Canadians are among the most active social media users in the world, yet the growing reliance on sites such as Facebook, Twitter, LinkedIn, and Google+ has generated unease with the privacy implications of massive data collection. My weekly technology law column last week (Toronto Star version, homepage version) notes I was recently invited to appear before the committee and used my time to identify four areas in need of action.
Moreover, Bill C-12, the privacy reform bill that seeks changes arising from the 2006 privacy review, lags in the House of Commons with seemingly no interest to move the bill forward. In fact, the bill is already outdated as it fails to address issues such as privacy commissioner order making power, damages for privacy violations, and tougher disclosure requirements for security breaches.
Second, in many respects, social media and Internet companies are the most powerful decision makers when it comes to privacy choices. As my colleague Professor Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the defacto privacy choices for millions of users. Given the increasing pressure to generate revenues, we can expect those default choices to change in aggressive ways to make greater use of user data.
There needs to be continued work on these defaults, initiatives to provide users with increased information and transparency, and steps to ensure that companies live by their privacy commitments.
Third, the introduction of Internet surveillance legislation earlier this year brought with it an avalanche of public outrage. While much of the focus was on the mandatory warrantless disclosure of subscriber information by telecom companies, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.
A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law enforcement requests for customer name and address information, frequently for accounts that should been deleted months earlier. Social media creates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure.
A growing number of sites, including Yahoo, AOL, and Twitter, respect functionality found in Firefox browsers that allow a user to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser. However, many sites have been slow to adopt do-not-track and Facebook has thus far declined to do so. Given the failure of industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that user choice is respected.
Besides Social Media, Some Commerce Sites Need a Rules Change
Has there been any thought to regulating e-commerce sites? When I tried to buy tickets online through Ticketmaster.ca, I had to agree to them being able to use all the personal data I had filled out in the purchase form, even to the point of them sharing it with third parties. There was no opt out button. You want to buy tickets online? Agree that your data is theirs to use as they wish.
I did not buy, will never buy tickets through their site.