
ETHI Committee Report


Supplementary Report of the New Democratic Party of Canada

New Democrat Members of the Standing Committee on Ethics, Privacy and Access to Information are pleased that the Committee chose to proceed with the NDP motion to study social media and its relationship to the privacy of Canadians. As social media and the commoditization of personal information reshape the privacy landscape world-wide, the Privacy and Social Media study offered a timely opportunity for Members to investigate the implications of these changes through a uniquely Canadian lens.

However, New Democrat Members are concerned that the recommendations in this report fall short in key areas. While guidelines issued by the Privacy Commissioner are important tools, they are not sufficiently strong to secure the privacy of social media users in the world of big data. In an effort to do justice to the testimonies heard, New Democrats propose nine additional recommendations that establish a balanced vision for the role of government in privacy protection.

Recommendations

Testimony from Privacy Commissioner Stoddart and others suggests that the Privacy Commissioner’s Office wrestles regularly with incidents of noncompliance[i]. On the whole, committee testimony suggested that the Personal Information Protection and Electronic Documents Act (PIPEDA) provided a good framework for data protection. However, the soft enforcement powers currently held by the Commissioner are no longer sufficient as personal information is increasingly commoditized and shared across borders in the form of data. It is little wonder that data protection authorities in countries such as the UK, Germany, Australia and France are equipped with enforcement powers (see Appendix B). Consequently, New Democrats believe that enforcement powers must be the first step in reforming PIPEDA. Without them, organizations that want to can continue to disregard the privacy rights of Canadians.

“The current law is particularly weak with respect to enforcement. The commissioner has no order-making powers and lacks the ability to impose fines or other penalties in the case of particularly egregious conduct” – Professor Teresa Scassa, University of Ottawa [ii]

Recommendation 1: New Democrats recommend that the government grant enforcement powers to the Privacy Commissioner such as order making powers and the authority to impose administrative monetary penalties.

As witnesses reported, even diligent and privacy-respecting organizations can fall victim to breaches of the personal data they hold[iii]. New Democrats believe that Canadians deserve to know when they are in harm’s way following a breach. Lost personal information can result in identity theft and fraud, heavily costing the victims. Data breach reporting requirements would encourage organizations to invest in better security measures that will also reflect well on the trustworthiness of their brand. The result is both greater security for the public and improved confidence in the online marketplace.

“Canada is in dire need of a breach notification obligation. Such an obligation will improve incentives to build stronger technical safeguards and provide users with opportunities to redress harm…” – Tamir Israel, CIPPIC[iv]

Recommendation 2: New Democrats recommend that the government require all organizations to report data breaches or losses to the Privacy Commissioner where a reasonable person would find that the breach or loss presents any risk of harm to the individuals affected.

The current review of PIPEDA is two years late and Canada’s personal information protection law is no longer the envy of the world. Canadians deserve a world-class personal information protection law. Yet, committee testimony repeatedly revealed that Canada lags behind many comparable jurisdictions in data and privacy protection. While New Democrats support a PIPEDA model that is flexible to the demands of new and changing technologies, we do not believe this should eclipse the need for periodic review. Indeed, PIPEDA is required to undergo a statutory review every 5 years.

“My office has been conducting extensive research and analysis in preparation for the second mandatory five-year review of PIPEDA by Parliament, which is now past due. We’re giving serious thought to how the current regime, which predates all these novel technological developments, should be modernized to keep up with the times.” – Jennifer Stoddart, Privacy Commissioner[v]

Recommendation 3: New Democrats recommend that the government modernize Canadian privacy laws to measure up to privacy protections in comparable democracies and to ensure that the personal information of Canadians is well protected in the digital age.

As online services and applications continue to multiply, so too does the quantity of license agreements and privacy policies requiring the consent of Canadians. These license agreements are generally long, jargon-filled and incomprehensible, yet they can have a staggering impact on an individual’s control over their personal information. Indeed, Professor Valerie Steeves stated that license agreements and privacy policies are often designed to reduce the liability of the service-provider rather than to better inform the user[vi]. The result undermines the effectiveness of the consent principle in PIPEDA. New Democrats believe that as surveillance capacity grows, through mechanisms such as geo-location and facial recognition, Canadians deserve transparency when they give consent for the use of their personal information.

“One of the main issues with the protection of personal information on social media sites is the proliferation of standards and protection policies in relation to privacy. We are concerned about the lack of an exhaustive, clear and consistent framework that provides social media users with a set of clear standards on the protection of personal information.” – Professor Normand Landry, TélUQ[vii]

Recommendation 4: New Democrats recommend that the government review Schedule 1 of PIPEDA to clarify that express consent should generally be sought for disclosure of personal information to third parties and that this is especially necessary where such disclosure is a requirement of an end-user license agreement.

In addition to dragging their feet on the privacy file, this government has shown a reluctance to articulate a comprehensive digital economy strategy despite years of promises. Examples of such strategies abound in countries as diverse as Australia and Estonia. New Democrats agree with testimony suggesting that the lack of leadership and ambition by this government on the digital file will prove to be a costly error. Further, our party believes that a digital strategy of any kind, should it materialize, must tackle head-on the challenges that the digital world presents to the privacy of individuals in Canada.

“I believe that the failure to articulate and implement a national digital economy strategy comes back to haunt us in these circumstances” – Michael Geist, University of Ottawa[viii]

Recommendation 5: New Democrats recommend that privacy issues constitute an essential part of a comprehensive digital economy strategy for Canada.

Consumers and users deserve control, choice and transparency in how they manage their personal information. During the study, the Committee heard testimony acknowledging the positive initiatives of some social media organizations to improve the accessibility of their privacy framework and defaults to their users[ix]. However, these practices are not universal. Increasing commoditization of personal information provides incentive for organizations to set very weak default privacy settings. What’s more, tracking mechanisms such as cookies are widespread. New Democrats believe that government should partner with industry to promote the integration of privacy-by-design into default settings and develop do-not-track functions for users.

“We always say privacy is good for business. There should be a privacy payoff to business that follow good privacy practices.” – Ann Cavoukian, Ontario Privacy Commissioner[x]

“‘The Devil is in the Defaults’. In short, the architecture of every technology includes a number of design choices” – Professor Ian Kerr, University of Ottawa[xi]

Recommendation 6: New Democrats recommend that the government consider reviewing PIPEDA and corresponding regulations to encourage organizations to implement the practice of privacy by design.

Recommendation 7: New Democrats recommend that PIPEDA, corresponding regulations, and any relevant statutes be amended to encourage organizations to implement Do Not Track functions.

New Democrats believe that, in today’s world, a study like this demands further recommendations regarding the protection of children. The Committee heard witnesses emphasize the growth in online advertising targeting children,[xii] and in her testimony Commissioner Stoddart questioned whether children could indeed provide meaningful and informed consent as defined under PIPEDA[xiii]. Numerous experts at committee testified to the challenges of legislatively protecting the personal information of children. University of Toronto professor Sara Grimes spoke of the need for child-specific regulations in Canada and University of Ottawa professor Valerie Steeves raised the tiered consent options based on age studied during the last PIPEDA review. New Democrats believe that in order to fully benefit from the social, cultural and democratic opportunities in social media, children must also benefit from the security that only strong privacy protections can provide.

“There is a clear and growing need for child-specific regulation on the collection, management, and use of children’s data.” – Professor Sara Grimes, University of Toronto[xiv]

Recommendation 8: New Democrats recommend that the government continue to study ways in which to best protect the personal information of children online while encouraging that they too benefit from the social, cultural, and democratic benefits of the online world.

Digital footprints are left every time an individual surfs the Internet or uses social media. Under PIPEDA, data should only be retained as long as it is necessary to fulfill a specific purpose.  Commissioner Stoddart, however, indicated in her testimony that compliance with this principle under PIPEDA is not always achieved and many social media organizations still maintain vague retention schedules[xv]. Furthermore, much of this data is stored internationally and has become more difficult to track down. Some committee testimony referred to recent European studies seeking to codify a right to be forgotten[xvi]. As the digital footprints of internet users multiply, New Democrats believe that Canadians should be empowered to control their online histories.

“It’s almost a human right. You should have a chance to ask a company to remove the information. It’s clear in the act that you are supposed to delete it if it’s no longer used, so we don’t see why you shouldn’t have the right to remove it.” – John Lawford, PIAC[xvii]

Recommendation 9: New Democrats recommend that the government conduct a study on the privacy policy known as the “right to be forgotten” and report back to Parliament.

******

These nine recommendations reflect a balanced New Democratic vision for privacy reform in the age of social media, big data and instant digital connectivity. The flourishing of social media has afforded us unprecedented opportunity to connect, to share knowledge, to democratically engage and to open up new markets for goods and services. New Democrats believe that the future success of Canada’s digital economy and society demands recognition of the new challenges facing privacy protection. Government must adapt and update its policies on and approach to privacy in order to preserve this fundamental civil liberty in the digital realm.


[i] ETHI, Evidence, 1st Session, 41st Parliament, May 29, 2012, 1155 (Jennifer Stoddart, Privacy Commissioner).

[ii] ETHI, Evidence, 1st Session, 41st Parliament, May 31, 2012, 1100.

[iii] ETHI, Evidence, 1st Session, 41st Parliament, May 29, 2012, 1225 (Janet Goulding, Industry Canada).

[iv] ETHI, Evidence, 1st Session, 41st Parliament, June 19, 2012, 1115.

[v] ETHI, Evidence, 1st Session, 41st Parliament, May 29, 2012, 1150.

[vi] ETHI, Evidence, 1st Session, 41st Parliament, May 31, 2012, 1125.

[vii] ETHI, Evidence, 1st Session, 41st Parliament, November 20, 2012, 1540.

[viii] ETHI, Evidence, 1st Session, 41st Parliament, May 31, 2012, 1110.

[ix] ETHI, Evidence, 1st Session, 41st Parliament, October 30, 2012, 1535 (Colin MacKay, Google).

[x] ETHI, Evidence, 1st Session, 41st Parliament, June 7, 2012, 1200.

[xi] ETHI, Evidence, 1st Session, 41st Parliament, June 12, 2012, 1210.

[xii] ETHI, Evidence, 1st Session, 41st Parliament, June 19, 2012, 1200 (Sara Grimes, University of Toronto).

[xiii] ETHI, Evidence, 1st Session, 41st Parliament, May 29, 2012, 1150.

[xiv] ETHI, Evidence, 1st Session, 41st Parliament, June 19, 2012, 1105.

[xv] ETHI, Evidence, 1st Session, 41st Parliament, May 29, 2012, 1150.

[xvi] ETHI, Evidence, 1st Session, 41st Parliament, June 12, 2012, 1225 (Vincent Gautrais, Université de Montréal).

[xvii] ETHI, Evidence, 1st Session, 41st Parliament, October 18, 2012, 1545.