Canadian Federal Privacy Legislation: The First Ten Years
Remarks at the VIII Ibero-American Data Protection Meeting
Mexico City, Mexico
September 29, 2010
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
At the Office of the Privacy Commissioner of Canada (OPC), we followed the process leading up to the order of the Ley Federal de Protección de Datos Personales en Posesión de Particulares. We are very pleased with the passing of this law, which will better protect the privacy rights of Mexicans, our fellow North Americans.
The passing of this Mexican federal law is timely. We live in an age where information technology is challenging our privacy expectations as well as the means at our disposal to protect our personal information. The volume, volatility and vulnerability of personal information in the digital age calls for an enhanced and modernized legal framework for privacy protection.
My presentation this morning will look at the following:
- First, I will provide a brief overview of the Canadian privacy framework.
- Second, I will discuss the parallels and contrasts between Mexico’s new federal law and the Canadian law.
- Lastly, I will share some of the lessons we have learned over the first ten years since the Personal Information Protection and Electronic Documents Act came into force by providing a few examples of specific cases.
Canadian privacy framework
As Mexico celebrates the adoption of its new privacy law for the private sector, Canada is celebrating the 10th anniversary of its own legislation. In fact, in 2000, the OPC was in a very similar situation to the one the IFAI is going through this year.
When Canada’s federal private sector law, the Personal Information Protection and Electronic Documents Act or PIPEDA, was enacted, the OPC had been in existence for almost 20 years and was already ensuring compliance with the federal privacy law in the public sector. We were therefore dealing with circumstances almost identical to those facing the IFAI today. However, at the risk of stating the obvious, I should point out that despite these similarities, the context is not the same as it was ten years ago.
In April 2000, when PIPEDA received royal assent, we still had to ask people if they had an email address. Today, we are shocked to meet someone who is not on Facebook.
Ten years ago, Foursquare, LinkedIn and Twitter did not exist yet, and Google had just barely moved into a building in Palo Alto — two years before, the company was being run out of a friend’s garage.
Ten years ago, multinationals were well-established businesses. Their practices had been refined as the corporation grew. Today, multinationals are businesses that are still in their adolescence, at best.
The Canadian approach to privacy is often said to be the “middle ground” between Europe and the United States.
In many ways, Canada’s legal culture is a hybrid of the British and French traditions that shaped its history. However, the Canadian privacy model also owes to the contemporary influence of the European Union and the United States.
The Privacy Act, our public sector law, has been in force for a quarter of a century and applies to federal departments and agencies.
Three provinces — Quebec, Alberta and British Columbia — have adopted their own private sector laws, which have been recognized as substantially similar to PIPEDA. A fourth province, Ontario, has legislation covering personal health information, which is considered substantially similar to the federal law in that regard.
Even in these provinces, PIPEDA continues to apply to the federally regulated private sector — banks, transportation and telecommunications companies, for example — as well as to personal information in inter-provincial and international transactions.
The ground rules set out under PIPEDA focus on 10 principles of fair information practices, which follow the OECD’s principles.
The Privacy Commissioner is first and foremost an ombudsman who tries to resolve disputes through negotiation, mediation and conciliation. However, we can — and do —take cases to Federal Court when we fail to achieve our goals in this way. Most cases are settled without having to go to court.
So far, PIPEDA has served us well. Its neutrality concerning technology means that PIPEDA can be used to settle cases that would have been inconceivable at the time the law was created.
However, changes will have to be made to the law so that it can continue to protect the privacy rights of Canadians for the decades to come. Lawmakers provided for a parliamentary review of PIPEDA every five years; the next review should take place in 2011.
Lesson: We need the ability to investigate jointly with other countries
We hope that our ability to cooperate with other international data protection authorities will be clarified and strengthened. It is a necessary measure now that our personal information is constantly circling the globe and increasingly sought by multinationals, whose activities take place exclusively online and for whom user-generated content is often the sole asset.
We hope that our power to conduct discretionary investigations is expanded to allow us to deal more effectively with emerging challenges to privacy rights.
Lesson: Data breach notification should be mandatory
We also think that data breach notification, a practice that is recommended by the Treasury Board of Canada for public institutions and completely voluntary for private sector organizations, should be mandatory.
Lesson: The notion of consent should be modernized
Lastly, it is important to look more closely at the issue of consent. What is employee consent? How can proper consent be obtained in circumstances where it is difficult to identify the purposes for which the information is collected? When the technology involved is complex and the goal of the data collection itself can change along the way — think research on health and genetic information — can consent ever be valid?
Parallels and contrasts between the Ley Federal de Protección de Datos Personales en Posesión de Particulares and the Personal Information Protection and Electronic Documents Act
We read the Ley Federal de Protección de Datos Personales en Posesión de Particulares with a great deal of interest. We found many parallels and contrasts between the Mexican law and Canada’s PIPEDA, which I will put into context.
I considered the following points in particular:
- Where does PIPEDA apply?
- What is personal information?
- What are the principles of personal information protection?
- Does PIPEDA include specific provisions for transborder data flow?
- What are the enforcement procedures under PIPEDA?
- What are the penalties under PIPEDA?
I will now look at each of these points in more detail.
Where does PIPEDA apply?
PIPEDA covers commercial activity, meaning that the law applies only in the course of a transaction. Section 2.1 of PIPEDA defines commercial activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” This fundamental concept in the interpretation of the scope of the law is therefore based on the nature of the activity in question.
All activities of an organization that is in business and that collects, uses or discloses personal information in the course of commercial activities is subject to PIPEDA. However, a non-profit organization, such as a university or a charitable organization, is not subject to the law, unless it sometimes sells graduate or donor lists, in which case these particular activities would be subject to PIPEDAFootnote 1.
What is personal information?
PIPEDA does not distinguish between personal data and sensitive personal data. However, during the first year of PIPEDA’s implementation, the question of what constitutes personal information was a common theme, as illustrated by many of the cases we looked at during the time.
For example, many organizations scrambled to lay claim to certain client information, particularly their account and credit card numbers, arguing that this information belonged to the company and not the client since it was produced by the company and not provided by clients.
However, section 2 of PIPEDA states that personal information refers to “information about an identifiable individual.” It does not say that the information must come from or be provided by the individual; it is not about ownership of the information. It says only that the information must concern an identifiable individual.
What are the principles of personal information protection?
Instead of the eight principles underlying the Ley, the architects of our private sector legislation adopted general principles — reliance on ten fair information practices, a right of access and correction, and a supervisory authority by a privacy commissioner with strong investigative powers — but not more formal requirements such as registration or controllers, notification of processing or breach notification.
The ten principles of fair information practices on which PIPEDA is based are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Does PIPEDA include specific provisions for transborder data flow?
As I said at the beginning of my presentation, the explosion of online activities — be they social or economic — has led to unprecedented data circulation from one jurisdiction to another.
The Ley itself does not address the transfer of data beyond Mexican borders, but does provide a framework for the transfer of data to third parties. The principle is similar to the one set out in Canadian law: under PIPEDA, an organization remains responsible for information that it discloses to a third party.
PIPEDA does not hinder our global economy. In fact, the legislation itself states that it is intended to support and promote electronic commerce by protecting personal information.
The global marketplace will be enhanced if consumers are confident that their personal information will be protected even after it travels beyond Canada’s borders.
That is not to say it should be a free-for-all. The law requires that personal information is protected, regardless of whether, or where, it is transferred. The onus is on you – if you’re in Canada and transferring personal information, you need to ensure it is protected and treated up to Canadian standard.
In contrast to the EU’s state-to-state approach, where the “adequacy” of another jurisdiction’s data protection regime is assessed, Canada has opted for an organization-to-organization approach.
Under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement.
The organization needs to use contractual or other means to provide a level of protection comparable to PIPEDA while the information is being processed by a third party.
“Comparable level of protection” means that the third party processor must provide protection that can be compared with the level of protection the personal information would receive if it had not been transferred.
It does not mean that the protections must be identical across the board. It means they should be generally equivalent.
If an organization does decide to outsource processing, it must take all reasonable steps to protect the personal information from unauthorized uses and disclosures while it is in the hands of the third-party processor. It must be satisfied that the information is properly safeguarded at all times.
What are the enforcement procedures under PIPEDA?
The Ley sets out a clear and rigorous process to deal with potential violations.
There are four ways in which the OPC usually intervenes:
- We conduct investigations into complaints that are submitted to us by individuals;
- We conduct investigations on our own initiative, when we have reasonable grounds to suspect there has been a contravention;
- We conduct audits when we have reasonable grounds to suspect that an organization or industry’s personal information management practices are not in compliance with PIPEDA; and
- We review privacy impact assessments submitted by organizations.
In many cases, whether it is as part of an investigation, audit or privacy impact assessment, we apply a four-part test to determine whether the personal information collection is reasonable.
We used this test for the first time in 2003, in a case between a railway employee and his employer. The employee was concerned that the digital video cameras recently installed in work areas could be used to monitor employees, specifically their conduct and work performance.
The then Privacy Commissioner was inspired by a case heard by the Supreme Court of Canada in 1986, the Oakes decision, which established the circumstances under which it was reasonable to limit individual rights and freedoms in a free and democratic society.
The four questions that we drew from this case are the following:
- Is the measure necessary to meet a demonstrable need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the benefit gained?
- Is there a less privacy-invasive way of achieving the same end?
The Commissioner acknowledged that the company’s objectives to reduce vandalism and theft and ensure personnel safety were appropriate. However, after reviewing the facts according to the four-part test based on the Oakes case, the Commissioner concluded that the use of video surveillance in this particular case was unfounded.
We also use the four-part test when we look at issues affecting the public sector. Most recently, it helped us settle the debate on the use of millimetre-wave security scanners in Canadian airports.
What are the penalties under PIPEDA?
The Office of the Privacy Commissioner of Canada does not have the power to impose fines on organizations.
However, if a company refuses to follow our recommendations, we go to Federal Court to seek an order forcing them to comply and provide for damages where appropriate. Not surprisingly, we’ve found that the possibility of court action is an extremely persuasive tool – virtually everyone complies with our recommendations.
Nevertheless, we recognize the value of setting out specific penalties in the Ley.
Lessons learned over the last ten years
The Facebook case: How the data protection authority for a country of 34 million people can make a difference for hundreds of millions of Internet users
You are already familiar with the first case I will discuss this morning: Everyone has heard about the investigation we conducted into the personal information management practices of Facebook.
The Office of the Privacy Commissioner of Canada examined the company’s privacy policies and practices following a complaint submitted in May 2008 by CIPPIC, the Canadian Internet Policy and Public Interest Clinic, which is based at the University of Ottawa.
This made Canada the first country in the world to carry out a comprehensive investigation into Facebook's privacy practices.
The complaint, made under PIPEDA, concerned 11 aspects of the social networking site. Key issues included:
- the site’s default privacy settings;
- the collection and use of personal information for advertising purposes;
- disclosure of users’ personal information to third-party application developers; and
- the collection and use of personal information of people who do not have Facebook accounts.
A central issue was knowledge and consent. We wanted to know whether Facebook was providing sufficient information for users to give meaningful consent to the collection, use and disclosure of their personal information.
We also wanted to see whether that information was being conveyed to them in a clear and transparent way.
Facebook’s retention of personal information was another issue of concern, especially in relation to users who wanted to deactivate or delete their accounts.
Security safeguards also figured prominently in the allegations, particularly in relation to the million or so third parties who develop games, quizzes, horoscopes and other applications that run on the Facebook platform.
Our investigation wound up in July. We concluded that there was no evidence of any contravention of PIPEDA in the four areas, including allegations of deception and misrepresentation by Facebook.
In other areas, related for instance to the default privacy settings, and the collection and use of user’s personal information for advertising, we found that Facebook had, in fact, contravened PIPEDA. However, the Assistant Commissioner was satisfied that the concerns were resolved by remedial measures proposed by Facebook.
However, we found some areas where Facebook’s activities were not in line with PIPEDA.
Our concerns related to:
- third-party applications;
- account deactivation and deletion;
- the accounts of deceased users, and
- non-users’ personal information.
Facebook, for instance, was not doing enough to ensure that meaningful consent was obtained from individuals when their personal information was being disclosed to third‑party application developers.
Those hundreds of thousands of developers, in turn, had virtually unrestricted access to the personal information of users — and their friends.
Facebook did not immediately agree to implement our recommendations for these four unresolved issues.
Our office therefore entered into extensive — and often intense —discussions with Facebook.
Commissioner Stoddart was pleased to announce last week that these negotiations were successful and that the outstanding issues have been resolved to both parties’ satisfaction.
However, she emphasized that the settlement focused on the specific issues raised in the complaint brought forward by the CIPPIC. The OPC is currently investigating new complaints against Facebook that raise concerns about other aspects of the social networking site.
We learned a number of things from our first investigation of Facebook. Here are a few of them:
- First, this case showed that mediation can be used in new, unprecedented cases, even the most complex.
- Second, the success of this first investigation of Facebook is a good illustration of the advantages of a law that is neutral in terms of technology. As I said before, not only did Facebook not exist when PIPEDA was created, but the Internet was also not nearly as predominant as it is today, and social networking even less so.
- Lastly, our investigations of Facebook — and other investigations that we conducted or are currently carrying out in commercial sectors heavily influenced by technology, such as our current investigation into Google’s collection of data from unsecured wireless networks — highlight the importance of high technological competence within a privacy commissioner’s office. It is absolutely essential for a data protection authority to have among its ranks people with expertise in the industries that it regulates. These key individuals within the organization help the data protection authority fully understand contemporary issues and their impact on privacy. Since personal information is being collected and stored in a technological infrastructure, protection authorities need to be experts on the features of this technology.
We were able to use our powers of persuasion to get Facebook to pledge significant improvements to the operation of their site. What’s more, these enhancements are not restricted to Canada; they’re going to apply everywhere in the world.
Even global giants like Facebook acknowledge that implementing our recommendations is the right thing to do.
It is a major victory for privacy advocates in Canada and around the world.
The Abika case: How to enforce legislation in a world where borders are disappearing
The second major case I wish to address also involves the Internet, but this one illustrates how two areas of jurisdiction can work together within already established regulations.
The case involved Accusearch Inc., a Wyoming-based company operating an online business under the name Abika.com.
Abika offered a range of search services on individuals by having third-party researchers obtain personal information about those people from public and private records and databanks.
Our Office received a complaint back in June 2004. It alleged that Accusearch routinely collected, used and disclosed the personal information of Canadians -- for inappropriate purposes and without their knowledge or consent.
The complainant further alleged that, even though Accusearch was based in the United States, its actions violated Canada's PIPEDA.
Our office initially declined to investigate the complaint, citing a lack of jurisdiction. On judicial review, however, the Federal Court acknowledged the difficulty in investigating an entity located outside Canada, but confirmed nevertheless that our office had jurisdiction to investigate Accusearch Inc.
According to the Court, the Commissioner had the authority to investigate in this case because there were real and substantial links between the organization and Canada. This decision served as the basis for establishing our jurisdiction in other similar cases.
And so we launched our own investigation of Accusearch and its Abika.com site, largely on the basis of information provided to us by the U.S. Federal Trade Commission (FTC).
Our investigation concluded that Accusearch had violated key provisions of PIPEDA in its collection, use and disclosure of the personal information of residents of Canada.
In particular, we found that it disclosed the personal information of Canadians, without their knowledge or consent, to third parties.
What’s more, we found that the company typically accepted and fulfilled requests for personal information without considering whether the request was for an appropriate purpose. Among the documents we received from the FTC was a spreadsheet listing the names and contact information of requesting individuals or organizations, the dates and status of the requests, as well as a column headed “notes,” which contained details about the requests.
The comments recorded in the “notes” column give us an idea about the kind of information that Abika agreed to obtain on behalf of their clients.
For example, one entry said, “I hope this works. My ex-boyfriend’s current girlfriend stole my email address and has been harassing me. I need help!”
In another, the requestor wrote, “My boyfriend says that he has been working in Oaxaca, Mexico. However, I think he has returned to Madrid Spain because when I reply to his emails, I noticed that the time he sent the his [sic] email and the time I received them show a 6 hour difference...the same time difference from Madrid Spain to Toronto, Canada not from Oaxaca Mexico, I just want the truth.”
Although most of the requestors appeared to be individuals, some were businesses. Our office was able to contact one such business, a Canadian paralegal firm, which the spreadsheet indicated had successfully used Abika’s services six times in 2004 and 2005. In an interview with our office, the firm readily cooperated with our investigation and did not hesitate to answer all questions posed by us.
Indeed, we determined that the company in some cases had knowingly turned over personal information for purposes that a reasonable person would consider highly inappropriate. The Assistant Commissioner recommended that Abika.com stop collecting, using and disclosing the personal information of people living in Canada without their knowledge and consent.
In the meantime, the U.S. Federal Trade Commission had separately investigated Accusearch’s activities, successfully bringing suit before the District Court for the District of Wyoming to curtail the sale of confidential consumer information — a decision that was subsequently affirmed by the U.S. Tenth Circuit Court of Appeals.
The appeal case related to data flows between the U.S. and Canada, how data-brokers collect, use and disclose personal information without the knowledge or consent of the individual concerned, and how online trade in personal information affects privacy rights.
Considering our office's involvement with Accusearch, and the cross-border nature of the issues, we were granted leave to file an amicus curiae brief in the appellate proceedings.
Our brief outlined how the Court’s decision would have a direct impact on the privacy rights of Canadians and on the business reputation of Canadian organizations affected by the actions of data brokers.
Our brief stressed in particular that the unauthorized collection, use and disclosure of personal information over the Internet by data brokers can cause harm, and has extra-territorial effects.
In its decision, the Tenth Circuit Court of Appeals said the company knew that its researchers were obtaining confidential information through fraud or illegality. In so doing, the business "knowingly sought to transform virtually unknown information into a publicly available commodity."
As a result of this decision, Abika.com remains under an injunction prohibiting it from trading in confidential customer phone records, as well as other non-public “consumer personal information,” without express written permission from the consumer.
This U.S. appellate decision clearly recognizes the harm to privacy resulting from the unauthorized online trade in personal information. It offers important new protection to citizens on both sides of the Canada-U.S. border.
I should add that the Court’s recognition that this company’s practices are illegal under U.S. law has led to greater consistency between our two countries in terms of how we deal with privacy.
This, in turn, will help to guide organizations that are considering outsourcing data-processing functions to the U.S. It will also help boost the confidence that individuals need when they conduct business over the Internet.
In sum, this case marked an important advance in international co-operation and collaboration – an approach that will become increasingly necessary to protect privacy rights on both sides of the border.
From the Accusearch case we learned that it is no longer necessary for businesses to have a physical presence in a country in order to do business there. As a result, data protection authorities have to be ready to work together to ensure that the privacy of the citizens in their respective countries is respected, even — and inevitably — when their citizens’ personal information ends up in other areas of jurisdiction.
The TJX case: Not complying with the laws will cost you
The last case that I will discuss this morning is the TJX case, the largest personal data breach to date.
TJX is a U.S. retail giant that owns stores in a number of countries, including Canada. When thieves hacked into the TJX system, they had access to the personal information of consumers not only in the United States, but also in Canada, the United Kingdom and Ireland.
Stolen information included credit and debit card information and information collected from consumers who returned merchandise without a receipt, specifically names, addresses and driver’s licence numbers.
According to TJX, the hackers initially gained entry to the TJX system through wireless local area networks outside two of its stores in Miami in July 2005. Customer information was stolen for over a year and a half before TJX finally learned suspicious software had been detected on a portion of its computer system.
The investigation, which we conducted jointly with a provincial privacy commissioner, concluded that TJX did not comply with the law.
Our investigation pointed to a few major failings:
- TJX collected too much information and kept it too long.
- TJX failed to update its security systems in a timely manner.
- TJX did not adequately monitor its system for intrusions.
So, what can we learn from these security and privacy breakdowns?
Lesson 1 is one of the basics: If you don’t need it, don’t collect it. If you don’t have personal information in the first place, you can’t lose it.
The investigation raised concerns about how the company was keeping driver’s licence and other identification numbers collected when merchandise was returned without a receipt.
TJX told us it asked for this information in order to prevent fraud. We understand the need to identify fraudulent returns, but have serious concerns about recording people’s driver’s licence and other sensitive identification numbers and keeping them indefinitely.
In response to our concerns, TJX proposed an innovative new process to deal with fraudulent returns. Store staff will continue to ask for identification where there is a valid business reason to do so. However, when information such as a driver’s licence number is keyed into the point-of-sale system, it will be instantly converted mathematically into a unique identifying number that can’t be readily linked back to the individual. The new system will allow the company to track unreceipted merchandise returns without keeping original driver’s licence numbers in its system.
Let’s turn now to the issue of holding on to information for too long. Some of the stolen TJX information involved transactions dating back to 2002. Keeping information longer than is necessary is contrary to good information management practices.
Lesson 2: If you don’t need it, get rid of it — securely, of course.
The third major lesson is to use appropriate security to protect personal information.
We found TJX failed to properly manage the risk of an intrusion against the amount of customer data it was collecting. As a result, it did not adhere to the industry standard. TJX’s plan to switch to a stronger data encryption standard took two years, during which time the breaches occurred.
A fourth critical message is the importance of monitoring systems for an intrusion. For roughly a year and half, TJX had no idea hackers had free rein of their computer system.
During our investigation, TJX kept telling us: We were only doing what a lot of other retailers were doing.
Indeed, just before the TJX breach became public, Visa USA revealed that just over a third of the very biggest retailers in that country were complying with the industry security standard.
I understand the picture in the US and Canada has been improving. My hunch is that one word – TJX – goes a long way when security experts go to senior executives looking for money to pay for upgrades.
It's not good enough to offer the excuse: "We were moving as slowly as other companies." Yes, good security costs money, but it’s less expensive than cleaning up after a major data breach.
TJX reported breach-related costs of more than $200 million dollars. A number of analysts put the actual cost higher.
There seems to be universal agreement among security experts that getting security right is far less expensive than mopping up after things go awry.
All the lessons learned from the TJX case can be summed up like this: Failing to protect clients’ personal information will cost dearly.
Administrative issues: Changes to the internal culture and a new audience
I am confident that the IFAI will have just as many lessons to share with the international community on the 10th anniversary of the Ley Federal de Protección de Datos Personales en Posesión de Particulares.
Right now, IFAI staff is probably more concerned about the major operational challenges facing them over the next few months.
One of the greatest challenges will certainly be to find the most effective ways to reach organizations responsible for handling information in the private sector.
In the first years of PIPEDA, we used a number of tools to educate our new private sector audience. We used primarily printed brochures and guides and offered in‑person presentations and talks. We also used the OPC’s website to post our publications and speeches, as well as summaries of the findings of our investigations, which provide concrete examples of the application of the law.
I should emphasize again that in 2001, the Internet did not have the importance it does today. In 2001, we distributed a little over 34,000 printed publications, and there were almost 193,000 visits to our website. In 2009, we handed out less than 14,000 printed copies, less than a third compared to 2001, but recorded over 2 million visits to our website, ten times as many as in 2001.
During our first year of implementing Canada’s private sector law, we heard companies proudly proclaim that they had adopted a model privacy code, in full compliance with the company’s legal obligations.
However, since the first year of implementation, our investigations of public complaints have shown that companies often neglected to ensure that their codes were effectively put into practice.
A privacy code is pointless without comprehensive and detailed policies and procedures, and these in turn are pointless unless they are known and consistently observed and applied.
The privacy violations that give rise to complaints are often attributable to problems or defects in an organization's information-handling processes or system as a whole. In the first few years, problems derived from unquestioned adherence to traditional practices that may no longer have been acceptable under the Act.
For example, information was kept for too long or not long enough. Personal data was not protected by the appropriate safeguards. Some companies did not have any procedure for handling access requests and complaints, or these procedures were not known or upheld within the company. Other companies continued to collect information without identifying the purposes for which it was collected, or collected sensitive information, such as social insurance numbers (an identifier used by the Government of Canada), for no reason.
Over the first few years, we therefore strived to support organizations in their efforts to comply with the law, while promoting the commercial benefits they would gain.
In closing, I would like to summarize the major lessons we have learned from the first ten years of PIPEDA’s application, which was the subject of my presentation today.
- No company, not even a multinational giant, is above the law or can escape enforcement authorities.
- International cooperation is essential in the context of international transfer of personal data.
- The ubiquity of information technology requires protection authorities to have resources with high technological competence.
- Information technologies usually go beyond the general public’s knowledge, which makes continuous public education essential.
- Personal information protection is an economic advantage, and its contravention is an economic vulnerability.
Lastly, I wish to applaud the members of the IFAI. They will be guiding organizations of all stripes and all sizes through one of the most significant cultural changes in recent history, while their own organization is undergoing an equally monumental change as it takes over this new mandate.
I wish to thank them and to remind them of the importance of their work. I want to assure them they can count on our continued support.