Privacy and the Public Interest

Remarks at the Public Interest Advocacy Centre Annual Dinner

November 29, 2013
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good evening and thank you very much for that introduction.

My mandate is indeed down to the final few days. In many ways, it’s appropriate that this final public event is with the Public Interest Advocacy Centre – an organization I admire greatly.

I know many of you feel the same way, so let’s take a moment to offer a toast to our hosts.

I’ve been asked to speak with you about my Office’s work in defining the public interest in privacy. I would also like to share my thoughts about the key role played by advocacy groups such as PIAC.

Given that I am in the unenviable position of being the only thing standing between you and dinner, I promise to keep my remarks brief!

Role of PIAC and the Advocacy Community

Some of you will know that my relationship with PIAC dates back to the very beginning of my first term.

I’d been on the job for mere days when a letter landed on my desk from John Lawford, offering up the first of many bits of advice and calls for action I received from PIAC over the years.

John offered a few words of congratulations; then got straight to the point: I should break with the office’s previous practice and begin naming respondent organizations – and I should do so immediately!

In many ways, the letter illustrates our relationship over the years.

The natural dynamic of the back-and-forth between advocacy organizations and regulatory bodies includes at least a touch of healthy tension.

At times we disagree about how to approach an issue or how far the law will allow us to go.

But pushing us to go further is a good thing. And don’t think we don’t know it!

I have long believed that the role that advocates play in challenging privacy and data protection commissioners is extremely valuable.

We need independent voices asking questions and offering different points of view.

Advocates and groups like PIAC can sometimes force us out of our comfort zone.

You all know, for example, that – once I developed a better sense of the landscape I was regulating – I did begin naming respondent organizations more often.

I would also like to congratulate PIAC for bringing forward its complaint against Nexopia, a youth-oriented social networking site.

That complaint provided opportunity for us to further explore further the privacy implications of social networking, and to build our positions on these issues.

It led to a very comprehensive investigation, which ultimately highlighted a number of issues around consent, retention, online behavioural advertising, and the need for organizations to consider the special circumstances surrounding youth users and privacy.

PIAC also deserves our thanks for its work on many privacy issues – anti-spam, lawful access, data breach notification and identity theft, to name a few.

All of these issues matter deeply to Canadians. They are lucky to have PIAC’s creative, thoughtful and dedicated advocates working in the public interest to defend and promote privacy rights.

Defining the Public Interest

When he asked me to speak, John suggested I reflect on my work on privacy in the public interest.

Service to Canadians is a concept that has factored into just about every major decision of my mandate. It has played out differently during a few distinct phases.

The early part of my mandate was focused on getting our house in order.

The only word I can find that suitably describes that period is surreal.

I arrived to an Office whose administrative powers had been seriously curtailed. We couldn’t hire staff – the Public Service Commission had to do it for us. The RCMP, the Auditor General and other investigative bodies had quite literally set up shop with us on Kent Street.

We needed to concentrate on re-building an Office that was capable of serving Canadians effectively.

After a couple of years, we were able to get our full attention back to where it belonged – on privacy.

For the most part, our early years of enforcing PIPEDA were focused on examining complaints from individuals about their particular grievances about organizations.

Many of these were important cases in that the results helped to clarify for organizations how the general principles set out in PIPEDA needed to be implemented in day-to-day practices.

We helped a number of individuals, and our recommendations went a long way to improving the privacy practices of many organizations.

But in more recent years, we have tried to adopt a more strategic approach that better serves the public interest.

We have become more focused on the bigger picture and have consciously gone after big, systemic issues.

On the investigations side, we’ve looked at large multinationals such as Facebook, Google and WhatsApp. Through our policy work, we’ve closely examined issues such as online behavioural advertising and cloud computing.

On the Privacy Act side, meanwhile, we have used audits to address some important systemic issues with consequences for significant number of Canadians.

We recently took a close look at Canada Revenue Agency’s privacy and security practices. You may also recall our Veterans Affairs audit.

We have also spent many years working on important issues such as lawful access.

On this point, I would like to tell you that we are still reviewing Bill C-13, the new cyberbullying legislation, but we have noted that many troubling aspects of the former Bill C-30 have not been repeated, for example, warrantless access to personal information.

That being said, we have questions about the following issues:

  • new investigative powers, (including preservation orders) proposed by the Bill and the thresholds for their use;
  • the potentially large number of “public officers” who would be able to use these significant new powers; and
  • a lack of accountability and reporting mechanisms to shed light on the use of new investigative powers.

Enforcement Powers

Our strong advocacy for reform of privacy laws is also aimed at furthering the public interest.

It’s time for PIPEDA to be amended to include stronger enforcement powers to ensure that all businesses give privacy the attention it deserves.

Earlier this year, I saw a news report about a Competition Bureau investigation into price fixing of chocolate bars and learned that the penalty there could run up to $10 million and up to five years in prison. That’s for fixing the price of chocolate bars.

Why is there no financial sanction for violating the privacy rights of Canadians?

Canadians deserve a Privacy Commissioner who can – as Theodore Roosevelt famously said – “speak softly and carry a big stick,” not one who can “speak softly and carry a big, banana cream pie.”

While it has had some effect, I believe that the threat of naming and shaming is no longer enough to ensure compliance.

The world has changed dramatically since I became Commissioner in 2003.

Back then, there was no Facebook; no Twitter; and no Google Street View. Phones weren’t particularly smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.

Technological advances have created many new risks – and, when things do go wrong, millions of people can be affected.

It’s always dangerous to try to read the tea leaves in Ottawa, but I’m hopeful we’ll see action on PIPEDA sooner rather than later. The Privacy Act, unfortunately, is a different story.

Business Community

Some of the business people here may disagree with my views on enforcement powers – but this is PIAC’s dinner and my mother always told me it’s a good idea to keep the people feeding you happy!

But I won’t close without saying some nice things about those folks as well.

Over the years, the odd time, you have heard me express disappointment with the actions of certain organizations.

But – and this is where I get to the nice part! – I must tell you before I ride off into the sunset that I have also met many corporate privacy professionals who do “get” privacy

They understand that privacy compliance is more than checking boxes; they demonstrate moral leadership; and they do serve the public interest.

It has been my great privilege to work with these individuals.

Conclusion

I will close by once again thanking PIAC for its support and for being here to speak on behalf of Canadians, and in the public interest.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: