Greater transparency required to protect privacy in the digital age
BY DALE SMITH
In the age of covert privacy degradation, commoditized data and profile harvesting, what should governments be doing to protect citizens and democracy? While corporations and governments are collecting, analyzing and sharing the personal data of Canadians on an unprecedented scale, tens of millions of us have fallen victim to privacy breaches, often due to outdated regulation or lack of enforcement. Before the Bell asked experts and stakeholders to address how policy needs to evolve to keep pace with privacy and security in the digital age.
Andrew Burtch, the Canadian War Museum’s post-1945 historian, helped to situate the context of the discussion, recalling episodes during which privacy and civil liberties were subordinated to national security, such as the purge of gays and lesbians from the civil service because they were viewed as being vulnerable to blackmail.
Rachel Curran, principal with Harper and Associates, noted that the previous Conservative government was surprised by the cross-partisan backlash to its proposal to give law enforcement basic subscriber data.
“For us, it started the conversation about privacy rights, what do Canadians really know about what’s being collected, what input they should have into what’s being collected and how it’s used,” said Curran.
Michael Curran, publisher of Great River Media and the Ottawa Business Journal, said that most people don’t understand how much their data is being collected with things like loyalty cards, even when they find advertising that tracks them around the Internet to be “creepy.” He also proposed that harmonizing privacy rules with the European Union’s new online privacy regulations makes sense for businesses.
“The more that governments can do to harmonize those regulations, the more it would allow those corporations to focus on the spirit of the law and not get caught in the slightly different variations of regulations,” he said.
Chantal Bernier, former interim privacy commissioner of Canada and currently counsel and head of Dentons’ Canadian privacy and cybersecurity practice, noted what’s different about privacy in the digital age: Firstly, the abstraction of the internet; that we think we’re alone when using it when we’re really not; second, that it’s more complex than even MIT PhDs realize; and third, the opacity of its business culture and practices leaves consumers more vulnerable than we know.
“All those algorithms that detect us liking this or that are trade secrets,” said Bernier. “It’s the secret sauce that companies don’t want to sell. There’s an opacity there that keeps us from knowing what’s going on.”
Bernier also noted that much of her practice nowadays is helping Canadians come into compliance with the new European privacy standards, which is a regime that more properly restores the balance between the users and the transparency of the collection of data.
Erin Kelly, president and CEO of Advanced Symbolics, said that because her company has always had a policy against micro-targeting, and in many ways exceeded the new European privacy standards, the recent Facebook/Cambridge Analytica situation has actually been beneficial to her business. She also noted that the collection of personal data doesn’t actually work.
“That’s why we do things at the population level,” said Kelly. “If I made my money as a fortune teller does, trying to figure out what you’re going to do on any given day, my margin of error is going to be huge — it wouldn’t be accurate. But looking at the trends of 200,000 people, I can pretty much say that this is the party that’s ahead [in an election forecast].”
Corinne Pohlmann, senior VP of national affairs and partnerships with the Canadian Federation of Independent Business, said that from a small business perspective, the new European privacy regulations have given rise to a lot of questions from business owners.
Sylvia Kingsmill, partner in the risk consulting practice of KPMG, was involved in creating the Privacy by Design certification program at Ryerson University. It enables Canadian organizations to demonstrate that they’re responsible, accountable and ethical with the information they’re entrusted with.
“We did it as a best practice because there was no legal requirement to do that,” said Kingsmill. “There was a real market appetite to address this and to have a diagnostic tool to demonstrate to Canadian citizens that they can be trusted.”
The goal of Privacy by Design is to build privacy into the architecture of a new system, on the following principles: being proactive; having strong privacy default settings; embedding privacy and security into any product or culture of an organization; avoiding zero-sum thinking; ensuring that there is transparency and openness; providing security throughout the entire data lifecycle; and respecting the end-user.
Nathaniel Erskine-Smith, Liberal MP for Beaches East-York and vice-chair of the Standing Committee on Access to Information, Privacy and Ethics, said that Canada has stronger privacy laws than many countries, but our Privacy Commissioner needs more tools to enforce those laws and to audit companies more proactively.
“A lot of what we’ve heard has focused on transparency,” said Erskine-Smith. “More information is required from companies to say ‘Here’s how we use the information, here’s why we collect the information, and here’s what we do with it’. Privacy policies need to be simplified by a significant degree.”
What do Canadians really know about what’s being collected, what input they should have into what’s being collected and how it’s used.” — Rachel Curran Harper and Associates