Jennifer Stoddart is in the fifth year of a seven-year appointment as Canada’s federal privacy commissioner. During her tenure, she has witnessed privacy concerns shift from a person-to-person or person-to-organization realm, to one where privacy is consistently challenged by rapidly advancing information technologies. As she said in her address at the 2008 Privacy Invitational Strategic Forum last fall: “New information technologies and new implications of 9-11 are creating potent and novel threats to privacy. We live in an unprecedented period of transformation for privacy.” Commissioner Stoddart will deliver a keynote address at the upcoming IAPP Canadian Privacy Summit in Toronto. Here, she shares her views on social networking, trans-border data flows, and more.

Privacy Advisor: How is your office involved in issues related to social networking?

Stoddart: Social networking sites are raising important privacy issues—and will no doubt continue to do so as they evolve over the coming years.
Social networking sites can be a wonderful way to connect. They help us to keep up with friends and trade information with people who share our interests. They’ve become an indispensible tool for professionals.
But there are also privacy risks implicit in taking our personal lives online. It seems to me there is a social revolution underway and all of us—individuals, the companies operating these sites, and privacy advocates—are still trying to figure out the appropriate rules of engagement.

As you know, my office has been closely examining privacy issues related to Facebook. Our investigation was prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC). CIPPIC alleged that Facebook is in violation of several principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding the collection and use of personal information.

This is an incredibly complex and challenging investigation. CIPPIC’s complaint was 35 pages long and included 22 separate allegations against Facebook.

One of the many issues that makes this investigation particularly interesting is that Facebook does not follow the business model PIPEDA was designed for—specifically, the traditional relationship between a consumer and an organization whereby the organization collects personal information it requires in order to provide a service.
When my office releases the findings of this investigation—which we expect to do this spring—it will be the first comprehensive investigation on social networking that’s been carried out by a data protection agency.
We are also working on public education, research, and opinion polling initiatives related to social networking sites.
We’ve created pages on our Web site that provide information on privacy and social networks. We’ve developed a video that looks at the question: ‘What does a friend of a friend need to know about you?’

Our academic research includes a comparative evaluation of the privacy settings of five social networks. We also commissioned and recently published research on privacy in the virtual world of the popular online game Second Life.

We’ve recently done some polling on social networks and we have used focus groups to gather detailed information on how people consider privacy issues in the context of social networking. We found, for example, that people don’t check privacy policies carefully and they tend to assume that the sites will keep their information private.

Social networks offer many benefits, but there are risks to privacy that need to be considered. People need to have a better understanding of the risks of not protecting and valuing their personal information

Privacy Advisor: Your office has directed efforts toward engaging youth in the privacy conversation. Why is this important to you?

Stoddart: Young Canadians are among the most wired youth in the world. Social networking sites have become one of their primary methods of communication—but they don’t always exercise caution.
Under PIPEDA, my office has the mandate to inform young Canadians about their privacy rights. It is our goal to give young people information that will help them use electronic environments in a privacy-conscious way.
We now have a Web site and blog directed to young people. We recently conducted a public service announcement video contest and received some fabulous entries from high school students across the country.
When we give presentations to high school students, we encourage them to think twice about the messages and images they post. Would I want mom or dad to see this? My teacher? A future boss? Someone thinking about hiring me for a job?

Our focus group research indicates that young people are desensitized to privacy concerns. They assume that everyone will see what they post and that people wouldn’t post something if they didn’t want to share it. They think short-term when it comes to privacy. And, while they realize corporate sites may target them for advertising, they believe the social networks will protect their interests.

Our goal isn’t to try to scare young people. We want to encourage them to think about the potential consequences of what they post and to develop good privacy habits.

Privacy Advisor: Is Canadian privacy law a trade barrier? How is your office involved in the matter of trans-border data flows?

Stoddart: PIPEDA itself states that the legislation is intended to support and promote electronic commerce by protecting personal information.
The global marketplace will be enhanced if consumers are confident that their personal information will be protected even after it travels beyond Canada’s borders.

Trans-border flows of information have become an essential part of how business is done around the world. In times of economic uncertainty, we may see more cross-border outsourcing as companies look for ways to cut the costs of processing information.

My office recently released guidelines on trans-border data flows. (See our Web site, www.privcom.gc.ca, for the Guidelines for Processing Personal Data Across Borders.) We hope these guidelines will help businesses better understand their obligations when it comes to sending personal information outside the country.

PIPEDA does not prohibit cross-border transfers, but organizations remain responsible for personal information sent for processing in another country and need to ensure a comparable level of protection while the information is being processed outside Canada.

They should consider the political, economic, and social landscape of the third-party country in order to assess the security risk of the information being transferred.

Canadians are entitled to the protection of their personal information—no matter where it is processed.
Organizations need to be transparent, making clear to customers that their information may be processed in a foreign country and that it may be accessible to the jurisdiction’s law enforcement and national security authorities

Privacy Advisor: What impact does the current economic climate have on the security of personal information?

Stoddart: Recent polling for my office shows Canadians are concerned that the current economic downturn could have a negative impact on the security of personal information. They are worried that, as businesses look for ways to cut costs, they may choose to spend less on protecting customer data.
My message to business is that this is not a time to skimp on privacy and security measures.

Cyber crime is exploding. According to police, criminal groups are stealing names, birthdates and credit card information as a way to supplement more traditional criminal activities such as drug trafficking. I suspect the problem of cyber crime will only get worse as criminals look for ways to exploit the global economic turmoil.
Organizations can’t use economic hardship as an excuse to cut corners. They are legally responsible for the security of the personal information of their customers and clients.

Consumers place their trust in businesses each time they provide personal information through a transaction. A serious breach will cause long-term damage to a company’s reputation.

It makes good economic sense to ensure you’ve got adequate security—even when money is tight. The cost of mopping up after a data spill tends to be far, far higher than getting security right in the first place.