The Future of Privacy Regulation
Remarks at the 11th Annual Privacy and Security Conference
February 10, 2010
Victoria, British Columbia
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Once again it is a great pleasure to have been invited to speak to you at this important annual event. And I want to pay tribute to the organizers for pulling together such an engaging program.
Sadly, it will be my last opportunity to address this forum as Canada’s Privacy Commissioner, as my seven-year term draws to an end later this year.
On the plus side, though, I guess I’ve become something of a ‘village elder’ in the privacy community. And that means I’m apt to speak my mind about what I’ve observed over the past decade, at both the Quebec and federal levels!
And what I’ve seen – what we’ve all witnessed – have been dazzling changes, over incredibly short timeframes.
When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world.
And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data.
It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy?
In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold.
But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested. We have bent and stretched it in many different ways.
And, if we don’t want it to snap, we need to figure out how to fortify it for the decade ahead.
For that, we need to look at our privacy laws and administrative structures. We need to dramatically modernize the Privacy Act, which governs the public sector, and to consider whether PIPEDA, the private-sector Personal Information Protection and Electronic Documents Act, remains suited for the next 10 years.
But we cannot function in isolation. We need to examine what’s happening in other jurisdictions, and work with them on common approaches to the challenges we all share.
Challenge of Technology
Of the many challenges we face, none is more dramatic than the impact of technology.
First and foremost, there is the sheer scope of the Internet, and the myriad ways in which we can now interact, shop, learn, and pretty much live online.
There’s also the staggering growth of computer capacity, which allows massive amounts of personal information to be collected, manipulated and shared.
Much of the content swirling through this Web 2.0 world is also generated by individuals, which poses new challenges for regulators.
From a privacy perspective, one consequence of these developments is that personal information can live on in cyberspace, pretty much in perpetuity. And so a typical data breach may no longer affect just a handful of people, but potentially hundreds of thousands of them.
Another consequence is that our lives have become open books. Even if we don’t advertise our whereabouts on Google Latitude, surveillance cameras and GPS-enabled cellphones are able to capture our movements.
Even if we don’t broadcast our latest purchases on Blippy.com, our online browsing habits are being quietly monitored and mined for their value to merchants and marketers.
And concepts of consumer knowledge – never mind consent – are becoming increasingly strained.
Challenge of Globalized Data Flows
A related challenge is that data knows no borders. With virtual businesses and cloud computing, data flows are instantaneous and global.
Through many of our routine activities – e-mailing, searching the Internet or buying things online – we’re inadvertently sending our personal information abroad.
Some winds up in countries with less robust privacy-protection regimes than our own. As a result, Canadians may lose some of their customary privacy rights, such as the right to request access to their information and to challenge its accuracy.
Challenge of Social Change
One more driver of change I want to mention is that social norms about notions of privacy and personal information have been evolving rapidly over the past decade.
Most people today want to be online, to a greater or lesser extent. Ten years ago you might have asked somebody, “Do you have e-mail?” Today, it’s become practically inconceivable that someone would not be online.
But where we’re seeing differences is in what people do online – the extent to which they are prepared to share their personal information.
We want to be careful about generalizing, but I think it’s fair to say that young people in particular appear to have a more liberal concept of privacy.
They’re typically first to embrace applications that tell others who they are, where they are, what they’re doing, and what they’re thinking.
That said, however, I disagree strongly with the fashion, in some circles, to declare privacy as good as dead.
All the evidence we’ve seen from our own polling underscores that privacy remains a deeply-held value.
Regardless of how people choose to act, they maintain a powerful belief that the choice must be theirs. Increasingly, the disclosure of personal information boils down to questions of knowledge and consent.
They’re hard to ignore, and companies are wise to listen.
Challenge to Regulators
All these trends are having a major impact on our work as regulators. For example, my Office has received complaints about online companies that have little or no physical presence in Canada.
In our Facebook investigation of last summer, we were successful in getting a U.S.-based company to commit to complying with our law. On the other hand, in the case of an American online data broker called Abika.com, we had to rely on the U.S. Federal Trade Commission for enforcement.
Another huge problem for regulators is that, under the pretext of rolling out new technology, existing privacy frameworks are simply ignored. Often as not, it seems as if no one has even bothered to stop long enough to consider what the privacy implications could be.
As regulators, meantime, we may have one hand tied behind our backs. We’re addressing a global challenge with what are, for the most part, local solutions. And we’re equipped with 20th century tools for a 21st century undertaking.
So far, we’re lucky in that much of the reputable business community is doing its best to understand and comply with whatever rules exist. But they too are vexed by the lack of clarity, predictability and harmony in global data-protection regimes.
That is why we, in Ottawa, are exploring ways to increase collaboration with data-protection authorities – at the provincial level, as well as in other countries. It’s about building common rules and standards, as well as a coherent and shared approach to enforcement.
I will have more to say about that shortly.
Let’s look at where we are now.
At the federal level, the Personal Information Protection and Electronic Documents Act has governed the protection of personal information in the private sector for the past nine years.
So far, PIPEDA has served its purpose, even in this increasingly complex global environment. Time and again, we have been able to apply the law to technologies and business models that didn’t even exist when PIPEDA came into force.
Our investigations of Facebook, last summer and again now, underline the effectiveness of PIPEDA’s flexible, principles-based approach.
The truth, however, is that our successes have so far hinged on the co-operation and goodwill of organizations that are willing to submit to the authority of Canadian privacy law.
But will this always be the case?
Unlikely. Just think of all those shady spammers and cyber-thieves who prey on the vulnerable. Who are they? Where are they?
Changes to PIPEDA
Fortunately, PIPEDA is not a static law. It contains a provision that requires periodic review by Parliament.
Several important amendments are expected to emerge from this process. Some were tantalizingly close to passage as part of Bill C-27 to create ECPA, the Electronic Commerce Protection Act.
The measures got stalled by the prorogation of Parliament, but we are optimistic they will be resurrected when business on the Hill resumes in the spring.
One measure would give me discretion over which complaints to investigate. That allows me to skip over some narrow complaints, in favour of more systemic privacy problems.
A second would enable us to share information with other authorities, whether they be provincial commissioners, other federal institutions, or international authorities.
A third measure that we are also anticipating as part of a package of amendments to PIPEDA would oblige commercial entities to report large data breaches. Breach notification is currently voluntary, but with the exponential growth of data storage, a mandatory regime is overdue.
While we seek to refine the law, my Office is also examining its own structure and function as a data-protection authority.
Should we, for instance, continue down the path we’re on now, which emphasizes my role as an ombudsman?
Or should we suggest to Parliament the need for stronger enforcement and order-making powers?
We have engaged two noted academics – the U of T’s Lorne Sossin and France Houle, of the Université de Montréal – to look at the broad economic, legal and political context under which PIPEDA was first enacted, compared to the environment in which we find ourselves now.
One of the issues they’re exploring is the emergence of “soft law,” which exists in the space between the traditional legislative and judicial branches of government.
It’s widely argued, for instance, that the adversarial court system is no longer as appropriate for the kinds of issues we face. It’s too cumbersome, too costly, and the courts may not be set up to grasp the intricate, specialized issues that are our bread and butter.
Soft law, by contrast, is based on such tools as model codes, best practices, informal dispute resolution processes, and alternate modes of redress.
Professors Sossin and Houle are comparing our regulatory model against those in selected provinces and other countries. They hope to have a final report to us in a matter of months, and it will be made public.
Indeed, it is always prudent to study and learn from the experiences of others.
In the U.S., for instance, there is no comprehensive private-sector data-protection law. And yet, promising developments are underway.
Recently, Lydia Parnes, the former head of the Federal Trade Commission’s Bureau of Consumer Protection, predicted that the FTC would start to crack down on privacy invasions, turning to litigation if it felt negotiations were no longer effective.
Her successor at the FTC, David Vladeck, has agreed that it is time for the organization to seek out a new framework for privacy issues.
Since his appointment last year, Mr. Vladeck has argued that data protection is not just about the potential for consumer harm; it’s also about human dignity and privacy.
Putting some meat on those bones, the FTC and other regulatory agencies have introduced ‘Red Flag Rules,’ which require financial institutions and creditors to develop and implement formal identity-theft prevention programs.
But no matter what countries do within their own borders, it’s becoming increasingly apparent that that’s not enough. Worldwide data flows are demanding global solutions.
The truth is that, in the past, international rivalries between trading blocs, and the national fiefdoms established by many privacy czars, have stood in the way of meaningful collaboration.
Big changes, however, are underway.
We’re witnessing gratifying work on international efforts to find common ground. We’re seeing work on standards and closer co-operation in enforcement. There’s also increasing dialogue between data-protection authorities and other important interests, including academics, business, and privacy advocates.
Let me give you a quick overview of some of the leading initiatives underway around the world.
The Spanish Initiative
Most recently, dozens of the world’s data-protection authorities endorsed a draft international standard on the protection of privacy in Madrid.
Known as the Spanish Initiative, the standard was put together by an international working group with representatives from a broad range of stakeholders, including our Office.
Reaching agreement on broad data-protection principles was a valuable first step towards a harmonized approach to data protection.
Interestingly, this was not just a case of regulators imposing rules on reluctant businesses.
On the contrary, in the lead-up to the event, 10 giant global corporations – including Oracle, Microsoft, Google, IBM, Walt Disney, Procter & Gamble and General Electric – signed a letter calling for rules of this sort, on the grounds that they would bring a measure of legal certainty.
Their point was that a set of well-understood regulations, shared by many jurisdictions, would promote both data privacy and robust global data flows.
Important work is also unfolding within the Asia-Pacific Economic Co-operation group, and Canada is at the table. We want to know that the personal information of Canadians is protected wherever it flows – and, increasingly, it is flowing to our Asia-Pacific neighbours.
APEC’s 21 members are at very different stages of development. Canada, New Zealand, Australia and Hong Kong have roughly comparable privacy regimes, but the majority of APEC economies have no privacy legislation.
APEC’s Data Privacy Subgroup is therefore working on cross-border privacy rules to govern trans-border flows and facilitate co-operation among enforcement authorities.
The Organisation for Economic Co-operation and Development, meanwhile, has been another key player in developing global solutions to privacy and security issues.
Indeed, the OECD blazed a trail 30 years ago with its Guidelines on the Protection of Privacy and Transborder Data Flows. Those principles-based guidelines, which are directly reflected in PIPEDA, have so far stood the test of time.
Still, the OECD is planning a series of events to kick-start a discussion about how the guidelines have been put into practice.
I am pleased to have been asked to head a volunteer group helping the OECD plan these events.
Among other things, my Office will help draft an OECD discussion paper that describes the new privacy environment, and identifies the challenges to protecting personal information in the 21st century.
Other International Initiatives
Other initiatives could also have an impact on international privacy.
- For example, the International Organization for Standardization is working on standards and guidelines to deal with the security aspects of identity management, biometrics, and the protection of personal information. Our Office has been actively engaged in those efforts.
- Meanwhile, the new EU Commissioner of Fundamental Rights, Viviane Reding, has already said she would make data protection and Internet privacy a top priority. She has signalled her support for a review of the European Data Protection Directive, which dates back to 1995. Changes to the more distinctive features of the European model could bring us closer to a harmonized global approach.
- Another interesting international initiative that we’re involved in is called The Accountability Project. Spearheaded by Marty Abrams of the U.S.-based Center for Information Policy Leadership, the project is reflecting on what it means for an organization to be accountable for the personal information it collects, and how it can demonstrate its accountability to data-protection authorities and individuals.
At a Crossroads
If we think in terms of decades, 2010 is a good time to take stock.
A decade ago, as Parliament was putting the final touches on PIPEDA, we were living in a much different world.
Today, the task of protecting personal data is fraught with unprecedented challenges – from technology, from globalization, and from the barrage of ever-changing societal norms.
At the same time, there is a growing recognition that personal information has become a commodity, and that it has monetary value.
Indeed, personal information has become the principal commercial asset of social networking sites and free online search engines. This asset has spawned a whole new economic sector – the tracking, profiling and targeting of consumers for various types of behavioural advertising.
And those are just some of the legitimate uses. Personal information also has tremendous value to spammers, identity thieves, fraudsters and other cyber-crooks.
For all these reasons, personal information requires more protection than ever before.
Without adequate protection, the risks are significant – to consumer confidence, to global business, and, of course, to some of the very fundamental rights that Canadians expect.
Unfortunately, much of the world outside North America and Europe currently lacks adequate rules for handling this precious commodity.
But, like those economists forecasting the end of the recession, I do see some gratifying green shoots.
I predict that the decade ahead will see a more concerted, consistent – and ultimately successful – approach to the protection of personal information.
We’ll see greater collaboration, within Canada and abroad. We’ll see an intensified international dialogue, involving all the players who need to be around the table.
A single, enforceable global standard for privacy won’t materialize overnight – if ever.
But we need to move urgently and resolutely in that direction. We need to work in a variety of forums toward approaches that are at least consistent and harmonized, even if they reflect differing social and cultural values.
A robust and coherent set of principles and guidelines, adopted around the world, will do much to preserve and promote the privacy rights of Canadians.
Canada should continue to play an active role in this important work.
Thank you for your attention.