Evidence of meeting #46 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

  • Sara Grimes  Assistant Professor, Faculty of Information, University of Toronto
  • Tamir Israel  Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
  • Adam Kardash  Managing Director and Head of AccessPrivacy, Heenan Blaikie

Noon

Conservative

Patricia Davidson Sarnia—Lambton, ON

Thank you very much, Mr. Chair.

Thank you very much to each of our presenters today. This is an extremely interesting topic that we're studying here. Your input today I think raises a lot more questions and concerns that we need to address.

In particular, Ms. Grimes, you talked about some of the sites for kids and about some of the things that are available for kids. I think you said that their privacy rights can be infringed upon for commercial gain by some of these companies. You talked about other countries having safeguards. Some areas have a ban, for those who are younger than 13 years of age, with respect to whether or not they can be on these sites.

I agree, I think the consents that are required are totally inappropriate for kids. I think they're totally inappropriate for adults in most cases as well. I just fail to understand how anybody can be assured that just because there is a ban on children under the age of 13 that this ban can be enforced. I mean, anybody can say they're 13 years of age or over. If a kid is determined that they're going to go on this site because their peers are or for whatever reason, then they're going to indicate that they're over 13. I think it's just a ludicrous thing to even think that it could give anybody any type of comfort.

I'm wondering if you could talk a little bit about the other countries. You talked slightly about the U.S. and some of the safeguards they have in place. Are there other things in other countries we could look at?

As well, do you have any examples of social networks where children are specifically targeted and perhaps being used for commercial gain? And do you think kids themselves are concerned about their privacy rights?

Noon

Assistant Professor, Faculty of Information, University of Toronto

Dr. Sara Grimes

There have been some developments and some recommendations in the EU. I'm not up to date enough on that to know where they are in that process. They did a huge study in the EU, which ended recently. Academics and a number of government agencies studied these types of issues with kids of various ages online in something called the EU Kids Online project. After the reports came out, I know that discussions started about industry guidelines and implementing new guidelines and implementing potential regulations. Where they are in that process, I'm not entirely sure, but that would be one place to look. I know they have been considering it, and they've also grounded a lot of what they've been doing in research, which is great.

In terms of examples of children being specifically targeted and used for commercial gain, one of the big problems of studying this area and these processes is that there's a lack of transparency. Data is collected and you can read the terms of service and you kind of see the data coming out in different places, but it's not always clear what the links are and how data is being transferred and how it's being used. The examples I've looked at to see how this process can work tend to be sites that actually sell the data to other companies and that are quite open about selling the data to other companies. They function as a social media space, but they also do data-mining and data-brokering in-house.

An example from a few years ago was that of Neopets, which is an online community for kids. They sold the market research they had done to various different companies and had an annual report in AdAge, which is a big advertising industry trade publication in the U.S. They would include surveys and pretty easy-to-identify market research strategies within the site.

A more recent example is Habbo Hotel, which is based out of Finland but is popular all around the world. Most of the people who use it are between the ages, I think, of 13 and 18, but they do have a significant number of users who are 11 to 13, as well. They offer a similar type of service, called Habbel, through which they package data and sell it to other companies. Through that service, companies can also hire them in advance to sort of spy on conversations that kids might be having about a particular product, and tell them not just what the kids are saying about the product but the larger context within which that conversation emerges—what kinds of likes those kids have, what areas of the site they are gravitating towards, what other things they talk about, what time of day they are there, where they plan to go after if they plan to meet up in real life, because a lot of kids who meet and communicate in social media actually do know each other in real life and go to the same schools and that kind of thing. It can be very detailed information.

The only reason we know how detailed they are and we know about these kinds of processes is that they're openly selling the data. But in many cases they're not selling the data. They're keeping it or they're selling it through more covert means, so it's not as obvious what's happening to it.

Are kids concerned about privacy? Definitely. There's been a lot of talk about the different concepts of privacy that kids have. I think this comes back to Mr. Andrews' comment earlier about kids being born in this age of Facebook, and not knowing any different type of environment and having pictures of themselves online before they're even old enough to go online themselves.

They may have slightly different concepts of privacy, but a lot of them are very similar to traditional concepts of privacy. In study after study, what comes out the most is that they're most concerned with privacy infringements that impact them on an immediate level: friends infringing on their privacy or parents infringing on their privacy or perceiving that their parent is infringing on their privacy. These abstract forms are at a length. They don't seem to impact them on that day-to-day basis. They are dealing with these privacy issues in ways that we have yet to fully appreciate. They might not seem as concerned about these things, but oftentimes they just don't really understand how they're going to impact them and where. Frankly, because so many of us also don't understand how those types of privacy infringements are impacting us and where, we're worried about what might happen, but we're not completely seeing the consequences yet. It's more difficult to find out how they feel about that.

There is a new study of Canadian children and youth that has come out just recently and has explored these issues. Increasingly, kids are even able to articulate these concerns about abstract privacy infringement, which I think is a really important development. They're learning about it more, they're experiencing it more, and they're able to communicate more about how it makes them feel and whether they feel their rights are infringed.

The sad thing is that I'm not sure if they feel there's an escape, a solution, or an alternative. There certainly isn't one being presented to them right now.

12:05 p.m.

NDP

The Chair Pierre-Luc Dusseault

Your time is up, because it includes the question and the answer.

Ms. Borg, you have five minutes.

June 19th, 2012 / 12:05 p.m.

NDP

Charmaine Borg Terrebonne—Blainville, QC

My thanks to the witnesses for being here today.

My first question goes to Mr. Israel. According to what I have read, when the commissioner makes recommendations about a privacy protection policy, some companies completely change their platforms so that the recommendations become redundant.

Could you comment on that? Could that justify the argument that the commissioner needs more powers to impose financial penalties?

12:05 p.m.

Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

Tamir Israel

Thank you. It's a very good question.

I think that in many contexts we do get a good level of compliance from industry, but the problem is that sometimes in the social networking context and the Internet context, some of the mechanisms that it takes to comply with the Privacy Commissioner's recommendation take a while to implement—to develop and to put in place. We've seen this in the United States with the Federal Trade Commission in a number of the privacy complaints they've looked at. We've seen it in Canada a little bit.

The problem is that the mechanism we have in place under PIPEDA is not very well suited for the Privacy Commissioner to have ongoing control of that issue. Forty-five days after they implement their recommendation, they're faced with a decision on whether to take the issue to the Federal Court—to start from scratch and to do it in the context of a trial, which is not a very flexible context to be in when you're trying to do privacy governance—or to enter into really undefined arrangements.

In one case we had, it was basically almost a contractual arrangement that was entered into with the party. In the United States you're seeing similar things, where it's a settlement agreement between the Federal Trade Commission and companies to do certain things over certain years. But there are not necessarily a very clear enforcement mechanism and a process in place to deal with those types of compliance processes.

12:10 p.m.

NDP

Charmaine Borg Terrebonne—Blainville, QC

Thank you very much.

Are there cases when companies completely change their platforms in order to avoid implementing certain recommendations? Is it a problem?

12:10 p.m.

Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

Tamir Israel

I would say that it's a problem, yes, but part of the problem is that it's a two-tiered problem. These sites evolve at such a rapid pace that it's hard to.... You need something more flexible, so that the Privacy Commissioner can adapt. Six months in Internet time is a decade in non-Internet time, so what you need is a process for the Privacy Commissioner to be able to adapt, in an ongoing manner, what the intent of their principle is. Because what will often happen is that by the time the response gets implemented, it ends up doing the opposite of what it was intended to do, for example.

12:10 p.m.

NDP

Charmaine Borg Terrebonne—Blainville, QC

Thank you.

Mr. Kardash, do you want to comment?

12:10 p.m.

Managing Director and Head of AccessPrivacy, Heenan Blaikie

Adam Kardash

May I offer a comment? Just by way of background, I've had the opportunity to represent companies across sectors in multiple investigations with the Office of the Privacy Commissioner of Canada. At least in my experience, once an investigation has been commenced, the companies always end up working out—or have worked out—a solution tailored to their business practices, but to the satisfaction of the OPC.

As I mentioned in my opening remarks, Commissioner Stoddart has been on record as saying that the mere threat of Federal Court action has been very effective. Nothing is more important to most companies—if not all companies—than their reputation. The prospect of being publicly named is something that they really want to make sure doesn't happen, so they comply.

12:10 p.m.

NDP

Charmaine Borg Terrebonne—Blainville, QC

Thank you.

Mr. Israel, you mentioned Acxiom as an example of a company that has gathered a large amount of data.

Should we be thinking of establishing principles that would limit the amount of data that companies are collecting? How could that be put into practice at the moment?

12:10 p.m.

Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

Tamir Israel

That's a very good question. I think it's something that really needs a lot of closer study.

The same issue is starting to arise in the child gaming context. The marketing materials used to be easier to get because companies would have their practices out in their marketing materials. If I were trying to figure out what a specific site was doing, I could pick up their marketing materials and see it in there, as Sara was saying. Now they've moved away from that. They don't have those marketing materials available any more, so it's not as easy to do.

It's the same issue as with the data brokers. It's not very clear to me what they're doing. Some of their marketing materials are available, so you can get a sense, but I think you need.... I don't have a solution. I think what's needed is a more in-depth investigation, with those data brokers at the table, that tries to get them to explain what their processes are.

What's been suggested is to just have a centralized place where individuals can ping these data brokers and do searches of these data brokers all in one place to see if their names are on there. Then you have, under PIPEDA, for example, a right to request an organization to give you everything they have on you. But you have to first know which organization to go to, what the organizations are. I don't want to send out 100,000 of these. If there are 100,000 data brokers, I want to be able to go to one spot, see who these are, send them requests, see what data they have on me, and then maybe correct any errors that are there.

In addition to that transparency mechanism, there's probably an analogous regulatory-ish mechanism that could be put in place that would talk to these organizations and get a sense of where their data's going, how it's being used, and where it's being collected from. That's a fact-finding type of expedition that I think would be really useful, but it's very difficult for individuals to undertake on their own.

That's a starting point.

12:15 p.m.

NDP

The Chair Pierre-Luc Dusseault

Thank you. Your time is up.

I now recognize Mr. Butt, for five minutes.

12:15 p.m.

Conservative

Brad Butt Mississauga—Streetsville, ON

Thank you very much, Mr. Chair.

Thank you very much, witnesses, for being here today. I think the other committee members have said it well, that we're learning a great deal today. I really appreciate your expertise in this area.

Let me run a concept by you and get your feedback on it. I'm going to call it, for lack of a better term, a reverse negative billing option as far as the privacy or consent form is concerned. Would it be possible, or do you see it working, that unless a user specifically gives consent for their private information to be held by the user—Facebook, Google, whoever it is—and then disseminated, versus their providing specific consent that it may be used...?

As I understand it now with the privacy policies, it basically says that they can use all this information for anything they want. You click “I agree”. Nobody reads the 15 pages. You just click “I agree” because you want to sign up.

Can it work in reverse? Can we set it...whether through Parliament in our rules or laws, or through companies just getting together? I'm going to talk about your self-regulatory model in a second, as my follow-up question. Can we start to put pressure on these companies—and would it work—to have a privacy policy that works in reverse? For example, “You may not use any of my personal private information for any reason unless I specifically consent to your using that information”. Is that viable? Would it even work?

12:15 p.m.

Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

Tamir Israel

I agree with what my colleague Mr. Kardash was saying before, that you do need a flexible framework in place. We do have a consent regime in Canada, so the starting point is that technically they do need my consent. It's a graduated consent regime, where the more sensitive the information is right now, under PIPEDA, the more explicit the consent you need to seek—in theory. The problem is that transposing that onto the social media context has been very challenging, just given the rate of evolution of these services.

So I think we have that to an extent. I think we would just need to maybe bolster it a little bit to make it more of an implemented reality.

12:15 p.m.

Conservative

Brad Butt Mississauga—Streetsville, ON

Do you see that as something that Parliament, through a law, through changes to the PIPEDA legislation, or in some other fashion...? Do we need Canadian law to enshrine that, or do you see that as something that industry could do through moral suasion, let's say?