Looking back – and ahead – after a decade as Privacy Commissioner of Canada
Remarks at the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium 2013
May 23, 2013
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
This is indeed my 10th year as Privacy Commissioner of Canada. It is with some sadness that I address the IAPP Canada Privacy Symposium for the last time as Commissioner. I have met so many impressive individuals at these events – thoughtful, passionate people with a real commitment to privacy.
My mandate will come to an end in December and it will be time to move on to new challenges.
With that in mind, this seems a good opportunity to look back and reflect on the lessons of the last decade; but also to look forward, with a few thoughts on how to protect privacy in a future that will hold even greater challenges.
Today my Office is releasing a position paper which explores these issues and offers a roadmap for modernizing the Personal Information Protection and Electronic Documents Act (PIPEDA) so that it more effectively tackles current and future privacy issues.
For some time now, it has become increasingly clear to me that PIPEDA is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.
Canada’s private-sector privacy law needs to be updated to better protect the privacy rights of Canadians and also to ensure consumer trust in a thriving digital economy.
What the paper speaks to – and what I would like to discuss with you today – is how PIPEDA should be modernized to include stronger enforcement powers, mandatory data breach reporting provisions and increased accountability and transparency measures.
The world of privacy has changed – and Canada’s laws need to keep up.
First, let’s briefly consider the dramatic transformation of the privacy landscape.
Back in 2001, when PIPEDA began coming into force – and even when I became Privacy Commissioner in 2003 – there was no Facebook, no Twitter and no Google Street View. Phones weren’t smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.
In an incredibly short period of time, we have seen dramatic advances in information technologies that have paved the way for a massive expansion in the role personal information plays in the digital economy.
Personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially.
Some organizations that amass vast amounts of Canadians’ personal information have grown into data giants; quasi-monopolies that have the ability to glean deep insight into the interests, habits and opinions of individual Internet users.
Some of the largest companies boast customers or users in the hundreds of millions – take Facebook with its one billion users worldwide, including almost 20 million in Canada, or Twitter with over 500 million users.
Even small organizations, particularly those with a digital presence, are increasingly collecting large quantities of personal information. Think of the photo-hosting site Instagram – before being purchased by Facebook last year, it had only 13 employees but five million users.
Most Internet companies offer their services at no monetary cost. However, they are under increasing pressure to find ways to turn a profit from these services.
One of the most popular options, it would seem, is to make money from the personal information they collect – to build profiles of users; to have better understanding of them; to serve ads; or to market their services.
In sum – as others have said before me – if you are not paying for the product, you are the product.
In this highly competitive environment, our personal habits and details are tracked, analyzed and profiled.
Increasingly, many companies are seeking to combine online and offline data to provide more insight into their customers and enable them to anticipate their needs and wants – sometimes even before their customers are aware of those desires.
New Risks for Privacy
At the root of many of the privacy challenges we are seeing is the fact that technologies are advancing so incredibly quickly that some organizations are failing to proactively identify and address privacy issues in the competitive rush to bring products and services to market.
Companies are using personal information in ways previously unimaginable – creating risks that it could be used in highly privacy intrusive ways. We see personal information used in ways that consumers do not anticipate – or knowingly consent to. The environment is so complex that it is hard for people to give true meaningful consent to these uses.
A poll released by my Office earlier this year found that 56 percent of Canadians aren’t confident that they know how new technologies affect their privacy. That’s up from 47 percent in 2000.
Meanwhile, security lapses may leave personal information vulnerable to loss or theft.
We have seen some major corporations display carelessness in privacy protection – again, and again, and again. We see more, and ever-bigger data breaches as a result of so much personal information being collected by so many organizations.
Late last year, my Office undertook a study examining the issue of web leakage. We ultimately found that one in four of the websites we tested were either unaware that they were disclosing information to third parties, or they were not clearly informing users that they were transferring personal information to service providers. That is troubling.
New Challenges and PIPEDA
The conclusion I draw from these – and many other examples – is that our law does not contain the right incentives to make privacy a significant consideration when organizations conduct risk assessments.
Given current trends – rapid technological advances, increasing power of data analytics and greater movement towards globalization – it is clear that, without amendments, PIPEDA will be even less up to the task of protecting our privacy in coming years.
The balance that PIPEDA is supposed to bring is increasingly not there.
I say this knowing that my Office has been successful in many instances.
But PIPEDA is losing its ability to achieve its raison d’être – to balance privacy rights and legitimate business needs.
Right now, the only real power I have is to name. This provides Canadians with information about where they may – or may not – wish to take their business. But how can Canadians vote with their feet when increasing amounts of their personal information are being held by fewer and fewer organizations?
Things are changing and the law needs to keep up.
As well, I can tell you that achieving those successes – prompting organizations to improve their privacy practices – can often require a great deal of effort.
We are a small entity with limited resources and prompting change often requires the investment of significant resources.
Too many organizations only agree to address privacy issues after our Office has investigated or audited their practices – and sometimes only after a matter has gone to Court.
There has to be a better way – a way that puts the onus on an organization to comply and demonstrate that they are complying – right up front, before problems materialize.
During the first review of PIPEDA back in 2006, my Office did not ask for enhanced enforcement powers. We took that position for two reasons: first, the law was still quite new and we felt more time was needed to assess its effectiveness, and, second, my Office was still in a period of rebuilding after some challenging times.
As we said then, the time was not right to make such a fundamental change to enforcement mechanisms.
We have come a long way since then. In the intervening years, my Office has sought to make the most of existing powers under PIPEDA.
We have investigated thousands of complaints received from individuals, and I have initiated 38 complaint investigations; conducted three audits; named companies in the public interest 32 times, and initiated 17 court actions under PIPEDA.
What we take away from our experiences over the years is that greater incentives are needed to ensure that organizations are investing in – and effectively addressing – privacy protection in the early development of any new product or service.
Many of you have talked with members of my Office about competing priorities within your organizations. As Chief Privacy Officers, you want support for your privacy compliance programs because you believe in the importance of privacy. But I do understand how it can sometimes be a challenge to convince others up the management chain.
Our answer, of course, is that data protection is good business; and that is certainly true.
But you need more powerful reasons – compliance incentives – to gain support for your work.
Our new position paper outlines what these incentives could be.
A stronger enforcement regime would help to encourage organizations to make privacy protection a more important priority. Other incentives include more robust accountability and transparency principles to ensure that Canadians’ personal information is appropriately protected in a complex, globally connected environment.
This is the direction that has already been undertaken by other jurisdictions. It is important that PIPEDA evolve to keep up with the rest of the world.
Specifically, we think the following changes are needed…
First, we are recommending reform of PIPEDA to provide for stronger enforcement powers.
There are a number of options that, alone or in combination, could strengthen the current enforcement model and encourage greater compliance.
These include introducing an explicit range of statutory damages to be administered by the Federal Court under section 16 of PIPEDA.
Another option would be to give the Privacy Commissioner power to order organizations to do or cease doing something in order to bring themselves into compliance with PIPEDA.
A third option would be to afford the Commissioner the power to impose administrative monetary penalties where the circumstances warrant.
Our paper explores all of these options in some detail. You might notice that we don’t state a preference. That is for Parliament to decide. We are simply contributing to the public discussion of these issues.
We think any of these options would provide incentives, but certain models have greater or fewer implications for how our Office is organized or how we might function. I will leave those operational issues for another day.
To be clear: This would not spell an end to the Office of the Privacy Commissioner of Canada working cooperatively with organizations. Different enforcement models can accommodate various roles.
Our second recommendation is to shine a light on privacy breaches.
Specifically, organizations should be required to report breaches of personal information to the Commissioner and to notify affected individuals, where warranted, so that appropriate mitigating measures can be taken in a timely manner. The stronger enforcement model would apply to such breaches as well.
The current situation is unacceptable: Organizations that voluntarily – and quite appropriately – do report breaches may face reputational damage and the expense of cleaning up. Meanwhile, those that do not report may escape with no negative effects on their reputation or bottom line. (Unless, of course, they are found out – in which case, I would argue, the reputational impact is far worse.)
The uneven playing field is unfair and I think it is time to change the game so that everyone plays by the same rules.
Our third recommendation deals with transparency and lifting the veil on authorized disclosures.
PIPEDA allows law enforcement agencies and government institutions to obtain personal information without consent for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws.
While a few organizations publish “transparency reports”, we generally have no idea (nor does anyone else) how often this occurs and under what circumstances, though we do know that the provision is regularly used by police seeking information from ISPs to link IP addresses with names.
More transparency is needed to show how, and why, and how often this mechanism is used.
We believe organizations should be required to publicly report on the number of disclosures they make to law enforcement under PIPEDA’s paragraph 7(3)(c.1), without individuals’ knowledge or consent, and without judicial warrant.
Amending PIPEDA to require this transparency would shed light on the frequency and use of this extraordinary exception.
I believe this is in line with the expectations of Canadians, who have expressed deep concern over warrantless access by law enforcement to personal information, particularly during the debate of proposed “lawful access” legislation.
The vast amounts of personal information that many organizations hold make improvements in this area even more urgent.
Finally, our fourth recommendation is that the accountability principle in Schedule 1 be amended to include a requirement for organizations to demonstrate accountability upon request; to incorporate the concept of “enforceable agreements”; and to make certain accountability provisions subject to review by a Federal Court.
PIPEDA currently requires organizations to be accountable for their privacy practices and procedures, and specifies how to do so. But there is very little in the legislation to encourage and reinforce proactive compliance.
Too often – as illustrated by some of the examples I highlighted earlier – our investigations have revealed that organizations have repeatedly failed to adapt their privacy governance processes to address certain problems, in some cases even after we had investigated them.
Some of these problems would have been obvious if the product or service had been examined more carefully from the start.
It will take more to ensure that privacy attains the prominence it deserves within organizations – we need incentives that will help support your critical work as privacy professionals.
Requiring organizations to demonstrate they are accountable should help to create that incentive.
Another significant issue for my Office has been the amount of time required to follow up with organizations to ensure they are doing what they have committed to do.
Many changes can take some time to implement and there are only 45 days for my Office, or the complainant, to go to Court if changes are not made.
We believe the solution is to amend PIPEDA to explicitly introduce “enforceable agreements.”
In other words, spell out in the legislation specific consequences if an organization fails to honour its commitments to my Office within a certain timeframe following the conclusion of an investigation and spell out our recourse to Court.
All of these measures will help to ensure that Canada has an up-to-date, balanced privacy framework. Far from hampering innovation, stronger privacy protections would enhance consumer trust in the digital economy and reinforce Canada’s economic growth.
We live in a global world. Canada needs to ensure its privacy legislation evolves to keep up with laws in other countries with stronger enforcement powers.
We cannot afford to be left behind other jurisdictions, with little in the way of consequences for those that do not respect our privacy law.
Financial incentives in PIPEDA would support the work of privacy professionals – your work – by enhancing the profile of privacy as part of a company’s integrated risk calculation that informs its compliance programs.
PIPEDA reform will provide key opportunities for Canadian businesses by building consumer trust and creating a competitive advantage domestically and internationally through sound privacy protection.
I know there may be discomfort in the business community with moving to a stronger enforcement model. But I do think that many of you here support increased accountability, level playing fields and the responsible use of personal information.
I am heartened that the privacy profession in North America is growing – and here I offer credit and my thanks to the IAPP for its work to help make this happen.
I look forward to the discussion that will follow the release of our paper and I hope that you will support such changes.
We need a modern, effective privacy law that Canadians expect and deserve.