Evidence of meeting #43 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

  • Warren Everson  Senior Vice-President, Policy, Canadian Chamber of Commerce
  • Brendan Wycks  Executive Director, Marketing Research and Intelligence Association
  • Annie Pettit  Vice-President, Marketing Research and Intelligence Association

11:50 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

These days, as Warren was saying, kids are being raised with privacy in the digital age. From the youngest age, this is a normal everyday conversation, whereas for many of us it didn't even come about until, let's say, 10 years ago. So this is brand-new information; it's completely different from how we were raised, and we're still wrapping our heads around it. Kids are far more aware of it; it's just normal for them. They know what is good and what's bad in terms of wanting or needing privacy. That's why they have more opinions on it than a lot of us have.

In terms of our people using defaults appropriately, I think a lot of industry is doing just what we're talking about here, its own self-regulation. When somebody changes a default setting, as in the case of Facebook, everyone is in an uproar if they don't like it, and there are some quick work-arounds to make adjustments to it. It's happening in one website after another website: people continue to speak up when they don't like what the default setting is, there's a whole bunch of discussion around it, and then tweaks are made.

So I think there is a lot of self-regulation going on in the industry, and it will only get more and more and better and better as people become more familiar with how it should be and how they want it to be.

11:50 a.m.

Conservative

Blaine Calkins Wetaskiwin, AB

My last question is about the differentiation between data and information. When information is collected about me as a user on the site, my personal information is there, if I happen to be creating an account, for example, but there are also traces of my user information, the sites I go to, things that I may visit, my interests, my hobbies. They can glean this kind of information.

When it comes to reselling this information or data, are you confident, from an industry self-regulation perspective, and comfortable with the fact that enough de-identification of some of the personal things is actually happening? If they happen to know what age group I'm in and what I happen to be looking at or shopping for on the Internet, that's one thing; if they know my name, address where I live, and what I'm shopping for on the Internet, that's a completely different thing.

Are you satisfied that there's enough de-identification? Do we have enough legislative framework around the de-identification of the information that's being resold between the data collector and those who might be interested in it?

11:50 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

This is already part of what the MRIA code looks at. All information must be de-personalized. This is the exact same thing we are doing within the social media space. Our ethical standards are exactly the same as they would be for survey research. Names are not published in research reports; there are no user names, photos, e-mail addresses, physical addresses. That kind of information is not appropriate, and we do not allow that sort of information to be published in final reports.

11:50 a.m.

NDP

The Chair Pierre-Luc Dusseault

Thank you. I am going to have to stop you there because Mr. Calkins' time is up.

We now start the question and answer period where each round is five minutes.

Your turn, Mr. Angus.

June 5th, 2012 / 11:50 a.m.

NDP

Charlie Angus Timmins—James Bay, ON

Thank you for a fascinating discussion.

Mr. Everson, I was a two-time board director of the Chamber of Commerce. At the time I was on the board, I was representing a small northern Ontario media company, and we were looking at the possibility of where we could move in terms of digital culture. I agree with you; I think the opportunities have exploded since, and even as we were watching it develop. I think Canadians are well positioned to take advantage of this. We have to encourage that. I think it's part of what our work at this committee is to do, to find out how we build the climate that allows that kind of innovation.

The issue here is about consumer confidence and the threat of data breach. Those are the issues I think we need to look at. When we ran our magazine, our database was our commodity. That was the value of our work. It's what allowed us to do value-added sales. We had many groups offer to buy this data from us, but it was an issue of trust with the people who purchased our products. They were our subscribers. We kept that.

If someone had wanted to breach that data, they would have actually had to break into the house, steal the computer, and then they would have gotten it. Now, however, in terms of what's online, it seems that when we have this discussion about informed consent, we're talking about an understanding of an old style of business model—you click on something, and it's about a commercial relationship or a sharing of information—but in the age of big data, it's a question of function creep. It's so easy to access data. You can access data through algorithms just casually. This is the concern.

My concern is about a breach of consumer confidence. For example, if I'm at a café and I use their WiFi, there's an agreement. I sign that yes, I'll abide by the rules. But we had the case with Google Street View going by. They were gathering WiFi hotspots, and that was a good business model for them. But there was the whole matter of load data that was collected as well, which could include e-mails, medical records.

I didn't sign on for that in giving initial informed consent. The people who gathered that data might not have even been looking for it, but the data is gathered up.

So, Mr. Everson, how do you see establishing some kind of framework to ensure that consumers have confidence, that the model is able to develop, and above all, that data breaches—because they would affect people's security—don't happen?

11:55 a.m.

Senior Vice-President, Policy, Canadian Chamber of Commerce

Warren Everson

Thank you for the question. It's pretty sweeping.

I guess the first thing I would urge the committee to do is to exactly understand how PIPEDA currently works, because some of what you're describing could be illegal in the existing act. I know you're going to hear from various carriers about specific high-profile incidents, such as ones you described.

I don't know of a more challenging issue for the committee than addressing the expectation of privacy in an online environment. I don't want to patronize anyone, but when I was growing up in Lancaster, Ontario, we had a general store. When you went into the general store, the vendor knew you and knew your buying habits. If you dramatically changed your buying habits, they would notice that, or perhaps they would say, “Oh, you're here, and I know you like this kind of stuff, so I got a new one. Do you want to have a look at it?”

We didn't consider that an unwarranted intrusion into our privacy. But when a company now contacts me and says, “I know you're interested in canoeing”, I would say, “Oh, how did you know that?” They know it because they have access to a lot of vendor sites in canoeing.

I think you've identified correctly the challenges. One is of consumer confidence. Consumer confidence goes both ways. We want to trust that we have enough privacy to do business online. We also want to trust that the company is using the information we have to prevent exactly the opposite side of your equation, which is the data breach.

I got a call last year asking, did I buy $12,000 worth of drywall on my credit card yesterday. No, I did not. I was very glad that they had my personal information and were able to contact me abruptly and stop that. So fraud protection is a very significant part of the online world as well. I don't know that you're going to find an exactly easy balance between those two pressures.

11:55 a.m.

NDP

Charlie Angus Timmins—James Bay, ON

Mr. Wycks, I'm interested in this issue of—

11:55 a.m.

NDP

The Chair Pierre-Luc Dusseault

You can ask a quick question.

11:55 a.m.

NDP

Charlie Angus Timmins—James Bay, ON

—self-regulation and the support for administrative monetary penalties. Industry needs to be able to regulate itself if it's going to succeed, but there are going to be a few bad actors out there, and bad actors will damage your business model. So you support the idea of saying, for those few bad actors, that you support the Information and Privacy Commissioner's being able to hold them to account so that the rest of the industry can continue to develop. Is that your position?

11:55 a.m.

Executive Director, Marketing Research and Intelligence Association

Brendan Wycks

Yes, for those who violate PIPEDA.

11:55 a.m.

NDP

Charlie Angus Timmins—James Bay, ON

Okay. Thank you.

11:55 a.m.

NDP

The Chair Pierre-Luc Dusseault

Thank you very much, Mr. Angus.

It is now Mr. Dreeshen's turn.

Noon

Conservative

Earl Dreeshen Red Deer, AB

Thank you very much, Mr. Chair.

Thanks to you folks for being here today.

First of all, Mr. Everson, I want to commend the chambers of commerce, because they do some amazing work. You're able to get out and talk to businesses throughout the country and bring in information. Many of us depend on the information that you're able to present.

One of the things you mentioned when you were talking about PIPEDA was that the Canadian rules work and they're still relevant. Of course, this is what we're trying to do, and we're trying to take a look at some of the other things. We know there are critics out there, of course, and people who would like to see some significant changes, but in your commentary you talked about us not putting in excessive regulations for fear of losing jobs.

I'm just wondering if you could expand upon that. Also, of course, as this discussion is on social media, I'd hate to be accused of just having a time-killing question, so if you could answer that quickly, I do have a couple of others.

Noon

Senior Vice-President, Policy, Canadian Chamber of Commerce

Warren Everson

I'll try not to be too long. I thank you for your comments about the chamber.

I think it's very apparent that PIPEDA was designed by people who understood that they didn't understand, and that they would not know where the technologies were going to go and where the offerings in the marketplace were going to go. They were wise enough to say that they couldn't be extremely doctrinaire as to how the law would apply and that they were going to have to see....

One of the important functions there was to establish the commissioner as an ombudsperson and not a police force. I'm always a little uncomfortable with people who want to make the officers of Parliament into regulators. They're not. It's a unique role they have.

If you want to install more police powers, you have to take it out of the parliamentary officers and into one of the departments of government, and I do think that you already have recourse in the law for a lot of the concerns that are expressed.

Noon

Conservative

Earl Dreeshen Red Deer, AB

Thank you.

Ms. Pettit, you were talking about how you, in your organization and research, are not selling information, but is that evident to respondents upon your first contact? When you are talking to different groups or when you are going into different sites, it is evident to everyone that this is your role?