TORONTO, ON–Canadians’ sensitive data stored on social media platforms are at risk of being compromised according to Home Ice Advantage: Securing Data Sovereignty for Canadians on Social Media discussion paper and survey published by the Cybersecure Policy Exchange at Ryerson University.
Many popular platforms, such as Facebook and TikTok, transfer data to a variety of jurisdictions, and none specifically cite Canada as a country of storage. Moreover, Canadian privacy law does not require users to consent to personal data transfer outside of Canada or require meaningfully enforced limits on transferring to jurisdictions with insufficient protections for surveillance or unauthorized access of Canadians’ personal data.
An overwhelming majority (86 percent) of Canadians support a requirement to keep their data within Canadian borders. And that, on a scale of zero to ten, 49 percent of Canadians rate their trust of Facebook between zero and three despite it being the most used platform in Canada (69 percent).
This research demonstrates that most social media platforms’ privacy policies do not disclose precisely which jurisdiction they store, process and transfer the personal data of a given user, said Sam Andrey, director of policy and research at the Ryerson Leadership Lab. It also shows that existing protections in Canada have proven inadequate to rapidly changing circumstances outside Canada’s borders. The new discussion paper argues that Canada must coordinate an international approach that contributes to greater data sovereignty or else they will get caught in the legal crossfire between Europe, the U.S. and China: and Canadians security and privacy online will suffer.
“Canadians are looking for answers on how their private and sensitive data are being protected outside our borders,” said Andrey. “The federal government has an opportunity to modernize our privacy law to do just that. Canadians should have transparent information to inform their decisions, assurance that the jurisdictions where their data is transferred protect and enforce their rights, and they should have confidence that their most sensitive data will never be compromised.”
To help address some of these concerns the discussion paper outlines three policy options for the federal government to enhance Canadians’ trust and security online.
1.Comparable protection. Provide precise requirements and enforcement to ensure personal data collected and shared through social media receives comparable levels of protection when transferred outside of Canada.
2.Consent. Require social media platforms to obtain explicit consent from Canadians for the transfer of their personal data to jurisdictions that do not provide comparable protection as well as provide information about the specific data and countries involved.
3.Sensitive data. Better define and provide greater security protections for sensitive personal data, such as private messages and biometric data.
The federal government recently introduced Bill C-11, the Digital Charter Implementation Act, which proposes to make sweeping changes to private sector privacy law and to set a new precedent for the protection of Canadians’ data.
While C-11 makes many commendable changes it does not adequately address the critical points raised in the three policy options outlined in the paper, said Andrey. Although the bill’s new purpose emphasizes cross-border data transfers, it appears to enable companies to easily transfer Canadians’ personal — and sensitive — data across borders and to third-party companies. It also neglects to set any requirements for Canadians to consent to transfers outside of Canada.
Moreover, C-11 does not provide specific direction on how companies should secure sensitive data, like biometrics or private messages gathered and stored by social media companies or messaging software. Nor does it clearly define terms such as “data”, “transfer”, “disclosure” and “sensitive information” which can lead to ambiguity in enforcement. These are critical elements to discussions around privacy and security that should be addressed in this new legislation.
“We hope these issues will be considered by parliamentarians from all sides as the Bill is debated, as well as in any forthcoming regulations,” said Andrey. “The Prime Minister’s mandate letters committed to ‘new regulations for large digital companies to better protect people’s personal data’. We look forward to continuing to engage with the federal and provincial governments to advance these objectives and strengthen cybersecurity and digital privacy protections for Canadians.”