Evidence of meeting #41 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Barbara Bucknell  Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Janet Goulding  Director General, Governance, Policy Coordination and Planning, Department of Industry
Jill Paterson  Policy Analyst, Security and Privacy Policy, Digital Policy, Department of Industry
Maxime-Olivier Thibodeau  Committee Researcher

12:35 p.m.

The Chair NDP Pierre-Luc Dusseault

You have a minute and a half.

12:35 p.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

I've spoken with a number of stakeholders and academics in this area. Ms. Stoddart also gave the example of a company that kept its data because it didn't have the technology to purge the data. So I think we have technology that is being adopted and invented, and the policy comes afterward.

I would like to hear your comments on this as well. How can we make sure—with the policy and then the technology that's developed—how can we make sure that we don't have technologies that will preserve data because we don't know how to purge or destroy it?

12:35 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

In the current legislation, PIPEDA has requirements for organizations to set retention schedules for all of their personal information. The commissioner alluded to that.

In terms of requiring companies to think about privacy as they're implementing new technologies, this is an ongoing challenge. It's something privacy commissioners around the world, and in Canada as well.... The Ontario Information and Privacy Commissioner has been very vocal on her views on privacy by design.

Companies are thinking about how they need to be in line with privacy protection. But clearly, awareness is a challenge. The private sector, as well as individuals, have a role to play in protecting their privacy online.

12:35 p.m.

The Chair NDP Pierre-Luc Dusseault

Thank you.

Your time is up, Ms. Borg.

Mr. Calkins, you have the floor.

12:35 p.m.

Blaine Calkins Conservative Wetaskiwin, AB

Thank you, Mr. Chair. Thank you very much, Ms. Goulding, for being here today.

I have a couple of direct questions for you. They're fairly straightforward and come right out of your testimony.

You said that the OECD is conducting a review of its privacy guidelines. Do you know when that OECD review is slated to be completed?

12:35 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

The review is ongoing, but I'll maybe just turn to my colleague, Jill, in terms of the timelines.

May 29th, 2012 / 12:35 p.m.

Jill Paterson Policy Analyst, Security and Privacy Policy, Digital Policy, Department of Industry

I'm afraid I don't have specific details about that. I know the OECD has recently published some documentation with regard to recommendations for changes to the EU Data Protection Directive. I'm afraid I'll have to get back to you with details on the timing for how they see moving those recommendations forward.

12:35 p.m.

Blaine Calkins Conservative Wetaskiwin, AB

It would just be helpful for us to know, from a timing perspective.

Ms. Goulding, you spoke a little bit about cookies. Believe it or not, I was a computer programmer before I came here. I taught information technology. I'm fairly familiar with some of the issues that concern this. Everybody who is a computer or technology user should know that there are operating system settings that can be used to set things like security, for example. When it comes to cookies, you can actually turn the setting off so that cookies can't be stored on your computer, and so on.

Do we have an education problem in Canada insofar as people's ability to actually understand what their systems are capable of? I was going to ask this of the Privacy Commissioner, because if you know what you are doing, you can actually set it up in such a way that you can increase your own personal protection of your information.

Are we doing enough on that front in Canada to make sure people are fully aware of the risks they face, and what some of the things are that can help mitigate these concerns?

12:35 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Thank you for the question. I do think you raise a very important point. Digital literacy has been an issue that has been raised over and over again in the context of having people understand what their privacy risks are online. I do think digital literacy needs to be a priority. Awareness is an important element. It's important, as the commissioner pointed out, because schoolchildren are coming online sooner and sooner. For them to understand the potential risks they face when they put their information online is key.

Again, I mentioned to you briefly that one of the amendments in Bill C-12 will impose a new obligation, or a clearer obligation, on organizations to target their messaging at their target audience. When you're talking about children, or frankly, the average Internet user, it's important they're aware that there are measures they can take to further protect their privacy online.

12:40 p.m.

Blaine Calkins Conservative Wetaskiwin, AB

I have something that I hope for some clarification on. In one of your first paragraphs, you say the act balances two simple considerations—the need to protect privacy of individuals, and the need for organizations to collect user-disclosed personal information in the course of commercial activities.

I think everybody understands that a financial transaction—for example, every time you use a Visa, debit card, or do an online banking transaction—certainly is a commercial activity, but is signing up or downloading an app off of iTunes that's free....? Do we actually need money to change hands in order for this to be considered a commercial activity? Is signing up for a free e-mail account on Gmail considered a commercial activity? Or is the commercial activity actually when somebody takes the personal information that you volunteered as, I would guess, the fee for the free service, and then resells that information?

I'm sure everybody who is watching this would clearly know that sometimes within minutes of signing up for a free app or whatever, as soon as you give your e-mail address, all of a sudden your inbox is full of spam. Sometimes it takes less than a couple of hours for that to happen. So you know that your information that you have just submitted has been either divulged, sold, or whatever the case might be.

What protections do I have when I sign up to know that my personal information has been sold? Do I have to read those 15 pages of jargon, or is there something a little more clear that Canadians can grapple with?

12:40 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Thank you. I think the question of clarity is an important one. You're absolutely right in terms of the need for clarity when organizations are seeking to collect information that they will use for a commercial activity. I think it's clear that an actual transaction....

It might be arguable that when downloading a free app, there is still a transaction going on there. But clearly, information is collected in a commercial context in many ways, whether or not money is actually changing hands. Clarity about what that information is being collected for and how it is being used is a real challenge in today's environment.

12:40 p.m.

The Chair NDP Pierre-Luc Dusseault

You only have a few seconds left.

12:40 p.m.

Blaine Calkins Conservative Wetaskiwin, AB

From my perspective, then, do you think it would be feasible to implement a system whereby Canadians would be notified any time their personal information was sold or shared in a commercial way?

12:40 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

The challenges that are presented in the online environment can make that difficult. The Privacy Commissioner alluded to that simply in that, although the information may be contained, you have to get through a 10-page terms and conditions statement to actually find that information. All too often, Canadians or consumers just click “accept” and move on to the next phase of their transaction.

So getting back to your first question, digital literacy is key, and people need to take an active role in protecting their own privacy. I don't know that I have a more precise answer to your question.

12:40 p.m.

The Chair NDP Pierre-Luc Dusseault

Thank you.

Mr. Andrews now.

12:40 p.m.

Scott Andrews Liberal Avalon, NL

Thank you, Mr. Chair, and welcome.

To continue on that concept, the first thing, the most central principle you said is the need for consent. When you're talking about consent, how much jargon can be in there? How simple can we make it? I know we talked about the Privacy Commissioner, when someone has consent—you give consent to give your information to somebody else—how simple can we make this, so that people get it, and everyone knows what we're doing when we give consent? Is it possible?

12:40 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I would have to agree with the Privacy Commissioner on this front. I think it is possible, but it is up to organizations to make those clear statements to their users as to what they're consenting to and what their information will be used for.

12:40 p.m.

Scott Andrews Liberal Avalon, NL

You also said that this is whether consent is “expressed or implied”. Can you give us an example of implied consent? Should users be very concerned that some of this may be implied and they don't realize it?

12:40 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

The legislation indicates that implied consent depends on the context and the circumstances around it. So, for example, if the consumer is purchasing a magazine subscription, their consent might be implied to get a follow-up notice about the fact that their subscription is expiring, but it's very much contextual and it depends on the circumstances in place. So that kind of framework allows flexibility in allowing the Privacy Commissioner to interpret what's reasonable in the context of implied consent. I think it's one of the valuable aspects of the legislation.

Once you move to something that's more prescriptive, then by definition you tend to exclude something you can't foresee, and so the principles are very flexible and that's one of the strengths of the legislation. But the Privacy Commissioner has issued a number of guidelines on how consent should be interpreted, and they are available on our website.

12:45 p.m.

Scott Andrews Liberal Avalon, NL

Quite often now, you see when you sign up that there's a box to be ticked beside a sentence that says, “We will provide this information to other vendors” and you can tick it if you wish to do that.

If you do tick the box, how far does it go down the chain to these vendors or other groups? How about the resale of this data? Does that go on? Does some organization get this data from somewhere else and then in turn resell it to somebody else? Are we concerned that this data gets passed through many hands through the resale?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I can't speak to all business models but I don't think what you're describing is unheard of. I think that the principle of consent applies, no matter what the context. So if the information that's being collected is to be passed on to a third party, that consent is required by the legislation to be explicit and informed.

12:45 p.m.

Scott Andrews Liberal Avalon, NL

And even if that third party then resells it?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Certainly within the context of the legislation, I would say, yes.

12:45 p.m.

Scott Andrews Liberal Avalon, NL

Talking about breach notifications, the Privacy Commissioner said that not all businesses are reporting data breaches. How widespread do you think data breaches are?

12:45 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Unfortunately, we don't have any research available to us to indicate how widespread data breaches are, but I think that in a world where organizations have vast amounts of data at their fingertips, it's important that we have legislation that requires all organizations to be subject to the same level playing field, and that they be required to take measures to protect that information in a manner consistent with the sensitivity of the information.

I think once the legislation is in force, the Privacy Commissioner will have the ability to have a better understanding of how widespread data breaches are in Canada.