Evidence of meeting #28 for Access to Information, Privacy and Ethics in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was know.
A recording is available from Parliament.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Okay.
We've also heard this afternoon about some new technologies that Google is exploring at this point. Could you talk a little more about those technologies? I've read a little bit about this issue, and what I have read is not reassuring unless we are able to put some restrictions or some regulations in place. Could one of you please speak a bit to those new technologies that they're anticipating?
General Counsel, Office of the Privacy Commissioner of Canada
I'll give a few general remarks and then I'll ask my colleague to elaborate.
In the introduction of any technology and in other areas of science--and in the case of information technology increasingly so--we've generally taken measures to adopt what is commonly known as the precautionary principle. As you introduce and deploy new technologies, in the absence of scientific evidence indicating with absolute certainty that there are no harms being done, the precautionary principle kicks in. It says that you must take the proactive measures--the “forecare” measures, to use the German term--to avoid risk. You must take those measures necessary to avert the potential harm that may arise. This is the key message that the commissioner and her colleagues worldwide are sending to organizations, especially those that, like Google, are model organizations and trendsetters: to adopt the spirit of the precautionary principle before deploying new information technologies.
I'll ask Dr. Patrick to speak to you about the specifics of this new technology.
Information Technology Research Analyst, Office of the Privacy Commissioner of Canada
Thank you for the question. I'm hoping it's something you'll ask Google next week.
We don't have any special knowledge of the kinds of things they're developing. We watch the trade press and attend the technical conferences. We know the kinds of things that they and other companies are exploring. Location-based advertising is going to be a big trend; sending advertisements to your mobile phone or your home entertainment system, based on where you are and what your profiles are, are things that we're well aware of, and we're watching for them. Beyond those specifics, I don't have any special knowledge.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Thank you.
Am I correct that the commissioner is at an international conference right now?
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Do you expect that she'll be bringing back recommendations, best practices, improvements, or things we can discuss at this committee on an international basis?
General Counsel, Office of the Privacy Commissioner of Canada
Yes.
Every year at this international data protection commissioners' conference, data protection authorities from around the world, including the FTC in the U.S., come together and typically prepare and adopt resolutions as a community. There will be resolutions coming out of this international meeting. I'm sure the commissioner would be pleased to come back and speak to this committee about the 2010 resolutions that will have been adopted by her and her counterparts to tackle some of these global issues. I'm sure she'd be pleased to do that.
Conservative
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
The Wi-Fi issue is still unresolved, and you're waiting to hear something on it before February 1. Are you feeling fairly confident that you're going to get something, given the degree of cooperation? You have indicated there has not been a lack of cooperation. Are you confident that you're going to be getting what you need by that date?
General Counsel, Office of the Privacy Commissioner of Canada
I think we have every indication to be confident. Although there have not been formal responses to us from Google, we have heard responses in the press, as all of you have, to indicate concrete steps that they have already taken. In the course of our investigation we learned about steps that had already been undertaken to begin the process of putting in place appropriate governance structures within the organization, which is a global giant, as you can understand. The date of February 1 was deliberately chosen, bearing in mind a reasonable amount of time not only to make these changes but also to have concrete evidence that they've been made at a global scale. That's why that date was given.
We have every hope that we will get a positive response earlier than that, and we'd be delighted to do so. We are fairly confident that there will be a good ending to this.
Liberal
The Chair Liberal Shawn Murphy
Thank you very much, Mrs. Davidson.
Can I ask you one question before we go to the second round, Madam Kosseim?
This is a hypothetical question. In your opinion, what would have happened in this situation if Google had not been caught by the Germans six months ago?
General Counsel, Office of the Privacy Commissioner of Canada
To my knowledge and to be fair, I don't think they were caught by the Germans. I think that prompted by questions, in essence they caught themselves, identified the breach, and announced it right away. I have no personal knowledge of it, but that's my understanding.
If it had not been identified when it was, I think the danger would have been in just complacently continuing, on the understanding or the thought that they were, in the engineer's terms, “superficial privacy concerns”. The belief was that any data picked up would be so scrambled anyway by the speed at which the cars go by that it would be meaningless. It would not be meaningful data. I think the danger of not identifying it and stopping immediately would have been the continued complacency in not understanding the privacy implications, and of course the more you collect, the greater the risk to citizens' privacy.
Essentially those are the risks, and as we've seen in other instances, the more you collect, the more risk you have of something untoward happening to it. There is a greater risk that it will be leaked or otherwise breached. The risks just compound from there.
Liberal
The Chair Liberal Shawn Murphy
Thank you very much.
We're now going to start round two.
We're going to go to Ms. Bennett. Ms. Bennett, you have five minutes.
Liberal
Carolyn Bennett Liberal St. Paul's, ON
Thanks very much.
My line of questioning, instead of following everybody else's, has to do with how we go forward.
At an international meeting, obviously people like the commissioner come together to consider what we do about this. Surely we have now learned something from this Google Street View episode. I was a bit shocked that just one engineer can decide that this is a “superficial” privacy concern and then go forward. It doesn't seem as though there's any training at all as to what privacy is. They're naming Alma Whitten as the new director of privacy; do we know who that person is, or whether she has any idea of privacy? Would the equivalent people in lots of other companies that are obviously pushing us forward in technology be at the privacy commissioners' meeting? Where do they find out what the minimum specifications actually are in terms of determining what a real privacy concern is, or a medium one, or a so-called superficial one? We're breaking new ground all the time, and I think that even in medicine we learned the hard way that the law has a terrible time keeping up with technology.
Do you have any observations as to what you would want us to put in a report from this committee about how we could go forward? Could it be that the commissioner needs powers more like those of some of her international counterparts? At the same time, the NHS is able to tell people where the closest smoking cessation course is, and that's probably a good thing, so how do we balance the need to help citizens get things that are relevant and responsive to their needs against their need for privacy?
I think this example was pretty egregious. Google all of a sudden was capturing all of this data without any pre-clearance or advance warning or respect. Somebody who knows more about privacy than a private enterprise would actually need to go forward the way we would, with a law and a charter challenge. We would want to know whether this would fly or not before you went ahead and collected all this stuff.
If you were writing the recommendations for this committee as to what we learned and how we can go forward in a more proactive way, what would those recommendations be? If you don't have them now, would you send them to the committee?
General Counsel, Office of the Privacy Commissioner of Canada
That's a very nice question. Thank you.
We may take you up on that on further reflection and send those recommendations back to you. I'm sure our office would be pleased to do so, but let me offer a few suggestions right off the bat, if I may.
The first thing I could say is to echo what has been the key message of the commissioner and her international counterparts, which is to impress upon all organizations--but especially model organizations and world trendsetters like Google--that they must take proactive measures to avert risks before the deployment of products and services occurs. This is a key message; if you were to echo it, I think it would be very helpful.
There are other things being contemplated by Parliament right now that would go a long way in assisting in where we go from here. One of those is to afford the commissioner with the powers and the authority necessary to share information about ongoing investigations with her international counterparts, so that she can compare notes with her German and U.K. and Irish and Australian colleagues and discuss what we have found, what they have found, and what we need to do collectively to stop something in its tracks.
Currently, she cannot do that, but Bill C-28 would afford her with the powers to share and exchange information and collaborate even more meaningfully than she can now with her international counterparts to deal with these global issues.
Another change going from here currently to Parliament would be to give her discretion to choose which complaints she goes forward with. Right now she must investigate all complaints, which takes an awful lot of resources, as you know. If she were afforded with the discretion to set priorities and decide where the real risks are, to take some complaints or not investigate other complaints, then she could afford and allocate resources much more meaningfully to get at the big risks--such as Google, in this example--and allocate her resources accordingly. That discretion would help.
Finally, another change before Parliament is Bill C-29, the amendments to PIPEDA. As you know, these amendments would make it mandatory for organizations to notify of breach. This would go a long way towards bringing these instances out into the open to be able to deal with them.
Liberal
General Counsel, Office of the Privacy Commissioner of Canada
I know that the commissioner is on record as supporting particularly those provisions I just mentioned. I know that there are many things that she welcomes in the bill, and if asked to do so, I'm sure she would discuss in further detail her position on other issues.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Thank you. I wasn't intending to ask the question, but you opened that door on Bill C-28 and Bill C-29.
I'd be the first to acknowledge that I'm not an IT expert, and my questions will probably show that quickly enough.
If Google can inadvertently capture this Wi-Fi payload data while a car is driving down the street, how can I be assured as a private citizen that some IT expert with malicious intent could not go down my street, do a personal investigation on my data, and use it for something other than proper purposes?
General Counsel, Office of the Privacy Commissioner of Canada
Mr. Chair, one of the key outcomes and messages coming out of this investigation is that although Google has a large responsibility, there is the other side of the coin, which is that individuals and organizations who use wireless networks have to adopt the protective measures necessary to encrypt data so that you, I, or anybody else going down the street cannot pick up information about their communications.
That is a big responsibility of individuals and of organizations as well.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
So it's unencrypted information from people who are carelessly leaving their Wi-Fi accessible to people in the apartment next door that's the big issue.
I want to follow up on a question that Ms. Fry asked about private information. She alluded to the possibility that you could even tell from the pictures that somebody was on holiday. I want to follow that up.
The information and pictures that are being gathered by Google Street View are not being gathered every day. It's once a year or once every six months or once a month. How frequently are they updating? Are the chances of telling whether I'm home pretty remote, or am I wrong on that?
General Counsel, Office of the Privacy Commissioner of Canada
My understanding is that these are still photographs taken at a point in time. They're snapshots at a point in time. They can capture other compromising information, but they are a snapshot in time.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Okay. If I am a private citizen who is not surfing Google every day, and something private was posted on Google Street View, how would I be notified? How would I ever find out that there may have been an image there for six months that I didn't even know about? Is there any way of finding out that kind of information?
General Counsel, Office of the Privacy Commissioner of Canada
The first thing you can do, as a citizen, is to Google-map the area of your neighbourhood. That's for starters.