Elizabeth Denham, British Columbia’s Information and Privacy Commissioner since 2010, believes that although the principles and values underlying privacy laws have endured for 20 years, the challenges to information and privacy rights have grown in such scale and complexity that new approaches, tools and strategies are needed. She is hosting a conference this month called Privacy and Access: A New Vision for Information Rights. She spoke to editor-in-chief Toby Fyfe about her concerns.
What’s been your biggest preoccupation over these first three years of your mandate?
What concerns me is whether or not we’ve got the balance right between privacy and how the government is using personal information. My preoccupation has been to investigate and to provide advice and issue orders that affect how personal information is managed by public sector organizations.
I have been trying to pull back the curtain to demonstrate how these technologies work and how government is processing information behind the scenes so citizens can assert their rights. Many of our files have to do with the use of technology by law enforcement, such as automated license plate recognition and how facial recognition technology is used by the Insurance Corporation of BC. We also looked at smart meters and how smart meters actually process electricity consumption data of citizens.
Is the issue whether the information is being used appropriately by government, or simply that the government is collecting it at all? I’m thinking of the smart meter example.
With the smart meter example, the government was collecting that information according to the law. What we looked at in that act was whether or not they were repurposing it for other use, and whether they were properly securing the data against loss or theft, of tampering or intrusion.
And is the government doing a good job?
I think the government is doing a good job in properly collecting information. What I’m most concerned about is collecting it for one purpose, then using it for something else. Government hasn’t been as transparent as they’re required to be in law so that citizens understand why information is being collected. I also think the government has fallen down, in some cases, in securing personal information. For example, with the BC Ministry of Health investigation that we did, we found large amounts of data shared with third parties on unencrypted USB keys.
In the past, you have referred to the challenges of new technologies in the privacy sphere. What do citizens need to think about?
Data protection and privacy. They are more important now than they’ve ever been, especially in the face of the massive amounts of personal information that’s collected and analyzed by the public and private sectors. An individual’s ability to actually know what’s happening with their personal information and their ability to control their personal information is more challenging than it’s ever been.
This is an education issue, is it not?
It’s partly an education issue because I think that when individuals are using these shiny new tools such as social media and applications on their smartphones they need to be aware of who’s collecting their personal information and what’s happening with it. So it’s important that individuals make themselves aware of how these companies and how these technologies work. That said, what’s really important is that we have comprehensive privacy laws that set out the rules that organizations have to follow when it comes to processing personal information.
My sense is that you’re talking about a whole generation that is largely indifferent to the issues of privacy. How do you reach that group?
I actually think that this next generation, especially individual citizens who are in their twenties and thirties, are actually quite sophisticated when it comes to understanding how these new technologies work. When I talk to young people in their twenties and thirties, they are quite tech-savvy about how to use and engage their privacy controls, especially when it comes to social media.
I agree with you that very young people, teenagers for example, don’t seem to understand the implications and the potential harms that revealing everything online will bring to them, especially as they get older and look for their first job or try to get into a post-secondary education.
How do organizations such as yours deal with large, global organizations like Google or Twitter?
This is one of the greatest challenges that we face right now in enforcing local privacy laws. Now that we are in the Internet age, where data knows no borders, we have to look to models such as cooperative enforcement mechanisms with data protection authorities working together to change the behaviour of some of these global giants and to work together to enforce our laws.
Canada, federally, has been successful in changing the practices of some global companies such as Facebook and Google. What the law says in Canada is, if there is processing of Canadians’ personal information, and if a company has a real connection to Canada, then our laws apply to those companies’ information processing activities.
And do the companies get this issue, or is this a constant battle?
It’s a constant battle. I think that there are good players, companies and governments that want to do the right thing, but there are also bad actors out there, and those bad actors either don’t seem to be aware of the law or they’re working around the law. And that is a constant battle for regulators such as myself. We have to use education, and we have to use our enforcement tools when a company is not playing by the rules. That’s critically important.
How does government strike the right balance between fundamental privacy rights and law enforcement and national security?
Very, very tough issue. I think that the recent whistleblowing of Edward Snowden and the revelations about the U.S. Foreign Intelligence Surveillance Act, and even about our own Canadian Security Exchange, have really brought to light that thorny issue of how to strike that right balance. Excessive surveillance in the name of national security and public safety can threaten the freedoms we depend on. I think that awareness of widespread surveillance of our communications make people very nervous about speaking their minds or doing anything that arouses suspicion.
So what I could say, in answer to that question, is that in this age of Internet technologies and fear of terrorism, we need to decide what the limits are and how much secret snooping, and under what conditions, we’re prepared to accept as a society. I think, in Canada, governments and commissioners should carefully assess existing and proposed initiatives to make sure that they don’t improperly diminish privacy. I think this is probably the most important file that we have seen in a very long time.
You talk about a “new vision for information rights.” What do you have in mind?
I think that new technologies, social media, big data, facial recognition technology, smartphones that can track your location everywhere you go, mean that while the principles and values that underlie our legislation might still endure, the challenges to these rights have really grown in scale and complexity. I think it’s time for reform of our laws to make sure that they are keeping up to date with the technology. Right now they’re not.