulent times. 

We need to always remember that trust is a fragile thing.

We must uphold the highest standards of excellence and the ethical behaviour that Canadians expect of their civil service.  And – as much as possible as we carry out our mandates – we must be transparent.

2. Have the right resources for the times

Related to my reference a moment ago to the need for excellence is the critical importance of having top-notch people with the right skill sets in place.

We have worked very hard to build our expertise and capacity, particularly in the legal and technological areas.

I am proud to have a team of lawyers who come from a number of Canada’s best law schools, and many interesting and challenging backgrounds, including clerking for the Supreme Court of Canada, the Federal Court of Appeal, and stints in respected law firms and other government departments.

On the technical side, we created a Technology Analysis branch and hired some highly specialized technologists.  As well, we set up a technology lab, which allows us to understand what’s happening behind the screen.

This has been incredibly important for so much of our work.

You’ll recall, for example, the investigation we launched after Google admitted its cars – which were photographing neighbourhoods for its Street View map service – had collected data transmitted over unprotected wireless networks in Canada and around the globe.

Google initially insisted the data did not include personal information. Our technical experts travelled to Google headquarters and were able to confirm personal information had been collected. 

More recently, our technologists were able to back up some of our privacy concerns with respect to the federal government’s proposed lawful access legislation.

The Bill’s proponents suggested this was akin to information in a phone book.

But, unlike a telephone directory, information behind an IP address is not generally publicly available and can unlock doors to much more information about people.

Our technologists looked at the degree of privacy intrusiveness in relation to the specific information that the Bill had proposed to make readily accessible to police. We saw that an IP address can, in fact, provide a starting point to compile a picture of an individual’s online activities, including, for example, online services for which an individual has registered; personal interests based on websites visited; organizational affiliations; and even physical location.

3. Identify Priorities

In 2007, my Office undertook a process to identify key strategic priorities that would serve as focal points for our work.

We set out a number of criteria to help us choose.  For example: How urgent is the issue? What is its relevance to Canadians? And is there an opportunity to make a meaningful impact within a few years? 

In the end, we identified the following key areas of focus: 1) information technology; 2) public safety; 3) identity integrity and protection; and, 4) genetic information.

Over the years that have followed, these priorities have helped us to prioritize incoming requests and demands on our Office, develop work plans, and leverage resources.

My Office has just published a report on our four strategic priorities to highlight a few of our achievements and set out what we’ve learned about these issues.  The report is in e-book form and is available on our website.

4. Re-tool investigative processes

Another way we have been adapting to the new environment is by retooling our investigation processes in order to be able to expend our energies on investigations with the broadest impact on Canadians.

We made a number of changes, including the increased use of early resolution.

When we accept a complaint that appears amenable to a speedy resolution, the case is referred to an Early Resolution Officer. The officer works with the complainant and the respondent organization to resolve the complaint in a co-operative and often conciliatory manner.

For us, the big advantage of early resolution is that it dramatically reduces the time and the resources needed to address an individual complaint. 

Having concerns addressed quickly is also a huge advantage for complainants and respondent organizations.

Not all complaints can – or should – be handled this way, but early resolution has been a major success story for my Office.

5. Promote accountability

I’ll turn now to the importance of promoting accountability by the organizations we regulate in both the private and public sectors.

This is really about holding organizations to account for how they manage privacy issues – or, if you like, holding their feet to the fire.

As personal information handling and uses become more complex, the importance of accountability increases.

Accountability is not a new concept.  It was included in the OECD’s guidelines on privacy and transborder data flows more than three decades ago and is also explicitly referenced in PIPEDA.

That being said, we have seen enhanced interest in the concept on the global stage in recent years.

The notion of accountability means that an organization does more than merely comply with legal requirements. It has to take responsibility for the personal information that customers and clients entrust to its care. It has to demonstrate that privacy considerations are built into business decisions and that people’s privacy rights are being respected.

This can be done, for example, through self-assessment processes, internal audits, and third-party evaluations and validation.

Although PIPEDA has been in place for over a decade, my Office still encounters some fundamental accountability problems during investigations and audits.

Accountability is really about building trust with consumers and citizens. It is far better to proactively address privacy issues than to mop up a mess after the fact.

Veterans Affairs Canada would undoubtedly agree.  You’ll remember the negative publicity they received over the mishandling of one veteran’s personal information.  His sensitive medical and personal information was shared – seemingly with no controls – among departmental officials who had no legitimate need to see it.

Our investigation of that matter prompted an audit, which led to substantive changes.

If you’d like to know more about accountability, I would point you to an accountability guidance document my Office developed with our Alberta and B.C. counterparts, as well as a guide for submitting privacy impact assessments to my Office.  Both are on our website.

6. Build Partnerships

Working with partners – including our provincial counterparts and global data protection authorities – has been a key component of helping us to meet the challenge of a changing environment.

Cooperation is crucial because of the nature of information flows and Canada’s federal structure.    In many commercial transactions, personal information crosses not just provincial, but also international boundaries.   

As confirmed by the Federal  Court in a case known as Abika, my Office has jurisdiction to investigate complaints relating to the transborder flow of personal information.  That has had a particularly significant impact in the online realm.

Earlier this year, we announced the results of a collaborative investigation with the Dutch Data Protection Authority into the handling of personal information by WhatsApp – a California-based mobile app developer.

We have signed cooperation and information sharing arrangements with Ireland, the United Kingdom, Germany, the Netherlands and Uruguay.  We are also party to a multilateral arrangement with APEC which allows us to share information with the U.S. Federal Trade Commission.

Enforcement cooperation is essential to protecting privacy rights in a world where privacy transcends borders and where resources to enforce privacy laws are limited.

It seems to me that if a privacy issue affects multiple jurisdictions, you don’t need all of the data protection authorities in those jurisdictions to conduct investigations.

We’ve made great strides in enhancing enforcement cooperation in recent years, but we still have a ways to go.

Conclusion

Before closing, I want to mention an issue that I suspect a number of other regulators can relate to (and I see it is on your agenda this afternoon):  The importance of ensuring that legislation and regulations keep up with the times.

Over the last decade, I have devoted quite a bit of energy to trying to convince Parliamentarians of the need to update privacy laws.

Our laws have solid roots, but they are under pressure.

The Privacy Act dates back to 1983 – when most public servants were still working on typewriters – and it hasn’t been updated since.   PIPEDA also needs some refreshing. 

Sadly, I haven’t seen the changes that are so badly needed to protect the privacy of Canadians during my mandate – and I pass this torch on to the next Privacy Commissioner.

I have covered a lot of ground in a short time. I hope my comments will be relevant to your work as regulators.  Thank you – and I hope we have a few minutes left for questions.

Date modified: