Thursday, August 06, 2009

Opinion: Give privacy laws teeth

The next in the series of three privacy OpEds in the National Post goes to Phillipa Lawson, formerly of CIPPIC:

Give privacy laws teeth Internet use in Canada has had enormous economic and social benefits; individuals and organizations can now broadcast their ideas, promote their businesses and build communities of interest instantly, at minimal cost, worldwide. But technology is a double-edged sword; it can be used for bad as well as good, and the impacts of its use even for non-criminal purposes are not all positive. The greatest casualty of our enthusiastic embrace of the Internet is, without doubt, individual privacy.

Fraudsters, identity thieves, stalkers and vengeance-seekers are using the Internet to solicit, track and prey on victims, often by taking advantage of the vast amount of personal information available online. While such information is a gold mine for imposters and stalkers, its collection, use and trading by non-criminals can be equally damaging for the individuals whose personal information is at issue.

Careless or malicious posting of photos, videos and personal information online can have devastating reputational impacts on individuals -- impacts that may never fully disappear because the digitized information, once released online, never disappears.

A video posted on You-Tube, for example, can turn a small-town student into an instant celebrity, but it can also provoke ridicule worldwide. False rumours can spread like wildfire. Embarrassing photographs posted online can seriously impede future employment prospects. And because the digital medium is so persistent, reputational effects may never be overcome.

Easily abused personal information is offered up to a remarkable extent by individuals themselves on social-networking sites, personal blogs and chat rooms. But many users don't appreciate the extent to which such information is publicly accessible, easily gathered and compiled by others and thus vulnerable to abuse. Only a minority of Facebook users, for example, bother to adjust their privacy settings from the defaults set by Facebook, which are to share with everyone in the Facebook-determined networks they have joined.

Personal information is also made public by friends, acquaintances and organizations who post it online often without the individual's knowledge, let alone consent. Once discovered, it can be too late to undo the damage caused, for instance, by publication of an indiscreet photo or the home address of a high-risk social worker.

Furthermore, there is a huge industry in the collection and trading of personal information, much of it covert. Marketers want to manipulate us into buying more stuff. Insurers want to minimize their risk. Employers want reliable, mature employees. Governments want to make sure that we aren't threatening national security.

Privacy law is about protecting our right to control with whom we share information about ourselves. But it should also recognize that certain uses are simply inappropriate, and that "consent" is often no more than a fiction.

Canada has a reasonably good set of data-protection laws. In general, corporations are required to get our informed consent before collecting, using or disclosing our personal data, and can do so only for purposes that a reasonable person would consider appropriate in the circumstances. Government entities can collect, use and disclose our data only for certain specified purposes.

But these laws do not place explicit limits on the collection and use of personal information posted by children, who are most vulnerable to abuse online.

Nor do our laws, outside Quebec, Alberta and B. C., place significant limits on non-commercial and nongovernmental uses of personal data without consent. While courts are starting to recognize a common-law right to privacy that would fill this gap, there is little to protect most Canadians from privacy abuses that arise outside the commercial or government context.

Moreover, existing privacy laws are only as good as their enforcement. At least one study has shown that there is widespread non-compliance with Canadian privacy laws, especially in the commercial sector.

This is not surprising given that the costs of non-compliance are minimal. The federal privacy commissioner is limited to making recommendations. Complainants in most jurisdictions must engage in expensive lawsuits in order to get binding orders for which they will likely receive no compensation.

This is not good enough. Privacy laws should apply to non-commercial as well as commercial activities. They should prohibit collection and use of kids' data, other than in exceptional cases. They should require meaningful consent, not just an easily overlooked opt-out check box. And we should be able to hold others accountable under privacy laws without undue effort and cost -- it's time to put some teeth into our privacy laws.

Philippa Lawson was director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa from 2003 to 2008 and currently practises law in Whitehorse, Yukon.

No comments: