Thank you very much.
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I was a member of the national Task Force on Spam, and I currently serve on the Privacy Commissioner of Canada's expert advisory committee, but I appear before this committee today in a personal capacity representing only my own views.
My opening comments will identify several areas for potential government action, but I want to provide a bit of context with three key caveats.
First, which I think may be stating the obvious, is that social media is an enormously important and positive development. The number of users is staggering and its role as a key source for communication, community, and political activity grows by the day. The opportunities presented by social media should be embraced, not demonized, in my view, and government should be actively working to ensure that it incorporates social media into its policy consultation processes.
Second, Canada has played a leadership role, to a certain extent, in the use and regulation of social media. The Privacy Commissioner of Canada was the first to conduct a major privacy investigation into Facebook and has led on other issues with respect to social media and Internet companies.
Third, while we have had some influence through those investigations, Canada has not led in creating the social media services used by millions around the world. I believe that the failure to articulate and implement a national digital economy strategy comes back to haunt us in these circumstances, where the ability to place an unmistakable Canadian stamp on social media is undermined by the policy failures that have done little to encourage the development of Canadian e-commerce and social media.
With those caveats, what is there to be done? I'd like to focus on four areas of interest.
First, I think we need to finish what we've started.
The government has introduced and even passed legislation that can be helpful in addressing some of the concerns that arise from social media, yet these initiatives have stalled short of the finish line. Anti-spam legislation, for example, received royal assent in 2010, yet has still not taken effect as final regulations have not been approved. In fact, Industry Canada officials now indicate that it could be well into 2013 before the regulations take effect. Given the amount of work that went into this legislation, I find it shocking that it has been left in limbo.
Moreover, Bill C-12, the PIPEDA reform bill that seeks changes arising from the 2006 privacy review continues to lag in the House of Commons, with there frankly seeming to be no interest in moving forward with the bill. Indeed, I'd argue that the bill is even now outdated, and a full PIPEDA review to address emerging concerns such as order-making power—as you just heard—and damages, and tougher security breach requirements than those found in the bill is needed. In fact, the Bill C-12 security breach reporting rules are primarily bark with little bite, given the absence of penalties for failure to comply.
Successive governments have promised a digital economy strategy for years and have failed to deliver. The strategy has come to be known as the “Penske file”, a reference to the Seinfeld episode that involves working on an imaginary file. While other countries are now years into implementing their strategies, in Canada we still lag behind.
I think it also should be noted that these issues must increasingly be addressed in concert with the provinces. The line between federal and provincial jurisdiction on many of these issues is blurry, and legal challenges against federal legislation is a real possibility. Work is needed to begin to develop minimum standards that can be implemented at the provincial level, should federal leadership be challenged in the courts by companies seeking to circumvent their privacy obligations.
Second, the devil is in the defaults. In many respects, social media and Internet companies are the most powerful decision-makers when it comes to privacy choices. As my colleague Professor Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the de facto privacy choice for millions of users. Given the increasing pressure to generate revenues, we can expect that those default choices are going to change in more aggressive ways to make use of user data.
There are examples of companies that are doing good work in this area. Twitter recently implemented do-not-track options that won plaudits from the Federal Trade Commission in the United States. Google offers its users transparency tools so they can obtain detailed information about what information is collected, some of the ways Google uses it, and how they can modify some of their privacy choices. The company has also been transparent about law enforcement requests for information and copyright takedown demands.
There needs to be continued work on these defaults, as well as initiatives to provide users with greater information and transparency, and steps to ensure that companies live by their privacy commitments.
Third is the issue of lawful access. The introduction of Bill C-30 brought with it an avalanche of public outrage and concern over proposed Internet surveillance legislation. While much of the focus was on mandatory warrantless disclosure of subscriber information by telecom service providers, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.
A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law-enforcement requests for customer name and address information, frequently for accounts that should have been deleted months earlier. Social media, as we've heard, generates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure. Indeed, documents that I recently obtained under access to information indicate that Public Safety is thinking about how these rules are applied to social media sites and services. I believe that Bill C-30 needs to go back to the drawing board to effectively account for these privacy concerns.
Fourth is the question of new legal issues, which Professor Scassa has identified a number of. I would argue that while much can be done to use or augment existing rules, social media and Internet sites do raise some unique issues that may require targeted responses. In the interest of time I would like to quickly identify two.
First is the issue of “do not track”. As you may know, cookies can be used to trace the web-browsing habits of users, including when they visit third-party sites. For example, Facebook inserts a cookie on user browsers that traces your activity as you surf the Internet. Any site with nothing more than a Facebook “like” button, as found on Conservative, NDP, and Liberal websites, means that Facebook records a visit to that site and retains that information for months. A growing number of sites, including Yahoo, AOL, and Twitter, respect the functionality found in Firefox browsers that allows users to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser.
However, many sites have been slow to adopt the do not track option, and Facebook has thus far declined to do so. Given the failure of the industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that this form of user choice is implemented and respected.
Second is the growing problem of social media misuse. For example, in recent months there has been an increasing number of stories of employers requiring employees to provide their Facebook user ID and password as a condition of a job interview. Seeking the same information with direct questions would typically be prohibited, so this is used to circumvent long-standing standards and principles within employment law. In response, the State of Maryland recently passed a law banning employers from requiring employees or job applicants to provide access to their personal digital and social media accounts. Several other states in the United States are working on similar legislation, and I believe that Canada should follow suit.
Thanks very much for your attention.