Empowerment for youth-friendly privacy law enforcement: Office of the Privacy Commissioner, Canada

Youth and privacy in the Americas: Office of the Privacy Commissioner, Canada

————————-

How do youth allies promote young people’s critical thinking on privacy, in informal learning contexts in the Americas? This blog post is part of a series showcasing the work of different organizations at the intersection of youth development, digital rights, and online safety.

————————-

Quick facts

Who: Kasia Krzymien and Anne-Marie Cenaiko, Office of the Privacy Commissioner of Canada

What: Investigation of data privacy complaints (in public and private sectors); advice to the Canadian Parliament and cooperation with other data protection authorities worldwide; educational advocacy.

Mission/vision: To protect and promote the privacy rights of individuals.

Where: Canada

Works in the field of: Personal information protection

Post summary: The Office of the Privacy Commissioner protects Canadian children and youth’s rights to privacy through the investigation of complaints, advice to government and the private sector, and outreach activities to promote privacy rights.

Highlight quote from the interview:“Even on websites and sites that are clearly intended for youth, the [privacy] language is like that of lawyers communicating to adults”

More resources: Office of the Privacy Commissioner’s website; youth-related resources appear in different sections.

————————-

As a former non-profit worker, I started this research project with the intent to document what civil society organizations in the continent are doing to defend youth’s right to privacy. However, when I asked for references from fellow non-profit researchers in Canada, all of them mentioned the Office of the Privacy Commissioner of Canada (OPC); led by an independent agent of parliament, whose mandate is to oversee compliance with the Privacy Act, which governs the handling of personal information by the public sector, and with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.

Even if data protection authorities in other countries of the region are involved in youth and privacy work, in no other country was I referred to data protection authorities by civil society organizations. After speaking with Kasia Krzymien and Anne-Marie Cenaiko, I can see why: not only is the OPC doing their share of work in a legal dimension, but also working to inform Canadians of their rights and how to exercise them, and organizations on how to comply with their privacy obligations. They believe in shared responsibility and rights-based approaches. Their library of resources is a privacy educator’s dream.

They have been able to strengthen their work on youth and privacy issues because of dedicated resources for their public education efforts, shifting priorities, as well as their involvement with an international working group. However, how is it that the Office of the Privacy Commissioner started to work on youth privacy issues? Canadian legislation gives them flexibility to address kids, and their work involves the requirements of informed consent for this age group. “Our law says that consent is valid only when individuals understand the nature, purposes and consequences of disclosure. It’s a high bar. For kids under 13, we want consent to be given by parents because we don’t think that, emotionally and cognitively, they’ve developed to understand them (it’s hard even for adults). And then [for those] between 13 and 18 we require companies to tailor their language to that age group when they are explaining what they are collecting.”

Moreover, “companies always say to us that, no matter how a privacy policy is written, they are just not going to read because they are in a rush to use the service. We say everybody has a responsibility; individuals (to inform themselves), organizations (which should be transparent about their practices), and regulators (to ensure laws are robust enough to protect people).”

Along these lines, a lot of the work of the OPC focuses on investigating complaints regarding the ways companies deal with personal information for commercial purposes, including that of kids. For example, this year they published a reporton VTech, a toy manufacturer in Hong Kong that had a data breach that potentially compromised the data of 316,000 Canadian children. They also publish guidance and policy papers, such as their draft Position on Online Reputation, which supports the idea of regulation that enables youth to request the de-indexing or removal of existing content displaying their data.   

However, the work that I found most intriguing, and the focus of our interview, was that on education – the solution that always gets mentioned in youth privacy forums, but few dedicate resources to develop. Part of the OPC’s work is to support Canada’s educational practices on privacy through international resolutions, as well as using their topical expertise to supplement the materials available to education districts and educators on privacy issues. In Canada, provinces are responsible for education, which limits role of the federal government in this regard; the OPC therefore works in collaboration with provincial and territorial counterparts and national partners.

Data Protection and Privacy Commissioners from around the world, in one of their international conferences (held in Marrakesh in 2016), adopted the Resolution for the Adoption of an International Competency Framework on Privacy Education. So the OPC worked with provincial and territorial offices in Canada to write a joint letter to the Council of Ministers of Education to encourage the clear and concrete inclusion of privacy in digital literacy curricula, after seeing the topic being “inconsistently applied” across the country.

Anne-Marie explains, “it’s not a given that a student that goes through the system will understand [the basics of privacy]. So we have developed products to address this: lesson plans on topics like how hard it is to take back what’s out there, the economics of personal information, privacy as a human right. We created a poster for 4th to 6th graders with easy tips to protect one’s privacy, for use in schools across the country”. Apart from the lesson plans and poster, the resources section of the OPC website features privacy activity sheets, discussion topics, presentation packages for different age groups, videos, a graphic novel, and an ample collection of external resources.

The most popular publication of the OPC is Social Smarts, a graphic novel.

“We do a lot of exhibiting and speaking to parents, but also at teachers’ conferences with the provinces to talk about the resources. We have also made resources to share, such as our graphic novel, Social Smarts.” Social Smarts tells the story of teenagers at school that deal with issues like digital footprints, insecure passwords, imagined audiences, online harassment and data economies; it is also accompanied by a discussion guide for in-classroom use.

Why use public resources to come up with a graphic novel? “Storytelling makes privacy relatable to youth. Privacy means a lot of things to different people, but it is in our mandate to talk about data protection laws, so we reach out to youth to talk about how to protect your personal information.”  

In creating educational materials that can then be taken into formal education settings, different pedagogical considerations arise. In the case of Canada, a bilingual country, the OPC found a window of opportunity given that few organizations have created these materials in French. The governmental requirement to publish in plain language means that ESL teachers have been able to use the graphic novel in their classroom.

As education tries to go beyond the instruction of declarative knowledge, the holy grail of youth privacy activities is to help kids reflect about their own practices and the privacy implications they have for their current and future selves, as well as for those of others. How do the OPC materials try to achieve this? Anne-Marie answers, “The activities in the lesson plans address this. They are about reflection, asking kids to describe situations. Youth may seem very tech-savvy but don’t necessarily understand already what is on the lesson plans. They need to learn about their rights and their responsibility to others’ information”.

For the OPC staff, shared responsibilities are acquired through rights-based, not fear-based, approaches to privacy. Kasia recalls, “In the mid-2000s, kids were getting on the internet and there was this stranger danger and protecting kids’ safety online and we always took the position that, while it’s not our place to tell parents how to raise their kids, we should talk about the risks to their personal information online, and companies and practices. There was a lot of fearmongering in the past. But what our office focuses on is empowerment: giving information that is needed to be digital citizens. We all recognize the benefits of the online world; so many new ideas that we get exposed to. But we need to teach kids the critical thinking to recognize good and stay away from bad.”

Now, what resources has it taken from the OPC to produce this wealth of knowledge on youth and privacy? It’s a shared responsibility with a few staff working part time on this issue. They have relied on external researchers “to understand what happens with kids online, their attitudes and challenges, to be able to make recommendations on if law is protecting them well enough or if things should change”. They fund knowledge-translation of privacy issues; in the past, this has led to privacy literacy games, radio campaigns, and a study across Canada with five thousand students. Hopefully other data protection authorities in the region will recognize the need to do similar outreach in their countries.

You can read more about on the Office of the Privacy Commissioner’s website; their youth-related resources appear in different sections.