Remarks at the 11th Annual Privacy and Security Conference

Amanda Carpenter is a JD Candidate at Osgoode Hall Law School.

The Privacy Commissioner of Canada (Jennifer Stoddart) recently delivered a speech entitled “The future of privacy regulation” at the 11th Annual Privacy and Security Conference held in Victoria, British Columbia. In her speech, she described the changes that have occurred in cyberspace over the past decade. These changes not only encompass the creation of Facebook, Twitter, and YouTube – they encompass changes regarding the expectations people hold as to what technology will do for them, as well as increased globalization.

These changes have resulted in great challenges for the current regulatory framework that protects private and personal information, and she says that it will need to be strengthened to face further challenges caused by the next decade of change. The Privacy Act, governing the public sector, and PIPEDA, governing the private sector, will need to be dramatically modernized to address technologies that didn’t exist when they came into force. For example, she cites the need for amending PIPEDA so that commercial entities would be obliged to report large data breaches instead of such reporting being voluntary.

She described in depth some of the changes that have occurred in cyberspace. As a result of the creation of new technology, information about the way we interact, shop, and learn is now online, and this information is now recognized as having commodity value. It is the biggest commercial asset of social networking sites and free online search engines. It has spawned a whole new economic sector – the tracking, profiling and targeting of consumers for various types of behavioural advertising, or even for employment purposes. This shouldn’t seem odd to many who have, after searching the Internet for a particular item, received an email from a merchant like Amazon advising them that they have that item available for purchase. She says that the rise of this technology has also resulted in a typical data breach no longer affecting just a handful of people, but potentially hundreds of thousands of them. For example, how many people would be affected if everything posted on Facebook suddenly became public? Through increased globalization, our online data knows no borders: through many of our routine activities such as email, we’re sending our personal information abroad, where it ends up in countries with less robust privacy-protection regimes than our own. This results in a loss of privacy rights, such as the right to request access to one’s information and to challenge its accuracy. Social norms about how much people are prepared to share their personal information online have evolved. For example, young people have a more liberal concept of privacy. However, concerns about privacy are not gone: there remains a powerful belief that the choice to disclose information belongs to those who have shared their personal information online.

Successes in the regulation of online privacy concerns that have been achieved have hinged on the co-operation of organizations to submit to the authority of Canadian privacy law. Citing the example of cyber-thieves, she worries that this will not always be the case. To better respond to recent challenges, she lists as a possibility the Office of the Privacy Commissioner reforming its administrative structure to result in stronger enforcement and order-making powers. To respond to the challenges posed by globalization that regulators are confronting with local solutions, a global standard for protection of privacy is required. This will solve the problem of the existing privacy regulations being ignored by creators of new technology because no one has stopped to consider privacy implications, or find that whatever rules that do exist are vexed by a lack of clarity, predictability and harmony in global data-protection regimes. She cites that a global response is in the making, such as the Spanish Initiative, where dozens of the world’s data-protection authorities endorsed a draft international standard on the protection of privacy in Madrid. Ten giant global corporations such as Microsoft, Google, and IBM were instrumental in causing this to happen by signing a letter calling for rules of this sort on the grounds that they would bring legal certainty.

In conclusion, she remarks that as a result of recent changes in cyberspace, personal information requires more protection than ever before. Without adequate protection, “the risks are significant – to consumer confidence, to global business, and, of course, to some of the very fundamental rights that Canadians expect”. Unfortunately, much of the world outside North America and Europe currently lacks adequate rules for handling this precious commodity. She predicts that the decade ahead will see a more concerted, consistent – and ultimately successful – approach to the protection of personal information.  A single, enforceable global standard for privacy is needed urgently to preserve and promote the privacy rights of Canadians, and thus we, along with other jurisdictions, need to move in that direction.