Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Response to the OPC’s Online Reputation Discussion Paper (Canadian Marketing Association)

Canadian Marketing Association

August 2016

Note: This submission was contributed by the author(s) to the Office of the Privacy Commissioner of Canada’s Consultation on Online Reputation.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

The Canadian Marketing Association (CMA) commends the Office of the Privacy Commissioner (OPC) for taking on the task of analyzing the implications of online reputation and how digital footprints can have an impact on individuals’ privacy. We are pleased to offer commentary on the Online Reputation Discussion paper released by your office in January 2016.

Shaping and maintaining one’s reputation is a phenomenon that is social in nature, and happens both online and offline as people naturally share, communicate, and inevitably make judgments about others. Nowadays, individuals have more ways to connect with one another than ever before, and this inevitably changes the way society creates social bonds and the way it behaves.

Before addressing some of the ideas presented in the discussion paper, it is important to mention from the outset that online reputation is not entirely about privacy. This subject cannot be examined only through a privacy lens as there are other considerations that go beyond the privacy aspect, including social norms, personal safety, etc. Moreover, the publication and public availability of some personal information is the result of a range of laws and practices designed to achieve particular public policy objectives related to such broad subject areas as public awareness of key developments, the openness of judicial processes and the freedom of expression. Accordingly, the CMA submits that any material change to the legal framework for the management of online reputation would require targeted legislative change, following a broad policy dialogue among government, consumers and all industrial sectors.

For the purpose of this submission we will focus solely on the privacy implications of online reputation. CMA would like to address the following questions which are outlined in the document:

Who are the key players and what are their roles and responsibilities?

The OPC has an important legislative mandate to promote public education, digital literacy, and critical thinking, in addition to playing a role in helping develop individuals’ awareness on what information is appropriate to share. CMA encourages the OPC to collaborate with organizations with expertise on this subject and related privacy issues and to help them fund and organize educational events. It also encourages it to form partnerships with key industry organizations and the Canadian education boards to work together and develop a school curriculum on digital literacy. This would be an extremely beneficial educational opportunity for young students who are nowadays introduced to technology at early ages; just as students take courses to learn to drive a car, they should also learn about the rules and consequences of the online world, and how to mitigate its risks.

Organizations have an important role to play in protecting and educating consumers on their privacy rights and responsibilities. Sometimes this leads to industry partnerships, in the form of best practices, which can be productive in enhancing current methods of protecting consumers’ online reputation. Reputable organizations consider it their responsibility to give their customers the information and basic tools necessary to protect their privacy. This is done, for example, through giving consumers options on controlling their own privacy settings and providing explanatory notes on how to do so. They also have a responsibility for being transparent with customers in all interactions, including when explaining when and how data and personal information about them will be used.

In the workplace, employers also have an important role to play in setting digital and social media norms among their staff. Many companies engage in training their staff on how to protect on social media not only the reputation of the organization, but also the personal reputation of individual employees. Nonetheless, any potential legislative developments related to the workplace should be dealt with by labour laws.

Finally, CMA believes that combined with education, individual responsibility also needs to be an important part of the conversation about online reputation. While organizations and the government have a responsibility to ensure a certain degree of protection to consumers in the online world, individuals also have a primary role to play in protecting themselves and their families. Much of the debate respecting online reputation focuses on self-posted or peer-posted personal information that is posted on social media platforms. These platforms include many controls to allow individuals to manage the availability and uses of such information. Individuals should empower themselves by understanding as much as possible about how to protect their online reputation. Parents in particular have an important role to play in protecting their children’s personal information. While every parent has their own ideas on what privacy means to them and their children and what they are comfortable with sharing online, at a certain point it’s necessary for each individual to assess the potential negative outcomes. This can be done through educating themselves about how certain technologies work and the potential ways in which their information could be misused by others.

Should there be special measures for vulnerable groups?

The CMA has long recognized that special consideration need be given to the collection, use and disclosure of personal information respecting vulnerable groups, and this is reflected in the CMA’s Code of Ethics and Standards of Practice. CMA Members believe that special attention needs to be given to the sensitive issues surrounding data-collection and marketing to children and to teenagers. See CMA’s guidelines on marketing to children and teenagers.

Children and teenagers, in particular, are increasingly exposed and reliant on the Internet, and are sharing a great deal of personal information on social media and other Internet based platforms. As discussed previously, protecting vulnerable groups starts with good educational tools and programming. This also feeds into the reality that over the long-term there is a need for some level of personal accountability; as children become teens and then adults they need to be better equipped to take this on.

It is important to note, once again, that PIPEDA already recognizes, through its consent provisions, that vulnerable groups need to understand the nature, purpose and consequences of the collection, use and disclosure of personal information. In addition, there are other frameworks like Human Rights Laws that also be relied upon to protect members of vulnerable groups from discrimination based on a number of prohibited grounds that could arise from the online reputation of an individual.

What practical, technical, policy or legal solutions should be considered to mitigate online reputational risks?

As we discuss some of the facets of online reputation, we also need to consider what are acceptable norms in our society today. How have they changed over the last ten or twenty years, and are they bound to change in the next few years?

Also, we need to have a closer look at how information gets posted online. What are the avenues through which information about individuals ends up online and what are some of the ways that individuals could control that information? CMA notes that many tools to manage online reputation already exist, particularly in social network environments, where a great deal of personal information may be self-posted. For example, if someone posts a photo on a social network, are they aware that they can adjust their privacy settings to manage which social network users can see that photo, or whether the photo may be viewable by non-users or search engines? Before considering potential new tools and approaches to managing online reputation, we must first examine the inventory of tools that are already available, how they are used and how aware users are that these mechanisms are available to them. These are just some of the questions that we need to consider as we propose and devise potential new solutions.

Can the right to be forgotten find application in the Canadian context and, if so, how?

The CMA notes that Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) already establishes a workable framework for the management of online reputation based on a fair information practices approach, imposing a number of relevant obligations on organizations that collect, use or disclose personal information, as well as creating relevant rights for individuals relevant to the treatment of their personal information. For example, the law already includes the following important rights and obligations:

  • A consent framework that restricts the collection, use and disclosure of personal information to the parameters of consent provided by the affected individual
  • The requirement that an individual must be able to understand the nature, purposes and consequences of such consent
  • The right of individuals to withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice
  • The requirement that collection of personal information be limited to that which is necessary for the purposes identified by the organization
  • The requirement that personal information be collected by fair and lawful means
  • The requirement that personal information be retained for only as long as necessary for the fulfilment of the identified purposes
  • The requirement that personal information be as accurate, complete and up-to-date as is necessary for the purpose for which it is to be used
  • The right of individuals to access personal information that organizations hold about them, and the right to challenge the accuracy and completeness of such information

Organizations already have policies in place to ensure compliance with these and other requirements of PIPEDA, and to the extent that some do not, investigation and enforcement processes are available to promote compliance. As mentioned in the discussion paper, many online websites and services have long-established policies and procedures for addressing information that users or administrators no longer wish to share or have displayed, for example, the ability to delete an individual’s own posts upon request, or the ability to remove user comments that violate privacy policies or terms of use.

The CMA submits that while a consistent application of this existing framework would go a long way toward addressing many of the issues identified in the discussion paper, the law stops short of providing a legislative basis for the imposition of a true RtbF. In the CMA’s view, this is appropriate, and strikes the right balance between a myriad of factors, including individual privacy, social norms, business needs, the reasonable expectations of users and freedom of expression.

The CMA notes that the implementation in Canada of a RtbF would raise significant issues with respect to the guarantee of freedom of expression contained in the Canadian Charter of Rights and Freedoms. In this regard, the Supreme Court of Canada has repeatedly recognized that the guarantee of freedom of expression protects both speakers and listeners, and also applies to commercial expression. A RtbF would generally deprive listeners and commercial organizations in the interest of protecting individuals, creating a framework that inherently assumes that individual rights will always trump these other rights.

If this were to be the case, search engines and Internet users would be denied the benefit of an important constitutional right. Website publishes would be constrained in reaching audiences and internet searches would lead users and organizations to incomplete and less relevant information, with significant implications for personal, professional, commercial and public policy decision-making.

In fact, the CMA submits that a proper implementation of anything like a RtbF is much more nuanced and context-dependent, and must take into account an extremely broad range of social, economic and political interests. This is a fundamental question that goes well beyond the finite sphere of privacy law and policy. At worst, a RtbF could essentially amount to a legal right to rewrite or obliterate history or a deliberate action to limit the scope of potentially relevant information available to individuals, organizations and governments. This outcome would seem contrary to many other valid public policy objectives.

Moreover, the implementation of a RtbF may have a broader chilling effect on the public availability of information, motivated by the desire of industry players to minimize potential legal liability. Taking as a case study the European “model”, the onerous responsibilities of assessing and deciding upon the merits of requests to access information, and the added costs to develop and implement an appropriate policy, are left to search engine operators and not to the original publisher. Facing uncertain liability, search engine operators may err in favour of removing information upon request, even if the public has a legitimate right to know. The original publisher, it seems, ought to be the more appropriate target for correcting, updating, or removing irrelevant, incorrect, or excessive information.

As noted above, PIPEDA already imposes a number of relevant obligations on organizations, and gives individuals a number of important rights, including the right to access their personal information and to “challenge the accuracy and completeness of the information and have it amended as appropriate”. As such, a RtbF where search engine operators would become responsible for protecting and removing an individuals’ personal data is not necessary in Canada. In cases where someone’s private information is posted online without consent on websites that host illegal content (i.e. those infringing intellectual property or displaying libelous or criminal information), in addition to the avenues of recourse noted above, individuals also have the legal right to make a complaint to the OPC.

Moreover, Canadians also have additional rights and protections through other pieces of legislation and legal remedies, for example the right to limit the use of their image online, and to protect their reputation through copyright and defamation laws.

In conclusion, CMA strongly believes that PIPEDA already considers many of the issues analyzed in the discussion paper, so further legislation should not be introduced. Instead, the available tools that PIPEDA provides/allows for should be emphasized through the key players and education components mentioned above. While there is no gap in the law in this area, the gap which may exist would be due to a lack of awareness of the protections that PIPEDA affords to all Canadians in this space.

Sincerely,

Wally Hill
Vice President, Government & Consumer Affairs
Canadian Marketing Association

About the CMA: The Canadian Marketing Association (CMA) embraces Canada’s major business sectors and all marketing disciplines, channels and technologies. The CMA programs help shape the future of marketing in Canada by building talented marketers and exceptional business leaders and by demonstrating marketing’s strategic role as a key driver of business success. The Association’s members make a significant contribution to the economy through the sale of goods and services, investments in media and new marketing technologies and employment for Canadians. Against this backdrop, the Canadian Marketing Association is the national voice for the Canadian marketing community, with CMA’s advocacy efforts designed to create an environment in which responsible marketing can succeed.

Date modified: