Evidence of meeting #51 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was nexopia.
A recording is available from Parliament.
NDP
The Chair NDP Pierre-Luc Dusseault
Good afternoon, everyone.
Thank you for joining us, Mr. Lawford. You are our only witness today.
According to the agenda, we are going to spend about an hour on evidence and questions. We are going to start with a 10-minute presentation. Members will then be able to ask questions, as usual. Finally, during the second hour, we will go in camera for the debriefing on working sessions abroad.
Without further ado, I will give the floor to Mr. Lawford for 10 minutes.
John Lawford Executive Director and General Counsel , Public Interest Advocacy Centre
Thank you, Mr. Chair.
I am here alone. Janet Lo, my co-counsel, sends her regrets. She's in a lock-up for CRTC on Bell-Astral.
The Public Interest Advocacy Centre is a non-profit organization that provides legal and research services on behalf of consumer interests, and in particular vulnerable consumer interests, concerning the provision of important public services. We have been deeply involved with the Personal Information Protection and Electronic Documents Act, PIPEDA, from a consumer perspective since its passage. We have published several recent reports: one on children's privacy online, one on a do-not-track list, and one on data breaches.
I've given the clerk a copy of references to those and summaries.
We're here today to talk about the immediate future of privacy. It is largely to be defined by services such as social networks. But social networks provide challenges to our concept of personal information and the commercial interests that are involved with that.
PIAC recently brought a complaint to the Office of the Privacy Commissioner of Canada under PIPEDA against Nexopia.com Inc., a social network based in Alberta and largely aimed at a teen audience. This real-life example illustrates the challenges of dealing with privacy and social networks, and unfortunately the inadequacies of PIPEDA to deal with improper privacy practices, even those where the improprieties involve children and teens.
PIAC alleged that Nexopia provided no comprehensible descriptions of the collection, use, and disclosure of the personal information of their largely underage users. We said that the company did not adequately detail its disclosure of information to advertisers, nor did it adequately detail how it used this information to serve up targeted teen ads. We complained that the default settings for personal information like gender, age, location, and pictures were open to the Internet—that is, not even closed to members of the site—and that this was unreasonable and even dangerous for the young users of the site. Finally, we noted that Nexopia appeared to keep personal information forever, even if an account were deleted.
The Privacy Commissioner upheld all our complaints. That was February 2012, some two years after we filed it.
Regarding default settings, the Privacy Commissioner wrote, in part:
We do not consider making portions of a user's profile available to anyone on the Internet to be consistent with users' reasonable expectations, particularly when a user has clearly indicated his or her preference to share information on a more limited basis.
However, Nexopia has said to the Privacy Commissioner that they will not implement the four recommendations related to retention of data. The Privacy Commissioner has had to go to Federal Court to enforce her findings. Why?
First, the Privacy Commissioner has no order-making power. She has no fining power. Social networks that judge privacy findings too inconvenient or expensive, it appears, can continue to operate in a privacy-violating manner.
Second, the refusal reveals the real nature of social networks: they are financed by personal information. Asking a social network to destroy data appears to them like removing an asset from the balance sheet.
The Privacy Commissioner's trip to Federal Court will show if business purposes or the personal privacy of individuals is paramount under PIPEDA. However, the larger issue for you at this committee is how to help design laws to avoid this type of conflict from arising in the first place, particularly in the fast-moving social networking and online space.
Now I'll move to Bill C-12 and breach notification.
LinkedIn and eHarmony suffered large data breaches this spring. Social networks are now major targets of hackers, and there is a risk of exposure of personal information that is not intended for general viewing from these websites. This is in addition to the leaking of personal information from websites noted by the Privacy Commissioner at the end of September in a recent study.
Bill C-12 is intended to amend PIPEDA to provide for data breach notification. However, it does not succeed. It allows the company suffering the breach to make the determination of whether the breach is material enough to even report to the Privacy Commissioner. Part of that determination is an assessment, again made by the company of itself, of whether the cause of the breach or a pattern of breaches indicates a systemic problem.
It's extremely unlikely, in our view, that any company, but particularly a social network that trades in data, will declare that it has a systemic problem with data breaches and data handling that leads to breaches.
Bill C-12 is asking companies to declare that they, in effect, are negligent. As a result, we confidently predict that under Bill C-12 a social network or other online company will almost never notify the Privacy Commissioner of a breach that has not otherwise been made public. Companies are expected to determine whether to report data breaches directly to the consumers as well. They must determine if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
First, this threshold is very high. It's higher than U.S. state law requirements and it's unrealistic. It's difficult to predict how personal information will be misused.
Secondly, Bill C-12 ignores the blindingly obvious incentive for companies to find no such risk to individuals and avoid notification and its cost. As a result, we confidently predict that under Bill C-12, social networks and other online media companies will almost never notify individuals of a breach that has not otherwise been made public.
There is another model in Canada for data breach laws: the Alberta Personal Information Protection Act. In Alberta, all breaches must be reported to the Privacy Commissioner of Alberta, on pain of fines. The Alberta Privacy Commissioner then determines if the breach is serious enough to notify individuals on a test of potential for any harm.
PIAC studied public attitudes to data breach notification in focus groups in 2011. Overwhelmingly, participants preferred the Alberta-type model to leaving companies to make this decision. We urge this committee to express these concerns about breach notification under Bill C-12 in its report.
I will turn now to privacy policies. Social network privacy policies are “take it or leave it” contracts. The burden of determining what is done with personal information is borne by the user. Yet social networks regularly rely on the consent of users to justify practices and point to the use of the site as the equivalent of consent to the entire privacy policy.
It's PIAC's view that this legal fiction is in fact used in place of informed consent in many social networks. Users simply do not read all the policy, and if they do, they do not understand it. Why is this? This is because major social networks define “personal information” in confusing ways, and none of them define it in the way it is defined in PIPEDA.
Many define personal information as personally identifiable information, which, as you recognize, is a U.S. legal concept. Recently, many larger websites have dropped any definition at all of personal information, only to give examples of treatment of certain data elements like gender or age. The clerk also has a copy, which should have been distributed to you, of wording of privacy policies that we're talking about.
This non-definition of personal information matters because users reading the privacy policy are not able to understand their real rights under PIPEDA in order to launch a complaint or to bring the company into compliance or even to contact the company.
The Privacy Commissioner appeared before this committee and stated that social networking sites do not do a sufficient job of explaining their use of personal information. She said she doubts in these situations that the social networking site has real consent. We think the Privacy Commissioner is right. But the complaint mechanism under PIPEDA is very poor enforcement. She needs order-making and fining power.
PIAC suggests, however, that given the challenges of big data collection by social networking and other online businesses, this committee go further and consider a full enforcement framework such as that for the do-not-call list for companies flouting Canadian privacy law.
I'm going to close with some forward-thinking ideas on social networking and privacy.
First of all, there are many related entities dealing with personal information created at social networking sites in order to monetize that information through advertising and other methods. This committee should study these relationships and consider rules for revealing related parties in personal information trafficking akin to those rules in securities law to bring increased transparency to data flows in social networking sites and marketing companies.
Secondly, the committee should consider a national do-not-track list.
Thirdly, the committee should study the nexus between privacy and competition law, and whether the Competition Bureau actually has a role to play in addressing privacy concerns and where a merger or other practice can reduce competition. For many online markets, competition for eyeballs depends on the currency of personal information or the value of big data.
PIAC thanks the committee for this opportunity to speak. We are happy to answer questions
in both English and French.
Thank you.
NDP
The Chair NDP Pierre-Luc Dusseault
Thank you for your wonderful presentation, Mr. Lawford.
We will now move to the seven-minute question and answer period, starting with Mr. Angus.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you, Mr. Chair.
Thank you, sir. This has been a very interesting discussion. If you've been following the course of our looking at the issue of social media, you'll know that we've been dealing with two major issues. One is the issue of not interfering with development, but ensuring that more vulnerable people—particularly young people—are not unfairly targeted, and that people's privacy is protected when it needs to be.
What we've heard from some of the main drivers on this new information highway is that they never speed, they always stop at the lights, they never do illegal left-hand turns, and there's no need to have police anywhere on any of this data-flow highway, and that things will just drive better.
I'm concerned that we have a case with Nexopia, which has breached the Privacy Commissioner's.... I think the Privacy Commissioner has found 24 breaches in Nexopia's handling of information. They haven't bothered to meet the deadlines set by the Privacy Commissioner; they're taking her to court to stand in the way of some of them.
Do you believe the Privacy Commissioner should have more tools to ensure compliance, so that we make sure that all the players in the market are following the rules?
Executive Director and General Counsel , Public Interest Advocacy Centre
We do, and the Nexopia complaint is a good illustration. But we could have chosen other social networking websites as well. The point is that we've gone through the process of identifying a site that seemed to not have made it clear to users what information would be used. The Privacy Commissioner upheld the complaint, and then they still didn't do anything. It may be that eventually Nexopia will follow the Privacy Commissioner's ruling, but it's a very inefficient way, I think, for her to go about it—especially since you see in Alberta and in B.C. and in Quebec that all those privacy commissioners can simply order a certain result.
It seems much more sensible and direct to have had, for example, the Privacy Commissioner's order made an order in February, and not to have to wait to see whether the company will comply. As far as the Privacy Commissioner is concerned, they're quite far offside.
NDP
Charlie Angus NDP Timmins—James Bay, ON
We're not trying to damage the reputation of Nexopia, but their business model is focused on young people, and young people using the Internet should feel free, should feel that when they use it they're talking to their friends and are not dealing with trolls. Yet you seem to be telling us that Nexopia's business model is that anybody, at any time, anywhere can track who is on it, what school they go to, what their sex is, what their preferences are. Is their orientation or other things on there? Is that the kind of information that anybody can find out?
Executive Director and General Counsel , Public Interest Advocacy Centre
That's the core of our complaint. It was triggered by the fact that you can go on to Nexopia, and they even provide a handy-dandy database searching tool for outside users—or anyone—to search from the front page for age, gender, and the city where you live. And if you do that, you can also choose interests and target people, and you get real profiles. You get real profiles from the outside world.
They're also indexed on Google or any other major search sites, so you can put in “female, 13, Calgary, dancing” followed by “:nexopia.com” and pull up profiles from that source as well. We thought that was not exactly....
It's not the expectation of a 13-year-old who signs up. The expectation is that you're going to share your information with your friends, not be available to everyone on the entire Internet.
NDP
Charlie Angus NDP Timmins—James Bay, ON
The Privacy Commissioner found the same. The Privacy Commissioner said that these rules did not meet the standards of the rights of protecting a vulnerable class in our population. Has Nexopia changed these settings?
Executive Director and General Counsel , Public Interest Advocacy Centre
They were asked to change their privacy policy and some other information on June 30, and they missed that deadline. They were asked to change their default settings by September 30 so that when you become a new member you are defaulted into “friends only”, and that this not be searchable outside of the site. They missed that deadline as well.
NDP
Charlie Angus NDP Timmins—James Bay, ON
I'm concerned because I know they've taken the Privacy Commissioner to Federal Court on their refusal to delete data. All of us have been struck by the horror story, the Amanda Todd cyber-bullying case, and that heartbreaking line in which she says, “I can never get that photograph back. It's out there forever.”
If a 15-year-old feels that they don't like what's happening on Nexopia or don't feel like they want to be part of it and they delete their account, the information is still being held by a commercial company. Are you saying that Nexopia has gone to court to be able to hold that data regardless of whether a young person wants it deleted or not?
Executive Director and General Counsel , Public Interest Advocacy Centre
No, I'm saying that when the Privacy Commissioner asked Nexopia to have a data retention policy and to provide users with a real delete key, if you will, they said no. And then the Privacy Commissioner thought it was important enough to go to Federal Court on her own to try to enforce her ruling, because she can't enforce rulings; she can only recommend.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Explain to us why it's important to have a delete button for young persons, or any person who decides they don't want to participate anymore. Maybe it's just getting a little too weird out there and they just want to have their lives back. Why should that option be very clear and very available?
Executive Director and General Counsel , Public Interest Advocacy Centre
We think that users and people.... It's almost a human right. You should have a chance to ask a company to remove the information. It's clear in the act that you are supposed to delete it if it's no longer used, so we don't see why you shouldn't have the right to remove it.
In Europe they're talking about a right to forget or a right to remove. It's a debate that's just starting in Canada. I think we should have it, because our group feels that it's a right of the user to delete the account.
NDP
Charlie Angus NDP Timmins—James Bay, ON
These companies set up operations whereby young people can trade information and do all kinds of great things, but we need to ensure there are some basic rules that those companies play by so that bad actors don't come in and so that young people aren't exposed.
Are we placing undue responsibility on companies such as Nexopia to have privacy settings or to delete accounts when they're asked to delete them?
Executive Director and General Counsel , Public Interest Advocacy Centre
The Privacy Commissioner did a pretty good job of saying that even with the present act, these are the rules.
The trouble comes when the company says, “That's nice. Thank you for your finding. We'll continue to do business as we wish.” The problem is in the enforcement. The act covers this. We won in 24 of 24 complaints. It's hard to say how you could improve the act. Perhaps certain tweaks would make it clearer. That's something the committee could study. For example, on data retention, it's not clear that the user has the right to delete. It just says, “have a data retention schedule”. Maybe it should be made clearer.
NDP
The Chair NDP Pierre-Luc Dusseault
Mr. Angus, your time is up.
I am now going to give the floor to Ms. Davidson for seven minutes.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Thanks very much, Mr. Chair.
And thanks, Mr. Lawford, for being with us this afternoon. We're certainly hearing very interesting statements from you.
I want to continue where Mr. Angus left off. You're talking about the fact that there could be certain tweaks to the act. You talked about data retention. Are there other things that you wanted to talk about concerning tweaks to the act?
Executive Director and General Counsel , Public Interest Advocacy Centre
It's interesting to stay slightly on that one as well. We haven't heard much in the committee—I've been watching it—about de-identification of personal information. That's used as an equivalent in the act. You can either de-identify or delete.
The research we've done in our paper tends to suggest some things never totally de-identify. Often they can be re-identified. So that would be a tweak. Perhaps we shouldn't have de-identification equated with deletion. Maybe they're different things.
October 18th, 2012 / 3:50 p.m.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
I don't even know what de-identify is. We're all familiar with delete.
Is it another method people use to delete, or feel they're deleting?
Executive Director and General Counsel , Public Interest Advocacy Centre
Yes, and it's a very attractive model for some commercial uses. You can aggregate or de-identify and then use the information for other purposes: monitoring who comes to your site, what they buy, telling advertisers and your customers, and tweaking your site so that it works right. It has some good uses.
Just as with health information for secondary health purposes, you have to be very careful that the person's particular health record can't be linked back to him or her, even when you take out certain identifiers. It's a bit of an art to design that.
In terms of other tweaks for the act, the consent mechanism is the right way to go. The trouble we had with Nexopia and with our paper on youth on the use of social networks was that kids didn't understand the extent to which information would be used for other things once it was out there. Is there any sense, in this committee or otherwise, in talking about a different level of consent for certain ages?
In the States, as I think you've heard from Mr. Elder, there is an act whereby companies can't collect information on those under 13 years of age. I think that's a pretty good rule. But we haven't been having that conversation here in Canada. It's still possible to collect information on two-year-olds. It's likely offside, according to the Privacy Commissioner, but it's possible to take a swing at it.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Continuing on a bit more on the privacy policies, I think you described it as a take-it-or-leave-it policy with no informed consent. I think we've talked about this a whole lot at this committee, about the privacy and the consent forms. Nobody reads them, whether they're teenagers or adults. People just scroll down to the bottom and push “I accept” and away they go.
Do you think there is a way to standardize it and to make it understandable for the user?
Executive Director and General Counsel , Public Interest Advocacy Centre
One of the things I mentioned in my presentation was that companies define personal information in terms of the uses they're going to put it to for their own company. While that might be fine, a standard statement of what personal information is, according to the law of the jurisdiction they're working in, such as Canada, would probably be a good addition. That way the average user could compare. I know it's more language rather than less, but that's certainly a possibility.
We've also talked in a couple of papers about trying to produce easy-to-understand icons or shorter descriptions. For a website that shares personal information, you might have two hands handing over a document, that sort of thing. That's helpful, I think, for people who are time pressed. That might be one way to go. Definitely, getting people together and seeing if there's any common ground for standardization would also be a really smart move.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
How would that be enforced? Would it be legislated? How would it be done?
Executive Director and General Counsel , Public Interest Advocacy Centre
Perhaps tweaking the act to say you have to state the act's own definition of personal information might be something you'd legislate. Otherwise, I think that would be something led by the Privacy Commissioner in a round table with stakeholders. It could be in the form of guidelines if it was going to come from the top down, but most likely it would be through the Privacy Commissioner and not through legislation. I see it as something that might be too difficult to legislate.