Recently the Office of the Privacy Commissioner of Canada released its annual report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA sets the ground rules for the management of personal information in the private sector – and the Privacy Commissioner (Jennifer Stoddart) oversees its application and determines corporations’ level of compliance.
Stoddart’s efforts have led to a streamlining of Facebook’s privacy options as well as the destruction of inadvertently-collected wireless network data from Google Street View. This year’s annual report explains that the Privacy Commissioner has acted on complaints related to eHarmony and Staples Business Depot.
There is a Parliamentary review of PIPEDA every five years and the next review is expected to start later this year. In preparation for this review, the Office commissioned an effectiveness study of the Office’s ombuds model. In the study, legal scholars recommended giving the Office the ability to fine corporations that overstep privacy legislation. Legal journalist Gail J. Cohen echoed that call for more powers.
Public consultations on the PIPEDA review should focus on, not only empowering the Office, but also reforming the purpose of the Act. Currently the purpose of PIPEDA is to establish “rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” where ‘personal information’ is broadly interpreted as “information about an identifiable individual”.
Not only should the privacy rights of the individual be protected – but the privacy rights of networked publics should also be considered. A ‘networked public’ is defined by social media superstar danah boyd as “(1) the space constructed through networked technologies and (2) the imagined community that emerges as a result of the intersection of people, technology, and
practice” (p. 15) .
Essentially, a ‘networked public’ is a group of people interconnected (usually through social media – but not always) to form their own mini-community or mini-public. People gathered in a ballpark to witness a slow-pitch championship would be considered a ‘public’ – and people connected to and by a highly accessible place (like on Facebook or together on an online forum) would be a networked public.
It may not be immediately evident how the privacy of a networked public is important – or even why a collective should have any privacy. Let’s return to the example of a tournament in a park. There are a number of personal information items easily available for collection. The people in attendance all self-identify as enjoying the sport they are watching, they self-identify what they are wearing (possibly identifying themselves as a fan of a particular team), and they self-identify as being in that location at that particular time. But the people in attendance are purposely not sharing some personal information to others – such as their names, their professions, and their relationships with their companions. These items remain private information.
The same is true on a networked public like Facebook. A person may self-identify that he enjoys softball and that he was educated at the University of Pittsburgh. He may also ‘like’ pages about the Beatles, NASCAR, and pirates. This is personal information that Facebook can collect and, presumably since that person has self-revealed these things, he is okay with that collection.
But assume the person is a political conservative and does not want to disclose that bit of information. If Facebook collects information from all of that person’s friends and determines, based on the self-disclosed political preference of those friends, that the first person may also be conservative – this would be invasion of privacy. In 2009, one study (academic report, media story) described the existence of a program that can determine a person’s sexuality based on the sexualities of their networked public.
Returning to the purpose of PIPEDA, there is no protection for people who have had this personal information deduced because, technically in these cases, their individual personal information isn’t being collected, used, or disclosed. The privacy of the single individual is being violated and so is the privacy of the networked public – whose basic personal information was aggregated to profile someone else.
Many people aren’t too concerned when individual items of personal information are collected – or even used by corporations. Personally, if Amazon.com knows that I typically purchase sports books, I certainly don’t mind if the advertisements on Amazon.com are related to sports rather than to gardening. But intrusion into the privacy of the networked public (and the many people who are a part of the networked public) is potentially more dangerous than intrusion into a single person’s privacy.
This is definitely a complex topic and it may be difficult to legislate inter-connectivity and protect the privacy of networked publics. But going forward it’s certainly an area of discussion for PIPEDA reform.
 boyd, d. m. (2008). Taken out of context: American teen sociality in networked publics. Retrieved June 27th 2011 from: http://www.danah.org/papers/TakenOutOfContext.pdf