Together with Professor Valerie Steeves, I co-lead a seven-year project funded by SSHRC called the eQuality project. It's focused on understanding how big data practices, especially targeted advertising, affect young people's online interactions and can set them up for conflict and discrimination.
Today, I'm going to be drawing from research from several Canadian studies on young people. Two are 2017 studies. One was conducted by the eQuality project for the Law Commission of Ontario and is related to online defamation. The other was co-conducted by the eQuality project and MediaSmarts, under a grant from the OPC. It focused on young people's decision-making about privacy in the context of posting photos online. I'll also draw from the eGirls project, which was a three-year project co-led by Professor Steeves and I that looked specifically at young women's and girls' online experiences. Finally, I'll draw from the results of the MediaSmarts study entitled “Young Canadians in a Wired World”, most recently reported on in 2015-16.
Basically, I think there are three take-aways from these studies of relevance to this committee. First of all, young people are very concerned about reputational harm, and for girls and young women in particular, permanent reputational harm is considered by many to be the danger associated with networked media. Second, privacy, particularly the mechanisms for controlling access to and use of young people’s data is foundational to addressing these harms, particularly as young people think about whether and how the information they post or that is posted about them now may be unfairly used out of context in the future in ways that interfere with their prospects for employment and maintaining healthy relationships, among other things. Third, young people do have strategies and norms to mitigate these dangers, but corporate practices and online architectures make it very difficult for them to implement those strategies, or invisibly undermine them through machine-based processes such as algorithmic profiling for targeted advertising.
In a nutshell, from the studies on youth perspectives from our Canadian research, young people do actively seek out online publicity, but they are also particularly aware of the complications that publicity introduces. Because of this, they rely on a number of strategies to protect their online reputations, including thinking very carefully about what they post, monitoring what other people are posting about them, and getting colleagues to assist them when material is posted about them that is negative. However, the commercial nature of networked media makes it very difficult for them to keep control over their reputations.
In what we've come to call a perfect storm, digital architectures incent young people to shed data that is in turn used to profile and categorize them for purposes of targeted advertising. This involves predictions about who they are and who they ought to be that are often premised on narrow, mediatized stereotypes and presumptions about the groups into which they are aggregated. When young people try to reproduce these stereotypes themselves in order to attract the “likes” and “friends” set up by platforms as numeric markers of success, they are opened up to conflict with others who monitor, judge, and sometimes stalk them.
In this environment, we asked young people what policy-makers should do. I have four things I want to share with you.
The first thing is that you need to directly engage young people in the policy-making process. Policy development models need to be reformed to require direct engagement by young people from diverse social locations as experts in the policy formulation process itself, because research to date indicates a serious gap between policies set by adults and the experiences of young people.
Second, we need to look for responses that go beyond telling youth what to do and what not to do. The young people in the research that I'm drawing from today understood that being involved in networked spaces was essential to their lives, and all indications of our social, economic, and cultural worlds affirm that reality. It's not just an impression that they have. In fact, we’ve spent billions of dollars and years of policy and program development trying to get them online and to keep them online as part of our economic development plans. As such, advice like just going offline if you want to protect your privacy or you don't want to be harassed is both unrealistic and insulting.
Fourth, we need to regulate platform providers to improve privacy and equality. Many of our participants suggested that platform providers should not be permitted to keep young people's data as long as they do. This was in part because they were so conscious of how the permanent cache of information about them opened them up to judgment and reputational harm that could affect them now and in the future.
There are a number of potentially responsive regulatory options. First of all, as many people have testified before this committee, we can ensure that the OPC has enforcement powers in order to deal with these issues effectively.
Second, we can mandate greater accountability and transparency by service providers as a first step to better understand what exactly it is they are doing with our data to profile us and shape our online experiences, and to find out how often that profiling and those processes are premised on discriminatory stereotypes or yield discriminatory outcomes that affect individuals' life chances.
This kind of profiling—machine-based, invisible to users, involving processes humans often cannot understand or explain—can lead to discrimination on grounds that are currently legally prohibited, some of which could have serious implications for young people in particular. Currently, it's very difficult to open up the black box and understand exactly what it is that's happening, although we get glimmers from research projects such as that of ProPublica, which recently revealed discrimination in the price of SAT prep tests such that Asian students were more than twice as likely to pay a higher price for a prep test because they were Asian or because they lived in a zip code that was associated with Asians from both high- and low-income groups. It may well be that insights gained from this kind of disclosure from service providers about what it is they are doing will make it even clearer that the best option is just to prohibit the use of young people's data for the purposes of targeted advertising, full stop.
Third, we can consider legislative provisions that are better aimed at supporting young people in protecting their reputations now and in the future than the current PIPEDA provisions relating to accuracy and completeness. These include examples such as the right of erasure, as seen in California, and the right to be forgotten, as seen in the European Union, which I can say more about if others are interested later on.
Finally, if we're simply too wed to the consent model to depart from it despite knowing its obvious limitations in the climate we're in, we could consider requiring service providers, regardless of their terms of service, to get separate, explicit consent from young people or their parents to use their personal information for targeted advertising, and to provide ongoing, easy opportunities to opt out of that decision. It's less likely to be as effective as any of the other things I've talked about, but at least it offers the possibility of interrupting the commercial cycle of presumed access to young people's data.
In conclusion, the current commercial “data for services” model of network communications renders young people vulnerable to discriminatory profiling and reputational harm that can have long-lasting impacts. It's time for us as adults to take responsibility for the economic and social policies that have resulted in their seamlessly integrated online-offline world. Carrying out that responsibility requires the direct engagement of young people from a variety of social locations in processes like these, rather than just asking for the opinions of adults like me who have had the privilege of working with some of them.
I'd like to thank the committee for inviting us to be here. I'm the president and CEO of the Boys and Girls Clubs of Canada. Rachel is our director of research and public policy. We're excited to be here to present as part of the study on PIPEDA. We're pleased, actually, that the committee is spending some additional time, especially on this issue of children's privacy. We've shared our full recommendations in a letter already, but I want to go into a little more detail today.
One of the things you should know is that the Boys and Girls Clubs of Canada is Canada's largest child and youth serving organization. We serve about 200,000 children and youth across the country in more than 700 locations. We're there during the critical out of school hours for children. Our clubs offer children safe spaces. They can explore their interests, develop their strengths, and realize positive outcomes in terms of self-expression and academics. We do all sorts of programs around healthy living, recreation, mental health, and more. Our trained staff and volunteers help young people build the confidence and sense of belonging that they need to overcome barriers, form positive relationships, and mature into responsible, caring adults.
What is really important is that we offer a range of programs that are focused on education, digital literacy, and coding. Many of our clubs have tech centres that facilitate children and teens' access to the Internet. We are often enabling young people's access to online environments, especially if they don't have have access in many other places. Part of that is what brings us here today.
While we're doing our part to equip Canada's young people with digital and media literacy skills to help them navigate the online environment, we are concerned that marketers are collecting private information from minors, without meaningful consent. We're here to ask the government to explicitly include children's privacy rights in the Personal Information Protection and Electronic Documents Act.
We think that's important for two main reasons. One, from a developmental perspective, young children are not able to properly determine the risks associated with sharing private information online. Media skills training is definitely not enough in that regard. Two, we recognize that children are online at a young age, and sharing personal information for years before they reach the age of majority. We know that corporations are compiling quite a profile of Canada's children, and we don't think that's right.
While guidelines do exist, we know for instance the Canadian Marketing Association has a code of ethics, and the Privacy Commissioner has also issued guidelines. However, the collection of children's private information by corporations is not regulated or enforced.
In 2015, the Office of the Privacy Commissioner participated in a global sweep that determined that many websites and developers were failing to adequately protect children's privacy. In Canada, that amounted to 62% of those who reported. We discovered that they may disclose personal information to third parties, and that is simply unacceptable.
Last February, we published an op-ed calling on the government to introduce a law that would protect children's online privacy. Such a law does exist in the U.S. The Children’s Online Privacy Protection Act, or COPPA, requires parental consent for collecting personal information from children under 13. We want to add our voice to those calling on the government to explicitly include children's privacy rights in PIPEDA.
Today we're asking for four measures to be undertaken.
First, we ask the government to prohibit the collection, use, and disclosure of all personal information from children under the age of 13. Children are accessing the Internet at younger and younger ages, and from their own personal devices. They're too young to understand the implications of data collection and use. There need to be limits on what is appropriate to be collected, and restrictions on the types of data that can be collected from websites and applications aimed at children. I, personally, have often noticed that my own children have wandered away from the website, or the application I have opened for them, and may be attempting to visit new sites. Clicking on surveys and answering questions is a game for them, and does not come with an understanding that this is trading personal information for access.
The second recommendation is that the government follow the lead of the European Union's general data protection regulation, and require parental or guardian consent for access to online services for children aged 16 and under, or as that particular guideline requires, a lower age but no lower than 13. It is important, we feel, that parents be involved, as only parents or guardians should be able to provide informed and explicit consent for the collection of information. Parents should be aware, and responsible for the activities of their children online, and mechanisms that require explicit parental consent also serve to ensure engagement and awareness of what children are visiting and exploring online.
We were particularly struck by Dr. Valerie Steeves' February 16 testimony. I know she is a colleague of Madam Bailey. She found that almost none of the 13- to 16-year-olds she surveyed could remember the point at which they consented to the collection of their information when they signed up or posted material on Snapchat or Instagram. When we also consider Dr. Steeves' finding that 95% of 10- to 17-year-olds surveyed said that marketers should not be able to see what they post on social media platforms, we can conclude that young people's consent is definitely less than informed.
Our third recommendation is that we ask the government to provide children and youth the right to be forgotten when they reach the age of majority, requiring that corporations be obligated to remove private information immediately unless the newly adult person gives his or her explicit consent to the continued collection, use, and possible future disclosure of their personal information gathered during their minority.
We know how children use the Internet, and the choices made while under the age of majority are not reflective of the identity and choices they will make once they have reached the age of majority. While we know there are also many out there who would like their online life to be erasable and forgotten, children should actually be able to benefit from this right.
Lastly, we want to make sure that these new rules are enforceable. We ask the government to give the Office of the Privacy Commissioner the power to enforce new children's privacy regulations. It is not enough to just create these laws. Companies and sites must be monitored and held accountable for their compliance with these provisions.
Some have argued that there are jurisdictional issues in overseeing consumer rights and that this might be a provincial issue. However, we would encourage two particular perspectives on this. First, the federal government needs to show leadership in this respect. The laws in the U.S. governing children's protection date from 1998. We are sorely behind in this regard, almost 20 years, which is an entire generation of children growing up on the Internet in this unregulated environment. Second, we'd argue that this is not about consumers, as children are not the purchasers in a household, but about protection and privacy of children's personal information.
Education is as critical as enforcement. Resources such as those that have been developed by the Privacy Commissioner, those that have been developed by MediaSmarts, as mentioned already, and those in the U.S. such as “Stop, Think, Connect”, from the National Cyber Security Alliance, need to be promulgated to Canadian families and educators and make sure that Canadian resources are further developed for use.
Some have commented that it is unusual for a general youth-serving organization such as ours, the Boys and Girls Clubs, to choose to advocate for the protection of children's privacy rights. However, we're proud to stand up for children and youth on a broad range of issues. We were conducting background research on Internet safety and were actually, frankly, surprised by the lack of protections for children in Canada. We are concerned about Internet access, and children are accessing the Internet more frequently, often within our clubs and our technology centres and on their own devices.
The review of PIPEDA offers an opportunity for the government to address that gap. Boys and Girls Clubs of Canada is proud to add our voice to this mix, and we're grateful for the opportunity to speak about the privacy rights of Canada's children and thank the committee for taking additional time to address concerns specific to this population.
We hope that the discussion will lead to stronger protections for children, protections that can be best asserted by explicitly including children's privacy rights in PIPEDA. We will welcome your questions.
Good afternoon, and thank you for the opportunity to be here today.
My name is Kristjan Backman. I chair the National Association for Information Destruction in Canada. This is a voluntary position. In my day job I run a small company called Phoenix Recycling. We're a Winnipeg-based company that does information destruction services.
NAID-Canada is a non-profit association representing companies that specialize in the secure destruction of information, with members in every province across Canada. Our mission is to raise awareness and understanding of the importance of secure information destruction, and in doing so we want to ensure that private, personal, and business information is not used for purposes other than for which it was originally intended.
NAID-Canada also plays an active role in the development and implementation of industry standards and certification. We provide a range of member services, which include advocacy, communication, education, and professional development. It's worth noting that NAID certification is often mandated contractually by clients who use information destruction services to ensure that service providers meet regulatory and security requirements.
The issue I'm here to address today is often overlooked, yet is a critical aspect of privacy protection, namely the secure destruction and disposal of records that are no longer needed. Our mantra in NAID is that information is only as secure as the weakest link in its life cycle, and far too often little attention is paid to the end of a document's life cycle. We see evidence of this on almost a daily basis in the media, with reports of information being left intact and publicly accessible in dumpsters, recycling bins, and discarded electronic devices sent for reuse and recycling.
It's difficult to measure how pervasive this problem is, but NAID-Canada and our sister associations around the world have conducted investigations into unsafe destruction practices. Our first such investigation was in Toronto, in the GTA, in 2010, when NAID hired a private investigator to go dumpster diving and look for personal information. In that survey, 14% of the commercial dumpsters that we examined had personal information intact and easily accessible to the public. That exercise has since been repeated in Australia and Spain and has sparked national conversations in those countries around the failure to securely destroy information that's no longer needed.
As the world becomes increasingly paperless, the threat of unsafe destruction of information has become more complex. All the electronic devices that we store information on, and wiping those devices of that information when disposed of, has become a major privacy issue. As evidence of that, in April our U.S. association released the results of the largest-ever study looking for the presence of personally identifiable information on electronic devices sold in the second-hand market. It found an astonishing 40% of the devices sold through publicly available channels contained personally identifiable information. These are tablets, cellphones, PDAs, and hard drives.
I know the committee is interested in youth privacy protection, and there is perhaps no demographic more impacted by a failure to securely destroy information stored on electronic devices. The implications for anyone having their entire private life exposed if personal electronic records are breached is severe, but for youth more so. We recently received a letter from the Privacy Commissioner about a recycled devices study, and we agree with his assessment in this area, where much more education is needed, particularly with youth.
With destruction more generally, we've had many cases in Canada of sensitive personal files, including those related to youth, being breached through a failure to destroy personal information. This has included medical records and client files from the Children's Aid Society. Again such breaches are potentially devastating for all ages, but more so for youth.
This is just a snapshot of the problem. Let me turn to some solutions, which are detailed in our written submission that we made to the committee.
NAID-Canada believes that PIPEDA should include specific requirements that information must be destroyed when it's no longer needed, and that destruction should be defined in the legislation. Currently destruction is only a recommendation in PIPEDA, not an obligation. We believe that making it an obligation would force organizations to treat destruction more seriously. As for a definition, NAID-Canada defines “destruction” as “the physical obliteration of records in order to render them useless or ineffective and to ensure reconstruction of the information, or parts thereof, is not practical”. This definition applies both to paper and to electronic records as we believe the specificity of the definition is required in the legislation to ensure “destruction” is not left to interpretation.
Recycling, for example, is not destruction as records may remain intact and vulnerable to a privacy breach for extended periods of time.
Putting a destruction obligation into PIPEDA and defining the term are our two primary recommendations, and I should note that they were endorsed by this committee the last time it reviewed PIPEDA. The government, instead, felt the issue could be addressed with guidelines, and those guidelines have been developed. However, we still believe destruction should have legal weight behind it.
Building on that point, I would note that other jurisdictions impose significant fines for failing to properly destroy information. For example, a Missouri medical company was fined $1.5 million for leaving medical records in a public dumpster. In Canada, we have an epidemic of cases involving medical records in dumpsters. Perhaps we wouldn't if we had proper fines like those in the United States.
NAID Canada supports fining and order-making powers for the Privacy Commissioner. Likewise, we support breach notification laws and look forward to their implementation here.
Finally, please let me close with a general comment about Canada's global standing in privacy protection. As our organization has branches around the world, we have considerable insight into that, albeit from our fairly limited perspective of information destruction. That said, Canada is falling behind. Other countries have been far more decisive in mandating safe information destruction, and the fines in the U.S. are punitive. The long delays in getting breach notification law into effect in Canada put us well behind many of our peers, though we are pleased to have seen the draft legislation to implement this law finally published earlier this month.
Also, we have noted the considerable attention paid during these hearings to the more aggressive general data protection regulation in the EU that will go into effect this year. European policy-makers have learned what all regulators eventually do—that clear, unambiguous direction and strong enforcement provisions are the only way to ensure the protection of personal information.
As we remind the committee, we service providers are subject to the same stronger penalties. Even so, we are willing to confront this increased liability because we realize it's better for everyone, and it's really the only solution.
In closing, let me state that we are sensitive to those who are concerned about compliance costs, and our members are businesses, so we get that. However, any smart business should already be securely destroying the information that's no longer needed since the financial and reputational risks of a breach are far greater than the costs of securely destroying the information.
That said, incidents related to a failure to safely destroy information keep happening, and it has been almost a decade since the last PIPEDA review. We think it's time to amend this legislation to include a secure destruction obligation and a definition of what that entails.
Thank you for your time, and I look forward to your questions.
Ms. Bailey, with respect to PIPEDA and meaningful consent, we all see these stats. I think they probably change weekly. Give or take, roughly 75% of youths 13 to 17 years old have cellphones now, 71% use more than Facebook, and 92% are on social media daily.
With respect to meaningful consent, here's what scares me. My kids aren't really kids anymore—they're young adults—but we certainly have friends with younger children. As recently as two weekends ago, we were home and had some of our friends over. Their kids were there and of course were on their cellphones. I took a little more notice of what they were doing. They were going through sites and apps and clicking on agreeing to this and that.
With respect to meaningful consent, especially in Canada with PIPEDA, I'd like you to elaborate a bit on the GDPR and on COPPA in the United States, but what can we do in Canada with respect to tightening up meaningful consent? Is it consent by 17-year-olds and up, as I think one of you mentioned, and you're good to go? For 13 to 17, do you maybe need parental consent?
Can you elaborate on meaningful consent and how you would like to see that tightened up in Canada? Can you compare it with the GDPR and COPPA?
We threw around the term “right to be forgotten” pretty easily just a minute ago; I did it, too. Just to be clear, to say what we mean.... What do we mean by a right to be forgotten? Even in the EU currently, without thinking about what's going to happen in 2018, it's not really a right to be forgotten. It's a right to request a delinking of your information from a search engine, which in some ways has the best of both worlds, in the sense that, practically speaking, most people are not going to go to more trouble than a Google search. If that link is no longer something that pops up in a Google search, you get effective, practical obscurity from that kind of measure, without the downside.
I am conscious of having colleagues who are interested in the Internet as an archive of our history for the future, and thinking about what full and permanent erasure might mean. Even if you said, “We'll take things off the market for 100 years”, as we do in archives sometimes, 100 years from now somebody can look at this.
I think the idea of a right to be forgotten that's a practical measure for delinking is actually an interesting practical response, provided that we have some understanding and accountability about how service providers are making these decisions when requested to make these decisions. We need accountability, transparency, and disclosure from them about how many requests they are getting, what the bases of their decision-making are, how many they agree with, how many they dismiss, and those sorts of things. I think that's a practical kind of a right to be forgotten that can give a certain amount of relief.
The other thing is, if we just did the preventative thing in the first place and said.... Just to point out, Google Classroom is used, mandated, across the Ottawa-Carleton District School Board, and we, as parents, have been assured that Google has agreed that it will not be collecting our children's information when they are using those services, and it will not be using those for commercial purposes. I guess we all believe that, because that's what they said.
To say it's not possible is more rhetoric. We have to be conscious, as consumers and citizens, that there is a certain rhetorical element to this: these things are impossible, too expensive, too difficult. We need to think about how to prevent the collection in the first place so that the destruction issues, the delinking issues, and the inaccessibility issues are not the monumental problem that they are now for a generation of kids. We can do something for the next generation of kids.
Under the current law, no. Then I guess the question is whether you are saying that erasure of their files is something that Canadians ought to be able to demand.
If you go back to the principles—and I want to use the right terms—accuracy, completeness, and being up to date, there are principles that require organizations to consider whether the material they're holding is accurate, complete, up to date, and still necessary for the purposes for which they're holding it.
They collected it. There is some case law of complaints around people saying that their file ought to have been erased and it wasn't. It was no longer accurate or complete. That may be a mild form of the sort of right you were talking about, where you're asking to have your file deleted completely.
Young people we talk to want to be able to go to Facebook, for example, when they're finished with Facebook, and say, “I'm not just closing my account, I want the record of my account deleted. I don't want you to have a backup of that on a server somewhere.”
We've talked to young people who said they would very much like to have the right to do that.
Sure, I can be general on that.
There are steps that good businesses take to protect the information of their customers and their employees, for example document destruction, shredding the paper documents that are in there, and dealing with their old electronic devices, their servers, their PDAs, their cellphones, things like that. These are not onerous costs for a business.
For small companies, it would be in the range of several hundred dollars a year. In large corporations it might be significantly more than that, but again, it's a very small fraction of the cost that it took to manufacture that information, and I like to look at it that way. When you look at the cost of creating the files and collecting the information, storing it and analyzing it, the actual cost of disposing of that information is a very small fraction of the amount it cost you to aggregate the information in the first place.
There's no cost to the destruction of data that is prohibitive to doing it properly. The industry is remarkably competitive across North America, so there's no issue there where a company would be making a choice other than pure bottom-line dollars to not do it correctly.