Oversharing on a Public Stage: The Privacy Commissioner of Canada's Annual Report

Peter Waldkirch is a second year LL.B. student at the University of Ottawa.

The Privacy Commissioner of Canada, Jennifer Stoddard, recently released her office's Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA).  Several press outlets have covered the report.  The Office of the Privacy Commissioner of Canada's (OPC) press release, and the Report itself, can be found here.  While the report itself covers a wide range of topics, including statistics on complaints received and summaries of recent litigation in which the Office has been involved, the press coverage has focused almost exclusively on one of the “Key Issues” identified in the report:  youth privacy online.

This focus of the report is made clear in the Commissioner's opening message, in which she notes that, “Many young people are choosing to open their lives in ways their parents would have thought impossible and their grandparents unthinkable.”  Moreover, she notes, many young people don't seem to be taking online privacy seriously; the word used in the report is “indifferent”.  Underlying these observations, it seems to me, is the acknowledgment that even strong statutory protection of privacy is ultimately meaningless if the people the statute is meant to protect don't care about their own privacy.  PIPEDA revolves around the concepts of notice and consent, and if someone just doesn't care about their privacy, consent will be trivially given.

As the Commissioner points out, many young people do not think of privacy in the same terms as previous generations.  The OPC is concerned about serious issues such as identity theft and fraud, problems that most young people simply do not consider.  The Report notes that recent research suggests that many young people care about online privacy only to the extent that it impacts their online reputation and status.  One’s online life and “real life”, however, are not totally distinct.  Information published online can have definite real life consequences, ranging from identity theft to the loss of a job.  A good example of how carelessly posting information publicly can have serious repercussions is the BC MLA candidate who had to withdraw from a Provincial election because of inappropriate pictures posted on Facebook.

The indifference of youth towards online privacy seems symptomatic of a profound shift in attitudes I have noticed over my years on the Internet.  When I first started “surfing the Infobahn” (am I dating myself?), it was drilled into me that one should never, ever use one's real name or other identifying information online.  The very value of today's social networking websites, however, depends on the publication of such information.  For many people, the whole point of being on a website like Facebook is to make oneself (and one’s personal data) publicly accessible.  If you don't use your real name, how will people find you?

The major role that technology plays in mediating the social interactions of young Canadians affects how identity and relationships are constructed and perceived.  As the current generation of people who have been raised with these sorts of technologies matures, what sort of norms will develop?  When everyone has pictures of “regrettable moments” online, how will reputation and social status be measured?

That being said, I'm no technological fatalist, and obviously neither is the Privacy Commissioner, who sees room for intervention and education.  Regardless of the social consequences, identity theft and fraud remain concrete problems.  To that end, the Report details some steps the OPC has taken to raise awareness of the importance of privacy amongst Canada's youth.  These include a new website dedicated to youth, educational modules for use in the classroom, and a Youth Privacy Video contest.

In addition to the focus on youth, the Report provides a lot of valuable information for anyone interested in the activities of the OPC.  Amongst other things, the privacy complaint against Facebook, initiated by the University of Ottawa's Canadian Internet Policy and Public Interest Clinic (CIPPIC), is discussed (as it is here on IPilogue by Virgil Cojocaru).  Details on the substance of complaints and the process with which they are handled are also provided.

I was also interested in two elements of the Report that haven't received much media attention.  The first is the massive backlog of cases the OPC is facing.  Despite the addition in 2008 of significant human resources (for example, ten new investigators were hired in addition to the previous four), the average resolution time for a complaint was 20 months, which the report itself called “unacceptable”.  The report also reiterated the Commissioner's call for a statutory mandatory notification scheme when a data breach occurs, writing that, “Our Office feels strongly that private-sector organizations should be obliged by law to inform individuals if their personal information may have been put at risk in a data breach.”  Without such a requirement, Canadians have little opportunity to manage and mitigate the risk of identity theft or fraud.

Despite these challenges, the report gives an ultimately optimistic view of the efficacy of PIPEDA to protect the privacy of Canadians.  PIPEDA has only been in effect since 2004, and while outreach and education are clear priorities moving forward, the sheer volume of complaints the OPC receives (422 in 2008) illustrates that PIPEDA and the Privacy Commissioner have a vital role to play in helping Canadians protect their privacy.