Mission Possible: A shared vision for boosting control over personal information

Remarks at the Public Interest Advocacy Centre (PIAC) Dinner

November 27, 2015
Ottawa, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

I would like to begin by thanking the Public Interest Advocacy Centre for the invitation to speak this evening. My Office has enjoyed a long and constructive relationship with your organization which I hope to maintain going forward.

Earlier this week I had the pleasure of talking with John Lawford and others from civil society and consumer groups. Now that I have settled into my role and have a strategic plan in place for the coming years, I look forward to meeting on important privacy issues, on a regular basis.

My leadership style is one that favours consultation and collaboration. Hopefully some of you got a taste for that, having participated in our priority setting exercise.

I set an ambitious goal coming into this job to increase the control Canadians have over their personal information.

So without further ado, as I know I am keeping you from the main course, I would like to talk about a few of the issues that go to the heart of this shared mission — children’s privacy, consent in the digital age and transparency in terms of lawful access and government surveillance.

Children’s Privacy

With respect to children’s privacy, I think we can all agree that young people are among the most vulnerable in our communities and as such, their privacy is deserving of special consideration.

When it comes to the Internet and mobile applications, for instance, children dance circles around those of us with a few grey hairs. But in their haste to access their favourite game or social network, they are often asked to hand over personal information with little explanation of the potential privacy ramifications.

This is why we produced a classroom activity for Grade 7 and 8 teachers just in time for back-to-school. We want to encourage students to examine their favorite apps and websites, to learn how to read privacy policies, to learn about tracking, the different types of personal information that might be collected and to discuss their observations with their teachers, peers and parents.

This initiative was actually inspired by our most recent Global Privacy Enforcement Network Privacy Sweep. We and 28 fellow data protection authorities from around the world assessed the privacy features of nearly 1,500 websites and mobile applications targeted at, or popular among, children.

We learned that a majority of websites and apps were collecting personal information from children — some of it particularly sensitive. Many shared this information with third parties, easily redirected kids to other sites with different privacy standards and we saw too few examples of privacy protective controls, such as parental dashboards and pre-set usernames, to limit collection.

In 2015, digital literacy is among the fundamental skills every child must learn. But protecting children’s privacy online is not just the responsibility of parents, teachers and kids themselves.

Companies and advertisers must be mindful of who their online users are and limit, if not eliminate, the collection of personal information from children who may not be fully equipped to provide meaningful consent.

As you may know, boosting privacy protections for vulnerable groups is a big part of our strategic priority related to reputation and privacy. In the coming years we will increase our partnerships with organizations that serve youth and produce guidance on youth privacy issues. We are also working on targeted campaigns to better reach parents and young people.

During a meeting last month with my provincial and territorial counterparts, I also stressed the need to work together to ensure privacy and data protection issues are being adequately covered in Canadian schools. I am happy to say that my counterparts are very interested in moving forward on this idea.

Being a digitally literate citizen is partly about protecting your privacy and being able to exercise control over your personal information. It is also about respecting the privacy of others. We want to ensure the next generation of Canadians is able to participate fully, albeit safely and responsibly, in the digital economy.

Consent in the digital age

Which brings us to the important issue of consent in the digital age.

In the age of big data, the Internet of Things and the mobile environment, massive amounts of personal information are being collected and powerful algorithms are being used to detect patterns for purposes that range from marketing to national security.

Too often, consumers are confused by incomprehensible or non-existent privacy policies or feel compelled to blindly accept certain conditions if they want to access a product or service.

Over the last year, we have had a couple of opportunities to examine the issue of consent as it relates to online behavioural advertising.

In June, my Office released the results of a study that looked at online behavioural advertising by websites frequented by Canadians and subject to PIPEDA.

We were disappointed to find that online searches on sensitive topics, such as divorce lawyers and depression, could lead to related ads appearing on the user’s computer, without the user’s explicit consent, as set out in our guidelines on online behavioural advertising. We are continuing to follow up with advertising organizations to ensure improvements are made.

As many of you know, my Office received more than 170 complaints when Bell announced its relevant ads program, which involved tracking the Internet browsing habits of customers, their app usage, TV viewing and calling patterns. Combined with demographic and account data already collected from customers, detailed profiles were created to enable third parties to deliver targeted ads to Bell’s customers for a fee.

Given the sensitivity of the information involved and the reasonable expectation of Bell’s customers, we concluded Bell should obtain opt-in consent to proceed with the program. In the end, the company decided to withdraw the program and delete all existing customer profiles. I understand Bell plans to reintroduce the program using an opt-in model. Of course it will be up to the company to ensure any new program is consistent with PIPEDA.

I know the issue of consent is of great concern to PIAC.

Some of you may know that we have embarked upon a project to examine the challenges with the current consent model. In the spring we will release a discussion paper outlining the various challenges and exploring potential solutions, such as self-regulation, greater accountability and enhanced regulation. We will be seeking stakeholder input into this paper and look forward to hearing from you.

Transparency: Lawful access and surveillance

Before wrapping up, I want to touch on one final area — transparency with respect to lawful access and government surveillance. This is an area that civil society has championed tirelessly and to great effect. I think of the Citizen Lab and its work on lawful access, and the Canadian Civil Liberties Association and its challenge to Bill C-51.

We do not need to look very far to find threats to our national security. As a result, governments around the world are collecting more and more data about their citizens, and new technologies are enabling the collection and analysis of previously unimaginable amounts of information.

I am very much attuned to the reality of both the threat and the government’s response, given my previous role at Justice Canada. Finding the right balance is critical.

Canadians do not have a choice when dealing with the government on this topic and due to the sensitivity of surveillance operations, they may never know if their personal information has been caught up in the proverbial net. They want leadership from us and over the last year we have tried to be up to the task.

With respect to Bill C-51, a new government is in power and has promised to amend the legislation. How that will take effect is yet to be determined but my Office welcomes the opportunity to share our views with the new government which, I understand, is planning to consult on changes to the Anti-terrorism Act, 2015.

My Office’s position ultimately remains the same. We have significant concerns that the information sharing provisions are excessive and lack balance.

With respect to thresholds, only information which is “necessary” should be shared, rather than the current threshold of “relevance,” which, we believe, exposes the personal information of law-abiding citizens.

We also expressed concerns that 14 of the 17 agencies receiving information for national security purposes are not subject to dedicated independent review or oversight.

For now, Bill C-51 is law. As such, going forward we will use our powers to review how information sharing is occurring, we will assess whether information sharing is being done lawfully and we will advise Canadians of our findings in order to inform public debate and potential future amendments.

With respect to transparency reporting, Industry Canada recently issued guidelines for companies, such as telecommunications service providers, that are frequently asked to provide customer information to law enforcement agencies. We worked with Industry Canada and provided input into these guidelines and published a comparative analysis of transparency reports voluntarily produced by some telecommunications companies.

I expect more companies will be encouraged to produce these reports, and more consistently. If not, we may call for legislative changes.

My Office had been calling for greater transparency with respect to lawful access for many years and we believe the Industry Canada guidance is a positive first step — one even more necessary now in the wake of the Supreme Court of Canada’s landmark decision in the Spencer case. 

Private sector reporting, however, provides only part of the picture. Greater transparency from the public sector is just as important. It is, after all, the public sector that is seeking and receiving this sort of information.

A modern approach to public reporting on electronic surveillance, built with today’s communications capabilities in mind, would give both citizens and Parliament greater insight into how federal institutions are using their lawful access powers.

To this end, we have urged all federal institutions to issue transparency reports about requests to private sector organizations for customer information and remain hopeful this comes to fruition.

I can also tell you that last month, during the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam, we proposed a resolution on transparency reporting that was supported by our international counterparts.

Canadians are concerned about how surveillance might infringe on their own basic rights and freedoms, including their right to privacy. We have heard repeated calls for more transparency with respect to government information sharing agreements and warrantless access to telecommunications data and we intend to hold the government to account on these matters. 

Conclusion

I hope this gives you a sense of our past work and future plans with respect to children’s privacy, consent in the digital age and transparency in terms of lawful access and government surveillance. I look forward to the opportunity to delve deeper into these and other topics of mutual interest in the future.

I think we have time for a few questions.
