I appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics for a hearing on privacy and social media.
Appearance before the Standing Committee on Ethics, Accountability & Privacy
May 31, 2012
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I was a member of the National Task Force on Spam struck by the Minister of Industry in 2004 and I currently serve on the Privacy Commissioner of Canada’s Expert Advisory Committee.
I appear before this committee today in a personal capacity representing only my own views.
My opening comments will identify several areas for potential government action, but I want to provide a bit of context with three key caveats.
First, it may be stating the obvious, but social media is an enormously important, positive development. The number of users is staggering and its role as a key source for communication, community, and political activity grows by the day. The opportunities presented by social media should be embraced, not demonized and government should be actively working to ensure that it incorporates social media into its policy consultation processes.
Second, Canada has been a leader in the use and regulation of social media. The Privacy Commissioner of Canada was the first to conduct a major privacy investigation into Facebook and has led on other issues involving social media and Internet companies.
Third, while we have had some influence through those investigations, Canada has not led in creating the social media services used by millions around the world. The failure to articulate and implement a national digital economy strategy comes back to haunt us in these circumstances, where the ability to place an unmistakable Canadian stamp on social media is undermined by the policy failures that have done little to encourage the development of Canadian social media sites.
What Is There to Be Done?
With those caveats, what is there to be done? I’d like to point to four areas and issues.
1. Finish What We’ve Started
The government has introduced and even passed legislation that can be helpful in addressing some concerns that arise from social media, yet these initiatives have stalled short of the finish line. Anti-spam legislation, which received royal assent in 2010, has still not taken effect as final regulations have not been approved. In fact, Industry Canada officials now indicate it could go well into 2013 before the regulations take effect. Given the amount of work that went into the legislation, it is shocking that the law has been left in limbo.
Moreover, Bill C-12, the PIPEDA reform bill that seeks changes arising from the 2006 privacy review, lags in the House of Commons with seemingly no interest to move the bill forward. Indeed, the bill is now outdated and a full PIPEDA review to address emerging concerns such as order making power, statutory damages, and tougher security breach requirements than those found in the bill is needed. In fact, the C-12 security breach reporting rules are primarily bark with little bite given the absence of penalties for failure to comply.
The government has also promised a digital economy strategy for years and has failed to deliver. The strategy has come to be known as the Penske File, a reference to the Seinfeld episode that involves working on an imaginary file. While other countries are now years into implementing their strategies, Canada still lags behind.
It should also be noted that these issues must increasingly be addressed in concert with the provinces. The line between federal and provincial jurisdiction on many of these issues is blurry and legal challenges against federal legislation is a real possibility. Work is needed to begin to develop minimum standards that can be implemented at the provincial level should federal leadership be challenged in the courts by companies seeking to circumvent their privacy obligations.
2. Devil is in the Defaults
In many respects, social media and Internet companies are the most powerful decision makers when it comes to privacy choices. As my colleague Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the defacto privacy choices for millions of users. Given the increasing pressure to generate revenues, we can expect those default choices to change in aggressive ways to make greater use of user data.
There are examples of companies doing great work in the area. Twitter recently implemented do-not-track options that won plaudits from the Federal Trade Commission in the U.S. Similarly, Google offers its users transparency tools so that they can obtain detailed information about what information is collected, how it is used, and how they can modify their privacy choices. The company has also been transparent about law enforcement requests for information and copyright takedown demands.
There needs to be continued work on these defaults, initiatives to provide users with greater information and transparency, and steps to ensure that companies live by their privacy commitments.
3. Lawful Access
The introduction of Bill C-30 brought with it an avalanche of public outrage and concern over the proposed Internet surveillance legislation. While much of the focus was on the mandatory warrantless disclosure of subscriber information by telecom service providers, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.
A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law enforcement requests for customer name and address information, frequently for accounts that should have been deleted months earlier.
Social media generates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure. Indeed, documents recently obtained under Access to Information indicate that Public Safety is thinking about how the rules are applied to social media sites and services. Bill C-30 needs to go back to the drawing board to effectively account for these issues.
4. New Legal Issues
While I think that much can be done to use or augment existing rules, social media and the Internet do raise some unique issues that may require targeted responses. In the interest of time, let me name two. First, do-not-track. As you may know, cookies can be used to trace the web browsing habits of users, including when they visit third party sites. For example, Facebook inserts a cookie on user browsers that traces your activities as you surf the net. Any site with nothing more than a Facebook “like” button – as found on Conservative, NDP, and Liberal sites – means that Facebook records a visit to the site and retains the information for months.
A growing number of sites, including Yahoo, AOL, and Twitter, respect functionality found in Firefox browsers that allow a user to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser.
However, many sites have been slow to adopt do-not-track and Facebook has thus far declined to do so. Given the failure of industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that user choice is respected.
Second, there is a growing problem of social media misuse. For example, in recent months there have been an increasing number of stories of employers requiring employees to provide their Facebook user id and password as a condition of a job interview. Seeking the same information with direct questions would typically be prohibited, so this is used as a circumvention of longstanding standards and principles within employment law. In response, the State of Maryland has passed a law banning employers from requiring employees or job applicants to provide access to their personal digital/social media accounts. Several other states are working on similar legislation and Canada should consider following suit.