Thanks to the committee for your invitation to appear again.
I'd like to start by offering my congratulations to the standing committee for their recommendations to reform the Privacy Act, which were published late last year and which I thought were excellent.
It is, I believe, fairly clear that the current consent-based model of privacy protection is broken. The core dynamic that underlies this model and that drives much of the digital economy is that users may choose to trade their personal information for services. There are undeniable benefits to this model, which has assisted in the rapid spread of the Internet by lowering costs of entry. However, this dynamic relies on meaningful consent, which in turn requires at least a nominal understanding by the contracting party of what they're signing on to. In fact, virtually nobody reads their terms of service agreements, a state of affairs that significantly undermines the legitimacy of the consent obtained.
The OPC report points in part to the length of these agreements and the frequency with which they're presented to users as a cause of this lack of understanding, but it's also worth noting that these agreements are often drafted in a highly convoluted, confusing, and even self-contradictory manner that even technically and legally trained people struggle to understand. There's a vicious cycle at work. The fact that very few users read these agreements or use their substance as a basis for accepting or declining a service gives companies licence, and indeed an incentive, to draft them incredibly broadly. This drafting style and the lack of accessibility further depresses engagement with the agreements by their signatories and so on.
It's also worth noting that the company that presents the agreement and offers a service may often be distinct from the ones that actually collect and process the information. Third party data brokers play an increasingly common role in the Internet's ecosystem. A 2014 study showed that of the 950,000 most popular websites, 88% of them automatically shared visitor information with third parties, an average of 9.5 different third parties per website. The vast majority of this tracking is carried out surreptitiously, with only 2% of third parties including a visible prompt alerting users to their presence.
There's a clear problem here. However, it's important to try to look for solutions that will not derail the current digital economy. Although there are pros and cons to a system where personal information is used as a major currency by which online services are procured, potential avenues forward should be crafted with an eye to maintaining the tremendous benefits that Internet access provides.
One solution, which we strongly support, is to boost the quality of consent by improving the information available to users. A better practice here may include publishing a summary or explanatory guide of the terms of service alongside the full legal version, ensuring that the agreement is easily available for review, and clearly notifying users when a substantial change to the change of service has been made.
The OPC has an important role to play here: to promote better practice in terms of clarity and accessibility of terms of service agreements, and to audit existing agreements for their clarity and accessibility, as well as their accuracy against how information is actually collected and processed. In addition to these steps, the proposal to shift to opt-in consent as a default to the required approach is one that we support.
The move to expand transparency is another important factor to boosting the quality of consent, allowing people to look under the hood of the services and platforms they use. This may include, for example, a right to request an explanation of how their personal information has been used to customize their online experience, or what factors went into a particular decision by the company that they were subject to. However, while there is substantial room by which the quality of user engagement and of consent may be improved, these improvements alone are not sufficient to safeguard the privacy rights of Canadians. The CLD supports the creation of clearly defined no-go zones, as well as proceed-with-caution zones, as mentioned in the OPC report. One important area to consider here is the need for greater clarity on how information can be transferred out to third parties or resold, and what rules should govern these external uses. Broader investigative powers by the OPC are also needed to promote good practice in terms of information management and security.
In terms of the de-identification or anonymization of information, while I think it should certainly be encouraged, it is not a panacea for the current privacy concerns. I would add to the commentary contained in the OPC's report by noting that as anonymization gets stronger, the commercial value of information can often decline, giving businesses an incentive to pursue incomplete solutions. Moreover, the fact that information has been, quote-unquote, anonymized may create a false sense of security, prompting companies to be less vigilant in safeguarding it and consumers to assume that threats to privacy have been nullified.
I also want to speak briefly about reputation and privacy and the right to be forgotten.
The Internet's transformative impact on our social functions has made a person's online footprint a vital aspect of his or her identity. However, the permanence and increased accessibility of online information has led to concerns from some about the Internet's impact on privacy and reputation.
There are benefits to making people's pasts more accessible. A Holocaust museum, for example, has a legitimate interest in knowing if a person it is considering for a job has a history of making racist comments. However, we are also a society that believes in giving people second chances. There can be problems with how the digital records present themselves, such as where a decision by a prosecutor to drop charges may not generate as much coverage as the initial arrest, or where an erroneous and sensational media report may attract more attention than a later retraction.
However, experiences in Europe with the right to be forgotten should be viewed as a cautionary tale about what not to do. Namely, any move to develop a right to be forgotten should be grounded in clear and limited definitions of how it applies, strong transparency, and robust due process. I will address each of these in turn.
First, the application of a right to be forgotten requires a careful balancing of freedom of expression, privacy, and the right to information. Any such balancing will have to be based on a clear test to determine where the public interest lies. People have never had a right to control or curate their reputations. Any move to create a right to be forgotten should be aimed only at the novel aspects of reputation that have come about as a result of the Internet and should be reserved for significant and demonstrably unfair circumstances, such as when a person has been wrongly arrested.
Second, transparency is a key ingredient, including making available detailed information about how decision-making processes work and how they have been applied. There should be as much information as can be provided, short of undermining the efficacy of the processes themselves.
Third, as with any restriction on freedom of expression, due process is critically important. Search engines are simply not equipped to engage in this careful balancing of rights, and unfortunately have an incentive under the current European system to err on the side of removing the information without providing the careful due process such a tricky issue should warrant. Any order to remove material or to reduce its accessibility should be left in the hands of a court or a quasi-judicial authority, including careful due process considerations.
I want to emphasize that none of the above should be interpreted as an endorsement of the right to be forgotten. Indeed, there is a strong argument to be made that the present reputational challenges will sort themselves out over time, as people will gradually become inured to the preponderance of embarrassing or unpleasant information out there and will learn to take such information with a pinch of salt. However, insofar as the right to be forgotten is being considered, it is important that we not repeat the widely criticized mistakes of the Court of Justice of the European Union in how it handled the matter.
I look forward to your questions in the discussion.