A New Era at the OPC: Some Early Insights into the Strategic Orientations of the Office

Remarks at the Lexpert Information, Privacy and Data Protection Conference

Toronto, Ontario
November 27, 2014

Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch

(Check against delivery)

---

You have asked me to speak about the OPC’s priorities and perspectives under the new federal Privacy Commissioner. So let me try to give you a few insights as I see them so far. 

Now almost six (6) months into his mandate, the “new” Privacy Commissioner has stayed true to the vision he affirmed when he appeared before the Standing Committee on Access to Information, Privacy and Ethics on June 3, 2014 as nominee for the job, just a few days before his appointment.  The goal of his actions, and his overall priority, would be to work on the factors that can enhance the level of control individuals have over their personal information.

He has also said that he would like to build on the international and Federal Provincial and Territorial (FPT) relations established by his predecessor, recognizing how fundamentally important it is to further collaborate with our counterparts around the world if we stand any chance of curbing privacy threats that have become global both in nature and scope. 

In terms of style, the Commissioner has signalled a very consultative approach, affirming how important it is for him to hear from a broad range of stakeholders so he can orient the privacy priorities of his Office over the next five years or so, in a manner that aligns with what is truly most relevant and of concern to Canadians. 

These early strategic orientations have already manifested themselves in several ways over the past few months, which is what I would like to share with you today. 

1. Helping improve individual control over their personal information

What are some of the factors that can improve individual control over their personal information?   Such factors can include: giving individuals more meaningful choices over what information they give up and for what; imposing clear outer limits on collection and uses that can be made of personal information; being transparent with Canadians about what is done with their personal information; and, increasing Canadians’ knowledge about new emerging technologies so they can be well informed of the privacy implications before readily adopting them.  

Let me give you a few examples:

Choices:  A recent investigation into the personal information management practices of Apple helps illustrate very well how we can work to increase meaningful choice.   In this case, an individual complained about the information he was required to provide in order to download free apps, including oddly enough, credit card information.  On investigation, we found that although Apple’s website support section did contain instructions for downloading free apps without providing payment information, this could only be found by entering the search term “credit card”.  We reviewed hundreds of comments from frustrated users in an Apple open forum who could not figure out why they needed to provide credit card information if all they wanted were free apps!  In the end, we found that the available option to download free apps without entering credit card information was not nearly evident enough and we recommended Apple make it clearer at the point of registration.  Apple agreed to implement our recommendation.

Limits: An example of how we try to enhance individual control by setting outer limits on the collection and use of personal information is our recent Position Statement on the use of genetic test results by life and health insurance companies.  In it, we call on the industry to refrain from asking applicants to provide genetic test results until the industry can clearly show these tests are necessary and effective in assessing actuarial risk.  Right now, the industry position is, if an individual has undergone a genetic test and obtained results then he or she must provide those results to the insurer to equalize knowledge on both sides of a good faith contract.  But people may undergo genetic tests for myriad purposes, including genealogical purposes, ancestry, parental testing, familial planning, experimental or recreational purposes online, many of which have little if any actuarial relevance.  Whereas the industry says, “hand it all over to us, and we’ll decide what’s relevant or not”, we say, “unless it can be shown to be relevant upfront, then it should not be provided in the first place”.

Transparency:  In terms of being transparent with Canadians about what is done with their personal information, our Office has recently published guidance and tips for organizations on how to develop more effective online privacy policies for users.   On the public sector side, we have called on government to be more transparent with what is done with Canadians’ personal information by publicly reporting in aggregate form on the numbers of access requests made by law enforcement to private sector organizations. In his recent appearance on Bill C-13, the Commissioner expressed deep concern with the fact that several months after R. v Spencer, Canadians are still in the dark about what can happen with their personal information.   He urged Parliamentarians to put an end to this state of ambiguity and clarify what, if anything, remains of the common law policing powers to obtain information without a warrant, post Spencer.

Knowledge: Increasing Canadians’ knowledge about emerging technologies can help them become better informed of the privacy implications before too readily adopting them.   On the research front, our Office remains committed to staying ahead of the curve so we can disseminate knowledge about emerging trends to help Canadians better understand the novel privacy issues associated with new technologies and make informed choices.  For example, we just recently published a research paper on wearable computing as well as a legal and technical analysis of meta data.  Through our Office's 2014-15 Contribution Program we have funded projects on the connected car; analysis of online payday lenders’ privacy policies;  security options for mobile health apps for seniors with chronic diseases; online privacy app for kids; and, open badges for privacy education with Canadian youth. 

2. Building International Collaborations to address Global Privacy Risks

A second strategic orientation of the new Commissioner is to further build on the Office’s collaborations with its provincial, territorial and international counterparts in order to establish a more common front against global privacy threats.  Since his appointment, the Commissioner has had the opportunity to attend his first International Data Protection Commissioner’s Conference in Mauritius this summer.  There, he co-chaired a working group of data protection authorities from around the world that endorsed a historical Global Cross Border Enforcement Cooperation Arrangement. This arrangement sets out ground rules for the sharing of confidential information between them, thereby facilitating and coordinating their enforcement efforts.   Absent this arrangement, we would have had to continue to develop bilateral or multilateral agreements with dozens of authorities on an ad hoc basis.

While in Mauritius, the Commissioner also signed onto International Resolutions on Big data and the Internet of Things, signalling a universally held commitment by the data protection authorities worldwide not to stop innovation, but to help enable its progress in a manner that is respectful of peoples’ privacy. 

Face-time in Mauritius also allowed reinforcement of the international relationships and collaborations needed to lay the groundwork for successful future joint initiatives, such as the planning of the next international Global Privacy Enforcement Network (GPEN) sweep. Stronger relationships also allow for quicker and more agile global responses to major threats as they arise.  Just last week, an urgent joint letter was sent to the operators of Insecam, a website that emerged out of nowhere to show live video footage from internet connected cameras operating with the manufacturers’ default username and password.  While the website states that its operators’ intention is to raise public awareness by demonstrating the importance of changing security settings for surveillance cameras, its decision to show online live video footage of unsuspecting individuals inside the sanctity of their homes without their knowledge or consent, in itself poses a serious threat to individuals’ privacy. This was further heightened by the inclusion of precise geographical location information of people around the world.  The data protection authorities of Canada, BC, Alberta, Quebec, Australia, Macao, and UK were able to mobilize quickly and jointly called on the operators to close down the website. The operators have since taken down some of the webcams, and the situation continues to evolve.

3. Stakeholder engagement across the country

In keeping with his consultative approach, the Commissioner in the first few months of his mandate, held meet and greet sessions with private sector stakeholders in Toronto and Ottawa.  He also met with civil society and many of the major government departments.  In the coming days, he will be meeting with academics in order to consult them on emerging issues and the strategic directions of our research Contributions Program.

The Commissioner has also announced plans to engage with stakeholders across the country to help inform the identification of policy priorities for the next five years.  This includes broadening the scope of stakeholders beyond the usual to include various consumer groups, as well as public opinion polling and focus groups with Canadians!

The purpose of this exercise is to identify those strategic areas which pose the greatest threat to Canadians’ privacy and in which the OPC is likely to have greatest positive impact over the next five years. These priorities will help focus the OPC’s efforts and guide discretionary resource allocation decisions in order to increase chances of making a real difference. 

This exercise will serve to renew the former priorities that served the office well over the past seven years, namely: public safety, information technology, identity management and genetic information. 
In choosing new priorities, we will be taking into account the following considerations:

1. The intrinsic importance of the issue:
1. Is the issue national or international in scope?
2. What is its relative urgency?
3. Is it relevant for Canadians?
2. The OPC’s role and possible contribution:
1. Is it within federal jurisdiction?
2. Is it well-aligned with the OPC’s mandate?
3. What type of leadership is needed?
4. What is the potential for advancing privacy protection?
5. Is it relevant to both the public and private sectors?
3. The practicality issues:
1. Is the OPC likely to have a meaningful impact?
2. How feasible is it to achieve results within five years?
3. What is the OPC’s commitment to date on this issue?

Some potential themes for future priority areas include, as examples:

Government services and surveillance: Government is adopting new technologies and increasing information sharing between different departments, levels of governments and in some cases private-sector organizations, in a bid to improve programs and modernize service delivery to Canadians, while those same technologies are used to conduct more surveillance for program integrity, public safety and national security purposes.  But at what point does enough, become enough, from a privacy perspective?

Economics of personal information: Online, there are innumerable services that we can access for “free” (e.g., email, search engines, and social media sites). The unstated business models underlying these transactions are premised on users trading their personal information (i.e. usage, contacts, interests, surfing experience etc.) for benefits or access to services. In essence, personal information has become a commodity—and finding ways to profit from our information has become big business. But what happens when privacy-protective alternatives become less readily available, either at exorbitant prices or get pushed out of the market altogether?

Reputation and privacy: The Internet has had a profound impact on personal reputation management.  We ourselves create our online reputation by posting social media profiles, photos, online comments, etc.  Our digital trails can also paint a picture of us, sometimes unbeknownst to ourselves, and others can shape our reputation as well. Once personal information makes its way online in one context, it can be extremely challenging to remove it or keep it from being used in different contexts.  Though we grow and change over time, unfortunately the personal information we post online does not.

The Body as Information: The information generated by our bodies is uniquely personal, and as such it can be highly sensitive. As more and more information about our bodies is collected and digitized through wearable computing devices and connected with other online and offline information about us, the impacts on privacy can be profoundly game-changing.  While we may seek out this information for our own medical or recreational purposes, what are the implications for our future insurability or employability?

Strengthening accountability and privacy safeguards: As more and more information is collected, processed and stored electronically, organizations must take responsibility for their personal information management practices.  They will have to find continually novel ways of updating privacy practices and security safeguards to protect themselves effectively against the growing proliferation of threats of loss, theft or misuse of information.  Accountability and governance measures will become more important than ever.

Protecting Canadians in a Borderless World: In a globally networked and integrated economy, personal information and data can move quickly and effortlessly around the globe, including in countries that have weak privacy protections or none at all, potentially compromising the privacy of Canadians abroad.  How can we effectively protect personal data flows in a virtual world that knows no checks or borders?

We hope to have identified new priorities by the end of March 2015.

Conclusion

While the footings for the next era at the OPC are being set, there are likely to be strong cross-winds ahead. Enhancing the factors that contribute to individuals having increased control over their personal information will be particularly challenging in a world where the odds are stacking up against it.

In a world of big data, there is a growing plea to challenge the very fundamental principles that underlie most data protection laws. Some leading thinkers have begun calling for revision of the traditional fair information principles reflected in the Organisation for Economic Co-operation and Development (OECD) Guidelines that were created in far simpler times.  They question the continued application of consent and purpose specification principles in a world of big data where the amount of data has increased to mind-boggling proportions and where powerful algorithms operate by automation to detect and reveal patterns for yet unknown purposes. 

The tide of national security and law enforcement is necessarily going global.  Writing for the majority of the Supreme Court of Canada in Wakeling v. United States, Moldaver J. recognized the inevitability of this general direction: “Multi-jurisdictional cooperation between law enforcement authorities furthers the administration of justice in all of the jurisdictions involved.  It must not be forgotten that Canada is often on the receiving end of valuable information from foreign law enforcement authorities...Inter-agency cooperation is critical to the prevention, detection and punishment of cross-border crime.” 

Even the “right to be forgotten,” recently recognized by the European Court of Justice and heralded as the ultimate backstop for exercising individual control over one’s personal information, is proving to be challenging to apply.  From a practical perspective, the Googles of the world are now charged with making difficult determinations about when personal information has become inaccurate or inadequate, irrelevant or excessive. Already there is talk of possible user work-arounds by searching with Google.com vs. Google.uk for instance thereby defeating the very purpose of the European decision. From a more fundamental perspective, how do we brace ourselves for the rocky collision with other fundamentally important societal values also in need of balanced consideration — like access to information, freedom of expression, truth-seeking and historical integrity?

Enhancing the factors that can strengthen individual control over their personal information will not be an easy mission.  It will require thoughtful, creative solutions to meet innovation on par with innovation.  Far from being an impediment, privacy can actually enhance consumer confidence needed for a digital economy to thrive and the trust needed for governments to serve their citizenry.  

It will require greater openness and transparency on the part of organizations and governments in order for individuals to know what the rules of the game are and to make discerning choices about how to play, or whether to even play at all. 

And finally, it will require stronger resolve than ever on the part of data protection authorities to protect that minimal zone of privacy around each one of us that must be jealously guarded from commercial hands and state eyes.  Our private thoughts and actions should never be reduced to mere commercial products for companies to profit from nor always presumed to constitute potential threats for the state to act on.  Rather, they should continue to be protected as forming part of the fundamental freedoms which go not only to our autonomy, but also, our very dignity as human beings.