
Taking on the Privacy Challenges Ahead

7th Annual Privacy and Security Conference: Privacy and Security is Everyone's Responsibility

February 9, 2006
Victoria, British Columbia

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


Introduction

It is fitting to hold this conference in Victoria. After all, Victoria, or at least the office of David Loukidelis, very quickly became the epicentre of the Canadian debate about the transfer of personal information beyond Canada’s borders. I think we all owe a debt of gratitude to David for taking on this issue. In many ways, this examination of the privacy implications of transborder data flows in general, and the USA PATRIOT Act in particular, has become a seminal event in the debate about the appropriate treatment of personal information in our security conscious and fearful world.

Privacy and Security

Ensuring a place for privacy in the public policy debates of the 21st Century is the challenge we all face. The intersection – or perhaps, more accurately, the collision – between privacy and various commercial and security interests is central to our thinking.

One of the participants at a privacy session held at the recent World Economic Forum in Davos noted that privacy regulation cannot take place in isolation any longer. This is because the world is highly connected and countries are increasingly notional rather than physical entities. It is clear that, individually, we can play only a limited role in protecting this right. Ensuring a place for privacy requires strategic collaboration among the players – provincial, territorial and federal privacy commissioners’ offices, government departments and agencies, non-governmental organizations, international bodies, academics and concerned citizens. It is a collective effort. And we must bring it back on the political radar screen. As you know, privacy was not an issue in any party’s platform in the recent federal election.

Good investigative journalism also has a part to play in protecting privacy, awakening us to the risks posed by technology, governments and commercial interests for whom protection of personal information is just an added cost. I saw the value of investigative journalism first hand this past November when Maclean’s magazine reported that it had obtained my telephone records from a U.S. data broker. This happened in spite of comprehensive privacy legislation in the Canadian commercial world, unlike the situation which prevails south of the border. I know that the telcos complain about being over-regulated, and don’t want to be forced to maintain a higher privacy standard than that in the Personal Information Protection and Electronic Documents Act (PIPEDA), but it seems that they are having trouble even meeting that standard.

Upon learning of the Maclean’s report, the Canadian Radio-television and Telecommunications Commission (CRTC) wrote to the three major Canadian telecommunications players reminding them of their responsibility to contribute to the protection of the privacy of persons. The Commission requested that they outline the specific details of what occurred, the safeguards then in place, and any additional safeguards that have been or will be introduced. The CRTC is now looking at their responses. My own Office is also investigating the issues raised in the Maclean’s report, and so I cannot comment further at this time.

I can note, however, that both the U.S. Federal Communications Commission and the Federal Trade Commission recently called for bans on the sale of phone records. The U.S. House and Senate are both holding hearings on this issue as well, and we will monitor these hearings closely.

Today, I would like to remind you what my Office has to offer and to explain some of the new directions we hope to take. Those of you who know the recent history of my Office understand that I have spent much of the last two years dealing with “housekeeping” issues. We rebuilt our Office and created management structures to serve as the basis for administering programs and taxpayer dollars. We have attracted new and promising talent to our privacy team. Like my provincial and territorial colleagues, we also faced budget constraints. In short, our focus was on getting the Office back on its feet. With that largely resolved, we can now address with renewed vigour some very key privacy issues.

The Privacy Landscape

First, however, I want to remind you of the lay of the privacy landscape – or perhaps it is better called a battlefield. On that battlefield, the world has become a more dangerous place.

Stories of privacy disasters in the United States abound. You will remember the story last summer about the U.S. commercial data broker ChoicePoint, which was duped into releasing sensitive information on over 160,000 customers, including Canadians.

Canada has its own stories. Three years ago, an information management company in Saskatchewan found that a hard drive containing personal information on about one million Canadians had disappeared. At the time, some described this event as Canada’s greatest privacy disaster.

A short while ago, the media reported that anyone could go to the Rogers web site and learn details about another subscriber’s cable package simply by supplying a few bits of publicly available information. We have not received any complaints about this, but such a gap in corporate security is totally unacceptable. This, to my mind, constitutes reasonable grounds for an audit of Rogers, something we may yet decide to do.

Even where organizations take great pains, as they should, to protect the personal information entrusted to them, PIPEDA is being eroded by the reach of government into the private sector for personal information.

Since September 11, 2001, the Canadian Government has introduced a series of measures to strengthen its surveillance powers. The reach by government into private sector databanks to do surveillance on citizens blurs the distinction between the public and private sectors, leading to the potential use of private sector companies as agents of the state, often without the safeguards that are elemental in a democracy. Fears of terrorist attacks or impending pandemics provide superficially attractive, but not substantive, justifications for such intrusive powers.

There is another dimension of this issue that is perhaps even more troubling – the increasing acquisition of personal information by information brokers, and their apparent eagerness to provide that information to government agencies. Enter the era of business as agent of the state.

In the U.S., the Electronic Privacy Information Center (EPIC) reports that ChoicePoint has managed to attain a large share of the commercial data broker market. No wonder Canadians worry when they learn that their personal information is being shipped across the border to the U.S. Canadians have to be concerned about USA PATRIOT Act requests for information about them held by companies in the U.S. Perhaps even more important, they need to worry about data brokers building information empires and then acting as the willing providers of information to agents of the state. Will the data broker industry make it possible for agents of the state to sidestep search warrant requirements – that are fundamental to a democracy, we must remember – as long as the government can come up with the cash to pay a broker?

Enforcement

Do we in Canada need enforcement capacities similar to those of the U.S. Federal Trade Commission (FTC) or the Federal Communications Commission?

A couple of weeks ago I met with representatives from the FTC. I am encouraged by the dialogue that we are having with our U.S. counterparts and by the possibility of working together to curtail invasive practices at the ground level.

In the case I described earlier about disclosure of customer records to fraudsters, ChoicePoint had to pay the piper. Late last month, the FTC announced that ChoicePoint will pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement also requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes. It must also obtain audits every two years by an independent third-party security professional.

The Maclean’s article on the sale of phone records revealed that, contrary to my own expectations, industry standards here are not up to existing legal standards. We have long assumed that such things could not happen in Canada, where telecommunications companies have been subject to PIPEDA for the last five years.

With hindsight, I venture to say that security and privacy issues are not being taken seriously.

Several information and privacy commissioners in Canada have powers of enforcement. Whether such powers should be available to the federal Privacy Commissioner is still a matter of debate. But even without such powers, there is more we can do through the audit process.

As many of you know, section 18 of PIPEDA allows me, on reasonable notice and at any reasonable time, to audit the personal information management practices of an organization if I have reasonable grounds to believe that the organization is contravening the data protection provisions in the Act. I intend to make more use of this power and have requested significant new resources to do so.

Companies generally seem to pay attention to what we say when we investigate them in response to consumer complaints, and I expect that companies will do the same in response to our audits.

New Vision for the Office of the Privacy Commissioner

Each of us has a role to play in this process of protecting personal information. My Office recently went through an exercise in assessing where we needed to go to protect and promote this right – a “vision” exercise. The document that resulted is part of the business plan we presented to Parliament in the fall. We identified four major directions for the Office.

First, we want to strengthen our capacity to address the needs of Parliament – both the Senate and the House of Commons – by supporting the work of parliamentary committees reviewing privacy legislation, policies and initiatives. That means increasing our capacity to analyze legislation and bills with significant privacy implications. It also means developing our capacity to review government and private sector policy initiatives and practices.

We intend to contribute substantially to this year’s planned parliamentary review of PIPEDA, and to the eventual review and reform of the Privacy Act.

Addressing the needs of Parliament also means helping to educate parliamentary staff – Library of Parliament and caucus researchers, for example – and surveying the impact on privacy of trends and issues, then reporting to Parliament.

Second, we need to strengthen our ability to influence changes in attitudes and behaviours within the Canadian commercial sector so that commercial organizations not only comply with, but even exceed, the principles enshrined in PIPEDA. We intend to do this by several means, including working with business, industry and professional associations on privacy guidelines, standards and self-assessment tools, and by promoting exemplary practices in privacy protection and personal data management practices. This also means getting the laggards in the commercial sector – some banks spring readily to mind – to educate their employees about the importance of privacy and how to protect it.

They have not done so enough, in my view, and there have been too many lapses of security of personal information as a result. Organizations that have been covered by PIPEDA since its first phase came into force in 2001 no longer have any excuse for failing to bring their privacy practices up to snuff. I am particularly concerned that organizations covered by PIPEDA since 2001, and the banking sector is not alone, seem to be so vulnerable to employee misuse of customer personal information. Has training been neglected? Are supervisory procedures deficient? Does no one check the data trail periodically?

With increased resources, we will be able to explore these issues in an audit. In fact, I have recently seen many reasonable grounds for an audit in several organizations.

Along with an expanded audit role, we are developing an enhanced capacity for policy research. Equally important, given the interprovincial and transborder nature of commercial activity, we will work with our provincial and territorial counterparts to offer Canadians a harmonized privacy regime. We will contribute to establishing workable international privacy protection standards.

Where warranted, we will serve as a catalyst for privacy jurisprudence by bringing significant test cases to the Federal Court. A complaint that is determined, after an investigation, to be well-founded must not go without redress. A finding of well-founded involves suggested remedies and the organization is given 30 days to accept them. If the organization refuses to rectify the problem, we are prepared to take the case to Federal Court. I'm pleased to say that, up to now, all but one have decided to follow our recommendations. And we are pursuing that matter in Federal Court.

My Office also needs to improve its investigation process and strengthen its capacity to deliver more well-targeted public education and communications to Canadians, on issues of national significance – identity theft, for example.

Finally, my Office wants to reinforce its ability to promote change in the federal government’s privacy management framework. That means increasing our audit and review capacity to ensure better coverage of federal activities involving privacy, reviewing Privacy Impact Assessments and working with central agencies and departments to ensure that privacy is integrated into what is known, in government-speak, as the Management Accountability Framework.

This vision is not some grandiose wish list. It simply reflects our mandate. We have operated under a disability, since we have not been permanently funded since the coming into force of PIPEDA in 2001. I am pleased to report that, in November 2005, we presented our budget submission to an all-party House of Commons panel. The panel received our submission positively, and we are confident that we will receive a substantial increase in funding, and that the funding will be approved by the new Parliament.

Legislative Reform

Legislative reform also has to be part of the mix. The Privacy Act is long overdue for an update. It was crafted in the era when trans-border data flows consisted almost entirely of shipping goods, reel-to-reel tapes or paper, not digital bits. Privacy has fared somewhat better with PIPEDA because it was drafted with an awareness of today’s more technologically sophisticated environment. However, in general, Canadians’ privacy rights are seriously hobbled by the existing legislative framework for the federal government’s use of their personal information.

But that is a topic for another day.

Conclusion

Inadequate attention to privacy carries many costs – costs to Canadians in terms of their privacy (and possibly even their identities), costs to companies in terms of their customers, and costs to governments in their relationships with the citizens who elect them.

Canada has a proud tradition of upholding the rights of its citizens. This does not mean sacrificing our standard of living. It is possible to combine both under a regime of adequate privacy and security standards. It will be the job of my Office to make certain that we uphold these rights. If necessary, and I hope it will rarely be necessary, we will show our teeth to get things done.