Evidence of meeting #50 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session.

Also speaking

Pierrôt Péladeau  Researcher and Consultant, Social Assessment of Information Systems, As an Individual
David Elder  Special Digital Privacy Counsel, Canadian Marketing Association
Jason Zushman  Attorney, Merchant Law Group

3:30 p.m.

The Chair NDP Pierre-Luc Dusseault

Good afternoon, everyone. As it is 3:30 p.m., we will begin.

Before we get started, I want to let you know that the bell will probably ring for votes at 5:15 p.m. So we will have to end the meeting 15 minutes early.

I want to thank the three witnesses with us—Mr. Péladeau, Mr. Elder, as well as Mr. Zushman, from Winnipeg, who is joining us by videoconference.

Without further ado, we will begin with a 10-minute presentation by each witness. As usual, that will be followed by a question period for committee members. I yield the floor to Mr. Péladeau. You have 10 minutes for your presentation.

3:30 p.m.

Pierrôt Péladeau Researcher and Consultant, Social Assessment of Information Systems, As an Individual

Thank you, Mr. Chair, ladies and gentlemen members of the committee.

As I have read previous testimonies, I am submitting eight comments on the issues that have not yet been addressed.

The first comment is that social media do not constitute a commercial sector. Social media are rather made up of a variety of applications that make it possible to create and exchange content used not only by a few well-known specialized companies, but also by all kinds of commercial companies, public organizations, associations, employers, schools, universities and even hospitals, which are currently developing social media applications.

Social media are not only used by people. They are also used by machines. For instance, police officers, social workers and people working in shelters now have to explain to the adults and children under their protection that their computers, tablets, telephones and cameras automatically send out information that helps locate them.

In short, social media constitute an environment. Therefore, the solution cannot be based on a sector-by-sector approach that applies to certain companies—or even to the whole private sector—but rather on a universal approach that would also apply, to an extent, to the makers of certain machines that produce such information. We are now living in an era called the Internet of things.

Second, the transparency of social medium processes is not only important for operators so that they can meet their legal obligations, for individuals so that their rights are respected or for the commission so that it can do its work. That transparency is also important so that third-party organizations can meet their own obligations.

I will give you a very simple little example. The Sleeman Brewery launched the Break into Alcatraz contest, which had to be entered by accessing a Facebook page. However, the operation of that Facebook page was breaking the official contest rules. So Sleeman was more or less in violation of laws on draws and promotional contests and the personal information protection legislation. I have two points to raise with regard to that.

The application required individuals to be Facebook members in order to enter the contest, but that was not listed in the eligibility conditions. Contest rules stated that no personal information would be transmitted to Facebook, but the application required people to click on the “Like” button on that page and, therefore, to produce and disseminate members' personal information.

The most likely explanation in a case like this one is that the professionals hired by Sleeman did not understand the Facebook processes, or how Sleeman's application process was tied to it. That brings me to the third comment.

The user-friendliness of social media gives a false impression of transparency. To illustrate, I refer you to the first figure distributed to you. The common perception is that a tweet has 140 characters. That is false, as you will see in the figures. A tweet has several hundred characters, making up about 30 different personal information fields. The same goes for the process. Users think they can see what their information goes through. In reality, the application is sort of like a black box where we can only see what the operator shows us.

Fourth, the wording of consumer contracts, conditions of use and statements regarding the use of personal information is not appropriate for explaining the processes involved. I want to point out that the first pieces of legislation for protecting personal information were adopted in the 1970s. So they were developed in the 1960s. At that time, this area was dominated by public or private bureaucracies where officials ensured that the information produced on an individual was compatible both with the internal organization processes and the individual's situation.

That challenge is called information pragmatism. I am now referring to the second figure, which sets out the factors that could determine the selection of good information for obtaining good results. I have a very simple example regarding that.

School admission and enrolment in a school year are two different processes requiring the identification of the mother, in both cases, unless we are not talking about the same person. The school secretary ensures that the right person is described. As part of the admission process, the person in the civil register is identified to distinguish among the little Tremblays, Smiths or Nguyens, while the enrolment process identifies the person who takes care of the child on a daily basis. So we may not be talking about the same person.

In the classic bureaucratic context, general implementation texts were sufficient because organizations had hundreds of officials who ensured mediation between the individual's reality and the organization processes. Today, millions of individuals are asked to manage processes on their own, and that's practical only on these two conditions:

1) that the individual obtain timely and specific explanations on the exact process they are undertaking;

2) that those explanations be comprehensible—including for children, technophobes or half the Canadian adults with low literacy levels.

Here, however, applications can be the solution because they are interactive and provided in multimedia. I want to go back to the Valerie Steeves example. On May 29, if the system has profiled me as a 16-year-old Vancouver teenager and listed the relevant interests of that profile, why would it not display that profile right away along with what exactly it is used for and by whom? That would help me adjust the parameters so that the system would be better able to meet my expectations and needs, somewhat like it is laid out in the figure I referred to earlier. This is not about revealing the industrial secret of the profiling algorithm, but rather about establishing a dialogue that will elaborate the relationship, and perhaps even the algorithm at the same time.

Here is my fifth comment. Even though personal information protection legislation has emerged largely in response to a risk of totalitarianism, and they remain a prerequisite to respecting personal rights, which are often guaranteed—for instance when it comes to issues related to child consent—those laws are nevertheless basically only an expression of principles that have to do with effective information management. I have participated in their implementation in over 500 organizations—both large and small—across all sectors. However, once the management was streamlined, the law was de facto respected. In addition, costs were reduced and processes enhanced.

Here is my sixth comment. The Canadian legislative model in terms of personal information protection basically covers only three logical and critical phases—production, conservation and communication of information. It is much less apt at covering the processing phase and the phase that consists in concluding the process that often leads to a decision. However, the processes cannot be explained adequately to users who deal with administration on their own without making all the phases transparent. As much as that individual empowerment is impossible without this understanding, the democratic dialogue among user communities, on the one hand, and developers and operators, on the other hand, is impossible without that transparency.

Here is my seventh comment. If the improvement of the Canadian legislative model continues through management principles applied at the level of logical phases rather than through the imposing of specific procedures, those standards could endure despite technological changes and be more easily accepted by operators.

However—and I am getting to the eighth and final comment—the way personal information protection legislation is organized is based on the ultimate purpose rule, or the principle whereby a predefined relationship with the individual is established.

Consequently, companies that have no clear business model or that favour the approach according to which they should generate any kind of information, as they will always find a way to use it, will never be able to accept any kind of legislation straight away, since the two logical approaches are contradictory.

In such cases, it is clear that those types of stakeholders can only be dealt with by clearly setting out the values and principles that are given force of law and by setting out powers to issue orders, as well as a substantial criminal sanction system that would help enforce the law.

So there you have the eight comments I thought I could add to the debate so far. Obviously, I am available to answer any questions you may have.

3:40 p.m.

The Chair NDP Pierre-Luc Dusseault

Thank you, Mr. Péladeau.

I now yield the floor to Mr. Elder, from the Canadian Marketing Association.

Mr. Elder, you have 10 minutes.

3:40 p.m.

David Elder Special Digital Privacy Counsel, Canadian Marketing Association

Thank you very much.

Good afternoon, Mr. Chair and honourable members. My name is David Elder and I am a communications and privacy lawyer with Stikeman Elliott here in Ottawa. I also act as special digital privacy counsel to the Canadian Marketing Association, and it is in this role that I appear before you today.

The Canadian Marketing Association, or CMA, is the largest marketing and advertising association in Canada with 800 corporate members, embracing Canada's major business sectors and all marketing disciplines, channels, and technologies. CMA programs help shape the future of marketing in Canada by demonstrating the strategic role of marketing as a key driver of business success. The association's members make a significant contribution to the economy through the sale of goods and services, investments in media and new marketing technologies and employment for Canadians. Against this backdrop, the Canadian Marketing Association is the national voice for the Canadian marketing community, with the CMA's advocacy efforts designed to create an environment in which ethical marketing can succeed.

On behalf of the CMA, I would like to thank you for the invitation to appear before you as you consider the privacy issues arising in the evolving environment of social media. This afternoon I propose to address industry practices generally with respect to privacy issues that may arise with social media, focusing on the CMA codes and guidelines, in particular. However, as a representative of an industry association, I will refrain from discussing the policies and activities of any particular organization or company.

The roots of the CMA's involvement with the development of private sector privacy legislation and policy run very deep indeed, as it has been at the forefront of the Canadian privacy landscape for many years.

In 1995 the association was the first business association to call for national privacy legislation in order to establish basic principles for the protection of personal information. And it was one of the original members of the Canadian Standards Association's technical committee that developed the 10 CSA privacy principles.

Later, the CMA publicly supported the Personal Information Protection and Electronic Documents Act when it was introduced by the government. Association members were strong advocates for a law that would provide clear direction on how personal information could be collected, used, and disclosed, while at the same time retaining sufficient flexibility to enable businesses to take advantage of new and emerging technologies and to help grow the Canadian economy.

The CMA continues to believe strongly that this delicate legislative balance between individual interests and business needs produces significant benefits for both consumers and for information-based marketers, who comprise an increasingly significant sector of the Canadian economy.

Moreover, after the passage of PIPEDA, the CMA continued to be an active participant in the ongoing public policy debate concerning Canadian privacy law and its implementation. For example, several years ago the CMA proposed that the Privacy Commissioner of Canada initiate consultations with interested stakeholders with a view to developing breach notification guidelines, even in the absence of a statutory notification requirement. This consultation resulted in the issuance, in 2007, by the OPC of guidelines entitled, “Key Steps for Organizations in Responding to Privacy Breaches”.

Over and above its interest and involvement in legislative and public policy approaches to privacy, the CMA has long emphasized that marketers themselves have a responsibility to implement responsible and transparent personal information management practices, and they have an important role to play in promoting such practices.

In this regard, since the early 1990s the association has had a mandatory code of ethics and standards of practice, a self-regulatory code that provides CMA members, and marketers generally, with a comprehensive set of best practices for ethical marketing.

In 1993 the CMA was the first major private sector organization to publish and make compulsory a comprehensive privacy code governing members' activities, which is today structured to reflect PIPEDA's 10 privacy principles. The CMA's privacy code strives to give consumers control of their personal information and to make the process of gathering and using customer information by marketers more transparent.

The CMA code is recognized as the best practices document for Canada's marketing community and is viewed by many governments and regulatory bodies as the benchmark for ethical marketing and effective industry self-regulation. For example, the CMA was one of the 10 members of the federal anti-spam task force, which used the code as an important guide to the best practices of ethical marketers. Adherence to the CMA code of ethics is mandatory for all CMA members as a condition of their membership in the association.

The CMA code is also a continually evolving document. The association regularly monitors the marketplace to ensure that its code keeps pace with new marketing practices and technologies. Over the years, it has struck several task forces to consider emerging issues.

As the privacy environment has evolved, so too have the self-regulatory requirements and guidelines governing the activities of CMA members.

For example, in 1999 and 2002, the CMA concluded examinations of the sensitive issues surrounding marketing to children and teenagers, and revised the code to provide marketers with clear guidance on appropriate business practices for marketing to these distinct demographics. Among other requirements, collecting or requesting personal information from children under 13 requires the express consent of a parent or guardian, and all marketing communications must be age appropriate and presented in simple language that is easily understood by children.

A few years later, in response to the introductions of new technologies, marketing techniques, and regulations, CMA task forces critically reviewed Internet marketing activities, issued new self-regulatory guidelines for the industry at large, and amended the code of ethics with new mandatory provisions for its members, including requirements to identify the purposes for the collection and use of email addresses, to engage in email marketing with unknown parties only with consent, and to provide a clear and easy to use unsubscribe link.

In 2010, the CMA revised its code of ethics to provide members with guidance on marketing best practices for online, interest-based advertising, also known as behavioural advertising, which is perhaps most relevant to the committee's study. The new requirements cover transparency, consumer choice, and marketing to children when using this marketing technique and stem from discussions among the CMA ethics and privacy committee and with other Canadian associations.

More specifically, on the subject of transparency, the guidelines require that marketers using online, interest-based advertising should ensure that they, and the ad networks and website publishers that display interest-based ads on their behalf, provide clear explanatory information about how browsing information is collected and used, and provide an effective means to draw consumers' attention to that information. With respect to consumer choice, the code requires marketers to take the appropriate steps to ensure that the ad networks and website publishers used to display interest-based ads on their behalf offer consumers a clear, easy to see, easy to understand, and easy to execute means to opt out from having their online activities tracked over time to support the delivery of tailored marketing offers.

Finally, on the topic of marketing to children, consistent with the association's existing guidelines, the interest-based advertising guidelines prohibit marketers from engaging in online, interest-based advertising directed at children under age 13, except where express opt-in consent has been obtained separately from parents or guardians.

In conclusion, the Internet in general and social media in particular have opened up tremendous opportunities for individuals, society, and business, fundamentally shifting how we connect with each other, democratizing media, and presenting new and innovative ways for businesses to interact with their existing customers and grow their customer base. At the same time, consumers are demanding more tailored offers, convenience, and better service, requiring business to become more sophisticated to be able to anticipate and meet these needs.

To be sure, as we move toward the great promise of the rapidly developing information-based economy, some privacy challenges have arisen along the way for marketers and consumers alike. However, as the features and capabilities of social media emerge, and as consumer awareness and expectations evolve, these challenges are being addressed and overcome. This is because, regardless of any legal requirements or sanctions, legitimate businesses have every incentive to anticipate consumer privacy needs and resolve any concerns.

Canadian marketers have long recognized that consumer confidence is of paramount importance, and that privacy protections and transparent information practices are the foundation of their continued success. Simply put, marketers know that respect for personal information is good for business, whether online or in the bricks-and-mortar world.

I thank the committee for its attention and would be pleased to answer any questions honourable members may have.

3:50 p.m.

The Chair NDP Pierre-Luc Dusseault

Thank you for making your presentation.

Without further ado, we will yield the floor to Mr. Zushman, from Merchant Law Group. He will make his presentation from Winnipeg.

Mr. Zushman, go ahead.

3:50 p.m.

Jason Zushman Attorney, Merchant Law Group

Very good. Thank you, Mr. Chair.

My name is Jason Zushman and I am a lawyer practising law in Winnipeg, Manitoba.

Good afternoon, Mr. Chair and honourable members. I am humbled to be asked to speak with you this afternoon with regard to privacy and social media. I look forward to our discussion which will touch upon these important issues that affect the lives of so many Canadians.

It's become cool to share information about ourselves, and it's become cool to share a lot of information. On a daily basis Canadians share an overwhelming amount about their daily lives. By way of example, there are over 18.5 million Canadians on Facebook, around 55% of our population. That is a shocking number in comparison to what Facebook was even just a few years ago. Because of this broad reach, adequate legal protections are necessary for the benefit of all Canadians.

The technological world and the Internet have changed many aspects of our societal interaction. The sharing of information is immediate. There are many benefits from our ability to share information in such a broad fashion, but there are also dangers that are found in this rapid evolution where technological advent can outpace the ability of Parliament and the applicable law to keep up.

As we analyze the issues related to online privacy, we should note that threats to the privacy of information shared by Canadians are found not solely on what are commonly thought of as conventional social networking sites. Threats to personal information can be found in quasi-networking sites such as online gaming communities. Many of these sites are pay-for services that contain sensitive information. If these sites suffer a successful hack or breach, they can reveal critically confidential user information such as home addresses and credit card numbers to rogue individuals.

As the online presence of many users can be correlated with their names, phone numbers, emails, and passwords that are found on their profiles in the conventional social networking sphere, identity theft can become that much easier. Many users have identical passwords or other means of access that are duplicated throughout the existence of their online presence. A breach of one of these services can lead to a breach of all services that are used by these Canadians.

Specifically, I would like to comment with a view to privacy and social media aspects. I wish to share the following observations.

First, the provision of informed consent by the user is a necessity. That means when a user gives their consent to utilize the service, they must be asked to give consent throughout the entire process and for any subsequent evolution of that service or its terms of use. Users shouldn't be asked merely to provide their initial grant of consent to terms that could then be unilaterally modified by the service provider.

At times when a user submits information to a social networking service, they do so with the intent of limiting the release of their submitted information to a trusted circle. It can cause great harm and unexpected consequences when the information that those users share is subsequently treated in a different fashion than what that user had originally intended. When the terms of use are changed or subsequently modified by the service provider, that modification must require the fresh consent of the user prior to the change and the implementation of the new terms.

Many times the user is placed in a position where the modification of the terms is simply displayed in a pop-up window which may be given only a cursory inspection by the user and can be overshadowed by the user's desire to return to their social media experience. Users may not always be given a means by which they can continue to use their service ostensibly without their agreement to the newly modified terms.

All changes should be clearly communicated to the user, and users should be made aware of any substantial impact to their rights. It is paramount that users always be made aware of how the information they provide is used and retained and how steps can be taken that allow for its removal from the social media site. Further, users should be told exactly how their online habits are being tracked and how that collection of information that determines their psychographic, or we have seen recently with facial recognition software, their biometric makeup is harvested for purposes such as ad placement or other such uses.

Users should also be told to what degree this information is shared not only within the organization but also with the public and also how it is shared with any third parties for which certain uses of that information are not necessarily foreseen by the initial contract that the user enters into with the social media provider.

Second, I think we require more robust privacy laws. If breaches to personal information do occur, there should be laws that effect meaningful and substantive remedies. Powerful consequence-oriented law will deter an organization from engaging in an unauthorized practice in the first place. Further, such laws provide incentive for organizations to take preventive measures prior to the occurrence of a privacy breach, or any modification of terms that result in the unauthorized use or release of user information.

Any use, unilateral change, or subsequent modification of the terms that grant access to that user information, for which consent has not been provided, should have meaningful consequences. Misuse of information that is provided in good faith by users should not simply be calculated as a cost of doing business. It may be of benefit to consider laws that provide for quantification of damages that are in direct relation to the profit, or to multiples of profit, that the misuse of this user information has provided to the companies that are in play. To my mind, robust parliamentary solutions that enhance and shore up our privacy laws will go a long way to ensuring that the privacy of Canadians is truly acknowledged and respected.

There is a third point I'd like to discuss. I noticed that Mr. Péladeau spoke to rules regarding a contest, I believe, that was offered by Sleeman, and how it exported some of the potential legal protections that were available to, perhaps, law that was not applicable within the Canadian sphere.

Finally, I'd like to speak to the use of forum selection clauses. As I previously discussed, most of the terms of service to which the consumer agrees to be bound are boilerplate or standard form contracts, and those contracts are crafted in the language of the issuer or the social media site. There is no real bargaining power on the part of the consumer to change or to modify the terms of these agreements.

As we engage in a lively debate about the potential change of law and the grant of powers to those who would be able to enforce consequences against those in the social media sphere that may not respect the privacy rights of Canadians, I would like to say to the committee that contained within many of the contracts of service offered by these social media sites are what we refer to in law as choice of law or forum selection clauses. These clauses aren't necessarily easily understood by the consumer, but they are engineered to have a very practical and beneficial consequence by the draftsperson.

It is all fine and good to have a body of tort law and statutory codifications that place privacy in high regard and that protect Canadians, but this is all in vain when a dispute arises and Canadians are potentially told that the agreements they have entered into don't allow for the application of that same Canadian law. Instead, Canadians are told that their social media use or breaches of privacy that arise pursuant to that use, is instead governed by the laws of California or the laws of New York.

Pursuant to a forum selection clause, our domestic law may be displaced and any available remedies are to be made subsequent to foreign law, a law that doesn't necessarily reflect the values and protections that we hold dear as Canadians. It is essential when organizations target Canadians and use their personal information with a view to profit, that meaningful consequences can be brought to bear if that same information is abused. It is essential that Canadians are protected by the laws that are enacted by Parliament so they can be assured that the societal legal norms that we have established are respected and enforced.

Many social media companies explicitly cater toward Canadians for their profit. They accept and they run local advertisements. They have head offices that are set up in Canada. They offer promotions and services that are tailored to our national experience. When these companies make the choice to conduct their business in Canada by catering to our local trades, they should be willing to similarly acknowledge and conform to the laws and consequence that exist within our jurisdiction.

I would like to recap the three primary points I'd like to stress from my observation for the committee's consideration.

The first would be informed consent for the user. That informed consent must be required not only for a user's initial grant of use, as related to their personal information, but also for the subsequent modification of terms that will affect the user's experience or the social media company's use of that personal information.

Second, I believe that privacy laws should become more robust. Effective consequences should be brought to bear in relation to damages in tort, common law, or other breaches of statute. Consequences should be strictly enforced to effect deterrence and to protect the privacy rights of all Canadians.

The third thing I'd like to stress is the jurisdictional aspect. An essential component of any parliamentary response to privacy law should displace the need for the legal test known as real and substantial connection, to establish a jurisdiction simpliciter, and to have jurisdiction over the subject matter to which Canadian law can be applied.

It should be made clear and unambiguous that companies choosing to do business in Canada will be bound by Canadian law. I believe this should be explicitly codified.

Thank you very much for the opportunity to appear before you today. I look forward to answering any questions you might have this afternoon.

4 p.m.

The Chair NDP Pierre-Luc Dusseault

Thank you, Mr. Zushman. I want to thank all three witnesses.

We will now begin the question and comment period. I yield the floor to Ms. Borg. She has seven minutes.

4 p.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair. I want to thank the witnesses for joining us today.

This issue is extremely important to us, and I am sure it is also important to you since you have come to see us and you do a lot of work in that area.

The committee members have just come back from Washington. We had lengthy discussions on this topic with our American neighbours, and we talked about what they were doing. We discussed this topic with them thoroughly. They said that, as parliamentarians, we should not regulate that growing technological sector too much, since we don't want to discourage innovation.

Mr. Péladeau, what are your thoughts on that? Are we necessarily sacrificing innovation by imposing the regulations? If not, is there a balance we could strike?

4 p.m.

Pierrôt Péladeau Researcher and Consultant, Social Assessment of Information Systems, As an Individual

Here is the short answer. The issue is being raised in the United States. In 1986, I participated in a study the Government of Quebec commissioned to look at all the laws in the world. One particularity of the American laws, when compared with all the other laws in the world, is that the Americans focused too much on details in their regulations. They were tinkering too much, and that froze innovation. That's why I said earlier that personal information protection legislation should apply to the development phases and not to procedures. That was actually one of the recommendations set out in the report called L'identité piratée, where that approach was recommended regarding Quebec's personal information protection legislation. I understand that legislative approach in the U.S. context.

However, Canadian and European laws are more broad. They don't necessarily impose any procedures. They set management objectives that apply more broadly to the production, storage and communication of information. Companies are left with the responsibility to enforce those laws. That approach is more robust with regard to technological evolution, and it enables companies and organizations to enforce the laws.

Since then, I have noted that those are basically sound governance rules, as I was saying earlier. If sound governance rules are applied, companies will benefit. I will give you three quick examples.

In a large communication services company, they realized that the section covering Montreal Island produced 80,000 memos a month. It took one to three minutes to write those memos, which were totally useless and overburdened people who provided customer service. When I did the work in 1995, I realized that small companies, such as day-care centres, consisted of very small units: a secretary and a business manager. At the time, we succeeded in reducing the quantity of useless information managed to the equivalent of three months per person, to say nothing of the impact that had on the service.

In short, there should be as much involvement as possible in logical information phases—the major phases of the information life cycle—and not procedure phases, so as not to complicate everyone's life.

As I was saying, we must also realize that, when it comes to personal information protection, we should stick to sound governance and transparency rules. Issues such as child consent can be resolved from the outside. That matter does not apply only to the use of personal information, but also to all interactions with children. That may be held as a separate and universal principle.

To summarize, we should not deal with this in a sector-based way, like in the United States, or in such a detailed way, but rather as universally as possible, based on governance phases and principles.

4:05 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

My next question is again for you, Mr. Péladeau.

Do you think that a lack of trust and transparency may stand in the way of developing the full potential of social networks as a democratic tool?

4:05 p.m.

Researcher and Consultant, Social Assessment of Information Systems, As an Individual

Pierrôt Péladeau

Yes, that's a fact. We don't have enough feedback to verify that and be able to confirm it. However, there are very clear signs. The Facebook case speaks for itself. Facebook made certain changes that were disliked by its members. They reacted strongly. That made us realize that, basically, relationships are being managed. The trust relationship issue is a key element.

That being said, trust aside, we should understand that some of those applications develop in a local monopoly. It's a temporary condition, but we are talking about a monopoly.

Let's look at the Facebook case again. In some schools and classes, if you are not on Facebook, you are not part of the gang. Market mechanisms exist. We see them operating on a macroeconomic level. However, when we consider them from the individual's microsociological situation, we see that people don't necessarily have the option to be part of one group or another.

I have a very simple example for you. I have been a grandfather for 18 months. I had to join Facebook to see photographs of my grandson. My daughter is on Facebook and has about a hundred contacts. So although I would have preferred for her to use Google+, Flickr or another site, she told me that Facebook was the place to be, and thus left me no choice. So trust has an influence on a community level. However, it cannot necessarily have an influence on an individual level because market mechanisms are unavailable.

That has a consequence. If market mechanisms are not necessarily available, other mechanisms need to be used. If the walking is not working, we need to use talking. That's why I was saying that processes must be as transparent as possible. People must be allowed to make their own decisions and change the parameters themselves in full knowledge of the facts.

That social medium imposes a set of rules on us. It's an exercise of social power I have to participate in. As I was saying, the market mechanism does not necessarily work on an individual level. However, on a community level, social media are a place for discussion where communities of members can enter into a relationship—into what I earlier referred to as a democratic dialogue—with the developers and operators of those systems.

The legislator must ensure that this happens transparently. Afterwards, we must rely on social relationships and communities to decide in what direction things should move. That's how we can call for a boycott or service change, as people are doing at universities, where various social media are being used to discuss matters with students. They can decide together to go elsewhere if that is not working.

That, along with privacy protection laws, helps achieve transparency and hold a dialogue among individuals or a community, on the one hand, and the operators of those systems, on the other hand.

4:10 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you. I have to cut you off.

I want to remind everyone that the seven-minute period includes both questions and answers.

It is now over to Mr. Calkins.

4:10 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Thank you, Chair.

I have a couple of questions, but first I want to preface with my mindset that there are two schools of thought on this. One approach would be to pursue a more stringent regulatory approach that would be quite cumbersome, quite slow moving in trying to keep up with the pace of the ever-evolving technology and the innovative uses of that technology in today's social media environment. The other approach would be to simplify and codify a set of ethics standards or rules governing what should be proper use and then provide a hammer when somebody steps out of line.

Whether it be through civil litigation or other types of, shall we say, social licence challenges, we've already seen responses from those companies where their practices have been exposed quite publicly.

I'm going to ask Mr. Elder and Mr. Zushman which approach they would prefer and which one they think might be more beneficial. Would it be giving more power to a privacy commissioner to apply the basic rules and guidelines, and when those things get out of hand to maybe apply a disciplinary approach, or should we get into the business of trying to create a huge regulatory approach in trying to govern some of these issues?

4:10 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

Is it an option to do neither of those?

4:10 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

I suppose it's an option to do both, and it's an option to do neither. I would like to get your opinion.

4:10 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

I would argue that we've come somewhat close, I think, to option number two in terms of simplifying and codifying an approach. This is exactly what PIPEDA does, recognizing that technology is evolving very rapidly and the legislative process will always be behind. PIPEDA takes the approach that sets out basic principles that all organizations must follow. That allows for a great deal of flexibility to users and ultimately to a privacy commissioner in determining what is required, what level of disclosure, what type of consent, and what sort of uses are within the reasonable expectation of consumers, etc.

I think we're very close to having the right approach.

With respect to more powers to privacy commissioners to enforce, I would say that for many businesses, certainly the larger and more reputable businesses, fines and those kinds of enforcement powers are almost beside the point. The real stick, and where the rubber really hits the road for such companies, is the type of publicity you described.

When there is a major privacy breach and the company's name is all over the headlines about being hacked or about doing something inappropriate with data, that really does a lot to damage the company's brand. It makes people question their trust in the company. It makes people think that maybe they should be using alternate providers. Regardless of what the laws might be, that is what most businesses are really focused on.

One of the problems with having more enforcement powers is that it changes the essential nature of the relationship between privacy commissioners and business. Right now we generally have a fairly cooperative, sort of ombudsman-type model. I think it works fairly well. That is more conducive to organizations proactively sharing information with privacy commissioners.

If we move to a regime where there are more sanctions to be applied, it becomes much more like litigation, and I don't think that's the environment we want for privacy in Canada.

4:10 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Thank you.

Mr. Zushman, do you have any comments on this?

4:15 p.m.

Attorney, Merchant Law Group

Jason Zushman

Yes, I do.

First of all, the privacy commissioner performs an essential role. There is the question as to whether you would give more powers to the privacy commissioner or you would lead to a hybrid sort of judicial model where you're describing different statutes and codifications that would give more power to enforce litigation.

Part of the theory seems to be that when a company receives bad publicity—shall we say, the changes that were enacted by Facebook in 2009—consumers at that point proceed to vote with their feet and the company doesn't want to be seen in that particular light. But as we've heard from Mr. Péladeau, it becomes a social norm to be part of Facebook. It becomes a social norm to be part of these other social media sites, so people still return even though they realize there have been affronts to their rights, which can occur.

Perhaps you could also look at developing a hybrid model by which you could have the cooperation of businesses and different companies within the social media sphere with whom you could work to jointly develop those same laws and regulations, which could then be utilized for the protection of all Canadians and their privacy.

4:15 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

My next line of questioning comes from just a little bit of personal experience I've had. Believe it or not, I had a life before politics. I was a database administrator, and I understand that corporate data is a company's greatest asset, outside of its human resources. Of course what we're talking about here is what we do with data that's collected wittingly or unwittingly, knowingly or unknowingly, and how it's utilized after the fact, whether it's identifying an individual personally or whether it's data that's simply collected and assembled into information to provide marketing research or whatever is prevalent today.

The informed consent question is one I think we need to flesh out. We've heard many witnesses here talk about the devil being in the default settings that apply. We've heard horror stories, with all due respect to the lawyers in the room, about 15 pages of legal jargon. Of course users have a choice to either accept or not accept all of it in its entirety, perhaps without even knowing exactly what it is they're agreeing to.

Would I get consensus from the three of you that there needs to be a more simple process by which end users can be engaged in this and have confidence in knowing what it is they're agreeing to when they choose to use a free app they've downloaded, when they choose to sign up on a Facebook site or anything else of that particular nature, which may or may not track their personal use and information while online?

4:15 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Time is up, but I will give each of you 30 seconds or so if you would like to answer the question.

4:15 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

I'll jump in.

Certainly, one of the most difficult things is getting this balance exactly right. As a former chief privacy officer, I can tell you that it's extremely frustrating. On the one hand, you'll have people saying that it's too short, that you didn't disclose this and that. On the other hand, if you put everything in your privacy policy, you get accused of having a document that's longer than the Declaration of Independence.

I think we're starting to move toward models, and the web itself provides a great model for this. We're seeing layered policies where all of it is there, but it's presented through a series of hyperlinks that allow users to get very quickly to the aspects that are of particular concern to them, and therefore they can inform themselves and make an educated choice about how they want to proceed.

4:15 p.m.

Researcher and Consultant, Social Assessment of Information Systems, As an Individual

Pierrôt Péladeau

I agree. It's another process. As I said earlier, it's not done in an upfront way, where users are given a form to fill out once, and that's it. The process has to be ongoing. An interactive solution would allow users not just to access hyperlinks, but also to see what's going on. Text isn't the only option. A pop-up window could appear to tell people that if they do something in particular, their information will be sent to person X. The message could also tell people what the information will be used for. That would be a visual solution. We have to find Internet-based methods, because the Web gives us that kind of flexibility.

I think my 30 seconds are already up.

4:15 p.m.

Attorney, Merchant Law Group

Jason Zushman

Just to chime in, yes, you would obviously receive my consent to the terms and conditions that a user would agree are more straightforward and simple.

I guess it becomes difficult for users to provide consent potentially to unseen or unforeseen uses of data, for example, facial recognition. Let's say you upload a photo. A future development in that technology related to the use of that photo could be something that the user wouldn't necessarily consent to. To my mind that would be found in the ability to recall and remove the information that a user has provided from the social network.

But, yes, simplicity would be advantageous for sure.

4:20 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you.

Mr. Andrews, you have seven minutes.

4:20 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Thank you very much, Mr. Chair.

We'll come back to simplifying the consent form, Jason, in a minute.

My first question is for you, David.

You mentioned that the CMA has a code that is self-regulatory, and that your members adhere to it. Just to put it in perspective, could you give us some idea of what your membership is in Canada? How many marketers are members?