As a big user of social media, both personally and particularly for work, I am always concerned about privacy. My privacy settings are set on the highest options on Facebook, I’m still loathe to do online banking via my smartphone. Our publications — Canadian Lawyer, Law Times, InHouse, and 4Students — are all represented in various social media be it Twitter, LinkedIn, Facebook, or blogs like Legal Feeds. What I say and do is everywhere online and controlling it is important.
Beyond that, practically every adult Canadian at some point banks online, checks their credit card statements online, uses a debit card, takes advantage of online e-mail services like Gmail or Hotmail, has bills or statements sent to them electronically, files their taxes online. And if you’re not doing it yourself, your credit card company, bank, online music or video service, and more are maintaining and/or transmitting your personal information electronically. Even the pictures and signatures on our driver’s licences or passports are now transmitted across the country electronically.
I want to believe my information is safe, but I cannot. I’m not alone and this is probably not news not anyone. So I am big supporter of Canada’s Privacy Commissioner Jennifer Stoddart, who is at the forefront of identifying online privacy issues.
Yesterday, she released her annual report to Parliament that focuses heavily on online privacy. Stoddart and her office are making a difference on this front internationally, not just within our own borders, which is absolutely necessary as the Internet is borderless. In the last year, the privacy commissioner’s office has stepped in and been instrumental in changes at Google Buzz and Wi-Fi, eHarmony, and Facebook.
In a bit of a bombshell in the report, Stoddart reported that consumers’ social insurance numbers, banking information, and tax records were discovered on used electronics being resold by Staples Business Depot. It chastised the office supplies chain for not fully deleting data on returned devices such as laptops and USB hard drives, leaving customers at risk of identity theft or fraud.
However, as privacy expert Michael Geist points out on his blog today, why do consumers have to wait for the annual report to find out about these things?
While these are important privacy developments, the release of this information weeks or months after the investigation or audit was concluded points to a significant flaw in the current reporting approach. I recognize that that is how the system currently functions - the OPC reports to Parliament on audit findings and only occasionally publicly reports on PIPEDA investigations - yet there is something fundamentally flawed with a system that keeps consumers in the dark for months about privacy risks. This is particularly ironic given the OPC’s emphasis on data breaches and the need for the private sector to disclose breaches as quickly as possible. The same should be true for audits and investigations to allow the public to react to newly identified privacy risks.
In 2006, Law Times reported that the privacy commissioner was seeking more power to force organizations to make changes if they’re found to have breaches of the Personal Information Protection and Electronic Documents Act. The role of the commissioner was and still is much more of an ombudsman than an enforcer. Just last month, she commented at the Canada 3.0 conference — citing the case of Sony and its PlayStation Network — that her office should have the power to fine large companies over their ever-increasing privacy breaches. Even the latest updates of PIPEDA, which died when the federal election was called, did not include such powers.
The privacy commissioners role is increasingly important in today’s wired (or rather wireless) society. She should have more flexibility and power in order to position that role at the level is should be.
