Privacy and Confrontation | previous

Recently, the privacy and Internet landscape experienced a major tremor when what was initially dubbed a David and Goliath confrontation returned some startling results. In one corner was California-based Facebook, with over 200 million users, and in the other was Jennifer Stoddart, Canada's privacy commissioner.

The confrontation was sparked by an eleven-part complaint in May 2008 by the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa alleging that Facebook violated key provisions of Canadian privacy law. At the heart of the complaint was Facebook's policy of indefinitely keeping user's personal information (even after accounts were deactivated) and the manner in which it shared this information with third-party companies. Added to this debacle was the confusing manner in which Facebook provides information to users about its privacy practices.

There are over 12 million Canadian users of Facebook, huge in Canadian terms but small relative to Facebook's overall operation. Furthermore, Canada's privacy commissioner has no direct legal authority to enforce compliance. Yet, in the end Facebook blinked first and submitted a listing of remedial actions to the Office of the Privacy Commissioner of Canada (OPC).

The victory underscored the ever-increasing global concern that personal information must be kept confidential and shattered the misconception that privacy issues are satisfied if information is collected with the consent of the individual. The collection of personal information does require consent but it also requires a clear statement of the purpose for which the information will be used, that it will be kept safe and that it will be securely disposed of at the end of the stated purpose.

Legislation

Canada has two federal privacy laws: the Privacy Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA). Both are administered and overseen by the OPC.

The Privacy Act, in place since 1983, protects the personal information collected by government institutions. Essentially, the Act is a code of ethics for the government's handling of our personal information and ensures that Canadians can access information collected about them, and can challenge the accuracy of the information. Under its provisions, such information should be:

• collected by government institutions in relation to operating programs or activities;
• collected from the individual personally;
• accurate and up to date;
• subject to correction by the individual, and
• used only for the purpose for which it was originally collected. continue

1 | 2 | 3 | 4