A new article in the Winston Report by Christopher Parsons and Andrew Hilts addresses issues that Canadians may face when attempting to request the personal information organizations keep on them.
Abstract
Privacy debates across Western democracies, and arguably the world, have been transformed following Edward Snowden’s revelations. The documents he provided to journalists informed news articles, parliamentary debates, and legal challenges, that at least temporarily invigorated the public’s interest in government-related privacy issues. However, translating this interest into action has been challenging because of the technical nature of the debates and the complexity of state surveillance behaviours. So, while campaigns and written letters to legislatures have become one way of demonstrating interest or involvement, a distinctly Canadian approach has seen domestic residents file requests to their telecommunications service providers (TSPs) to learn what data is held by the companies and whether residents’ information has previously been disclosed to state agencies.
These kinds of right to information requests are engrained in Canadian commercial privacy law. Exercising such rights, however, has traditionally demanded filing paper letters after developing knowledge about both the law and the data handling practices of the organizations in question. In the decade since PIPEDA came fully into force, the Internet has grown to be an intrinsic element of most companies’ and government agencies’ operations, but no digital system has grown up with the Internet to facilitate Canadians’ personal information requests to organizations. This article discusses the importance of such tools as well as some early results associated with an ‘Access My Information’ (AMI) tool that was developed at the Citizen Lab and argues that the public’s demand for basic information about company and industry data handling practices can be gauged by measuring how many Canadians request access to their information. Furthermore, we argue that the value of access requests can be demonstrated by Canadians’ ability to enhance public reporting about such data practices.
We test these arguments by turning to a case study, where academic and civil society organizations collaborated to help Canadians request access to their personal information from TSPs. We generally find that the companies lack common responses to standardized requests based on information we obtained about companies’ data retention schedules, their positions concerning whether they can reveal that they have disclosed subscribers’ information to government agencies, as well as barriers to timely and reasonably-priced responses to requests for certain historical data. The case study does possess limitations, however, and thus leaves the following questions: how can semi-automated support for right to information requests assist requesters after creating their initial request? And how can crowdsourced access requests respect requesters’ privacy yet collect statistical information about the requests? The article concludes by identifying how such limitations could be overcome in future iterations of similar digital tools and by discussing the value of Internet-enabled right to information tools that facilitate crowdsourced methods of understanding corporate data handling policies.