Privacy is big news these days, particularly when it comes to online activity. Internet users are increasingly being tracked by websites they visit, by advertisers on those sites, and by their mobile apps. Profiling practices are ubiquitous. Information and activities on social networking sites are mined by “big data” for purposes that are hardly transparent to users. It is in this context that the Standing Committee on Access to Information, Privacy and Ethics has just released its report on Privacy and Social Media in the Age of Big Data.
The report outlines many of the challenges and issues facing individuals and regulators in the social media context. There are significant issues around how consumer consent is obtained to the collection, use and disclosure of their personal information, the unlimited nature of information collected, the uses to which harvested information is put, and the length of time information is retained. Some testimony before the Committee specifically addressed the added challenges raised by the collection of the personal information of children. Issues of accountability, transparency and security are also considered in the report, and the Committee heard testimony regarding the practices of specific social media companies, and the measures being adopted by the Federal Trade Commission in the US.
Given the broad scope of the inquiry and the importance of the issues, the Committee’s recommendations are a letdown. The first three recommendations consist largely of statements urging the Privacy Commissioner of Canada to develop new guidelines to address privacy challenges with social media. The recommendations which follow encourage both government and social media companies to support education, to promote safe online activities and to support digital literacy. While guidelines and education clearly have a role to play, the recommendations do not go far enough, and in particular, they ignore the sorry state of Canada's private sector data protection law.
During the course of its inquiry, the committee heard plenty of evidence about the lack of movement on long overdue legislative reform to the Personal Information Protection and Electronic Documents Act (PIPEDA), and about how the proposed amendments to this law in Bill C-12, which has languished for some time now, may already be out of date. The Committee also heard evidence about the need for enhanced powers of enforcement for the federal Privacy Commissioner who managed to do her job admirably well with largely only the power to cajole and encourage compliance. That the recommendations of the Committee are entirely silent on the need to amend PIPEDA to add data breach notification requirements, the power to levy fines, order-making powers or other enforcement measures is simply stunning.
One can be grateful, at least, for the recommendations contained in the Supplemental Report of the New Democratic Party of Canada. The NDP members of the Committee clearly took away a different message from these hearings than did the other members. The NDP makes a number of recommendations for legislative amendments that would enhance the enforcement power of the Privacy Commissioner. These include recommendations for legislative change to require companies to notify the Privacy Commissioner in cases of serious breaches of data security, to enhance the enforcement powers of the Commissioner, and to implement “do not track” functions. Indeed, earlier this year, the NDP’s Charmaine Borg (who sits on the Standing Committee) introduced a private members bill (Bill C-475) that would amend PIPEDA so as to implement some of these recommendations around data breach notification and enforcement powers.
The soft approach to privacy protection has not proven adequate to deal with the pervasive, intensive and ubiquitous data collection practices which have become the norm in our digitized society. The almost daily accounts of data breaches and their negative impacts on individuals are evidence of the failure of gentle encouragement to achieve regulatory compliance with even the most basic privacy norms. It is past time to update and upgrade Canada’s data protection legislation. It is most disappointing to see a Standing Committee report that can study these issues and conclude only that gentle encouragement is still the path to follow.