Merci. Thank you very much, Chair and honourable members, for the invitation to appear before your committee today as you begin your very important study on social media companies and the steps they are taking to protect the personal information of Canadians.
I'm joined here by two social media experts from my office, Daniel Caron, legal counsel, and Barbara Bucknell, policy analyst, on this issue.
I'd like to start by giving you a brief overview of social media. I'm sure you've now all had experiences with these online platforms. They've become important channels for news, for communications, relationships, the sharing of photos, videos, and almost anything else that can be digitized. That said, I think it is useful to start with an overview of the industry to help clarify what it does and how its activities have an impact on the privacy of Canadians.
Social media involve applications that allow individuals, organizations, and communities to share information and to generate content. Building on traditional business models where businesses required personal information in order to provide a service, today individuals young and old voluntarily share their personal information on social media sites to connect with other people, or in some cases, to draw attention to themselves and to their views. Indeed, many social media sites encourage users to establish profiles that reflect who they are, what they are interested in, who they know, and what they like. Many provide their services for free in the hopes of gaining a larger user base.
To suggest that these services are "free" however is not entirely accurate. Social media companies can quickly amass a staggering amount of personal information. In addition to the preferences, habits, and social interactions of their users, these companies also collect vast amounts of background information that is not visible on public profiles, including search histories, purchases, Internet sites visited, and the content of private messages. This collection of billions of data points allows social media companies—using sophisticated algorithms—to analyze user behaviour in order to refine their services, and to identify ways to generate revenue. It can also enable others, such as researchers, employers, school administrators, and law enforcement, to learn more about individuals and their activities.
This is the age of big data where personal information is the currency that Canadians and others around the world freely give away.
[Translation]
My office has a mandate to ensure private sector compliance with the Personal Information Protection and Documents Act, which applies to the commercial use of personal information by social media companies operating in Canada.
Over the course of the past five years, we have engaged with, and conducted investigations into, many players in the industry, both big and small. A significant part of our recent research and policy work has focused on understanding and explaining to others the privacy implications of the social media phenomenon.
Ever mindful of the importance of innovation in today's digital economy, we have tried to strike a reasonable balance between companies' desire to experiment with new products and services, and an appropriate level of protection of Canadians' personal information.
[English]
That said, I have become very concerned about the apparent disregard that some of these social media companies have shown for Canadian privacy laws. Although we've made some headway with some of these campaigns, I would like to identify the following significant privacy concerns that I believe require more attention on the part of all social media sites, and these are the four following issues: accountability, meaningful consent, limiting use, and retention.
I'll start with accountability. Too often we have seen privacy concerns being addressed after a major problem is uncovered or there is a backlash on the part of users. While it appears that many of the major players are making improvements on this front, the social media world is constantly evolving with new entities popping up regularly in a hurry to get their new service on the market. Privacy does not appear to be a top priority for them.
This is one of the reasons that my office, together with my counterparts in Alberta and British Columbia, recently issued accountability guidance to companies on the internal privacy processes and procedures that need to be in place, including having an individual in charge of privacy.
Second, the issue of meaningful consent is critical. Social media companies need to clearly explain the purpose behind their collection, use, and disclosure of personal information, and what third parties, such as application developers, they are sharing this information with. And they have to clearly obtain users' consent.
This is a particularly challenging issue, since privacy policies tend to be too long, too convoluted, and largely ignored by users. Providing adequate information, which users can easily understand, read, and consent to, is a challenge for social media companies and data protection authorities.
Further complicating the issue of consent is the fact that children are online from an increasingly young age. The youngest users may not yet be able to provide meaningful consent required under PIPEDA.
[Translation]
The third issue is limiting use. Social media services are constantly evolving in an effort to be innovative and competitive. This has meant that personal information can be used in new, and sometimes unexpected—even unwelcome—ways. It is important to keep users properly informed, explaining new features in a timely fashion, and seeking their informed consent for new uses of personal information. I think we also need to learn more about how personal information on these sites could be used, beyond advertising, and the onus should be on social media companies, as with all other organizations, to be fully transparent about their personal information practices.
The fourth issue of concern is organizations failing to establish retention schedules of personal information and true deletion options for individuals. Social media companies need to be clear about how long they retain the personal information they are collecting. They should also spell out how they treat personal information differently when an account is de-activated versus when an account is actually deleted.
Under the Personal Information Protection and Documents Act, firms are obliged to keep data only as long as is necessary for a specific purpose and then they must destroy it. Vast quantities of data, often located in other countries, can also pose security issues.
[English]
Honourable members, as you proceed with your study into privacy and social media, you may wish to use these principles—that of accountability, meaningful consent, limiting use, and retention—as a guide for assessing how social media companies protect the personal information of Canadians.
In conclusion, Mr. Chair, in public opinion polling commissioned recently by my office, we asked more than 2,000 Canadians about social media, and 83% of respondents said online companies should be asking for explicit permission before tracking their Internet usage and behaviour. Clearly, Canadians value their online privacy. That's why we feel it is so important to hold companies to account for how they collect and use personal information.
To that end, we have made steady progress with the tools available to us under the present law, but I believe much more needs to be done. The reach of digital companies using Internet and mobile technologies to collect and share personal information will only grow in the coming years.
My office has been conducting extensive research and analysis in preparation for the second mandatory five-year review of PIPEDA by Parliament, which is now past due. We're giving serious thought to how the current regime, which predates all these novel technological developments, should be modernized to keep up with the times. Top of mind is how the existing enforcement powers could be further strengthened to curb industry non-compliance and encourage greater accountability from companies for the personal information they collect, use, and share with others.
In recent years there has been a trend internationally toward more robust enforcement powers. Canada has long been a leader in terms of privacy protection laws, but I believe we now risk falling behind.
I look forward to sharing my office's detailed position on this matter when the parliamentary review gets under way.
Thank you very much for the time, Mr. Chair. I would be happy to answer any questions the honourable members have.
Thank you, Madam, for coming. I'm very pleased that you are our first witness, because your office is one of the few recognized beacons out there dealing with this issue.
I think, from a legislative point of view, there were many years where we felt that it was probably dangerous for politicians to step in on this emerging technology, because we didn't know where it was going. We had to allow this market to develop. We had to allow the technology to come of age. Suddenly it came of age, and very quickly; it moved faster than any of us ever conceived. We feel we're playing catch-up.
In terms of the issue of privacy in particular, people are now living almost entirely online, and there are enormous implications. Social media is an incredible force for good and for communication, but there are issues of privacy, security, safety. There's a whole manner of issues that we have not even begun to get our heads around.
In the short time I have, I'd like to focus on your four main points: accountability, meaningful consent, the limitation of use, and retention of data.
In terms of the issue of accountability, we have government legislation with PIPEDA coming forward, yet in this law, when they're looking at the issue of the breach of privacy, the onus is on the company to decide whether or not to share that with the citizen. It's based on the issue of significant risk or harm.
Do you believe we need to have a clearer standard? I cannot imagine a company ever calling its consumers and saying, “Guess what? Someone has been breaching our data, but don't worry; stick with us.” The obligation of the company to the consumer I think should outweigh the risk to its bottom line, because at what point is the consumer going to be able to be assured that their privacy is being respected? What role do you think your office plays, and what role do you think should be the standard, for issues of breach of privacy?
Thank you, Mr. Chairman.
Thank you to the witnesses today.
It's very interesting testimony. You indicated, Ms. Stoddart, that we live in the age of big data, and I think it's actually remarkable. Mr. Angus talked about the short time period in which this has evolved. I think companies have been studying consumer behaviour for generations. They test-market things, and in fact, Peterborough was long a test market community for various products. They don't do that much anymore, because they are working off data that they are actually gleaning.
You talked about the algorithms and so forth that they use to determine consumer approval or consumer likes and dislikes. You also talked about how Canadians, but also people around the world, give this information away freely, and about actual informed consent.
It seems to me that when you go to sign up for any of these sites—and I've signed up for them myself—they have a very long legal agreement that I would argue is beyond the comprehension of many people using the sites, especially young people, especially very young people. Should there be almost a disclaimer that says, “We are going to study what you are doing. We are going to note where you go. We're going to use these observations to report back to firms that will pay us for this information. Do you consent to that?”
Would that be a real simple way of putting it out in just basic English as to what their end is? We know what people's ends are. If you go to Facebook, it's one of the greatest communication tools. YouTube and so forth, these are incredible tools. Frankly, like a lot of people, I really like them. But their end in providing it is that they are gaining value out of it, correct?
It's not well understood, the value they're gaining from people. You indicated this information, big data, is something people are giving away freely. It's not being resold freely or repackaged freely.
I'd like to introduce my colleagues who are with me today: Bruce Wallace, director of security and privacy policy, and Jill Paterson, a policy analyst with our digital policy branch.
Your committee has chosen to study a very important and timely issue. The protection of personal information online is a prerequisite for a strong global digital economy. I am here today to provide some background on the federal legislation that protects the privacy of Canadians in commercial transactions, online and elsewhere, the Personal Information Protection and Electronic Documents Act or PIPEDA.
[Translation]
Since it was implemented, PIPEDA has provided a solid foundation for the protection of privacy online. Canada's federal private sector privacy law is regarded around the world as a model for other countries to follow when seeking ways to protect the privacy of individuals. Much of its strength comes from the manner in which PIPEDA addresses privacy in a technologically neutral way, using a flexible, principle-based approach.
PIPEDA deals with two distinct issues. Part 1 sets out the privacy protection obligations under the act. Parts 2 to 5 deal more with electronic documents than with privacy, and as such are not relevant to your current study.
Part 1 of PIPEDA sets the rules for the private sector in protecting personal information used in the course of business. It establishes clear ground rules that govern the collection, use and disclosure of personal information.
[English]
The act balances two central considerations: the need to protect the privacy of individuals, and the need of organizations to collect, use, or disclose personal information in the course of commercial activities. Striking this balance is particularly relevant in the online environment, where large amounts of information can be rapidly collected and stored, and financial transactions can be completed in just a few seconds.
There are some key features of the act I'd like to touch on today.
First, the act applies only to personal information that's used for commercial purposes. It applies to personal information in all formats—electronic and non-electronic. The act applies across the economy as a whole, not just to individual sectors.
Second, the law is based on a set of principles taken from the Canadian Standards Association's Model Code for the Protection of Personal Information. The code was developed by the private sector and consumer representatives and was adopted well before the act came into force. The code is a set of 10 core privacy principles, which were incorporated into schedule 1 of the act.
I'd like to draw your attention to the most central principle, which is the need for consent. Privacy legislation in Canada, and in many other countries, is founded on the principle of consent, whether that be expressed or implied, to collect, use, and disclose personal information.
The act also requires that any collection, use, or disclosure of personal information by an organization should be considered by a reasonable person to be appropriate in the circumstances. This is an overarching test that applies to all provisions of the act. This requirement brings a significant degree of flexibility to the legislation, allowing PIPEDA to remain applicable while social norms, behaviours, and expectations change over time and in different situations, both online and offline.
PIPEDA first came into force in 2001, before the onset of online services and activities—such as Twitter, YouTube, Google, and Facebook—which today we take for granted. Yet as the Internet has evolved, and as new services have been introduced, the legislation has proven to be an effective tool. Its flexibility, resulting from its technology-neutral and principles-based approach, has enabled Canada's Privacy Commissioner to address the challenges that have arisen online, including in social media environments. She has enforced privacy provisions on an international scale against some of the world's largest online service providers, including Google and Facebook.
For example, following an investigation by the commissioner, Facebook took corrective action to bring practices in line with obligations under PIPEDA. Facebook agreed to provide information to help users better understand how their personal information will be used so that they can make more informed decisions about how widely to share that information.
Overall, the legislation continues to provide a robust framework on which to find a balance between business practices and protecting the privacy of Canadians. However, technological innovation, combined with continual changes to individuals' online practices, highlights the importance of reviewing PIPEDA to ensure that it can appropriately address emerging challenges.
[Translation]
In particular, the development of applications for individuals to share information about themselves—a key aspect of what is known as "Web 2.0"—is changing online behaviour. Much personal information is volunteered by individuals themselves. And despite being active participants in the flow of personal information, many users may not fully understand the way their information is used, or the associated privacy risks.
Research indicates that social media users may not anticipate how broadly accessible information they post will be. In addition, the use of "cookies" and other online tracking tools is pervasive, and yet largely invisible to the average Internet user. The potential exists for personal information to be aggregated and used in ways which the individual may never have even imagined and with which they may disagree.
[English]
There are complex issues involved in the development of policy frameworks to maintain privacy protection in this environment. Canada is one of many jurisdictions currently grappling with this. The OECD, for example, is currently conducting a review of its privacy guidelines, which were the first internationally agreed-upon set of principles and which influenced the development of the CSA model code, upon which PIPEDA is based.
Likewise, a good piece of legislation like PIPEDA can be made even better with regular review to ensure that it keeps pace with advancing technology and evolving business models.
Bill , will update PIPEDA in a number of important ways. The bill, which is awaiting second reading in the House of Commons, is the result of the first review of the act, which was undertaken by your predecessors on this committee in 2006-2007. At that time the committee concluded that no major changes to the act were needed; however, they did make a number of recommendations aimed at improving some elements, notably the need for mandatory data breach reporting requirements.
Following the committee's report, Industry Canada conducted extensive consultations, leading to the government response, which indicated that several amendments to PIPEDA would be made to address the committee's recommendations. These amendments were first tabled in May 2010, but subsequently died on the order paper. The amendments were later reintroduced as Bill C-12, which was tabled in September of 2011.
Significantly, Bill C-12 will create a powerful tool to protect and empower consumers online. The bill establishes a framework under which businesses must notify customers when their personal information has been lost or stolen. Canada's Privacy Commissioner has long called for a legislative approach to data breach notification. In 2007, her office published voluntary breach notification guidelines, but she has expressed concern that not all businesses are reporting data breaches, nor have all organizations taken appropriate security precautions to protect their holdings of personal information.
Bill requires organizations to notify individuals in cases where a breach poses a real risk of significant harm, such as identity theft or fraud or damage to reputation. The Privacy Commissioner will also be informed of any material breach, thus allowing her to exercise oversight of compliance with the new requirements. Consistent with her current compliance powers, the Commissioner will be able to publicly name organizations that fail to meet their obligations if she feels this is in the public interest. This is a powerful inducement for organizations to act in good faith. In fact, we have seen this power compel change in the practices of well-known social media companies such as Facebook and Google. Several high-profile data breaches in the past several years, such as those experienced by Sony and the large e-mail marketing firm Epsilon, have underscored the need to pass this bill and its new notification requirements quickly.
The bill also includes enhancements to the consent provisions designed to protect the privacy of minors online. Research shows that children may not have the capacity to understand the consequences of sharing personal information. Not all marketing activity directed at children is inappropriate; however, some online services surreptitiously collect personal information about children in an environment that is often designed to look like playgrounds or educational websites. Therefore, Bill C-12 requires organizations to make a reasonable effort when collecting the personal information of minors to clearly communicate why it is being collected in a way that would be understood by the target audience.
We believe these changes are an important step towards ensuring that our privacy legislation continues to protect Canadians.
Thank you for the opportunity to come before the committee today. My colleagues and I would be happy to take your questions.