What role should governments and public servants play in safeguarding personal information? CGE asked three information and privacy commissioners – Anne Bertrand of New Brunswick, Ann Cavoukian of Ontario and Frank Work of Alberta – for their thoughts.
What is the most important contributor to our changing views of privacy?
Frank Work: Clearly technology is the most important contributor to our changing views of privacy, perhaps followed by our human psychology. Technology, in the form of the Internet, cell phone, global positioning technology, radio frequency identification, smart grids for utilities, smaller and more sophisticated cameras, backscatter x-ray devices, have done two things that shape our attitudes. First, the technology seduces us into being sloppy and complacent in terms of looking after our privacy. Second, it convinces us that everything can be known. In the first case, we trade our personal information for a chocolate bar. We do not engage the privacy protections on our Facebook pages. We are indifferent when our governments introduce ever more forms of surveillance. Our typical response is “I have nothing to hide.” In the second case, we expect the technology to solve every problem. We are the people who get impatient if the website we want takes longer than two seconds to open. Why can’t the authorities find thieves, terrorists, jaywalkers and graffiti artists? Bring on the technology and catch them. The only problem is that, at some point, the bad guys are us. One thing that the technology does that I think will radically change our lives is that it creates, for each and every one of us, a permanent record that is, well, permanent. Any stupid thing we say online, every case of foot in mouth, every ill-advised online act will be caught and kept and made available to others, possibly forever. There will be no forgetting our sins and mistakes.
Ann Cavoukian: I would agree that the biggest impact on how we think about privacy has come from the explosive growth of information and communications technology, specifically the rise of online social networks and the growing reliance on mobile devices. The information technology revolution not only brought with it a myriad of advancements with everyday benefits to society, it also gave birth to an entire new paradigm of concerns regarding privacy. Traditionally, government and business have always been seen as the two greatest threats to individual privacy. However, individuals themselves can now be added to the list because the growth of social networking sites and the rapid proliferation of mobile devices present unprecedented opportunities for the theft and loss of personal information. Individuals now have the opportunity to post every single detail of their lives online or on a mobile device. At the heart of the problem is the lack of education and awareness on the part of individuals who do not understand the dangers involved, such as identity theft, stalking, harassment, loss of employment opportunities, reputation. I believe that education and awareness about the privacy implications of new technologies and mediums is one of my most important roles. I have issued a number of publications on such matters as how to protect yourself online or how to secure data on mobile devices (www.ipc.on.ca). I encourage everyone to be proactive by referencing these materials and protecting their privacy.
Anne Bertrand: I believe this question is answered with the simple notion of “control” – control over our own private information. Over the last 30 years or so, people have woken up to the realization that their information was not as secure as it had been when it was, for instance, paper stored in a locked filing cabinet. Private and confidential information could only be accessed through an intermediary, such as a lawyer or doctor, and as a result, there was a sense that the information was being handled with care, and more importantly, with a good degree of control of the information. In the new age of electronic information, personal information that used to be contained in paper records has been transformed into “electronic data,” which creates new security challenges, given the fact that it can be copied, transferred or deleted with a simple click of a button. The Internet poses unique challenges to our notion of privacy. All of our online activities leave a permanent footprint of what websites we have visited, what we have searched for, what we have downloaded, who we talked to, etc. We have to assume that all of this information is creating a permanent record of our online activities – there is no shredder for the Internet. Companies see all of this activity as a virtual goldmine of consumer data. The commodification of personal information is not a new concept – telemarketers have been calling us during supper to ask about our opinions for decades. But while there has been a lot of discussion about the perils of the Internet, we must remember that technology itself is neutral. It’s how we use it that matters. Technological advances can be used to erode or promote privacy, depending on how much control these advances provide individuals on the question of sharing their information. The key question underlying all of this is what is privacy? There is no universal definition and privacy means different things to different people. What’s acceptable to one person may be completely unacceptable to another.
What role should governments play in protecting our privacy?
Cavoukian: I believe the role of governments should change marginally. Of course they should continue to set the norms and standards. However, they should adopt a more proactive approach instead of only offering reactive methods to address aggrieved parties. Governments should compel the requirements of Privacy by Design (PbD) on the part of both public and private sector institutions. PbD, in its essence, refers to embedding privacy directly into the design of information technology, accountable business practices and networked infrastructure. I believe we can benefit enormously by incorporating PbD into our regulatory structures. From that, we can transform a traditionally reactive instrument into one that instills proactive requirements. The concept of Privacy by Design has attracted the attention of officials on a number of continents. Both Viviane Reding (vice-president, Justice, Fundamental Rights and Citizenship, European Commission) and Peter Hustinx (European data protection supervisor) have spoken of how PbD will increase consumer trust in information and communication technologies, thereby accelerating their adoption. Hustinx has also noted that PbD is an approach which should be incorporated into the framework of revisions to the EU’s Directive on Data Protection. In the United States, a series of FTC-sponsored privacy roundtables identified what FTC chairman Jon Liebowitz described as the three key principles of online privacy. The first one on his list was Privacy by Design. At a more direct level, governments need to also generate education campaigns to make their citizens aware of the dangers that come with posting too much personal information online and using mobile devices that are unencrypted or not secure. Governments need to become aware that one of the greatest threats to privacy are individuals who are not aware of existing privacy threats.
Bertrand: The role is two-fold. Governments must protect the personal information they collect about us and control who has access to it, who will use, and for what purpose. Governments also