Evidence of meeting #46 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

  • Sara Grimes, Assistant Professor, Faculty of Information, University of Toronto
  • Tamir Israel, Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
  • Adam Kardash, Managing Director and Head of AccessPrivacy, Heenan Blaikie

11:35 a.m.

NDP

Charlie Angus (Timmins—James Bay, ON)

Okay.

I just have a question. You didn't tell us you were Facebook's lawyer. Or did I not hear that? Did you tell us you were Facebook's lawyer when you came here?

11:35 a.m.

Managing Director and Head of AccessPrivacy, Heenan Blaikie

Adam Kardash

I act for a range of companies in the social media space. They are one company. I am here purely in my personal capacity.

11:35 a.m.

NDP

Charlie Angus (Timmins—James Bay, ON)

Okay.

So Mr. Israel writes you a letter, Mr. Kardash, on May 28, 2010. He says to you, with respect to your client's compliance with PIPEDA, your client being Facebook, that

...we wish to note that the privacy screen it intends to present its users is not...an adequate basis for curing the concerns we raised with your client in respect to its December privacy transition. Our position is that Facebook does not have the meaningful informed consent of its users for privacy changes.... PIPEDA requires both transparency and privacy sensitive defaults in line with user expectations.

You were there representing Facebook in one famous case of compliance. We still don't seem to have really worked out compliance, from what we're hearing from the Privacy Commissioner.

Don't you think you should have told us that's who you represent?

11:35 a.m.

Managing Director and Head of AccessPrivacy, Heenan Blaikie

Adam Kardash

The Office of the Privacy Commissioner of Canada has considered multiple investigations in the social media context, including several involving Facebook. All of them have been resolved to the satisfaction of the Office of the Privacy Commissioner of Canada. They've considered those carefully.

Again, I'm here not on behalf of any one particular company; I'm here on behalf of a range of companies and views.

11:35 a.m.

NDP

Charlie Angus (Timmins—James Bay, ON)

Okay. Thank you.

Mr. Israel.... And again, I'm not picking on Facebook here. I love Facebook. I'm on it much too much, according to my wife especially. She thinks I have a Facebook addiction. I should go on the record with that. I might have a problem.

Mr. Israel, you mentioned Acxiom. You see, we're focused on Facebook, we're focused on Google and whether they're in compliance or not in compliance. But in the age of big data, there are third-party data-miners who are out there well beyond the scope of anything we're even aware of. You mentioned this company Acxiom. You said they have 500 million hits. We've never even heard of it.

How do we ensure some measure of compliance with the data-miners who are going in, and through their...? It's fairly easy just to gather up massive amounts of information. It's not like we want to pick on Facebook or pick on Google; there are companies that are gathering this information and we have no idea of them. What steps do we need in order to deal with these companies?

11:40 a.m.

Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

Tamir Israel

Well, it's definitely a challenging arena. I agree with Adam to the extent that we should be putting in place flexible regimes that don't shut down legitimate innovation and these types of things. I'm also on Facebook, and I like the services.

I think there's a gap between the user understanding and expectation of what's happening when they interact with their friends and their colleagues in some of these online venues and how the information flow works. A lot of the interactions happen in a semi-public context in social media, and companies like Acxiom are free to basically suck that up into their databases. This is probably a violation of Facebook's terms of use, but there's no transparency in this process. Nobody really follows very closely how the information is getting into these databases or what the rules of collection are.

With respect to the database data brokers in particular, it's a challenging environment. There's no direct interaction with the users, so you need.... The FTC is looking at putting in place some rules that will stimulate industry to provide centralized places where users can go and check which data broker has a profile on them, what they have, and where it came from.

That may be one starting point for it. We don't need heavy-handed fines or anything like that in this context, but at least the threat of a penalty, if you continually ignore the principles that are there, is very necessary to get both proactive and reactive compliance. I'm not saying everybody's a bad actor, but without the possibility of a penalty, there's often little incentive to practicably figure out what these principles are and really integrate them into your business model.

11:40 a.m.

NDP

Charlie Angus (Timmins—James Bay, ON)

My concern is—

11:40 a.m.

NDP

The Chair (Pierre-Luc Dusseault)

Unfortunately, your time is up.

11:40 a.m.

NDP

Charlie Angus (Timmins—James Bay, ON)

I was just getting started, Mr. Chair.

11:40 a.m.

NDP

The Chair (Pierre-Luc Dusseault)

You are almost at nine minutes.

I now give the floor to Mr. Calkins, for seven minutes.

11:40 a.m.

Conservative

Blaine Calkins (Wetaskiwin, AB)

Thank you, Chair.

Thank you very much to our witnesses. We've heard some fascinating information here.

I don't even know where to begin, but I'm going to just start, Ms. Grimes, with you.

You said that unbeknownst to most Canadians—I think this is fairly common knowledge—online activities are surveilled. We have data-mining going on out there. We have spiders. We have bots. We have all kinds of things that are downloaded onto people's computers unwittingly. We have spyware, malware, adware, and whatever you want to call it tracking people's activities, whether they're on a laptop or a mobile device. In these user agreements, we agree that our information will be allowed. It's in our settings in our devices whether or not we want to allow cookies, for example, on our computers. It's in our settings on our iPods and our iPads. We get push notifications. We can turn these kinds of things on or off. An educated user will have to make a little bit of an effort to do that. We can get third-party software that will help us protect, for example, our computers at home that our children are on when they're trying to do their homework, so that I as a parent can get notification on what kinds of activities my children may or may not be doing online.

And that's going to be a question I have for you: Do you think my child has the right to be able to do that on a computer, without me knowing what my child is actually doing? I'll save that question for the end.

In all of these agreements, I have one choice: I either accept the terms of the agreement in its entirety or I don't. That's the choice I have. I don't have the option to parse parts out.

My question, broadly, for all three of you is do you think there should be a legislative or a regulatory requirement to have these kinds of agreements parsed out in such a way that an end-user can actually have the ability to select which parts they're going to agree to, or which parts they're not going to agree to? Most of these things set defaults on how my information is going to be shared with a company like Acxiom, which frankly has me terrified.

I know how these things work, because I used to be a database administrator. I understand how these data points are collected, and many of these things are collected without my knowledge. I'm sure my name's in Acxiom, because I'm an avid computer user, or if it's not in Acxiom it's somewhere else. Somebody has information about me and my browsing habits and my user habits, and so on. So this is a very frustrating thing.

Why can I as a user not have the ability to choose which parts of the agreement I want to agree with and which parts I don't? Is that a reasonable thing, from a regulatory environment point of view, for a government to be involved in?

11:45 a.m.

Assistant Professor, Faculty of Information, University of Toronto

Dr. Sara Grimes

I'll leave the broader parts of the question to my co-presenters here.

In terms of kids and user agreements, there definitely need to be some changes. I've read a lot of end-user licence agreements for service directed to kids. They include all the same types of clauses that you find in any of these documents. There are all kinds of complications when kids are involved. Not only are there words that most kids can't understand, but most adults have trouble understanding them. Service contracts actually describe relationships in terms that younger kids just can't understand yet. They still have some developing to do before they can understand that level of complex things like property exchange or different economic processes that are being described in terms of service and use.

Changes to the kids' area, which is the area I'm an expert in, are definitely needed with regard to things like the terms used in contracts so that they are understandable to kids and parents. I think as a government, as a country, we need to start thinking about how we're going to deal with kids entering into contracts, because minors' contracts are very tricky legally. They're voidable and there are all kinds of strange precedents to wade into.

I'm not a legal expert, and it hurts my head even to think about how complicated this all becomes when you start thinking about it in those terms. But we need to start dealing with that. We need to start thinking about it seriously and think about what we are expecting kids to be held to when they agree to terms of service that are 15 pages long, are full of all kinds of jargon, and include processes that are so far beyond what they're capable of understanding that we couldn't possibly expect these contracts to actually be upheld.

So, yes, I would love to see a more à la carte type of design for terms of service for use and end-user licence agreements, including some terms that have been delineated as terms that are appropriate for younger kids, and a framework for figuring out how we're going to deal with who signs on and who agrees to it, and how involved will parents be, because they clearly will have to be.

11:45 a.m.

Conservative

Blaine Calkins (Wetaskiwin, AB)

Thank you.

11:45 a.m.

Managing Director and Head of AccessPrivacy, Heenan Blaikie

Adam Kardash

The question's excellent, because it illustrates how you can't address privacy in a meaningful fashion with just an upfront consent process, especially for platforms that get more complicated.

There are two approaches to dealing with all sorts of different contexts, not just in the pure technology sector, but even more broadly. One is that in addition to a meaningful drafted notice upfront about what the user should be engaged in, really the most important thing has become twofold. One part is making sure users have appropriate control, and know where they can exercise that control. The other is—and this is an absolutely critical point and the emerging theme over the practice during the last ten years—that we've seen a move from concepts of consent and notice being important parts of privacy protection to the concept of privacy governance and a much more holistic approach to how you address these issues.

I think two or three weeks ago the Office of the Privacy Commissioner of Canada and the Alberta and B.C. privacy regulatory authorities issued a joint 26-page guidance document on their expectations for effective privacy management programs. Those expectations set out obligations for organizations to look at privacy five steps back from the whole range of the life cycle of data but from a risk perspective, in a manner through which they continually improve their practices and address things like controls and transparency. But most importantly, they addressed it in a much more detailed format.

I encourage the committee to refer to that document. There are at least 110 expectations set out that really go to the heart of your question. If companies are relying solely on those long-winded consent forms.... I used to draft those things. I know what they're about. They're not effective for privacy compliance. It's privacy governance that's exactly at the heart of what you're raising.

11:50 a.m.

Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

Tamir Israel

It is an excellent question. I fully agree it is important to do a little bit more to simplify privacy policies. There's been talk of trying to standardize certain terms that have similar meanings for different companies but that are described in different ways in order to make it easier for consumers to compare privacy policies, but I agree with my colleague that doing that can't be the end of the process.

It's very important to have accountability and to have organizations put in place processes that take into account privacy concerns at all stages of the development of their services. I think our federal Privacy Commissioner and some of our provincial privacy commissioners have done a really good job at instilling that.

In addition, though, it's very important to make sure the substance of what is being embedded into these development processes is also reflective of user expectations and privacy. Historically there's been a divide internationally among what the European Union does, what Canada does, and what the U.S. does. The U.S. had this sort of open framework where there was not too much regulation in place, but they're moving very far away from that and towards where we are now and also adopting these types of last-minute, just-in-time notifications where you're providing more notification and more control in line with the decisions you're actually making. That helps adjust elements of the privacy policy to let users have greater control over which parts of it they're okay with and which parts they're not.