Evidence of meeting #28 for Access to Information, Privacy and Ethics in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was know.
A recording is available from Parliament.
General Counsel, Office of the Privacy Commissioner of Canada
I'll ask Mâitre Caron to confirm, but my understanding is that our contact person for this investigation, particularly near the latter end of the investigation, was their legal counsel, David Fraser.
General Counsel, Office of the Privacy Commissioner of Canada
Yes, he is based in the Atlantic region at McInnes Cooper.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Okay. Does he have particular responsibilities for Google around privacy concerns, or is he a legal counsel?
General Counsel, Office of the Privacy Commissioner of Canada
I don't know.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
I know one of the things the commissioner has asked for is that by February those who are responsible be clearly designated and identified. Right now, is there anybody in Canada who's designated, other than the legal counsel, for privacy concerns?
General Counsel, Office of the Privacy Commissioner of Canada
Just to be clear, David Fraser is their external legal counsel. Maybe that's a question you can clarify with Google, so I don't misspeak.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Right. I was just getting at whether or not we will be hearing from the right person. You can't offer any other advice in that regard at the present time?
General Counsel, Office of the Privacy Commissioner of Canada
No, I'm sorry.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Okay.
The commissioner has done this investigation, made recommendations, and set a deadline, and she wants proof from Google that they've addressed the concerns she's raised. In a case like this, where an investigation's been undertaken and recommendations have been made, generally what's the next step? If there isn't compliance, what happens at that point? What are the consequences of non-compliance at this point of an investigation?
General Counsel, Office of the Privacy Commissioner of Canada
Mr. Chair, one of the powers she has under the current legislation, PIPEDA, is that at the end of her investigation, particularly if she recommends something the organization does not comply with, she has the option of going to Federal Court under section 15 of the act and taking the organization to court to have the court then adjudicate on the recommendations and to have those recommendations enforced by a judge.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
So that would be the next stage in any case where there was non-compliance?
General Counsel, Office of the Privacy Commissioner of Canada
In any case it would be.
Liberal
Liberal
Hedy Fry Liberal Vancouver Centre, BC
Thank you very much.
I want to pick up on something my colleague Dr. Bennett said. She talked about the fact that parallel streams of technology move very quickly--both of us are physicians--and in medicine, that's the way it's happening. However, people who use that technology, such as physicians, automatically have an ethical code. The ethical code is for us to do no harm. I mean, the precautionary principle is built in to what we do.
Given that communications technology, and other technology, is moving along so very quickly--we're talking about what Google did--we should be thinking about what they could do. It was only within the last short period of time that they were actually able to develop the technology to get the Wi-Fi personal data information.
If you have companies that have the ability through technology to collect data or information or do things that could have potential harm, how do you build in some piece of regulation or legislation? Obviously companies aren't doing it. I don't want to beat up on Google, but the fact that they didn't stop to think and that it was considered superficial tells me they didn't believe this was worthwhile--that privacy is a superficial issue, and who cares?
How do we build in legislation that ensures there is some kind of ethical and precautionary regulation for companies that have access to harmful technology? And Dr. Bennett talked about the good that technology can do, and you have to balance it out. How do we build that into some kind of legislation or regulation that could say you've got to deal with precautionary principles, and as your technology moves so rapidly you've always got to consider what harm it can do? I'm here to tell you that if a physician or a radiologist used brand-new technology that hurt the patient, and they were taken to court, they couldn't say they didn't know. I'm sorry, that's not acceptable. You've always got to weigh the good plus the bad. There's lots of good in this technology, but harm has to be weighed.
Is it important to get that kind of regulation or wording in the law, and not just under the Privacy Act? I mean, this criss-crosses the communications act.
Perhaps your legal person might be able to answer this question better. What is it we, as legislators, can do when we see a loophole, an opening we haven't paid attention to, to make sure we protect and prevent future harm?
This technology is moving so fast. We're talking today...and tomorrow we might be talking about something totally different. Therefore, there has to be a precautionary principle involved.
General Counsel, Office of the Privacy Commissioner of Canada
I'll let Mr. Caron address that question.
Legal Counsel, Legal Services, Policy and Parliamentary Affairs Branch, Office of the Privacy Commissioner of Canada
I think the commission shares your concern with respect to how fast technology is emerging and the privacy implications of emerging technologies.
I'm not sure if I can specifically answer the honourable member's question, but I think one positive thing that has come out through our experience with the Personal Information Protection and Electronic Documents Act, PIPEDA, is that it has shown to be sufficiently malleable to deal with these emerging technologies.
It came into effect before the Facebooks and the Google Street Views. But as a principle-based act, it has shown to be quite flexible in dealing with new technologies and finding the right balance between allowing companies to offer innovative products but in a manner that also protects personal information--the privacy rights.
Liberal
Hedy Fry Liberal Vancouver Centre, BC
But it's a reactive act; it's not a proactive act. I'm talking here about proactivity as opposed to reactivity, where somebody does something and they are taken to court and you can do whatever you wish.
Again, I am not trying to cast aspersions on Google. But you sent a letter in June 2010 and you have not yet had an answer--it's November in two days--yet Google sees fit to speak through the media about this issue. I call that disrespectful. That's been a long time for this company not to at least send a preliminary letter saying they got your stuff, they're working on it, and they'll send another letter in two days' time. There has been this talking through the media, and an ignoring of a privacy commission who sent a letter to a company...was it four months ago? The media is getting all the answers. I find that disconcerting with regard to ethics.
General Counsel, Office of the Privacy Commissioner of Canada
Just to be clear, the letter that was sent in June notified Google that the commissioner was initiating an investigation. There has been active correspondence between the commissioner's office and Google representatives throughout the investigation process. She most recently sent them her preliminary letter of findings. I believe that was on October 14.
If I may add to Mr. Caron's answer to your question about PIPEDA, one of the ways the commissioners, acting together, encourage organizations to be more proactive is to take all those principles in PIPEDA and use them in a privacy risk assessment that they should carry out prior out to the deployment of technologies. We call that a PIA, a privacy impact assessment.
PIPEDA provides the tools and principles for any organization to be proactive in identifying and managing the risks before deployment, if they walk through the principles behind PIPEDA and do a proper assessment of the risks using the PIA process. It's done much like an environmental impact assessment. Those are the tools needed to avert the risks of new information technologies, which the commissioner is first to embrace as important and novel advances, as long as the privacy risks are being properly managed in the process.
Bloc
Carole Freeman Bloc Châteauguay—Saint-Constant, QC
Thank you, Mr. Chairman.
We see that there is a consensus among parliamentarians. Ms. Davidson, Ms. Fry, Mr. Albrecht and Mr. Siksay mentioned that. We are really concerned about the situation, about what is going on with Google Street View and as a result of all the exemptions they had.
I have a completely different file in my hands. Germany and France are even considering banning Google because they think that really goes too far. I'm looking at all the countries. We are all watching and letting Google continue to act. What is our interest? I'm asking myself that question. Why can any technology emerge in this manner without us doing something else than stupidly looking at each other and letting people do things in their own way, cavalierly?
My second question is this: following all this uproar, Google decided to appoint Ms. Alma Whitten to the position of privacy policy officer. In fact, I believe she will be a scapegoat. She will try to manage the kind of monster that Google is, with all its tentacles. Does she have any training? Is she working with the commissioners of the various countries? What does this lady do?
I'll have a third question later. I don't know whether I'm going to have time.
General Counsel, Office of the Privacy Commissioner of Canada
I'll briefly try to answer your two questions.
I'll start with the second. I don't know Ms. Whitten. So I can't speak to that point. I don't know whether this is something new for her or whether she has previously been appointed. I can contact you again to forward that information to you, or perhaps you can put the question directly to the Google representatives when they appear. Once we have Google's response to our recommendation that a governance system be put in place, the commissioner will probably extend her analysis further and ask that kind of question to ensure the governance system is effective enough to manage these major privacy issues.
In response to your first question—
Bloc
Carole Freeman Bloc Châteauguay—Saint-Constant, QC
In fact, that wasn't a question, but rather a comment. You don't need to respond. We feel overwhelmed by the situation. We no longer know where they're going to stop. We get the impression we'll never be able to fill the gaps that will be created. We all seem powerless, whether it be in Europe, Australia or elsewhere. They are all powerless. We are powerless and we let them act. I don't think this situation makes sense anymore. It's the same everywhere.
I'd like to go back to the situation we have in Canada. I know that Quebec, Alberta and British Columbia are not governed by the Personal Information Protection and Electronic Documents Act. Yesterday, my colleague Bill Siksay asked me a question in the House. He wanted to know what advantages the Quebec act had over Canada's legislation. Are you working jointly with the three provinces to achieve exactly the same harmonization?
General Counsel, Office of the Privacy Commissioner of Canada
The provinces you named have legislation that has been deemed equivalent.
