Evidence of meeting #51 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

John Lawford, Executive Director and General Counsel, Public Interest Advocacy Centre

4:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

The committee heard from health care experts, and those questions have been examined with a fine-tooth comb, if I may say so.

In addition, should the Privacy Commissioner be invited again by this committee, you could ask her if any guidelines will be developed.

4:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

4:15 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

I am going to give Mr. Mayes the floor.

You have just over five minutes since you are the last person to ask questions.

4:15 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Thank you, Mr. Chair.

Thank you, Mr. Lawford, for being here today and sharing your knowledge of this subject. You may find my questions a little simplistic, compared with those of my colleague, Mr. Calkins, who has a great knowledge of this.

In your opening statement you referred to the terms “personal information” and “general information”. Are those terms a challenge as far as identifying what they mean? Are the guidelines clear enough to discern what personal information and general information refer to?

4:20 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I think they are. It's interesting, because Canada has this definition in PIPEDA of what is personal information, which everyone wants to avoid because it's so clear. It says personal information is information about an identifiable individual, anything about an identifiable individual. That's very wide. The Privacy Commissioner has made many, many decisions saying it's almost everything. It includes your net buy-offs on your computer. It includes your IP address in certain circumstances. It includes your hair colour, eye colour, what weight you are, everything.

A lot of the privacy policies, unfortunately, are drafted by American lawyers for American companies, and they do business in Canada. They have a different rule there—it's personally identifiable information—so they tend not to tailor it to Canada well enough.

4:20 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

One of the discussions we've had is the disclaimer of the terms and conditions when you enter into a site. It was interesting to me that you talked about a do-not-track list. I wondered if there would be the ability to put in an enforcement where they must have a data retention time, you have to agree to a data retention time, and have that right up there on the screen, first of all. Or make it a little bit simpler: sharing or marketing personal data, yes or no. Those kinds of things I think are very simple and people can understand, people like myself who are very simple when it comes to these types of uses. That's one area that I think can definitely be improved.

You talked about teeth in enforcement. The one thing about enforcement is that there's a cost to it. To do it properly, you need to have human resources as well as financial resources. Have you given any thought to where those costs should be borne? Should it be by the server, the taxpayer, or some regulatory body?

4:20 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

We've put a little bit of thought into that. That's why I mentioned at the end that the committee might want to look at the do-not-call or anti-spam model, where there are fees in the case of do not track, to buy the lists that you have to scrub against, and in the case of anti-spam, the fines go back to the CRTC to continue to do anti-spam enforcement. Now, one of those two models might help.

I want to back up, because enforcement to me—and I think this is the way the CRTC is doing it for do not call—is a pretty wide spectrum. They can start with notices, they can start with small fines, they can go and speak to trade associations. There are lots of ways before you have to go to the big hammer and the expensive overhead. I would hope that although it's a big nut to crack, it wouldn't be as expensive as something like do not track or do not call.

4:20 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Would it be on a complaint basis, or would it be like an investigation whereby you monitor it?

4:20 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

It's the same as any other enforcement area, such as security. You'll take complaints and tips when you get them, but you have to have an arm out there doing enforcement on its own.

I think the Privacy Commissioner has done as much as she can with her budget. They haven't been very aggressive with auditing companies, which is one power they have. They haven't really self-started. That would be an area to encourage.

4:20 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

How do you reconcile personal information in the social media with things like credit checks and insurance companies collecting data on individuals?

If for some reason I don't pay my bill at a certain time and the company I am dealing with has aggressive credit collection and just throws that into my credit rating, which might be an AAA credit rating, and I don't know about it, that's data that might not be well founded and that I'm not aware of. How do you reconcile that with those types of applications?

4:20 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

It's interesting, because consumer reporting or credit reporting, which you're talking about, is something that pre-dated the privacy legislation. As you know, there are a few protections built into the provincial legislation. For example, you can correct information or you can at least put a note on your credit file saying that it is wrong.

When the privacy legislation was redone here in the late nineties, we said it wasn't a good enough model. That was a big part of what the committee working on PIPEDA talked about. That wasn't good enough. You have to give the person a right to actually demand to have information changed, and that is in the act.

You're right. The trick is in informing people that they have that right. Then how does that play out in a large, complicated organization so that it's quick and easy to do and fix?

I don't see that happening in social networks. It's not easy to take off one data element. It's not easy to fix one thing.

4:25 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Personally, I think if a company is going to file a bad credit against your name, you should be notified. Not only do they send it out, but you are notified. Does that sound reasonable?

4:25 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

It does sound reasonable, and it also sounds sort of like what they're trying to do in Europe by giving users a little bit more control of information that is detrimental to them, by giving them more of a right to delete it or control it. Just saying that you have the right to have accurate data...well, who goes out and checks their data, as you point out? As well, some things are so sensitive that if it's wrong, it has consequences. I'm not quite sure how to fix that.

4:25 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

You might not know of that data from a creditor reporting to a credit agency.

4:25 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

No, and again, as far as social networks go, the only parallel is when you identify your data and it goes out to a third party, or the privacy policy says they can share with third parties and you didn't read it or didn't understand it and it goes out. It's sort of the same thing.

I think a social network would say that you put it in there and knew that it could have gone somewhere. It's not the same as credit reporting, where you don't know. But if you look at your credit application, of course, it says they're going to do that.

4:25 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you, Mr. Mayes. Your time is up.

I understand that Mr. Boulerice has a quick question. So I am going to give him two minutes to ask it.

4:25 p.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Mr. Chair, you are extremely generous.

Thank you very much for joining us, Mr. Lawford. Your remarks were very interesting and relevant.

I have two questions for you. I would ask you to answer my first question with a yes or no answer. If there is a data breach, does the company itself decide to report the facts to the Privacy Commissioner of Canada? Is that correct?

October 18th, 2012 / 4:25 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

For the time being, the answer is yes, according to the commissioner's guidelines.

Bill C-12 also provides for that, but it has not become law yet.

4:25 p.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

In my view, that makes no sense. I am very reluctant to rely on self-regulation for those types of things. I find that a bit disturbing.

I will now sort of play the devil's advocate. My second question excludes children and teenagers. Most social media are essentially based on making private information public. As legislators, what do we do to protect people's personal information when the business model is based on sharing personal information?

4:25 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

Yes, that is the intent. In these meetings, you see the game the two parties play; those sites have a goal, and this legislation has another. For now, we are saying that the consent allows us to determine where to draw the line. The problem is that the conditions under which people give their consent are not clear enough.

4:25 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

That brings us to the end of the evidence.

Thank you very much for coming here, Mr. Lawford.

We are going to suspend the meeting for a few minutes, since the next part of the meeting will be in camera.

Thank you once again.

As for the members of the committee, I will see you very soon.

[Proceedings continue in camera]