Audience de la Chambre des communes
Ian Kerr, Avner Levin
, Chambre des communes (Ottawa) Lien vers l'événement
12 juin 2012
Thank you, Mr. Chair.
I would like to use my 10 minutes to share the opinion of someone who is not quite an expert on privacy issues. For some 20 years now, I have been interested in the relationship between the law and technology. It is from that perspective that I would like to expand on three points. Very often, I discuss those points to deal with the complexity that characterizes new technology. Those three points are very simple: who, what and how.
Let’s begin with the “who”. Who should take action when it comes to those issues? I would like to begin with the first instinct we have—that of thinking that the legislator should act in such matters. I would nevertheless like to repeat the opinion of an old civil lawyer who said that legislating should be done carefully. This means that, in such a new field—which is so poorly controlled—adopting a piece of legislation very quickly is often a factor that prevents our habits from developing.
Therefore, I think that, in terms of legislation, we should be careful. We should take a step back and focus more on establishing a strictly minimalist approach in legislation, without developing, in my opinion, any new concepts. We have seen such concepts in Europe—including the “right to forget”, which was developed in a number of European pieces of legislation and seems to me overly difficult to apply.
Conversely, even if the goal is to limit the legislator’s role, it does not mean that nothing should be done. There are some possibilities when it comes to privacy management as far as organization goes. I think that the options established in Bill are very interesting, especially with regard to providing the Office of the Privacy Commissioner of Canada with a bit more power.
This means that my second stakeholder in terms of privacy is the Office of the Privacy Commissioner. Let’s compare what we do here with what is done elsewhere, in all of western democracies or, at least, in Europe. If we compare ourselves with countries such as Germany, Sweden or France, we realize that the office has fairly limited prerogative powers. Overall, the resources and the number of people who work within the Office of the Privacy Commissioner are, in Canada, half of those in Europe. I feel there could be some more resources to help develop habits. That’s something I will talk to you about later. So it’s a matter of informal standards in terms of privacy management.
As for the third stakeholder that would be likely to act in privacy matters, I have in mind organizations themselves—in other words, companies and public organizations that manage data. Pursuant to a point I will develop later on, I feel that those organizations are becoming increasingly accountable when it comes to the way they must manage personal information. The notion of accountability is hard to render in French. It has developed in all international fora—increasingly so over the past few years, or since 2004-2005. The notion of accountability is a concept that, in my opinion, should be promoted in this committee’s projects.
So there you have the “who”, and that’s what I had to say about the stakeholders who should be involved in those issues.
Let’s now talk about the “what”. I would like to use a single sentence to summarize my thoughts on this: I fear the shade much more than the light. What do I mean by that? There are many fantasies and fears when it comes to social media. There are of course some genuine fears. My opinions differ from those of my colleagues, but there are some real fears. There are also some imaginary fears. In some respects, what I can put on a Facebook page does not frighten me at all. I encourage my three children to use Facebook, but I am sorry to say that they don’t want to.
However, it’s quite possible to use Facebook without privacy being affected. If schools and the Office of the Privacy Commissioner educate us, we should be able to manage that. I am referring to Twitter. Two days ago, the office posted a cartoon on Twitter to explain how people should manage privacy. That kind of a solution is not of a strictly legal nature. Law is not the only possibility in life; there are other solutions that can help change Facebook or Google users’ behaviour.
In many ways, I have no fear of how Facebook may use information. I am also not worried about Google Street View, and that is something I would like to discuss. I am bringing this up because the Office of the Privacy Commissioner has made some recommendations against Google Street View. However, Google Street View is not dangerous. I have no problem with being seen in front of my home taking out the garbage. This is one example of imagined fears that are sometimes associated with social media.
That being said, there are nevertheless real problems and fears. We must keep an eye on new behaviours, and I agree with my colleagues when it comes to that. What scares me more is when the objective is changed, the reason why information was placed on Facebook or Google. In many respects, those changes of objective are made through a contract no one reads. An average social media user would have to spend 20 hours a month to read the privacy policies that apply to Google and all the websites they visit. That is unfeasible. Saying that protection goes through information and consent is an illusion. As Professor Kerr mentioned, that is a totally inapplicable legal tool.
As my colleague was saying, there are some cases where consent should not be given. For instance, some law firms—in Quebec and the rest of Canada—ask their students for their Facebook account to see who they are in real life. Such cases go against the law, and a judge could consider them to be a violation of the law. In fact, it may be useful to explicitly state that in a piece of legislation.
I have covered the “what”, but I will now talk about the “how”. I would like to come back to the notion of accountability, which is becoming increasingly developed. According to that notion, organizations must establish policies that will make it possible to objectify, if I may put it that way, their diligence in managing personal information. Forcing Facebook, Google or any other public sector company or organization to show everyone how they manage data internally would be a way to check how diligent they are. That notion is fundamental and very useful. It is actually the basis of an agreement concluded last November between the Federal Trade Commission, in the U.S., and Facebook, whereby the latter committed to open its books and show its management of data over a 20-year period. The future lies in the notion of accountability.
Once again, we have to be careful. This is coming from a technology expert who goes beyond the notion of privacy. There have been some rather unfortunate cases, especially in the area of securities. In 2002, several financial scandals erupted in the United States. To remedy that situation, all companies listed on the stock exchange were asked to open their books and produce internal reports to show how they were managing financial information. Many U.S. authors showed that large quantities of documents had been produced and financed by accounting firms, some of which were at the source of the financial scandals. Some $60 billion or $70 billion later, they ended up with a magnificent documentation that, in the end, is sometimes difficult to apply.
That is why this notion of accountability should not be introduced through a piece of legislation, but rather through informal practice standards, through codes of conduct. With a more negotiated approach, there would be no law imposing things within a generally quite short time frame, and the situation would be conducive to dialogue for establishing practice standards. Informal standards and codes of conduct are often criticized because they are not restrictive enough. When I compare our privacy system with the European one—with fairly substantial resources for monitoring the strict application of the legislation—it seems to me that a more in-between approach, a more negotiated approach, could have better results.
Mis à jour le 23 février 2017 à 22 h 57 min.