The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, August 06, 2009
The next in the series of three privacy OpEds in the National Post goes to Phillipa Lawson, formerly of CIPPIC:
Give privacy laws teeth Internet use in Canada has had enormous economic and social benefits; individuals and organizations can now broadcast their ideas, promote their businesses and build communities of interest instantly, at minimal cost, worldwide. But technology is a double-edged sword; it can be used for bad as well as good, and the impacts of its use even for non-criminal purposes are not all positive. The greatest casualty of our enthusiastic embrace of the Internet is, without doubt, individual privacy.
Fraudsters, identity thieves, stalkers and vengeance-seekers are using the Internet to solicit, track and prey on victims, often by taking advantage of the vast amount of personal information available online. While such information is a gold mine for imposters and stalkers, its collection, use and trading by non-criminals can be equally damaging for the individuals whose personal information is at issue.
Careless or malicious posting of photos, videos and personal information online can have devastating reputational impacts on individuals -- impacts that may never fully disappear because the digitized information, once released online, never disappears.
A video posted on You-Tube, for example, can turn a small-town student into an instant celebrity, but it can also provoke ridicule worldwide. False rumours can spread like wildfire. Embarrassing photographs posted online can seriously impede future employment prospects. And because the digital medium is so persistent, reputational effects may never be overcome.
Easily abused personal information is offered up to a remarkable extent by individuals themselves on social-networking sites, personal blogs and chat rooms. But many users don't appreciate the extent to which such information is publicly accessible, easily gathered and compiled by others and thus vulnerable to abuse. Only a minority of Facebook users, for example, bother to adjust their privacy settings from the defaults set by Facebook, which are to share with everyone in the Facebook-determined networks they have joined.
Personal information is also made public by friends, acquaintances and organizations who post it online often without the individual's knowledge, let alone consent. Once discovered, it can be too late to undo the damage caused, for instance, by publication of an indiscreet photo or the home address of a high-risk social worker.
Furthermore, there is a huge industry in the collection and trading of personal information, much of it covert. Marketers want to manipulate us into buying more stuff. Insurers want to minimize their risk. Employers want reliable, mature employees. Governments want to make sure that we aren't threatening national security.
Privacy law is about protecting our right to control with whom we share information about ourselves. But it should also recognize that certain uses are simply inappropriate, and that "consent" is often no more than a fiction.
Canada has a reasonably good set of data-protection laws. In general, corporations are required to get our informed consent before collecting, using or disclosing our personal data, and can do so only for purposes that a reasonable person would consider appropriate in the circumstances. Government entities can collect, use and disclose our data only for certain specified purposes.
But these laws do not place explicit limits on the collection and use of personal information posted by children, who are most vulnerable to abuse online.
Nor do our laws, outside Quebec, Alberta and B. C., place significant limits on non-commercial and nongovernmental uses of personal data without consent. While courts are starting to recognize a common-law right to privacy that would fill this gap, there is little to protect most Canadians from privacy abuses that arise outside the commercial or government context.
Moreover, existing privacy laws are only as good as their enforcement. At least one study has shown that there is widespread non-compliance with Canadian privacy laws, especially in the commercial sector.
This is not surprising given that the costs of non-compliance are minimal. The federal privacy commissioner is limited to making recommendations. Complainants in most jurisdictions must engage in expensive lawsuits in order to get binding orders for which they will likely receive no compensation.
This is not good enough. Privacy laws should apply to non-commercial as well as commercial activities. They should prohibit collection and use of kids' data, other than in exceptional cases. They should require meaningful consent, not just an easily overlooked opt-out check box. And we should be able to hold others accountable under privacy laws without undue effort and cost -- it's time to put some teeth into our privacy laws.
Philippa Lawson was director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa from 2003 to 2008 and currently practises law in Whitehorse, Yukon.
Labels: facebook, privacy, social networking
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.