Thank you, Mr. Chairman.
The Public Interest Advocacy Centre is a national, non-profit organization and registered charity that provides legal and research services on behalf of consumer interests, in particular vulnerable consumer interests concerning the provision of important public services. We have been deeply involved with PIPEDA from before its passing.
Five years ago, we came to this committee to talk about privacy and social networks. Today, we come to discuss your review of PIPEDA. It is still about social media, but this time it has brought along its friend, big data.
Social networks and most smartphone apps routinely gather personal information as defined by PIPEDA, and retain that information on central servers. That information is then used, as permitted by PIPEDA, to target advertisements to that person, their friends, families, and colleagues on social media.
The term for this is “behavioural advertising” or marketing, as the vast amounts of very personal data, including one's preferences as to a myriad of products, previous purchases, location, age, gender, ethnicity, and much more, allow advertisers using this information to target these ads to your presumed behaviour and profile.
They call it “big data” when advertisers or other companies are able to combine data sets from various apps and website visits, and even from only one site over a long period. Then data mining occurs, using algorithms to look for patterns that suggest how successful targeting ads may be, or even attempting to find presumed ways to know or influence your future behaviour.
The companies doing this will tell you today that they are doing it lawfully under PIPEDA, that they have privacy policies, that they have your consent, and that they follow all the rules of sharing and processing data. The fact, though, is they often do not have your informed consent. Informed consent, whereby you understand the consequences of the provision of your information and what it will be used for and how it will be shared, is the standard for collecting, using, and disclosing information under PIPEDA.
Companies now are asking and beginning to ask that the consent standard be changed, largely because it impedes data gathering and big data. They will ask you to abandon informed consent as the standard that protects consumers and the reasonable expectations and conceptions of privacy. They will ask you for a risk-based model, or more implied consent. This should be resisted. Indeed, PIPEDA needs to enable the informed consent standard, and all it needs is some new rules to protect that and consumers.
Moving now to enforcement, if we are to address the problems with online privacy and big data, the Privacy Commissioner of Canada needs real enforcement powers, including a mandatory order-making power and an AMP or fining power.
PIAC advocated for these powers at the first PIPEDA review in 2008. At that time, the Office of the Privacy Commissioner did not want them. Then the OPC crossed swords with Facebook in a complaint in 2010. After that, Jennifer Stoddart asked you and the government repeatedly and loudly for order-making power and fining power. Her reasoning was that her office could not make large social media companies comply with only non-binding findings and name and shame.
Mr. Therrien, the current Privacy Commissioner, is more careful, and he may ask you only for order-making power. This will be cumbersome to enforce in court. You should also be giving him fining power.
In any case, if the Privacy Commissioner says that he or she needs it to do the job, why not give it? The OPC is up against the biggest corporations in the world right now, and needs tools. It is frankly embarrassing that provincial privacy commissioners have this power and not the Office of the Privacy Commissioner. Only by enforcing the present standards in PIPEDA can we see if it is effective or needs change. It's unfair to judge the act without enforcement.
Moving now to children, a new rule is needed regarding the treatment of children's privacy. I saw an extraordinary op-ed last week. In it, Owen Charters, the president and CEO of the Boys and Girls Club of Canada, said:
The Wall Street Journal reports that...children's websites in the US install more tracking software than sites aimed at adults. These tracking tools follow our children as they surf the web, collecting data about their behaviour and interests. This information is often sold to marketing companies.
There are endless public awareness campaigns dedicated to cyberbullying. Change is happening. But with the focus on those discussions, children's privacy rights in Canada have been placed on the back burner.
That a general children's welfare charity would underline online privacy is indeed telling. This letter closes with an exhortation to the Canadian government to pass a dedicated children's privacy act.
Our sentiments are similar, but we think that this protection can be added to PIPEDA. We have first-hand insights on the problem. In 2011, PIAC brought a privacy complaint against Nexopia.com, a social network based in Alberta and largely aimed at the teen audience. The Office of the Privacy Commissioner upheld all of our complaints, which were focused not so much on online safety, but on targeted marketing to minors.
Unfortunately, besides some voluntary guidelines from the Office of the Privacy Commissioner, we see no improvement in children's privacy in Canada since then. We have a detailed proposal to address this—and Europe is also adding regulations—but given our time to present, we invite you to ask about these solutions in your questions.