Destination Privacy: Mapping a course for greater protection

Remarks at the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium 2015

May 28, 2015
Toronto, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

View the video

(Check against delivery)


Introduction

When I appeared before a Parliamentary Committee to discuss my nomination for the position of Privacy Commissioner of Canada I was asked to describe my vision. 

I said that during my mandate my goal would be to increase the control Canadians have over their personal information. 

One of my very first initiatives after assuming the role was to launch a priority-setting exercise that would guide the discretionary work my Office does towards realizing this vision.

Among other things, we held focus groups across the country to gauge what average Canadians think.

At one of these focus groups, a woman stood up. She had an idea: Canada, she said, should appoint someone responsible for protecting people’s privacy.

Ladies and gentlemen, between me, my provincial counterparts and all of you, it seems we are ahead of the game!

I am very happy to be here today among fellow privacy advocates for the annual IAPP Canada Privacy Symposium. Clearly, our work is not always known or fully understood. But over the last year, I can honestly say I have been very impressed by your dedication to improving privacy protections for consumers around the world. I look forward to working with you over the course of the next six years as we aim to boost privacy protections for Canadians.

Thank you for the invitation to speak with you today. I’d like to focus the bulk of my remarks on unpacking the priorities that we have developed during my first year following careful reflection — as well as public and stakeholder input, including input from some of you here in this room.

But before I discuss the new priorities that will guide the work of my Office, I would like to briefly touch on my background and some of the key challenges we faced in my inaugural year.

My first year as Commissioner

Some of you may still be wondering what fuelled my move from my previous position as senior legal adviser on national security issues at Justice Canada.

My father was a criminologist who, after a career as a parole officer, served as Commissioner of the Canadian Penitentiary Service in the 1970s.

There he championed the rights of inmates during a difficult period which saw riots at the infamous Kingston Penitentiary. Discussions around the dinner table often centred on the importance of public service, the dignity of individuals, even the most disadvantaged, and the relationship between the state and its citizens.

Becoming Privacy Commissioner of Canada is an extension of the same passion for human rights that my father instilled in me — a passion that has driven my entire career as a public servant since the day I began advising the government on legal matters shortly after being called to the bar.

As for my first year — can you say trial by fire?

Or perhaps that was the first week following my nomination. An unknown in the privacy world, my nomination raised many questions. I had my fair share of critics even before I uttered a word. And while I cannot say that was an easy moment, I saw firsthand that there was a real interest and care in who was to fulfill the role.

But there was no time to dwell. Almost immediately I was plunged into the debate over a new cyberbullying bill, legislation to reform PIPEDA, a review of the RCMP’s lawful access practices, I had two annual reports in the works and a policy position on the use of genetic tests by the insurance industry.

And then there were the tragic events on Parliament Hill and St-Jean-sur-Richelieu, which led to Bill C-51. While I was not invited to speak to the House Committee that studied this bill, I used other means to add my voice to the public debate, so that people have a clearer understanding of the privacy issues at stake. And although the bill was largely unamended, public support for it waned and I hope further debate will have an impact on politicians in the longer term.

At the end of the day, I expect to be judged on my actions. So far, I hope they show that I am thoughtful and thorough, that I like to offer concrete solutions and that I am outspoken when necessary and have an independent mind. And for those of you who have followed or perhaps even participated in the priority-setting exercise, I hope you will also have taken note that I am somebody who very much favours consultation and collaboration.

Which brings us to the heart of my talk today.

Establishing privacy priorities

The priority-setting exercise began with a vision: To increase the control Canadians have over their personal information. It is perhaps a lofty goal in the age of big data, where massive amounts of personal information are being collected, and powerful algorithms are being used to detect patterns for purposes that range from marketing to national security.

Certainly, the digital age has brought huge social and economic benefits; from scientific innovation and marketing efficiencies, to increased convenience and opportunities for individuals. Among these opportunities: ease of access to knowledge and communicating with new people, thus broadening our horizons. But it has come at a cost. Increasingly, individuals who want to participate in the digital economy are being asked to close their eyes, hold their noses and to click “I accept.” It should not have to be this way.

In a bid to find better solutions to this pervasive problem, my team fanned out across the country to speak directly with public and private sector stakeholders, academia, civil society organizations, consumer groups and the public. Through focus groups and round table discussions, we sought opinions on six privacy themes that come up frequently in our work at the OPC.

We wanted to know if we had captured the issues correctly, which were most important, and why and what specific things could be done and by whom — be it individuals, organizations, regulators or legislators — for maximum impact.

The exercise was extremely insightful. It gave us a much more fulsome understanding of the concerns of different groups and a better sense of where my Office should focus in order to leverage our limited resources.

In June, my Office will issue a report outlining in greater detail the four priorities that emerged from these discussions, the strategies that will help us reach our goals and some of the concrete activities we plan to launch in the weeks, months and years ahead.

Let me now give you a bit of a preview.

Based on our discussions, we have narrowed the themes to four broad priorities, which I had a chance to share with Parliament earlier this week. They are, after all, my boss.

The priorities are:

  • The economics of personal information;
  • Government surveillance;
  • Reputation and privacy; and
  • The body as information.

Ultimately, we seek to better understand privacy in each of these areas, and in turn to inform organizations and the public of the issues at stake, to influence behaviour and to use our regulatory powers most effectively.  So, what will success look like?

With respect to the economics of personal information, we aim to enhance the privacy protection and trust of individuals so that they may confidently participate in the digital economy.

Our goal with respect to government surveillance is to contribute to the adoption and implementation of laws and other measures that demonstrably protect both national security and privacy.

On reputation and privacy, we want to help create an environment where individuals can use the Internet to explore their interests and develop as people without fear that their digital trace will lead to unfair treatment.

And finally, when it comes to the body as information, our goal is to promote respect for the privacy and integrity of the human body as the vessel of our most intimate personal information.

How will we do this?

Our plan is to focus our activities around five cross-cutting strategies:

  • Exploring innovative and technological ways to protect privacy;
  • Enhancing accountability and promoting good privacy governance;
  • Taking into consideration the fact that privacy knows no borders;
  • Enhancing our public education role; and
  • Paying special attention to vulnerable groups.

To make good on our priorities, I intend to ensure we make full use of the tools, the resources and the authorities at our disposal. Where we see gaps, we will not hesitate to press for legislative changes.
Let us delve into each of the priorities a little further.

Discussion of the four privacy priorities

The Economics of Personal Information

The economics of personal information certainly provoked some of the liveliest debates among both the public and stakeholders we spoke with.

It has been said repeatedly that “if you are not paying for something, you are the product.” It is a notion that resonated with many of the people we spoke with.

Some stakeholders felt the power relationship skews in favour of industry and since being online is becoming less of a choice for individuals, that more regulation is needed. Others emphasized the benefits of the online business model, such as access to free and innovative services, convenience, economic growth, fraud prevention and economies of scale.

Online behavioural ads were one of those love-it or hate-it issues that were discussed.  I must confess, the OBA ads that pop up on our shared home computer are usually the key to finding out what to buy my wife for Christmas.

The issue of consent, meanwhile, was raised by almost everyone as a key area of concern. Many noted that privacy policies were incomprehensible and longed for a clear explanation as to how their information would be used and by whom. Others questioned whether it is realistic to seek consent in the age of big data, the Internet of Things and the mobile environment.

I agree that this is an issue that needs attention on a priority basis and we will start by drafting a paper outlining the current challenges and possible solutions, for example, self-regulation, greater accountability and enhanced regulation.

We will engage in a dialogue with stakeholders and seek their views, and then communicate our position. This would include identifying any improvements to enhance the current model, applying those solutions that are already within our legal framework and, if necessary, recommending legislative change. Through this work and by initiating this important discussion, we want to ensure privacy remains protected in a manner that gives individuals meaningful control over their personal information while at the same time respecting innovation.

The last thing we want is for privacy protection to become a barrier to technological advancement, which is why we too need to be innovative in our search for solutions. For example, just-in-time privacy notifications and pop-ups are a great way to obtain consent for the collection of personal information online. We also want to explore anonymization so that researchers can use data without fear of inadvertently identifying individuals. We want to encourage creative, cutting-edge ways to use technology to enhance privacy protections.

Government Surveillance

We don’t need to look very far to find threats to our national security. As a result, governments around the world are collecting more and more information about their citizens, and new technologies are enabling the collection and analysis of previously unimaginable amounts of information.

I get it. I am of course very much tuned into the reality of both the threat and government responses, given my previous role at Justice Canada. Finding the right balance is absolutely critical because the repercussions can be so serious when that equilibrium shifts too far one way or the other. I can tell you that this is an issue that keeps me up at night.

While Canadians are comfortable with some surveillance for the purposes of national security and crime prevention, they are concerned about how surveillance might infringe on their own basic rights and freedoms, including their right to privacy. We also heard repeated calls for more transparency with respect to government information sharing agreements and warrantless access to telecommunications data.  

Given Canadians don’t have a choice when dealing with the government, stakeholders told us they want leadership from us on this issue, particularly as the government moves to implement several related bills.

Despite our efforts, we were unsuccessful in our attempts to encourage Parliament to amend the Anti-Terrorism Act. But we are not done with that file. Going forward, we will commit significant resources towards compliance activities to ensure the provisions contained in the bill are implemented in accordance with the Privacy Act. That includes provisions related to the collection of large amounts of personal information and the sharing of that information between departments and agencies. We will report to Parliament and to the public on what we have found. If our investigations confirm problems or shortcomings in law or practice, we will call for amendments.

We will also engage departments to try to reduce risk as they develop their information-sharing arrangements and through Privacy Impact Assessments. And we will push for greater accountability from the public and private sectors on lawful access through more transparency reports. We will also conduct research into the effects of surveillance activities on vulnerable populations.

Reputation and Privacy

Now if only I had a quarter for every time I heard somebody my age say, “thank God the Internet didn’t exist when I was young.”

With the advent of social media and new communications technologies it is far easier and faster than ever to share information. In fact, it is so fast that sometimes we forget to think about what we are sharing and how many people might see it given the nature of the Web.

But that only speaks to the information we can control. What about the information others post about us? What about the fact that everything we read online, every subject we search and every purchase we make can be tracked and used by government and businesses to classify and categorize our interests, predict our future behaviour, create profiles about us and assess us in terms of potential risk?

Misinformation, mistakes and missing context can put our very reputations at risk, the consequences of which could be devastating.

Everyone we met with was aware of the potential reputational harm that could come from sharing personal information online.

Canadians raised concerns about confusing privacy settings and the lack of mechanisms to delete or correct information. Profiling by organizations and the potential for discriminatory practices such as differential pricing was also identified as a serious concern. While some stakeholders felt our role in this area should be restricted to education, others believe we should stake a stand on things like the right to be forgotten. For me, this priority really speaks about the intersection between privacy, human rights and the potential for discrimination, hence its importance.

In the coming year, we will launch a dialogue through, for example, research initiatives on reputation and privacy. We will then establish a position on the right to be forgotten or other recourse mechanisms in the Canadian context. We will build on initiatives such as this year’s Children’s Privacy Sweep of websites and mobile apps. And we will conduct education and outreach initiatives with the public and with vulnerable groups such as youth and seniors in particular, to help improve digital literacy.

The Body as Information

Whether trading biometric data for the convenience of a Nexus “trusted traveller” card, strapping on a fitness tracker as part of a diet and exercise regimen or relying on an implant to monitor blood pressure following a cardiac arrest, Canadians who use new tools and technologies that collect and store information extracted from the body face a myriad of potential privacy risks.

For example, premiums have been affected when insurance companies have accessed the results of genetic tests. And last fall, a personal injury lawyer in Calgary became the first to use evidence collected by a fitness tracker to try to prove his client’s diminished capacity, thus paving the way for such data to be used in all sorts of ways.

Canadians we spoke to appeared to be blissfully unaware of the potential hazards. This emerging concern resonated more with academics and consumer groups. They expressed concern about the potential for analytics to be applied to a myriad of secondary purposes, including some that have not yet been conceived of.

Some suggested Canada needs new laws to clarify the appropriate uses of such information, while others called for enhanced transparency to ensure people are aware of what is being collected and why.

But we also heard that privacy must not stand in the way of innovation as such data has such tremendous scientific and research potential.

In this area, the OPC intends to explore and better understand the wide range of technologies and applications to manage health and fitness. We will reach out with information to ensure Canadians understand the privacy risks associated with things like wearable technology and other types of assistive devices. We will also provide guidance to help developers build privacy into new products at the front end.

Given how uniquely personal and sensitive this personal information is, and given the risks involved, I can also assure you that it will be a serious factor in the discussions we will be having around the consent model.

Conclusion

Now I must confess: it was not until I became Commissioner that I began more vigilantly reading the privacy policies of my favorite websites and getting excited when a pop-up privacy notification would appear on my smart phone.

Although I have always been a private person, you might say I have become a bit obsessed with privacy. Occupational hazard? Perhaps, but it has become even more clear that invasions of privacy are lurking around every corner and behind every click of the mouse. 

It is why I felt it was imperative that one of my first tasks should be to identify the most pressing privacy concerns facing Canadians in the 21st Century and to chart a course to address those concerns in partnership with individuals, organizations, legislators and fellow regulators. I want to continue to build on the successes and the important work that was done by the OPC and my very accomplished predecessor, Mme. Stoddart, during her tenure. I too, intend to have a meaningful impact on privacy for Canadians.

After much discussion, we have now identified our priorities and we have set clear goals. We have developed a strategy for reaching those goals and over the next five years, you will see and hear more about our efforts on all fronts.

The last several months have been both interesting and inspiring to say the least. And now, as they say, “this is where the rubber hits the road.” I am energized when I think of the path ahead. And I very much look forward to working collaboratively with all of you in this dynamic field, to produce the kind of concrete results that will give Canadians more control over their personal information. 

Date modified: