Information & Ethics Committee on June 7th, 2012

Mr. Chair and honourable members, thank you very much for the opportunity to speak to you today.

With me today are Caitlin Lemiski and Helen Morrison, senior policy analysts with my office.

I first appeared before this committee in my previous role as assistant privacy commissioner of Canada. Also in February of this year, I appeared before you in my capacity as registrar of lobbyists for British Columbia.

As assistant privacy commissioner of Canada, I led the first investigation by a data protection authority of a social media platform. As information and privacy commissioner for British Columbia, I conducted the first investigation in Canada of the use of a social media site by a political party. Following that investigation, we issued guidelines on social media background checks.

Today I would like to provide you with an overview of British Columbia’s privacy oversight model, followed by a review of some of our recent work related to social media. I will then offer my views on the ways in which Canada’s privacy laws are meeting the challenges posed by social media and how governments could strengthen enforcement of our laws.

In terms of regulating the private sector, the Office of the Information and Privacy Commissioner monitors and enforces B.C.’s Personal Information Protection Act, known as PIPA. PIPA determines how organizations may collect, use, or disclose personal information. We share the regulatory space with the federal privacy commissioner because B.C.’s PIPA has been declared substantially similar to PIPEDA. PIPA has wide application, though, including coverage of non-profits. It also applies to employee personal information.

PIPA provides the commissioner with order-making powers. For example, I can order an organization to stop collecting, using, or disclosing personal information. I can also require an organization to destroy personal data collected in contravention of the law. In my experience, order-making power provides me with the authority necessary to ensure that businesses are meeting their statutory obligations.

The purpose of PIPA is to govern the personal information practices of businesses and organizations in a manner that recognizes both the privacy rights of individuals and the need of organizations to collect and use personal data for reasonable purposes. Recognizing this balanced approach, privacy laws do not and should not prevent organizations from developing and using technologies that benefit our digital economy.

I fully appreciate the innovation and value of social media. It allows human expression to manifest in new and exciting ways, and it facilitates public participation. Social media also allows people to connect with family and friends, to follow the latest news, and to build online communities.

That said, I share the privacy commissioner of Canada’s concerns that social media companies may not be giving Canada’s privacy laws enough attention. All organizations, including social media companies, must follow the rules around knowledge and consent and limiting collection, use, and retention of personal data. These rules are particularly significant given the speed with which information on social networks can move and replicate.

I also acknowledge that the international context in which these companies operate can be a complicating factor. Canada has a very different statutory framework for privacy than in the United States where most of the world’s most popular sites are based. However, this does not absolve social media companies from complying with Canada’s privacy laws. All organizations doing business within our borders are accountable for their personal information management practices. They must follow the law.

Some of the recent investigative work undertaken by Canadian commissioners demonstrates that Canada is able to address some concerns with social media and privacy. However, it's an uphill battle.

In British Columbia, my office recently investigated the collection of Facebook passwords and profile information by a political party that used this information to vet potential leadership candidates. What we found was that although the political party obtained consent from the leadership candidates, the collection of passwords and profile information contravened the act. Under PIPA, an organization may collect personal information only for the purposes a reasonable person would consider appropriate in the circumstances.

We also found that in viewing the candidates’ social media profiles, the political party collected information about the candidates' friends and the friends of friends, without their knowledge or consent. As a result of our investigation, the party agreed to stop collecting passwords and adopted the guidelines issued by our office on social media background checks.

In another investigation, we examined the Insurance Corporation of British Columbia’s offer to the Vancouver Police Department of the use of its facial recognition database to identify possible suspects from the 2011 Stanley Cup riot. The relationship between social media companies and facial recognition technology is very significant, as many of these companies integrate this technology into their services. For example, last year, Facebook integrated facial recognition into its photo services, allowing for the automatic tagging of persons in uploaded photos. Facebook chose not to roll out this functionality for its Canadian users.

Indeed, ICBC’s offer to the Vancouver police highlighted our awareness of the power of facial recognition technology and how attractive it may be for law enforcement. Law enforcement’s use of social media is a particular concern, because social media companies possess some of the largest corporate collections of photographs of individuals.

There are important questions about whether individuals actually provide meaningful informed consent for the collection of their biometric information for facial recognition. If social media companies collect this information without proper authority, then any subsequent use of that information by law enforcement may not be authorized. Moreover, tests have called into question the reliability of this technology. For example, at one U.S. airport, a facial recognition pilot project correctly identified volunteers only 61% of the time. Based on this low success rate, the airport abandoned plans to use facial recognition. Yet, those issues remain, because technology will improve, and law enforcement will want to use it. The relationship between law enforcement and social media, particularly in relation to facial recognition software, is an area that would benefit from greater attention and study.

Statutory requirements, regardless of their content, can have little effect unless organizations actually follow them. In my view, the greatest challenge to privacy and social media is a lack of awareness among businesses of their obligation to limit the type of personal information they collect. For example, in British Columbia, many organizations do not understand, and are surprised to learn, that PIPA does not allow them to collect personal information just because it may be publicly available on the web.

In the context of pre-employment screening, an organization’s casual approach to collecting personal information online can lead to unsettling results. For example, although it would normally be inappropriate and illegal for an employer to collect information about a prospective employee’s age, sexual orientation, or the fact that they may or may not have children, an employer may learn these details by accessing a social media profile. Personal information on these sites is prone to inaccuracies. In addition, like a dragnet, organizations may catch far more than they intended when collecting personal information from these websites.

Some say that individuals just have to take responsibility for what they post online. While it is true that we should think before we post, this doesn’t mean that we should refrain from reasonable opportunities to express ourselves. In the end, it's all about context, and Canada’s privacy laws recognize this by limiting collection and use to what is reasonable in the circumstances.

As Canadians’ views about communication and expression evolve, the challenge for commissioners and governments is to help organizations understand these new distinctions. Mothers should not refrain from posting information about their parenting experiences for fear of repercussions from their employers, and friends should be free to make comments about products and services to each other without unreasonable market surveillance and profiling.

These observations are consistent with a 2010 report by the Office of the Privacy Commissioner of Canada, which states that “traditional notions of public and private spaces are changing. Canadians continue to consider privacy to be important, but they also want to engage in the online world.” Sustained public education and engagement will be necessary to promote awareness and compliance with Canada’s privacy laws in the world of social media.

In conclusion, social media companies should use the innovations that make them so popular to uphold the values of privacy that are important to Canadians. Protecting privacy is about more than obtaining an individual's informed consent. It is about what is appropriate in the circumstances.

Although principle-based, technology-neutral laws adapt to new technology, in my view, strong enforcement tools, such as order-making power and mandatory breach reporting, are critical for the federal privacy commissioner to regulate the space.

Thank you very much for the opportunity to appear before you today. I'd be pleased to respond to any questions.

Good morning, ladies and gentlemen. My thanks to the chair and members of the committee for inviting me to speak to you today.

I'm not going to speak to you about privacy regulatory matters and existing statutes. The reason for that is you've heard from Commissioner Stoddart on that subject. You've heard from legal scholars like Michael Geist. You've just heard from Commissioner Denham. There's very important work that needs to be done in the regulatory and legislative space.

The reason I'm not talking to you about that today is not because I do not have strong regulation in my own jurisdiction; I have order-making power, and I cannot emphasize enough how important order-making power is to a regulator. I also have, under PHIPA, the Personal Health Information Protection Act, a wonderful ability in terms of mandatory breach notification. We have these tools at our disposal, and they're excellent, but I'm not going to be talking to you about that today.

I'm going to talk to you about the future of privacy. I'm going to take the next 10 minutes to talk to you about something called privacy by design. Before I start that, though, please allow me to introduce my colleagues. I'm joined by Michelle Chibba, my director of policy, and David Goodis, my director of legal services.

Privacy by design is all about ensuring that the user has control of their data. Increasingly what we are experiencing all around the world is that with the enormous growth of mobile technologies, wireless WiFi everywhere, online social media, mobile devices, with the growth of information sharing and availability, it is becoming extremely difficult to regulate this information strictly after the fact—meaning you allow the privacy harm to arise, someone complains, we investigate, and then we offer a system of redress. That's very valuable and must continue, but using those tools, we only catch, in my view, the tip of the iceberg in terms of the potential pool of privacy infractions and privacy-invasive activities. Privacy by design is all about being proactive and trying to prevent the privacy harm from arising to begin with.

You'll see that privacy by design was adopted as an international standard two years ago in Jerusalem by the international community of privacy commissioners and data protection authorities. It was unanimously passed as an international standard and has since then been actually reflected in work coming out of both the United States and the EU. The FTC in the United States, the Federal Trade Commission, has just in January of this year put out its piece on how it sees privacy moving forward in terms of regulatory structures and private sector self-regulation. They've recommended three practices. The first of those three practices is following privacy by design.

If you look at the regulation put out by the EU on data protection earlier this year, you'll see the language of privacy by design, and privacy as the default permeates the entire regulation. You may be interested to know that privacy by design has now been translated into 25 languages. I assure you this is no small feat. It is reflected in all of the major languages around the world. I just want to give you an idea of the import of privacy by design and how seriously it's being taken all around the world.

Now I'm going to walk through, very quickly, the seven foundational principles of privacy by design. Let me try to summarize this for you. The essence of privacy by design is to embed privacy into the design of not only information technologies but accountable business practices, policies, and procedures in a proactive way, in an effort to prevent the privacy harm from arising as opposed to reactively offering a system of redress after the fact.

The essence of privacy by design is being embedded as what we call the default setting. By that I mean that when privacy is the default condition, you, as the user, the data subject, can be assured of privacy. You don't have to look for the privacy. It's guaranteed. It's automatic. It's embedded in the system as the default setting. That is key, and that is an integral part of privacy by design.

The other essential feature is that it talks about operating in a positive-sum, not a zero-sum, environment. Zero-sum means that you can have one or the other of two interests. You can have privacy versus security, privacy versus social media, or privacy versus biometrics. Get rid of the versus.

Positive-sum means privacy and other functionalities. You have to have privacy functioning in an environment in which it can operate in unison with other interests, as it must. The future is all about creativity and innovation. Who knows what's around the corner in terms of the next technology and the next development? We welcome that. We insist upon privacy being part of the package.

You've all heard a great deal about big data. I'm not going to talk to you about that today, because there is no time. Just for your information, here's a little teaser. Tomorrow we're launching a paper we did jointly with IBM called “Privacy by Design in the Age of Big Data”. We're releasing this tomorrow morning at conferences in Washington, D.C., and Toronto. If you look at our website tomorrow, please take a look at our paper on how you can have privacy and big data.

I'm going to talk to you for the remaining four minutes I have about an example of how privacy by design actually works on the ground. I don't want you to think this is simply a theoretical formulation or some academic construct. It's real. It's operating right now on the ground.

Let me tie this to Facebook and other social media. As Commissioner Denham mentioned, Facebook has the capability of facial recognition technology. So photographs that are uploaded to Facebook can be tagged with an identity through facial recognition technology. You can imagine what a treasure trove this will be for law enforcement and other interests, with the pictures, the faces, of 900 million users, potentially, being tagged, using facial recognition technology, and potentially matched with pictures of faces taken from a crime scene, for example. The police would come knocking on the door of Facebook with a warrant. Of course, Facebook would have to give them the information.

I'm going to tell you about a technology we've introduced here in Ontario that would not allow that to happen, even though it would allow facial recognition technology to happen. It is facial recognition technology using privacy by design biometric encryption.

Let me just tell you very briefly what this is. In Ontario, the OLG, the Ontario Lottery and Gaming Corporation, is the corporation that runs our casinos in this province. We have 27 casinos in Ontario. They're run by the OLG.

They came to me a few years ago and said that they had a problem. They have an addicted gamblers program, a problem gamblers program, called the self-exclusion program. Quite simply, if you are an addicted gambler, and you're going through the equivalent of a 12-step program, such as Gamblers Anonymous, and you go through the entire program, the last thing they'll ask you to do is go to the casino of your choice and ask to be placed on the self-exclusion program. That means that you want to give up gambling, have gone through the whole program, but know that you might fall off the wagon and try to go back into that casino and gamble, and you don't want to do that.

The self-exclusion program is completely opt-in. It's voluntary. You go to the casino of your choice and you say, “Sign me up. I want you to keep me out. If you see me trying to enter your premises, I'd like you to ask me to leave, please.” You fill out the form. They take your picture. You sign it, and this is completely your choice.

The problem was that this program wasn't working very well. In the past, the form you filled out with your picture on it and all that would live in some back office somewhere in a file cabinet.

In the meantime, these addicted gamblers who fell off the wagon would try to sneak back into a casino. They would go to the front of the casino—there are 27 of them across the province—and they would sneak back in. They were very good at it and they would successfully get back in. Unfortunately, many of them would lose their life savings. They would lose their families. They would lose their jobs. It was terrible. Then they would sue the Ontario government—the casino—for not honouring this program and keeping them out. It was a lose-lose.

So when the OLG, the Ontario Lottery and Gaming Corporation, came to us and asked for a solution, they said, “Here's what we can do”. They said they had cameras at the front of all casinos. Casinos all around the world have cameras at the front for security purposes. They said that if they were to match the cameras at the front with the faces in their backroom files, then they could identify these self-excluded gamblers and keep them out.

Here's the problem with that—facial recognition technology can pick up the faces of a lot of people entering the casino, not just the problem gamblers. Plus, this could then be made available to others for secondary uses like law enforcement. I wanted to ensure that wouldn't happen.

So what we did was that we asked them to use a program called biometric encryption. What this means, very simply, is that this is a system of using a facial recognition data capture in a way such that it cannot be used for any other purposes. When you use biometric encryption, no biometric template—as it is called, which is a digital representation of the face or the finger—is retained in the database.

Quite simply, all that means is that if law enforcement comes knocking on the door and wants to access your database of biometric templates to see if there's a match to a crime scene, you can't give them the biometric template because it doesn't exist. The only use that can be made of this information is for this particular purpose, the primary purpose which is intended.

I can explain to you later, if we have time in questions, how this works. But this has been tested in other jurisdictions. In the Netherlands, priv-ID, another company, has done this, and I can give you other examples.

This is a wonderful, privacy-protected biometric solution that allows the particular privacy biometric problem to be addressed, but doesn't allow the information to be used for any other purpose.

I'm going to ask you to consider privacy by design as a solution on a go-forward basis in terms of how we protect privacy. For example, if we ask Google, Facebook, and others to implement privacy by design solutions such as biometric encryption for their facial recognition program, we will have far greater privacy, as well as the functionality that was intended by the social media in that particular program.

You can have both privacy and other core functionalities operating in unison, but I urge you not to allow one at the expense of privacy.

Thank you very much, ladies and gentlemen.

Thank you very much for that question.

I think there's one way that we can do it. I'll refer you to a paper that we released this past summer—I'm trying to remember the name of it—“Privacy by Design in Law, Policy and Practice”. The idea for the paper came from Commissioner Pamela Jones Harbour, who is a former commissioner with the Federal Trade Commission. When she was talking to me about privacy by design, she said we could impose it as a requirement, a condition, in our consent decrees, in decisions that the FTC issues upon completion of an investigation, and we could include it as something on a go-forward basis that a company would have to follow proactively from that point on.

Justice La Forest kindly reviewed the paper that I just mentioned, which you can find on our website, and he said that privacy by design is an excellent idea that should be incorporated into administrative means of law addressing privacy on a go-forward basis.

One way we could do it—I know that Bill C-12 is looking at changes to PIPEDA—would be to have some way of saying that on a go-forward basis, at the conclusion of an investigation, a company would be required to follow privacy by design in any particular area that was problematic.

The other thing about privacy by design is that it's not a punishment. We always say privacy is good for business. There should be a privacy payoff to businesses that follow good privacy practices. Consumer confidence and trust are being eroded very quickly in this day and age, and you can strengthen that on the part of your customers. It is not something that is in fact a stick. It is both a carrot and an inducement to introduce privacy protections in a way that ultimately will save the company resources, because they'll be able to avoid privacy infractions and privacy investigations, and potentially, class-action lawsuits that are coming out.

There's so much happening on the privacy front that when we talk to companies about privacy by design we do it because they invite us to tell them how to do it. They want to do it, not only for the right reasons but for business-related benefits as well.

I think there is a way forward by imbedding it into new regulatory structures.

Yes.

Mr. Angus, I love that you refer to “unintended consequences”. I didn't use the slide here, but I have a big slide when I talk to, especially, tech companies. My slide just reads: beware of unintended consequences. That is always the fear.

I called last year the year of the engineer, because I talked to engineers at all of the leading companies around the world. I talked to Adobe. I talked to Intel, and HP, to Google. I've talked to Facebook and others, but I specifically wanted to talk to their engineering, computer science technical teams to translate, if you will, or operationalize the principles of privacy by design into code.

Of course, we've been talking to lawyers for years, so I'm not worried about lawyers and policy writers understanding how to translate the policy requirements into policy codes, etc., but the engineers were being left out and the computer scientists. When I talked to them, I said, this is very simple. I can't write the code for you, but I can translate this into what does “primary purpose” mean, and how do you ensure that data minimization principles are being reflected in your operational procedures.

Privacy as the default is such a critical feature. We try to explain this not only to engineers—and they get it, of course—but to laypeople. I always have what I call my neighbours' test. I have very clever, smart neighbours, but they're not in the privacy field. So I try to explain it to my neighbours, and if they grasp the concept, which they will, then we're off and running. It has to be accessible to the public and to engineers alike, and the notion of privacy as the default resonates. As one of my neighbours said, does this mean I get it for free? I don't have to ask for it? I don't have to scour the privacy policy to find it? I just get privacy for free? I said, yes, it would be embedded in the system by default as an automatic feature. She said, “Sign me up. That's what I want.”

That's the kind of discussion we have. As I said, we talked to all of the major companies. For Google+, when they were doing their beta test for Google+, their new online social media, we participated in the beta. They're very interested in the privacy issues. They've come up with this concept of circles and restricting privacy and sharing within a given circle. So you could have one for your workplace colleagues, one for your neighbours, one for your family, etc.

We've talked to all of the major companies about privacy by design, and I would hazard a guess that if you went to any of them they would know about it.

I think consent is very significant in the online world, but it's only part of the answer. I also agree with you that end user agreements, with the lengthy notices and the legalese is not the solution to the problem. Some very good work has been done in short, just-in-time notices. That's even more important in the mobile environment because you certainly can't read consent and user agreements at the end of the day.

Our laws in Canada are flexible. They require the collection of the data to be reasonable, and there needs to be transparency. In an ecosystem as complex as a social media site, it is difficult because I think consumers don't understand what is behind the curtain. They don't understand all the groups they are communicating with, how the data is flowing, and how third parties are using their information. It's a brand new environment.

Historically, we have dealt with a consumer doing business with one brick and mortar company. It is very clear whom you are doing business with. Consent works quite well in that environment. I think what is needed here is a much more sophisticated approach.

I think it starts with accountability. Our office, in conjunction with the Alberta and the federal office, has just issued guidance on accountable data governance, what privacy looks like on a comprehensive level. That's where we go down the road. We look at the company overall to make sure their practices, policies, and control, such as privacy by design, are dealt with in a comprehensive way across the board.

For starters, users, consumers, and all of us have to be more vigilant, and we have to speak up with the companies that we do business with. You may say that's hard to do. Facebook is the way it is. How are you going to get changes? You would be surprised at the number of times they have changed. When they introduced a privacy practice, like their news feed in 2006, everyone blew up at that, and then they reversed it. There have been a number of missteps, and it's only because the public has spoken out that they have pulled back.

Let's talk for a moment about what companies can do and what we can ask businesses to do and governments as well. Mobile devices, as you know, are the way of the future. Everyone is going into mobile. You can't read anything on that in terms of the policy and other things. For example, in the United States people are using a blue button. I think the blue button was made available for veterans in the U.S. to access their health data. What did Veterans Affairs have on them? They had this blue button, and they would immediately see what they had on them. The same idea is coming out for a green button for the energy sector. If you want to see how much energy you've used, people have said there should be a green button. You'd press it, and you would see how much energy you are using, and you can compare it to others like your neighbours, etc.

What this speaks to is not only companies being far more careful but circumspect about the information they automatically collect from consumers without their knowledge or consent. The opposite of privacy as the default is public as the default. We have to reverse that. We have to change that. Also, they have to know they have to be accountable to you, the user, the data subject. They have to be transparent with the information they have about you in their possession, in their databases. You should know what they have. Unless you know what they have in their possession, you won't know what's at risk, and what might be, if it's hacked, or if there is a data breach.

LinkedIn was just hacked and their passwords accessed. You are not going to know what they're going to have access to. It's very important to have that kind of transparency. Then, all of us speaking up and getting on the case of business. Don't misunderstand me, I'm not anti-business at all. I love business. We have to have strong businesses to have a strong economy. They also need to know they have to protect their customers and their customers' information. How can they do that? We can help them figure out how to do that and be transparent with their customers.

Yes, that's a very good point.