Your time is up, Mr. Angus.
Mr. Del Mastro now has the floor.
Evidence of meeting #41 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)
A video is available from Parliament.
Dean Del Mastro Conservative Peterborough, ON
Thank you, Mr. Chairman.
Thank you to the witnesses today.
It's very interesting testimony. You indicated, Ms. Stoddart, that we live in the age of big data, and I think it's actually remarkable. Mr. Angus talked about the short time period in which this has evolved. I think companies have been studying consumer behaviour for generations. They test-market things, and in fact, Peterborough was long a test market community for various products. They don't do that much anymore, because they are working off data that they are actually gleaning.
You talked about the algorithms and so forth that they use to determine consumer approval or consumer likes and dislikes. You also talked about how Canadians, but also people around the world, give this information away freely, and about actual informed consent.
It seems to me that when you go to sign up for any of these sites—and I've signed up for them myself—they have a very long legal agreement that I would argue is beyond the comprehension of many people using the sites, especially young people, especially very young people. Should there be almost a disclaimer that says, “We are going to study what you are doing. We are going to note where you go. We're going to use these observations to report back to firms that will pay us for this information. Do you consent to that?”
Would that be a real simple way of putting it out in just basic English as to what their end is? We know what people's ends are. If you go to Facebook, it's one of the greatest communication tools. YouTube and so forth, these are incredible tools. Frankly, like a lot of people, I really like them. But their end in providing it is that they are gaining value out of it, correct?
It's not well understood, the value they're gaining from people. You indicated this information, big data, is something people are giving away freely. It's not being resold freely or repackaged freely.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Very simply, honourable member, I agree with your suggestion. Exactly. You have to talk to people clearly. That's not what's being done.
Dean Del Mastro Conservative Peterborough, ON
Bill C-29, which was in the former Parliament, made some changes to PIPEDA, and Bill C-12, which was reintroduced on September 29, 2011, had a key amendment that required organizations to report data breaches—referred to in the bill as breaches of security safeguards involving personal information—to the Privacy Commissioner and notify affected individuals when there is real significant harm, such as identity theft or fraud.
I have a lot of folks in my community who are concerned about identity theft. It seems that every once in a while we'll hear about a significant security breach. In fact, your office has reported on some of them. This reporting requirement for security breaches, is it something you would support, these changes that are suggested in Bill C-12?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, honourable member. I think the changes that Bill C-12 would bring are very welcome, but I don't think they go far enough. We're now halfway through 2012, and as I mentioned in my presentation, Canadian privacy legislation has lagged behind the reforms in other major countries, and so there isn't much incentive for corporations to invest in the kind of software or personnel training that makes Canadians' data safer. So I think basically the bill could be strengthened.
Dean Del Mastro Conservative Peterborough, ON
I think it's a double-edged sword. People value their privacy, but at the same time I find it very surprising the things that people will put out about themselves on Twitter, on Facebook, on any of the social media sites. But then they'll turn around and say, “Hey wait a minute, this is an invasion of my privacy.”
It seems that people are prepared to broadcast details of their lives and so forth to almost anyone who wants to see it.
Is there a bit of hypocrisy here? Are we, on the one hand, concerned about what might be done with personal details, while there's this other rush to push things out and to interact with as many people as possible? It seems that there's an irony here.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, I believe you're absolutely right, honourable member. We're dealing with human nature. We're dealing in an individualistic society, with everyone's different opinions of privacy depending on the context in which they find themselves. What I may say in one forum, like here, is not what I might say to my best friend over dinner.
The advent of new technology has changed those contexts, so people will react in very different and perhaps contradictory ways. This technology is also very new, so we don't know how much of our behaviour online will change over time, as we become older, go through various life experiences, and so on. Those are things that have yet to unfold.
But yes, there's a wide variety of behaviours online.
The Chair NDP Pierre-Luc Dusseault
Thank you. Your time is up.
Mr. Andrews has the floor for five minutes.
Scott Andrews Liberal Avalon, NL
Thank you, Mr. Chair.
Thank you, guests, once again, for coming in.
On the issue of retention, exactly how long are these companies retaining this information? When someone decides they no longer want to participate and they shut down their account, I think there were two examples you used: deactivating it versus deleting it.
How long are these companies holding this information? How do we know they're actually destroying it in a manner that's acceptable, or do we not know that?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you for that question.
In fact there may be no limits as to how long many companies keep information, and that is one of the challenges. We are presently investigating a company—we finished the investigation—that had no plan to delete the information. It had information from users, and these were quite young users, from five or six years ago.
When we said that under the terms of the law they had to delete this, they said they couldn't because it wasn't written into their programming. This is a very serious issue. We're presently discussing with them as to what alternatives can be taken.
It varies according to company, but this has been a consistent issue. That's why we highlighted to this committee that there are not appropriate plans to delete the information, and there is not a clear explanation as to whether deactivating your account means your information is deleted or just not accessible.
Scott Andrews Liberal Avalon, NL
How does an individual know their information was not deleted? One would assume that it has been. What would trigger them to say, hold on a second, they didn't delete my information? Would the user have any idea?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I don't think they would, but could I ask Ms. Bucknell, who has worked on a lot of these investigations?
Barbara Bucknell Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Thank you. In many of the cases we've seen, the individual has been able to get back on to their account, and that's how they knew that their information, which they had asked to be deleted, hadn't in fact been deleted. Then, they filed complaints with us.
Scott Andrews Liberal Avalon, NL
Okay. Ms. Stoddart, when you look at different jurisdictions—these are multinational companies operating in different countries, different states—exactly how do we harmonize all the privacy laws?
One would think you would want to have it harmonized to some extent, because how do these companies actually say different jurisdictions have different privacy laws? How do we square that circle?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you. That's a very important question for privacy commissioners throughout the world. In fact, the privacy laws are not all that different. They are all based on the OECD fair information principles of 1980.
We, in Canada, chose to follow the European standard of privacy laws, and therefore we're adequate for the purposes of transferring data.
More recently there have been very positive developments in the United States, led by the Department of Commerce and the Federal Trade Commission, to make the privacy standards in the United States more explicit. There is very little difference now between the various countries.
Secondly, I'd like to add that privacy enforcement authorities are increasingly working together.
Scott Andrews Liberal Avalon, NL
On April 4, your office released its statement about the investigation of Facebook, and it stated that they had agreed to make a number of changes. How do you know that these companies actually make the changes? They may just simply agree with you. How will you know that these changes were actually implemented?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
In fact, a while ago I announced a new policy, which was rather than have the taxpayers fund civil servants to follow up on the companies as to whether or not they'd actually done what they were supposed to do, we have asked the companies to go now and get a third-party audit by an accounting firm or a law firm, or something like that, and report back to us within a given time period that these changes have actually been done.
Scott Andrews Liberal Avalon, NL
How has that process worked? Have you had any of those audits or third parties come back to you yet?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
We're waiting for two. One was an audit of Staples, which showed that Staples had persistent problems in deleting personal information from recycled equipment. That is due this summer. We have one from our last investigation of Google Wi-Fi, which was due in May. They're going to be late with it, to my disappointment. They're going to give it to us in July.
Scott Andrews Liberal Avalon, NL
Just one quick one. Did they give you a reason why they were going to be late?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
No, I don't think there was a clear reason.
Patricia Davidson Conservative Sarnia—Lambton, ON
Thank you very much, Mr. Chair, and thanks, Commissioner, and the rest of your contingent for being with us again today. Certainly this is an extremely interesting study, and you were referring back to the Wi-Fi study that we did previously.... All of those certainly proved to be very interesting and hopefully what we've been doing will be in the better interests of the general public.
I was interested when you talked about the privacy standards internationally. I think you had indicated that now they've been progressing and there's very little difference in the standards today. But in your opening remarks, you talked about the enforcement powers and how you felt that Canada could be falling behind. Could you elaborate on that a little bit more, please?
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes. Unlike most other major jurisdictions now, Canada has no major sanctions for those who don't follow its commercial privacy law. I hope that when the second five-year review of PIPEDA will be undertaken by Parliament this issue could be discussed. I believe companies take notice—and I'm talking about very large international companies that operate on a very large scale—when they are subject to major fines or some kind of enforcement action. We have very limited power in that regard, and I believe that more respect would be shown to Canada's laws if we did have that power.