Tuesday, April 17, 2018

In a commentary in the Toronto Star, Prof. Lisa Austin assesses some key issues that Canadians concerned about the state of our own privacy laws should focus on in the wake of the U.S. Senate hearings on Facebook ("Protecting the public interest when ‘Your user agreement sucks’," April 17, 2018).

Read the full commentary on the Toronto Star website, or below.


Protecting the public interest when ‘Your user agreement sucks’

By Lisa Austin

April 17, 2018

At last week’s U.S. Senate hearings on Facebook, Senator Kennedy told Facebook CEO Mark Zuckerberg what many of us want to say to tech companies in general: “your user agreement sucks.”

Zuckerberg conceded that users do not read these agreements but claimed they still have lots of control over their information because they are given tools to control the audience of disclosure.

Both are at least partially right but both are missing the point: Privacy legislation is not mere consumer protection legislation, it is human rights legislation; our statutory framework and its enforcement mechanisms need to reflect this. Canadians concerned about the state of our own privacy laws should focus on five things.

First, there are different scales of transparency. Understanding what it means for Google Maps to collect location data is one thing; understanding what it means for multiple apps to collect location data and share it with third-party ad libraries, who will aggregate it and use it to profile you, is quite another. User agreements and individual tools rarely help consumers understand the latter.

This transparency gap was at the heart of some of the questions Zuckerberg often failed to answer regarding Facebook: what information does Facebook collect in addition to user-generated content, how are people being profiled, and does it track browsing activity or activities across devices, even when a user is logged out of Facebook? We need practices of transparency that scale.

Second, individual control is not the same thing as meaningful choice. I can have individual control over my food choices and still only have a choice between a chocolate chip muffin and a bag of Doritos. If an individual is in the middle of a “food desert” without healthy choices available, telling her about the empowering effects of better food labels will ring hollow.

Similarly, privacy debates need to move beyond a focus on informing individuals and instead ask about whether the informational infrastructure incentivizes disclosure for commercial data sharing or whether it provides meaningful privacy choices.

Third, meaningful choice is not about satisfying individual preferences, but mitigating collective concerns. The Cambridge Analytica scandal has shown very clearly that how data is collected, analyzed, and used implicates many broad public concerns. Whether the choices available to individuals are meaningful depends upon how we collectively value privacy. It is also crucial that we see that these values extend beyond privacy and can also involve questions of equality, freedom of expression, and democratic participation, to name only a few.

Fourth, it is public regulators who can best safeguard the public interest at stake here. Let’s give them the tools to do so. Our regulators can investigate transparency at a different scale from individuals, they can ask questions regarding the availability of meaningful choices, and they can deliberate about the collective value of privacy and related concerns. They are the ones we must empower.

Fifth, empowering our public regulators requires updating our privacy laws. However, if we do this by simply strengthening the individual control model then we will have failed. There are many specific proposals for strengthening PIPEDA, Canada’s main private sector privacy law, including the recent report of the Standing Committee on Access to Information, Privacy and Ethics.

The deeper problem that we need to grapple with in reforming PIPEDA is that its very purpose is to balance privacy with business interests. This might have been appropriate 20 years ago. But it fails badly in the new data-driven economy where data collection, sharing and use in myriad ways are at the very heart of business practices.

PIPEDA currently builds a privacy compromise into the very heart of our privacy protection. This is exacerbated by the fact that the privacy commissioner has no power to make orders or issue fines.

Instead we need to take seriously what the Supreme Court of Canada has now repeatedly stated — privacy law, even when it applies to the private sector, is “quasi-constitutional.” Privacy legislation is not mere consumer protection legislation, it is human rights legislation; our statutory framework and its enforcement mechanisms need to reflect this.

In Canada we are comfortable with placing a burden on businesses to accommodate human rights, even if it involves requiring them to spend money and change business practices. We need to see this shift in relation to privacy so that the private sector builds us an infrastructure that offers apples in addition to chocolate chip muffins and does not engage in unsafe practices.

The ultimate choice will be up to individuals, but individuals will choose within an environment of meaningful choices consistent with our most basic public values.