The Privacy and Security Partnership

The International Security Managers Association Conference

Montreal, Quebec
June 25, 2007

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)
Media reports often refer to me as a “privacy guardian,” but it seems to me that everyone in the room deserves this title.

More and more, privacy advocates are coming to realize that good security is absolutely critical to good privacy. When security fails, the privacy of potentially thousands of people, even tens of thousands of people, is at risk.

As security experts, you have a vital role to play in protecting privacy. We are partners in this task.

It is clear that your task of ensuring the privacy of your company’s customers – and ultimately the reputation of your company – is more and more challenging.

In both Canada and the US, we’re seeing increasingly sophisticated online attacks by cyber criminals and the proliferation of identity theft. The post-Sept. 11 security environment is raising issues for the protection of personal information as new government measures turn many businesses into information-collecting agents of the state.

Businesses must take both security and privacy seriously. Many companies do recognize the importance of adequately safeguarding personal information. Still, headline-making data breaches and a recent poll showing a significant number of businesses haven’t provided employee training on Canada’s privacy law suggest there’s more work to be done.

Close cooperation between countries – especially neighbours such as Canada and the US – is also an important factor in ensuring the best-possible data protection.

I’d like to talk about these privacy challenges in a bit more depth, but first allow me to offer a quick explanation of Canada’s privacy laws and my role in enforcing them.

The Canadian Approach

Canada’s first stand-alone privacy legislation, the Privacy Act, deals with privacy issues in the public sector and has been in place since 1983. It was largely inspired by the US Privacy Act. However, unlike the US law, Canada’s legislation created the job of a Privacy Commissioner – an ombudsman who reports directly to Parliament and oversees the application of the Act.

I understand there has been talk recently of updating the US law. Our own Privacy Act was not designed with the digital age in mind and is desperately in need of reforms – a message I give the federal government every chance I get. Unfortunately, years of urgent calls for a Privacy Act overhaul have been overlooked. We’ll keep pushing for this.

Canada’s private-sector privacy legislation – the Personal Information Protection and Electronic Documents Act, or PIPEDA – began coming into force in 2001. It now covers virtually all commercial activities in Canada, with the notable exception of provincially regulated businesses in a few provinces which have passed their own similar privacy legislation.

With PIPEDA, Canada has taken a different approach than the US. Americans have addressed private sector privacy on a sectoral basis, adopting specific laws on, for example, financial privacy, children’s online privacy and, more recently, pretexting issues.

PIPEDA sets overarching ground rules for how businesses may collect, use or disclose information about people in the course of their commercial activities. It outlines fair information principles that businesses must follow, such as seeking consent and using adequate security safeguards.

People who feel companies are not living up to PIPEDA's requirements can complain to my Office and we will investigate. At the moment, for example, we are investigating the TJX breach, which affected both Canadians and Americans.

Our approach is to try to resolve problems through mediation. Some people hear the word ombudsman, and they assume I am toothless. This is not the case. Yes, we try persuasion first and we conciliate what can be conciliated. But if a company refuses to follow our recommendations, we go to Federal Court to seek an order forcing them to comply. Not surprisingly, we’ve found that the possibility of court action is an extremely persuasive tool – virtually everyone complies with our recommendations.

We also work to avoid problems that lead to complaints with proactive public education initiatives, funding of privacy research, and audits of businesses to verify compliance with the law.

The Value of Personal Information

The way we think about the protection of personal information has evolved over the decades.

In the 70s and 80s, with the advent of computers, the focus was on government collecting more and more information about citizens – leading to the birth of the Privacy Act and other public sector pieces of legislation around the world.

In the 90s, the Internet began to take off and we started talking about the information economy. We understood that personal information was becoming more and more valuable to business – raising new threats to privacy – and we responded with PIPEDA.

We are now entering another era for data protection. We are beginning to recognize just how valuable names, birthdates and other personal information are to crooks. Identity theft is being called the crime of the 21st century and online scams such as phishing are multiplying.

You, as security professionals, have a starring role to play in this new age of data protection.

New Threats Facing Business

Information technologies are providing businesses with the means to collect, use, analyze and store far more personal information than ever before. Those growing mountains of information create the risk for ever-bigger data breaches.

The theft of just one US Veterans Affairs laptop compromised the records of 26 million veterans. The TJX breach involved the theft of at least 45.7 million credit and debit card numbers. These kinds of numbers were unimaginable not too long ago.

Attacks are also becoming far more sophisticated and threats are evolving daily. As we fix one problem, cyber criminals are finding another entry point.

Businesses are a key player in the fight to keep personal information from getting into the hands of identity thieves. Organizations need to start handling personal information as they would actual cash. After all, personal information is a goldmine for identity thieves and organized criminals. The complaints I receive suggest some organizations – small and large – have yet to adopt this kind of mindset.

My Office has prepared a number of documents, all available on our web site, to help businesses better protect personal information. For example, we have developed Guidelines for Identification and Authentication, which can contribute to the protection of privacy by reducing the risk of unauthorized disclosures. The guidelines are intended to help organizations devise methods of identifying and authenticating customers in ways that respect PIPEDA's fair information practices. At the same time they ensure compliance with its security provisions by providing the strongest protection for customers' personal information.

We are also working with the business community and privacy advocates to develop breach notification guidelines. These will be complete in the very near future.

Good Privacy is Good Business

I need hardly tell a group of security experts that it is in the best interests of business to get security right. But I do give this message to other corporate leaders every chance I get. Data breaches hurt the bottom line.

According to media reports, TJX has spent at least $25 million to deal with the fallout since it disclosed that hackers had cracked into its systems and stolen credit and debit card information. The company faces some 20 class action lawsuits, not to mention investigations in about 30 states, by the Federal Trade Commission and by my own Office, which is jointly investigating with Alberta’s Privacy Commissioner. Total costs to TJX could eventually exceed $1 billion, according to some technology analysts.

Consumers want strong privacy protections – and they’re willing to pay for it. A new study by Carnegie Mellon University found online shoppers will pay a premium to protect their personal information. The study found that, on average, people were willing to pay 60 cents extra on a $15 purchase when they were satisfied with a seller’s privacy policy.

The vast majority of businesses say they agree with the notion that taking privacy seriously is just good business. Sadly, this does not always translate into action.

A poll commissioned by my Office found a significant number of Canadian businesses have still not fully implemented PIPEDA’s provisions. The poll showed 16 per cent of businesses were in the process of implementing and, worse yet, 15 per cent were not even in the process of doing so.

Also alarming was a finding that only one third of all businesses have trained staff about their responsibilities under Canada’s privacy laws. Larger businesses are doing better on training, but still have plenty of room for improvement. Good training for employees is obviously a key factor in preventing privacy breaches.

Good privacy practices are the law in Canada. There is no excuse for businesses not to adopt a strong privacy framework.

Business and National Security

Another new challenge for business is the fallout from the terrorist attacks of 2001.

We are seeing a growing number of private-sector organizations deputized to collect personal information for the state. There has been a radical reshuffling of where we draw the line between the private and the public sector. Companies are being turned into agents of the state, something I believe is inappropriate.

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act, for example, calls for a broad range of businesses and professions, including banks, casinos and accountants, to collect information about clients and report information to FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada) – without the knowledge or consent of those clients.

What’s particularly troubling is that the legislation requires companies to collect personal information over and above what they actually need for business purposes. It also calls on them to make a judgment about what constitutes suspicious behaviour.

Privacy advocates agree with the need to combat money laundering and terrorist financing, but we don’t see such privacy-intrusive measures – which treat everyone as a suspect – as a good way to do this.

The Act requires my Office to review FINTRAC every two years and report the results to Parliament.

US Law Worries Canadians

Another post 9-11 law – this one in the United States – also continues to worry us, and a majority of Canadians, because of its impact on privacy in Canada.

The USA PATRIOT Act could lead to US-based corporations being ordered to acquire personal information held by their affiliates in Canada without revealing to those affiliates that they are taking the information.

Canadians don’t want personal information about them that is being held in Canada to be vulnerable to disclosure under another country’s laws. We have designed our own privacy standards, and those are the rules that must govern the handling of personal information within our borders.

PIPEDA requires organizations in Canada to provide appropriate levels of security for personal information. It also limits what can be done with personal information that has been collected in Canada. In short, organizations in Canada have a legal obligation to introduce security measures to prevent surreptitious access to their databases from outside Canada.

The USA PATRIOT Act also affects Canadians’ personal information when it is outsourced to companies in the United States.

PIPEDA doesn’t limit trans-border data flows, but it does require a company to inform customers that it may send their personal information out of the country and that while such information is out of the country, it is subject to the laws of the country in which it is held.

My Office has investigated a few cases related to transborder data flows.

In April, we concluded our investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative supplying messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.

We launched the investigation after an article in the New York Times alleged that, following September 2001, the US Department of the Treasury had used administrative subpoenas to access tens of thousands of records from SWIFT. The disclosed records included personal information originating from or transferred to Canadian financial institutions.

We found that SWIFT is subject to PIPEDA. Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law.

In this case, we found SWIFT did not contravene PIPEDA when it complied with lawful subpoenas served outside Canada by disclosing personal information about Canadians to the US Department of Treasury. PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates.

I believe, however, that there are more privacy-friendly ways for US authorities to obtain information about financial transactions with a Canadian component. I’ve urged Canadian officials to try to persuade their US counterparts to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.

An earlier investigation we conducted involved a number of complaints we received after the Canadian Imperial Bank of Commerce (CIBC) sent a notification to its Visa customers referring to the use of a US service provider and the possibility that US authorities might be able to obtain access to cardholders' personal information under US law. The complainants objected to the possible scrutiny of their personal information by US authorities.

We found the complaints were not well-founded. As I’ve said, when personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country. A Canadian firm outsourcing information processing to the US should notify customers the information may be available to the US authorities under a lawful order. This was what CIBC did.

Canada-US Relations in the Post-9-11 Era

The terrorist attacks in New York and Washington are also changing long-standing trading and social patterns between Canada and the US.

Besides the USA PATRIOT Act, we see US officials moving to adopt far more stringent identification requirements at the border under the Western Hemisphere Travel Initiative. The tougher scrutiny has meant huge traffic delays and has harmed trade between our very inter-linked economies.

The changes at the border are also having a human impact. My family has a farm in Quebec with a wonderful view of Vermont’s mountains. When my children were younger, we used to make an afternoon of popping over to Vermont for ice cream. We would whiz across the border with a quick flash of a driver’s licence. Those days are over – a sad development in the relationship of our two countries.

On a more positive note about cross-border issues, I am happy to report that my Office has developed very cooperative relationships with the Federal Trade Commission and other US government organizations with a privacy mandate. This is extremely important given the growing volume of personal information flowing between our two countries.

I expect my Office will see more and more investigations which straddle the border. The Federal Court ruled earlier this year in a case involving Abika.com, a US-based search services web site, that we have jurisdiction to investigate a company operating almost entirely in the US, but that targets or sells to Canadians. A case like this one, which we are still investigating, shows the importance of good working relationships with the FTC and other US counterparts, as well as the need to exchange information.

International Cooperation

Cooperation on trans-border issues is also important on an international level.

I have the privilege of chairing a Working Group of the Organization for Economic Co-operation and Development (OECD) Working Party on Information Security and Privacy to address the cross-border challenges to effective enforcement of privacy laws.

We are also involved with the Asia-Pacific Economic Cooperation (APEC) countries. The APEC countries commissioned a Data Privacy Subgroup to develop an Information Privacy Framework, which has been adopted by APEC Ministers.

Conclusion

In closing, let me say that I hope we’ll continue to see closer links developing between the privacy and security worlds. The topics I’ve touched on today give you an idea of the breadth and the depth of the issues before us.

Until recently, a lot of privacy advocates tended to think that those in the security field did not “get” privacy. But it is also true that those of us in the privacy world have only just started to understand security. The dialogue we are continuing today is more evidence that we are making progress.

Security is getting more respect in privacy circles than it used to. Big data breaches and increasing concerns about identity theft and related scams have put the importance of security into sharp focus. We need to work closely together.

With this in mind, I would like to invite all of you to attend the 29th International Conference of Data Protection and Privacy Commissioners, which we are hosting in Montreal this September. We’ll be talking about emerging privacy threats and possible solutions. It will be important to have security experts taking part in the discussions.

Thank you for inviting me to speak with you today. I hope we will have further opportunities to share ideas in the near future.