Information & Ethics Committee on June 7th, 2012

Absolutely.

In terms of ideas for limiting use by social media companies, obviously, people are voluntarily putting information online on their profiles. The company should only use that data for the purposes that are clearly stated, and that's the whole principle of transparency.

If the company then wants to use the information for a new purpose, then it has to go back to the users and explain the new purpose and get their consent. A really good example is that if you're a Facebook user and then all of a sudden Facebook rolls out its facial recognition technology software. That's a new use of the data. It's a more precise use of the data. It can lead to all kinds of function creep. I think in that case the company needs to go back and explain the new uses, the shiny new toys that are available to users, and get their consent.

That's really important. If they have new partners, if there are more third-party applications that are using the data, again, let users know and make it easy for them to say no or to control the use of their data.

The second question you asked me is about the number of investigations we have done of social media sites versus investigations that involve social media. I gave you the example of our investigating, really, the employment situation and how employers or third parties are making use of social media. I wanted to draw that investigation to the attention of this committee because I think it's really important to look at how social media is used by litigants, by law enforcement, by employers, by post-secondary institutions, because I think that's part of your study as well.

We've done several of those investigations, and I will share our social media background check guidance with you. I'll send them to the clerk of the committee for your review.

I've met with people and spoken at both Facebook's headquarters and Google's, and there is considerable interest in privacy by design. With regard to Facebook, if I had to guess their position, I would say they view privacy by design as being incompatible with their business model. That view is essentially, use as much information for as many purposes as you can, and then if you go too far—as they did with the news feed—then you can pull it back in terms of people's privacy preferences.

I have the greatest respect for Mark Zuckerberg. I've spoken to him. He totally gets that privacy is all about control, and I would suggest that he certainly values his privacy and controls it. But in terms of the business model, I think they would not be interested in it.

Google, on the other hand, is interested. If you look at Google+, which is their online social media, they have tried to incorporate privacy by design features. They invited me to speak to their head engineers, who were designing it, about privacy by design and how you incorporate this in terms of data minimization and making privacy the default. That was the concept behind “circles” and trying to minimize data collections.

I'm not going to oversell this. I think businesses will come to this gradually, if the business model is predicated on reaching as many people as possible.

Having said that, there is a way you can have online social media and privacy, and that's the Google+ experience in circles. I know many people who are on it. I don't know what the numbers are right now. I think they've exceeded 50 to 60 million, but we'd have to confirm that. It has an ability to restrict the information you share to the narrow audience that you want to share or speak with.

If I may, sir, I want to add one comment relating to your first question. With regard to the notion of minimizing data and collections and how you restrict it to the primary purpose, one example we did in my jurisdiction involved the creation of an enhanced driver's licence that could be used across the border instead of a passport.

They, of course, have to collect information. We put directly into the regulation what information, what personal identifiers, could be collected: the name, one's address. We said they should identify the fields specifically, as opposed to leaving it open-ended. We were able to do that. One way of trying to restrict the collection of personal information is by identifying specifically, very narrowly, that which you are permitting.

In our discussion today we've been talking about how we need to get the law right. We also need to get the policy right. There needs to be incentives to get the private sector players on board. We also need public education to teach, especially, young Canadians how to properly protect their privacy online.

If social media companies won't play ball with Canadian law, then we really need strong enforcement because at the end of the day it's the essential tool to compel compliance. We can give all the guidelines we want, we can meet with companies, and we can give them great concepts of building privacy into their products, but at the end of the day we do have to have some teeth. We do have to investigate, and we do have to enforce.

In my view, order-making powers are the best starting point. I also think the mandatory breach notification increases the investment in protection of personal information and security and awareness.

Thank you.

I concur with my colleague, Commissioner Denham.

We have order-making power in Ontario, and I'm telling you it would not be the same without it. But let me be clear—it is a last resort. The order-making power, which gives you the teeth, is the stick. We rely on it infrequently.

I'll give you the example of PHIPA, the Personal Health Information Protection Act, which applies to both public and private sector health organizations in Ontario, of which there are many. That was introduced in 2004. I've only issued 11 orders under that—so in something like eight years, 11 orders—because there is enormous incentive on the part of organizations to work collaboratively with us early on, and we always try to do that. We work very collaboratively. We strive to reach informal resolutions to investigations and problems, and we've had hundreds, thousands of them. It works very well. The carrot is a much better inducement when they know the stick is there.

On occasion we've had to issue an order and we do it not gladly but certainly willingly, if necessary. Often the order serves the purpose of an educative tool. It sends out a very clear message to everyone of what the standard of practice is now, and what our expectations are in this area. So order-making power is absolutely essential.

We have mandatory breach notification under PHIPA. That is also very important because that informs the population involved in the breach. It gives them the openness and transparency of knowing what is taking place.

We've also had, through the Regulatory Modernization Act in this province, a policy-led hook, if you will, in terms of looking closely at how you embed privacy-types of solutions into regulatory activities. So it's very important to have that cooperation.

I should also tell you, though, that my staff and all of us are out there regularly meeting with organizations. So not only is public education very important, but you have to meet with the organizations that fall under your jurisdiction so that they gain a better understanding of what your expectations are and how they embed privacy by design into their practices, into their technologies, and into their day-to-day activities.

They need to learn that from us, and we do this regularly. I think that allows us to minimize the number of orders we issue, but everyone knows the order-making power is there. It's a very powerful tool.

For clarity, are you talking about the definition of work product information within PIPEDA?

I think it's important to have a work product definition, because it takes out of the definition of personal information what might be actually just the product of somebody's workplace—an opinion that they write as a lawyer, a report they write as an engineer. To me, that's not personal information, that's work product information and should not be regulated under the act.

I think that's the question you're asking.

I agree with Commissioner Denham that sometimes you're producing work at the workplace that has your personal information on it. It has your name and position, as it should, but it is not personal information as it is defined under our statutes, because it doesn't relate to you personally. It relates to your work and what you are required to do at your workplace. So properly, it should not only be identified but should be made publicly available.

I use myself as an example. Obviously I issue orders, and my name is on the order. I also issue many decisions, and my name is attached to them. It would be silly to say that it is my personal information. Obviously it has my personal identifier on it, but it's linked to the work I do and rightly belongs in the public sphere. Just because it has my personal identifier on it doesn't mean that it shouldn't be publicly available, if that's what you mean. It depends on how it's defined in the context.