Bouquets and brickbats: the informational privacy of Canadians
posted by:Jeffrey Vicq // 11:59 PM // October 03, 2006 // ID TRAIL MIX
Recently, I spent some time examining the Canadian data brokerage industry.
In the last several years, a number of scandals in the US data brokerage industry made American companies like ChoicePoint and DocuSearch household names, even in many Canadian homes. American journalists prepared several interesting and extensive exposes describing, in rich detail, the sometimes messy results of the marriage of technology and data in the name of convenience, commerce and security.
Yet, the activities of the industry’s players in this country have traditionally been less well understood. Accordingly, working as part of a team under the direction of the talented Pippa Lawson at CIPPIC, a number of us sought to gain a better understanding of the Canadian data brokerage industry—identifying its key players, determining the types of information commonly made available, and tracking personal data as it flowed from consumer to compiler, and from broker to buyer. The final report was quietly released earlier this summer.
In the course of our investigations, I frequently found myself reflecting on two broader questions: first, I wondered how best law could protect the personal information of Canadians—and by extension the privacy of Canadian citizens—in the Canadian marketplace. Examining the data brokerage industry afforded me the opportunity to consider the effectiveness of privacy legislation in the face of an industry whose sole purpose is to assemble and trade personal information about Canadians. Second, I wondered about who was the biggest culprit responsible for the slow erosion of personal informational privacy that has occurred in Canada over the last several decades. Having the opportunity to consider how data on Canadians was collected, compiled, distributed and used in the data brokerage industry afforded me the opportunity to consider culpability from several perspectives.
Given that Parliament has recently reconvened for the fall sitting—and cognizant that PIPEDA, the federal private sector privacy legislation in force in much of the country, is due for review—I thought I might offer up a few thoughts on these points.
With respect to the protection of the personal information, it is clear that Canadians enjoy greater informational privacy than our US counterparts—thanks primarily, it would appear, to the impact of private sector privacy legislation. There is seemingly less information available for purchase online about Canadians than Americans  , and several companies claim to have curtailed operations or ceased operating altogether in Canada following the introduction of Canada’s private sector privacy legislation. Using provisions contained in the legislation, Canadian consumers can learn what information Canadian companies have about them and can seek the correction of errors in those records—rights which are unknown to American consumers. In this light, Canada’s data protection laws are arguably the single most valuable instrument available for the protection of Canadian informational privacy.
But these laws are not perfect. This legislation—and most glaringly PIPEDA—is hamstrung by the absence of robust enforcement provisions. During my time in private legal practice, it was an all-too-common occurrence that once a client was apprised both of the extensive obligations of the legislation and the ramifications of non-compliance, the client would elect to ignore the law. And there is reasonably good evidence to suggest that private sector organizations that have attempted to comply with the legislation have done so poorly: see, for example, CIPPIC’s recently published study examining the compliance (or relative lack thereof) of retailers with Canada’s data protection laws. The legislation’s lack of a robust enforcement mechanism undoubtedly plays a role in the high rates of non-compliance CIPPIC’s found.
To a lesser extent, Canada’s private sector privacy laws have also been maligned for the way they define “personal information.” These definitions qualify the “personal information” to which the laws pertain to information about “identifiable individuals.” As such, information that has been “anonymized” accordingly falls outside of the scope of the legislation. However, data anonymity specialists (including the terrific Latanya Sweeney) have been demonstrating for some time the relative ease and accuracy with which “anonymized” information can be reconnected to identifiable individuals.
Interestingly, my own research into the data brokerage industry indicated that many of these companies were not particularly concerned with the granularity of the information they attributed to individual citizens. For example, several Canadian data compilers rely on data—like public-use microfiles—that Statistics Canada makes available and considers to be “sufficiently anonymized or aggregated to be made publicly available.” Absent the services of someone like Dr. Sweeney, it may indeed be difficult to connect this information to a particular household. However these data compilers use the aggregated information (like mean household income for dwellings located in a particular postal code set) to attribute characteristics to all households in the set. This information—which on a household to household basis may be erroneous—is nonetheless usually of sufficient accuracy for marketing purposes. As such, despite Statistics Canada’s anonymization efforts, this information is still being used by marketers as personal information, in order to build broader and richer—if somewhat fuzzy—profiles of Canadians.
Given this, some in the privacy community have suggested that the definition of “personal information” should be amended to include all information about an individual, whether identifiable or not. I am not confident, however, that this would represent a feasible or practical response to the problems created by the use of anonymized or aggregated information to impute characteristics to Canadian households. That issue might better be addressed by legislation that precludes the use of data for certain purposes, as opposed to the wholesale revision of the definition of “personal information” itself.
These (and admittedly other) shortcomings aside, Canada’s privacy legislation has been a valuable tool for protecting the informational privacy of Canadian citizens. With certain amendments, the legislation could come to represent a truly effective set of tools to be used in the fight to protect the informational privacy still enjoyed by Canadians.
However, these tools will only be effective if the activities of the culprit primarily responsible for the erosion of the informational privacy of Canadians can be stymied. “Who is this culprit?,” you may ask. There are—both unfortunately and perhaps unsurprisingly—an abundance of candidates, given the actors and factors that have had a significant impact on informational privacy of Canadians in the last decade: the abundance of cheap and powerful digital database technologies, the growth of the internet, the emergence of the data brokerage industry and the development of a culture of fear in the US, are but a few.
However, I believe the primary culprits responsible for the erosion of informational privacy are, in fact, Canadians themselves.
In examining the sources of the data commonly exchanged in the data brokerage industry, I was astounded to discover how much sensitive data is provided willingly and openly—for little or no consideration—by Canadians. Admittedly, there are a number of collection vehicles wherein the language used to explain the purpose for the collection and planned use for the data is vague and / or misleading—if any language is used at all. But there were a remarkable number of occasions where the collection vehicles used clear and unequivocal language to explain the reasons for collection and use, and Canadians still appeared to respond in droves. There are numerous examples—Canadians complete surveys and questionnaires on sensitive topics, enter contests or offers that request extensive information about buying habits or preferences, and obtain free product samples in exchange for providing their personal details. The most recent iteration of one survey used extensively in the Canadian market is over 91 pages long, asking an exhaustive list of sensitive and highly personal questions about the respondent.  While consumers are often offered coupons or contest entries in exchange for completing the survey, many surveys offer no reward for their completion at all.
The aforementioned collection vehicles are examples of circumstances where it should be reasonably clear to the respondent (certainly if the data collector is complying with the requisite legislation) that there is little to be gained by them in disclosing their valuable personal information. Less clear, perhaps, are those circumstances where information is collected from Canadians contemporaneously with the acquisition of goods or services, whether over the internet or via traditional channels. Book, music and movie clubs, along with newspaper and magazine publishers, are fertile sources of information about the hobbies and interests of Canadians. General retailers and service providers are also rich sources.
Drawing on all of this, data brokers have accrued and trade in a broad range of information on many Canadians, including marital status, age, religion, income, property ownership, investments, health information, habits, interests, diet and credit card ownership, amongst others. One Canadian data broker claims to have a file containing the names of 8.7 million Canadians organized by preferred genre of book; 8.1 million organized by hobby, and another 3.1 million organized by the types of financial investments they own and plan to purchase. Another broker offers information on households in which one or more members has experienced any one of a variety of health conditions including ADHD, arthritis, bedwetting, depression, diabetes, heart or kidney disease, high blood pressure or cholesterol, lactose intolerance, macular degeneration, migraines, neck pain, nut allergies, urinary tract and yeast infections.
All of this information has been, for the most part, willingly provided by Canadians. And while much has been written about growing public concerns about privacy, the actions of Canadians do not accord with their purported fears. The results of a survey conducted by Forrester Research in 2005 found that “…while 86% of consumers admitted to discomfort with disclosing information to marketers, they participated in online surveys and research for free products or coupons, and entered competitions or sweepstakes at rates nearly equal to consumers who aren’t as concerned. [emphasis added]” 
Given this, it is Canadian citizens themselves that I see as posing the single greatest threat to their own informational privacy. The interests of Canadians do not appear to accord with their actions in this respect, which I would assume to be the product of a lack of education about how individuals can themselves be more responsible about protecting their own personal information. There is no question that being privacy savvy takes time and energy. However, the public must be invested with some of the responsibility for safeguarding their own personal information; otherwise, personal data privacy will continue to erode, despite the most finely crafted legislation, the efforts of the Privacy Commissioners and the lobbying of privacy advocates.
Similarly, those of us who have an appreciation of the importance of data privacy have obligations as well. We must resist the too-often-pursued predilection to “preach to the choir,” and instead make a concerted effort to educate the public about the importance of personal information privacy. An educated and engaged public can be far more effective in protecting their own informational privacy interests than even the most well-funded Privacy Commissioner or privacy advocate.
 In this context, I am considering information that is extant and generally available for purchase, as opposed to the use of the internet to contact parties who might—via pretexting or other means—obtain detailed information about an individual.
 It should be noted that this information is not typically made available with names and addresses attached; rather, it is released in an aggregated format.
 See "Privacy worries don't keep consumers out of online surveys and promotions" (Jan.30, 2006) Internet Retailer, http://www.internetretailer.com/dailyNews.asp?id=17434.
Jeffrey Vicq is a lawyer and consultant, and candidate in the Master of Laws (with Concentration in Law and Technology) program at the University of Ottawa.