Who's really responsible for protecting our privacy online?

Jennifer Stoddart, the Privacy Commissioner of Canada, put out a press release today about how Canadians need to take more control of their private information online. Notably, Stoddart seems especially concerned about Facebook, reflecting the focus of her annual report to parliament from August. The Privacy Commissioner’s office seems especially concerned about young people posting drunk photos of themselves on the internet. Just a few months ago, the idea even circulated that Facebook might actually be illegal in Canada under our current privacy laws (the conclusions were mixed, as it turned out).

Frankly, there’s more than enough moral panic out there about the web and the Youth of Today already. It’s old hat. What I found more interesting about this message today is that, while it’s true that civilians post unflattering, embarrassing, or quasi-criminal photos of themselves and each other online, the worst and farthest-reaching damage is done by institutions and businesses collecting and then either abusing or misplacing personal data. It’s all right there in Stoddart’s report. Of 422 privacy complaints the office handled in 2008, the top five industry sectors represented in those complaints were: financial institutions, insurance, sales, telecommunications, and transportation. The “noteworthy cases” of 2008 identified in the report are examples such as Ticketmaster demanding that customers agree to receiving marketing materials in order to use their service; the Law School Admission Council, the body that oversees the LSAT, demanding fingerprints from everyone who writes the test; a chain of bars in Manitoba that was photocopying drivers’ licences every time they carded their patrons and keeping the information; and of course, CIBC’s classic “Oops, we lost a hard-drive containing 470,472 client records” blunder from 2006, an incident the commissioner’s office finished up in 2008, concluding: “while robust corporate privacy policies are essential, they must also be backed up by ongoing staff training.”

What these incidents show is that sure, while there’s a generational shift under way and younger Canadians are showing a more cavalier attitude towards their private information, most of the actual damage comes from institutional incompetence, the banks, insurance agents, hotel chains, websites, and other corporate entities we entrust with our privacy. Yes, you should take an interest in keeping your data safe. But stronger regulation, more rigorous corporate oversight, and bigger fines for privacy breaches are what will really make the difference.

Below I’ve embedded the privacy commissioner’s report from August.