The Privacy Commissioner of Canada has tabled her annual report for 2009 addressing PIPEDA. Here's the executive summary:
The dominant theme of our work in 2009 was the protection of privacy in an increasingly online, borderless world.
A case in point was the investigation that resulted in more public attention than any other in our Office’s history: Facebook.
The investigation was a huge undertaking for us because it was wide-ranging and the issues were incredibly complex and, in some aspects, highly technical. We were also dealing with a multinational organization based in the United States.
We expect that, as people continue to spend more time online, we will see a growing number of complaints about online organizations. And, with the digital world erasing the borders between countries, more complaints will be about organizations outside Canada.
Data without Borders
We live in a world in which global data flows have become multipoint and multidirectional.
These streams of personal information circling the globe are only going to increase as more individuals take advantage of information and communication technologies.
There are currently some 1.5 billion Internet users. A billion more people are expected to join the online world in the next 10 years, with many of the new users coming from countries such as China, India and Brazil.
The need for a global privacy standard is clear, given global data flows and ubiquitous communication and information technologies. In our interconnected world, we need to take a co-operative approach to protecting personal information.
In 2009, our Office worked with several organizations and initiatives to develop a global privacy solution, including the Organisation for Economic Cooperation and Development, Asia-Pacific Economic Cooperation, International Conference of Data Protection Commissioners and the International Organization for Standardization.
Responding to Canadians
One of the most important ways we serve Canadians is through our inquiries service and investigations branch.
In 2009, we handled 5,095 new inquiries about issues that fall under PIPEDA. These calls and letters dealt with everything from how to ask an organization for access to personal information to whether a particular company has the right to collect a digital fingerprint.
We find that more people are turning to our website when they are seeking information about privacy issues. In 2009, we developed many materials and tools for our website, including complaint and data breach reporting forms and numerous fact sheets and guidance documents for business.
Our Office received 231 new PIPEDA-related complaints for investigation in 2009 – a drop from the 422 we received the previous year.
Part of this decrease is explained by the fact that we are encouraging people to try to resolve issues directly with organizations before they make an official complaint. We’re finding that many problems can be dealt with quickly – and in a way that is satisfactory to would-be complainants.
Our investigations dealt with a wide range of issues, including the online collection and use of personal information; covert surveillance by private investigation firms; workplace surveillance, such as the use of video cameras and location-tracking devices, and the collection of driver’s licence information by retailers.
We closed 587 complaints in 2009, a significant increase compared with 412 the previous year. Our concerted effort to eliminate a backlog of complaints was successful, and this will allow us to complete future investigations far more quickly.
We were pleased that many private-sector organizations voluntarily reported data breaches to our Office. We received 58 breach reports in 2009. That was fewer than the previous year, when a large number of mortgage brokers reported breaches to us.
Protecting Privacy in a Changing Environment
We continued to stress the need to ensure that laws keep up with changing threats to privacy.
We welcomed the adoption of legislation to combat identity theft through amendments to the Criminal Code.
Important legislation aimed at fighting electronic spam, the Electronic Commerce Protection Act, was also introduced and we hope it will be passed into law in the near future. Canada is currently the only G-8 country without anti-spam legislation.
That bill also included legislative amendments that would increase our Office’s ability to share information about spam and other privacy issues with provincial and foreign counterparts who enforce laws similar to PIPEDA. It would also provide the Commissioner with greater discretion to accept complaints or discontinue investigations.
New technologies sometimes put privacy laws to the test – and this was the case in 2009 as well. Social networking sites and online street-level imaging applications, for example, highlighted new ways of collecting and using personal information.
We found that PIPEDA – a technology-neutral and principles-based law – appears to be flexible enough to guide commercial uses of new technology.
While we addressed privacy concerns in social networking as part of our investigative work, we dealt proactively with our concerns about street-level imaging during a series of discussions with Google Street View and Canpages. These discussions resulted in improved privacy protection on both websites.
We also did extensive work on the issue of deep packet inspection – both as part of an in-depth investigation and submissions to the Canadian Radio-television and Telecommunications Commission (CRTC). As well, we created a website showcasing a series of essays on deep packet inspection by leading academics and professionals working in telecommunications, law, privacy, civil liberties and computer science. The project grew out of our desire to better understand a technology that can be a tool for network traffic management, behavioural advertising, and law enforcement. We hope it will promote discussion about the privacy implications of deep packet inspection.