Information & Ethics Committee on Feb. 28th, 2022

Evidence of meeting #9 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

Collection and Use of Mobility Data by the Government of Canada

MPs speaking

Pat Kelly
Damien Kurek
Greg Fergus
Ryan Williams
Matthew Green
Ya'ara Saks
Iqra Khalid
James Bezan
Lisa Hepfner

Also speaking

Michael Geist  Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual
Jean-Pierre Charbonneau  Former Quebec Parliamentarian and Professional Speaker on Ethics, As an Individual
Clerk of the Committee  Ms. Nancy Vohl

11:20 a.m.

Liberal

Greg Fergus Liberal Hull—Aylmer, QC

Thank you very much, Mr. Chair.

Professor Geist, at the moment, we are specifically studying the Public Health Agency of Canada's use or possession of private cell phone data of Canadians, without their knowledge or consent.

In your testimony today, you said three things: that the data were de-identified to the extent that data can be de-identified, that the objective was beneficial because the data served to locate Canadians in order to check whether they were leaving their homes during the pandemic, and that it does not seem that we bypassed any legal standards.

That is the issue on which we are focusing our attention. However, you raised the issue, rightly, I feel, as to whether the current system is adequate.

Let me go back to the issue that we are concerned with. Can you state once more that the data were de-identified, that they could be beneficial in developing health policies, and that we did not overstep the standards?

Then, we are going to discuss the issue in depth.

11:20 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

I must admit I'm not sure that I can answer that beyond having read the same transcripts that you will have seen, and therein lies part of the problem. Can I confirm for you that it was fully—

11:20 a.m.

Liberal

Greg Fergus Liberal Hull—Aylmer, QC

Perhaps not confirm, but—

February 28th, 2022 / 11:20 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

I can only go by what the committee has been told by Telus and responses from the minister. Based on what I've seen put forward, the indications are that that's the case.

I think it would have been better to have the Privacy Commissioner there operating as an independent agent to provide the kind of insight and review that may not have occurred in this case, and that's one of the shortcomings that we've seen.

It's easy to say that it's legal, but part of the problem is that it's legal. Part of the problem is that if we don't have strong enough consent measures and if we don't have a framework that imbues the kind of trust that we've been talking about, then you can both conclude that it's legal and still leave people uncomfortable with what's taking place.

11:20 a.m.

Liberal

Greg Fergus Liberal Hull—Aylmer, QC

I understand you completely, but the rules of the game require us to examine what is before us.

Some of your colleagues at the University of Ottawa, and some other experts, have said that the data were de-identified, as they were supposed to be, and the government received no information that could be used to identify people. So, not only the Public Health Agency, but also some experts in the area have come to that conclusion.

I assume that you share the opinion of those experts.

11:25 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

I'm in line with the evidence that's been put forward to date.

I'm not an auditor. I'm not in the position, let's say, that the Privacy Commissioner would be in, to be able to go in and fully verify those statements. I'm able to go on the same publicly available evidence that they would be and that you would be, and based on that evidence, yes, it was de-identified. Telus made the case that they have a number of guardrails in terms of what was ultimately accessible to PHAC, so it's clear that there were steps taken to try to create those safeguards.

Again, if you're asking me to confirm based on some sort of inside knowledge, that isn't available. This program hasn't been transparent enough. I would ultimately trust the Privacy Commissioner's view, were they given the ability to go in and effectively audit what took place and then render a verdict on that question.

11:25 a.m.

Liberal

Greg Fergus Liberal Hull—Aylmer, QC

I'm going to ask you a question that you should like.

Let's set this specific situation aside and deal with the issue a little more broadly.

What kind of consent should Canadians be giving for their data to be de-identified and used for legitimate purposes?

11:25 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

I think this represents one of the really exceptional challenges. We started to see that considered in the former Bill C-11, which included references to potential consent or potential rules even around de-identified data, and so—

11:25 a.m.

Conservative

The Chair Conservative Pat Kelly

Thank you, Dr. Geist. Mr. Fergus was just out of time when he finished his question.

Thanks for the very brief answer. If you have more to add to that, maybe we can get that in later testimony, but it is now time for Monsieur Villemure.

Mr. Villemure, the floor is yours for six minutes.

11:25 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you very much, Mr. Chair.

Mr. Geist and Mr. Charbonneau, thank you for joining us this morning as witnesses. I will have one question for each of you.

Mr. Geist, we are looking at the situation from the point of view of ethics. A few minutes ago, you said that it seemed to be legal, and I will not argue that point. However, you will agree that something can be legal and unethical at the same time and that legality is the minimum required in order to operate, not the ideal.

Do you believe that the current rules are adequate?

11:25 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

No, I don't think the current rules are sufficient.

I appreciate that the committee's mandate may be to focus on this specific incident and whether it was legal or not, but I fear that would miss the forest for the trees. There is an opportunity here to use this particular incident to highlight both the enormous value that the data can have, and then, by extension, the necessity of ensuring we have an effective data framework in Canada that includes adequate privacy safeguards, both within the federal government with the Privacy Act and in PIPEDA.

I think we can look at this incident as further evidence that at the moment we just don't have that.

11:25 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you very much.

Mr. Charbonneau, in the committee's work, we have learned that the Public Health Agency of Canada was dealing with Telus and that two other people were providing data to BlueDot, which was acting as an intermediary.

In a situation like that, do you believe the government could have done better to inspire confidence?

11:25 a.m.

Former Quebec Parliamentarian and Professional Speaker on Ethics, As an Individual

Jean-Pierre Charbonneau

The act provides a mechanism in the person of the Privacy Commissioner. There are almost 40 million of us and we cannot check everything. So we have a commissioner who, on our behalf, verifies that the processes are adequate. When the Privacy Commissioner is kept at a distance, the process is kept at a distance.

It's all very well to say that the actions were legal. I am not so sure about that, because being legal would have required the process to be followed and the institutions that provide protection and safeguards to be used.

Why is the government not using them? Because it makes things a little complicated and because the government may be afraid of the advice it might receive. It was probably afraid that the Privacy Commissioner might be getting in its way.

If you're not afraid, why not act transparently?

11:30 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you.

11:30 a.m.

Former Quebec Parliamentarian and Professional Speaker on Ethics, As an Individual

Jean-Pierre Charbonneau

Once again, you have to do that from the start, not retroactively.

11:30 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you very much, Mr. Charbonneau. I apologize for interrupting you, but we are limited in time.

Let me continue with Mr. Geist.

Which models could we use to better handle these situations?

11:30 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

In the particular circumstance, I think there were a number of things that could have been done better in terms of the transparency of what took place. I think Christopher Parsons, who appeared before you, did a good job in his brief before the committee of identifying the lack of transparency and how this suddenly appeared on a website—

11:30 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Excuse me a moment.

11:30 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

—and the fog of information.

11:30 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Let me interrupt you for a second.

If we leave the issue we are currently dealing with and we look at the situation as a whole, is there legislation that we could use as a model or that provides better rules?

Which models should we adopt?

11:30 a.m.

Professor of Law, University of Ottawa and Canada Research Chair in Internet and e-Commerce Law, As an Individual

Dr. Michael Geist

Yes, absolutely. Let me pick up on and extend some of the comments I made at the beginning with respect to PIPEDA on the private sector side, which would of course implicate the obligations that Telus and BlueDot would have faced. That's legislation that's more than two decades old at this point in time. We've seen multiple provinces now move ahead with their own legislation, given that the federal government has been so slow in moving forward.

We also have, as I mentioned off the top, the European GDPR, which is effectively the model that many are comfortable with and are already seeking to comply with. It seeks to address some of these kinds of issues in terms of algorithmic transparency, in terms of greater penalties, and in terms of identifying some of the newer sorts of issues such as the right to be forgotten, and others, which form a part of what I think is widely viewed as a modernized privacy law, something that Canada no longer has.

11:30 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Finally, can you briefly tell us whether adding a privacy protection tribunal, as has been done in the case of the General Data Protection Regulation, the GDPR, is something that we should consider?

11:30 a.m.

Former Quebec Parliamentarian and Professional Speaker on Ethics, As an Individual

Jean-Pierre Charbonneau

Who was your question for, Mr. Villemure?

11:30 a.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

I am sorry. I was talking to Mr. Geist, who was still speaking at the time.

11:30 a.m.

Former Quebec Parliamentarian and Professional Speaker on Ethics, As an Individual

Jean-Pierre Charbonneau

Okay.