By Pooja Rambaran
Social media platforms such as Facebook and Twitter transfer and store user data in a variety of jurisdictions outside of Canada, according to a recent discussion paper by the Cybersecure Policy Exchange (CPX) at Ryerson.
The study found that most social media privacy policies do not explicitly state the jurisdictions in which the personal data of their users are stored, processed and transferred. This means that “social media platforms can easily transfer personal data between various countries with little oversight or transparency,” the paper reads.
Yuan Stevens, co-author of the study, said the core belief of the paper is that “people in Canada deserve to have control and autonomy over their personal data as a critical aspect of cybersecurity.”
Stevens described personal data as anything that relates to someone as a specific, identifiable person.
Almost every major social media platform—including Facebook, Instagram, LinkedIn, Snapchat, Twitter and TikTok—has faced major security breaches in the last five years, according to the CPX report written by Stevens, Mohammed Masoodi and Sam Andrey.
In 2018, Cambridge Analytica, a data analytics company, was found responsible for improperly collecting personal data of millions of Facebook users. The paper states of these 87 million users, more than 600,000 were Canadians.
As technological companies routinely face buy-outs, mergers and bankruptcies, the storage and protection of personal data may change outside of Canadian regulation. “Malicious hackers can also take advantage of data stored in locations where the data are subject to weak data protection safeguards,” the paper states.
“Our data protection laws have historically given ample freedom to corporations to treat our personal data as they please with little legal oversight,” said Stevens.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is responsible for protecting the personal data of social media users in Canada.
However, it does not prohibit companies from transferring data to third parties or other jurisdictions. When transferring this data to third parties, PIPEDA cited that organizations should provide a comparable level of protection for the collected data to what it would’ve received had it remained within the company.
Yet the act does not specify the meaning of the term “comparable level of protection” and this is left up to the discretion of the individual companies.
“The self-regulatory approach of PIPEDA fundamentally jeopardizes the security, privacy and protection of personal data for users of social media platforms,” the paper reads, adding that this data can be transferred to a variety of jurisdictions without the knowledge of Canadian social media users and with little restrictions under the Canadian privacy law.
“People in Canada deserve to have control and autonomy over their personal data as a critical aspect of cybersecurity”
On the contrary, the European Union’s (EU) General Data Protection Regulation (GDPR), requires organizations that collect personal data of their constituents to comply with their obligations, including legally-binding corporate rules or clear consent for the transfer of data, the paper states.
Those who violate the privacy and security standards set by the GDPR are subject to harsh fines, possibly amounting to as high as 20 million euros, according to the GDPR website.
“In Europe, data protection is an extension of human rights, where the right to control your personal data…is a part of informational self-determination,” said Stevens. “But in Canada, our data protection laws ensure no such protection to people.”
The researchers of the study found that some Canadians were mainly concerned with external government surveillance primarily from China and the U.S. Other Canadians indicated a lack of trust with current Canadian institutions as they believe that storage in Canada could still be improperly surveilled or used, the paper states.
The authors of the paper suggested three policy changes that can be employed by the Canadian government to improve their current data protection laws—comparable protection, consent and special protections for sensitive personal data.
A recent survey by CPX found that 86 per cent of Canadians support policies to keep Canadians’ data within Canada.
Siya Joshi, a first-year computer science student, was previously unaware that Canadian laws allow companies to release user information across borders.
“I would like to know where any personal information I store on my accounts or anything I post is being used, whether that is worldwide or national,” said Joshi, adding that she agrees with the policy suggestions made in the paper.
“[Those] would ensure that I know what [information] is being sent, why and if I agree for it to be sent,” said Joshi.
The paper stated that there needs to be a more rigorous definition of the term “comparable level of protection” in PIPEDA.
When social media companies transfer the personal data of their users outside of Canada, there should be explicit and proactive oversight mechanisms for their privacy, according to Stevens.
“Like the EU, Canada could maintain a list of countries whose data protection laws are deemed sufficient for transfer,” said Stevens.
She added that companies could otherwise provide transfer agreements that demonstrate that the transfer location of the data is sufficient under Canada’s data protection laws.
In cases where the transfer location is not pre-approved and no transfer agreement exists, Stevens suggested that the data protection law should allow social media companies to collect explicit consent for the transfer of data.
This option also requires the disclosure of the specific personal data to be transferred, countries where the data could be stored and the other organizations involved in the process.
The final policy suggestion involves better protection of sensitive personal data such as individuals’ racial or ethnic origins, sex life, sexual orientation, political opinions, religious beliefs, as well as genetic and biometric data.
“[Canadian] laws merely say that more protection is needed when data is more sensitive, allowing social media companies to decide themselves whether highly-revealing personal data deserves certain treatments that better protect our privacy,” said Stevens.
Drawing on thoughts from Shoshana Zuboff, the Charles Edward Wilson Professor Emerita at Harvard Business School and author of The Age of Surveillance Capitalism, Stevens said that companies can collect, analyze and optimize users’ personal data as a form of raw material to predict and shape their behaviours in the name of economic freedom.
“A data protection law that explicitly seeks to enhance economic development will never sufficiently protect our individual and collective rights to informational self-determination as an extension of privacy, one of our fundamental freedoms in Canada,” said Stevens.