Evidence of meeting #41 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was online.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Barbara Bucknell  Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Janet Goulding  Director General, Governance, Policy Coordination and Planning, Department of Industry
Jill Paterson  Policy Analyst, Security and Privacy Policy, Digital Policy, Department of Industry
Maxime-Olivier Thibodeau  Committee Researcher

May 29th, 2012 / 11:35 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Good morning, everyone. Since we have quorum, we will start. Welcome to this very first meeting to study privacy and social media.

I am pleased to have with us Ms. Stoddart, the privacy commissioner.

First, I would like to ask committee members whether they agree to extending this meeting by half an hour, given the vote in the House and the fact that several witnesses who will appear before us will want to be able to speak and answer questions. Do we agree to extending the meeting by half an hour?

11:35 a.m.

Conservative

Dean Del Mastro Conservative Peterborough, ON

I would move if I could, Mr. Chairman, that perhaps we reduce the period of time for each group of witnesses to 45 minutes, which would allow us some time for committee business at the end.

11:35 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

If the committee agrees, we will take a little less time for asking questions, but the witnesses will each still have 10 minutes to make their presentations. So there will be fewer questions if that is the committee's wish. We will also have to set aside 10 minutes at the end of the meeting, after the witnesses have left, to discuss a few important things for the committee and to be able to plan the rest of the study.

Mr. Angus, do you want to take the floor?

11:35 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I'm asking the indulgence of my colleagues, because I was surprised that when we asked for the report from Madame Benoit, later on we were told that it was under a cloak of confidentiality. That was not my understanding.

I know we have committee business, but at the beginning of this meeting I want to be clear that when someone presents us with a report we've asked for, if there is a reason for it to be confidential then we will respect that, but something that looks as though it was put together using Google pictures, I think, has no reason to be kept under confidentiality.

I'd like to ask if I could get unanimous support, since we have media here and people want to know what's in that report, for it to be released to the media, and then we can carry on with our business at the end of the meeting.

11:35 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

This has to do with a whole other topic, but since Mr. Angus is asking for unanimous consent, I just want to remind committee members that there was a letter from—

11:35 a.m.

Conservative

Dean Del Mastro Conservative Peterborough, ON

Can we deal with the matter on the floor first, and then we'll come to Mr. Angus' motion?

11:35 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

The motion regarding the 45 minutes has already been accepted. There never really was a motion; agreement was unanimous.

11:35 a.m.

Conservative

Dean Del Mastro Conservative Peterborough, ON

Was that agreed to? Okay.

On Mr. Angus' motion—

11:35 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

I would just like to clarify one thing: we received a letter from Ms. Benoît's assistant, Ms. Pérusse, who said that the documents were confidential. Since I am at the service of the committee, if you decide otherwise about it… It is your decision, but I just want to remind you that we were clearly told that it was confidential.

Mr. Del Mastro, do you want to take the floor?

11:35 a.m.

Conservative

Dean Del Mastro Conservative Peterborough, ON

I'd just say if it was intended to be confidential, it's not. I'm sure most members read the story in the Globe and Mail this morning.

I don't see any reason why this should be held confidential either. We had hearings here that were entirely in public. We heard testimony that was entirely in public. I think secondly there were a number of questions that were either not answered or perhaps not answered fully.

I'm entirely supportive of what Mr. Angus is requesting. I would anticipate most members here at the committee would be.

11:35 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

The clerk told me that he spoke to Ms. Benoît today and that she has several concerns. Of course, she had already told us that it was confidential for a number of reasons that will perhaps be explained to us a little later. Since the company operates in the private sector, we may perhaps understand that she does not want to share the information with everyone.

Furthermore, since it is the committee's decision, I can do nothing to stop you, either. It is up to the committee to decide.

Mr. Angus?

11:40 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

With all due respect, I think it's very important to have this on the record. We in the official opposition take the rights of the witness very seriously. This is not meant to be a kangaroo court. There were many concerns about why taxpayers paid money for that trip. We had asked for answers. We had asked for the report.

If the report had supplied the kind of information on meetings or perhaps on costings or other things that would have been shared with the various ports in Australia and the Port of Montreal, that would be an issue of confidentiality we would be bound to respect.

I'm very concerned that someone has presented this report and then after the fact has claimed confidentiality. There's nothing on that report that even says confidential. There's nothing in that report other than something one could hire an intern or ask an intern to find on Google and Flickr. It seems to me we're being asked to use confidentiality perhaps to be almost like a cover-up.

I think that's not the role of our committee. I think the public should be able to see it, and the public should be able to make up their minds. I think it's our job to release that report.

11:40 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Mr. Del Mastro, you have the floor.

11:40 a.m.

Conservative

Dean Del Mastro Conservative Peterborough, ON

Thank you very much.

Again, with respect to the concerns voiced that this is somehow a confidential report, I haven't seen much that indicates it's in any way confidential. In fact, it's as I suspected when the witness appeared before committee. I did suggest there was nothing in the report that you couldn't get off Google.

I also suggested that while she wouldn't respond to my direct question about how much she is paid in her position, which I think people in the public employment.... And with respect to your indication that they have private competitors, two thirds of their funding directly comes from the Canadian taxpayer. I think you have to respect those dollars, and you know frankly, I would simply argue that I don't see anything here that's confidential.

In my view, this was a personal vacation that was in part paid for by Canadian taxpayers, and I'd like Canadians and others to look at it and make that determination for themselves.

That's my determination at this point, and frankly, I think this committee should come forward with a report or at least a motion that we find this spending inappropriate, and that we seek that the government respond formally to what we've witnessed here and table that response in the House of Commons. I think that's where this should go.

11:40 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you.

Some witnesses are appearing as part of another study. Several things have been said, and I expressed some reservations. Everyone seems to agree on continuing the work. Is there unanimous consent? That's basically the case.

As for Ms. Benoît's documents, we would have to consult the clerk to determine how to distribute them. The documents are lengthy and cannot be sent by email. We will see what can be done.

Mr. Del Mastro?

11:40 a.m.

Conservative

Dean Del Mastro Conservative Peterborough, ON

Thank you, Mr. Chairman.

I could simply move a motion in addition to Mr. Angus' motion on which I do believe you have unanimous consent, which is to publicly release the report. I would also like to move that you table the report in the House of Commons, and that we request a response from the government in this matter.

11:40 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

I'm at the service of the committee. Would the committee like to proceed this way? Do we have unanimous consent?

The clerk is suggesting that a motion be drafted and worded in a way that is acceptable to the House of Commons, so that it can be moved at the next meeting and formally adopted. There seems to be unanimous consent. So we can move on to today's agenda.

Thank you, once again, Madam Commissioner, for being with us today. You have 10 minutes for your presentation. We will then have a period of questions. I will remind committee members that they must address their comments through the chair, as usual.

Madam Commissioner, you have the floor.

11:45 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Merci. Thank you very much, Chair and honourable members, for the invitation to appear before your committee today as you begin your very important study on social media companies and the steps they are taking to protect the personal information of Canadians.

I'm joined here by two social media experts from my office, Daniel Caron, legal counsel, and Barbara Bucknell, policy analyst, on this issue.

I'd like to start by giving you a brief overview of social media. I'm sure you've now all had experiences with these online platforms. They've become important channels for news, for communications, relationships, the sharing of photos, videos, and almost anything else that can be digitized. That said, I think it is useful to start with an overview of the industry to help clarify what it does and how its activities have an impact on the privacy of Canadians.

Social media involve applications that allow individuals, organizations, and communities to share information and to generate content. Building on traditional business models where businesses required personal information in order to provide a service, today individuals young and old voluntarily share their personal information on social media sites to connect with other people, or in some cases, to draw attention to themselves and to their views. Indeed, many social media sites encourage users to establish profiles that reflect who they are, what they are interested in, who they know, and what they like. Many provide their services for free in the hopes of gaining a larger user base.

To suggest that these services are "free" however is not entirely accurate. Social media companies can quickly amass a staggering amount of personal information. In addition to the preferences, habits, and social interactions of their users, these companies also collect vast amounts of background information that is not visible on public profiles, including search histories, purchases, Internet sites visited, and the content of private messages. This collection of billions of data points allows social media companies—using sophisticated algorithms—to analyze user behaviour in order to refine their services, and to identify ways to generate revenue. It can also enable others, such as researchers, employers, school administrators, and law enforcement, to learn more about individuals and their activities.

This is the age of big data where personal information is the currency that Canadians and others around the world freely give away.

My office has a mandate to ensure private sector compliance with the Personal Information Protection and Documents Act, which applies to the commercial use of personal information by social media companies operating in Canada.

Over the course of the past five years, we have engaged with, and conducted investigations into, many players in the industry, both big and small. A significant part of our recent research and policy work has focused on understanding and explaining to others the privacy implications of the social media phenomenon.

Ever mindful of the importance of innovation in today's digital economy, we have tried to strike a reasonable balance between companies' desire to experiment with new products and services, and an appropriate level of protection of Canadians' personal information.

That said, I have become very concerned about the apparent disregard that some of these social media companies have shown for Canadian privacy laws. Although we've made some headway with some of these campaigns, I would like to identify the following significant privacy concerns that I believe require more attention on the part of all social media sites, and these are the four following issues: accountability, meaningful consent, limiting use, and retention.

I'll start with accountability. Too often we have seen privacy concerns being addressed after a major problem is uncovered or there is a backlash on the part of users. While it appears that many of the major players are making improvements on this front, the social media world is constantly evolving with new entities popping up regularly in a hurry to get their new service on the market. Privacy does not appear to be a top priority for them.

This is one of the reasons that my office, together with my counterparts in Alberta and British Columbia, recently issued accountability guidance to companies on the internal privacy processes and procedures that need to be in place, including having an individual in charge of privacy.

Second, the issue of meaningful consent is critical. Social media companies need to clearly explain the purpose behind their collection, use, and disclosure of personal information, and what third parties, such as application developers, they are sharing this information with. And they have to clearly obtain users' consent.

This is a particularly challenging issue, since privacy policies tend to be too long, too convoluted, and largely ignored by users. Providing adequate information, which users can easily understand, read, and consent to, is a challenge for social media companies and data protection authorities.

Further complicating the issue of consent is the fact that children are online from an increasingly young age. The youngest users may not yet be able to provide meaningful consent required under PIPEDA.

The third issue is limiting use. Social media services are constantly evolving in an effort to be innovative and competitive. This has meant that personal information can be used in new, and sometimes, unexpected—even unwelcome—ways. It is important to keep users properly informed, explaining new features in a timely fashion, and seeking their informed consent for new uses of personal information. I think we also need to learn more about how personal information on these sites could be used, beyond advertising, and the onus should be on social media companies, as with all other organizations, to be fully transparent about their personal information practices.

The fourth issue of concern is organizations failing to establish retention schedules of personal information and true deletion options for individuals. Social media companies need to be clear about how long they retain the personal information they are collecting. They should also spell out how they treat personal information differently when an account is de-activated versus when an account is actually deleted.

Under the Personal Information Protection and Documents Act, firms are obliged to keep data only as long as is necessary for a specific purpose and then they must destroy it. Vast quantities of data, often located in other countries, can also pose security issues.

Honourable members, as you proceed with your study into privacy and social media, you may wish to use these principles—that of accountability, meaningful consent, limiting use, and retention—as a guide for assessing how social media companies protect the personal information of Canadians.

In conclusion, Mr. Chair, in public opinion polling commissioned recently by my office, we asked more than 2,000 Canadians about social media, and 83% of respondents said online companies should be asking for explicit permission before tracking their Internet usage and behaviour. Clearly, Canadians value their online privacy. That's why we feel it is so important to hold companies to account for how they collect and use personal information.

To that end, we have made steady progress with the tools available to us under the present law, but I believe much more needs to be done. The reach of digital companies using Internet and mobile technologies to collect and share personal information will only grow in the coming years.

My office has been conducting extensive research and analysis in preparation for the second mandatory five-year review of PIPEDA by Parliament, which is now past due. We're giving serious thought to how the current regime, which predates all these novel technological developments, should be modernized to keep up with the times. Top of mind is how the existing enforcement powers could be further strengthened to curb industry non-compliance and encourage greater accountability from companies for the personal information they collect, use, and share with others.

In recent years there has been a trend internationally toward more robust enforcement powers. Canada has long been a leader in terms of privacy protection laws, but I believe we now risk falling behind.

I look forward to sharing my office's detailed position on this matter when the parliamentary review gets under way.

Thank you very much for the time, Mr. Chair. I would be happy to answer any questions the honourable members have.

11:55 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you for your presentation.

Since we are short on time, we will have five-minute periods to allow as many people to speak as possible.

Mr. Angus.

11:55 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, Mr. Chair.

Thank you, Madam, for coming. I'm very pleased that you are our first witness, because your office is one of the few recognized beacons out there dealing with this issue.

I think, from a legislative point of view, there were many years where we felt that it was probably dangerous for politicians to step in on this emerging technology, because we didn't know where it was going. We had to allow this market to develop. We had to allow the technology to come of age. Suddenly it came of age, and very quickly; it moved faster than any of us ever conceived. We feel we're playing catch-up.

In terms of the issue of privacy in particular, people are now living almost entirely online, and there are enormous implications. Social media is an incredible force for good and for communication, but there are issues of privacy, security, safety. There's a whole manner of issues that we have not even begun to get our heads around.

In the short time I have, I'd like to focus on your four main points: accountability, meaningful consent, the limitation of use, and retention of data.

In terms of the issue of accountability, we have government legislation with PIPEDA coming forward, yet in this law, when they're looking at the issue of the breach of privacy, the onus is on the company to decide whether or not to share that with the citizen. It's based on the issue of significant risk or harm.

Do you believe we need to have a clearer standard? I cannot imagine a company ever calling its consumers and saying, “Guess what? Someone has been breaching our data, but don't worry; stick with us.” The obligation of the company to the consumer I think should outweigh the risk to its bottom line, because at what point is the consumer going to be able to be assured that their privacy is being respected? What role do you think your office plays, and what role do you think should be the standard, for issues of breach of privacy?

11:55 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Thank you for the question, honourable member, on a very important topic—namely, the growing threats to data security throughout the world but including, too, the information held by Canadian companies or of Canadians elsewhere.

In this area, once again Canada has lagged significantly behind. We don't have specific data breach provisions. I believe we should. I believe we also have to couple them with some kind of incentive for companies to invest in the appropriate data security standards.

There is some legislation currently at second reading. I think the standard in the legislation is acceptable. It mirrors that which was already adopted by Alberta. But I think we have to have stronger enforcement powers, because under the present regime there's almost no sanction for a company that doesn't report either to my office or to consumers, if there's a real risk of significant harm.

So I would welcome this issue being re-examined.

11:55 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

The issue with Facebook going with its public offering and the share price crashing.... Everybody I know is on Facebook. I live on Facebook. There will be enormous pressure at the company level since the market decided that its advertising model may not be what they thought it was. Their other incredible treasure trove is the data, and there could be increasing levels of pressure now that they're in a public offering to open up that data.

In terms of the limitation of use, how do we set down some basic rules that need to be enforced? Are there issues of “do not track”? Have you thought of what it would look like to lay down some rules in terms of protecting that data from unfair exploitation?

11:55 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes. In fact, we've been almost continually investigating Facebook since about 2009. There are clear rules. We have intervened time and time again to check as to whether or not Facebook was following these rules. The first time they weren't. In subsequent investigations, it seems they had a higher level of compliance.

The problem with social media companies is generally their lack of transparency with regulatory authorities. It takes a very skilful investigation, with a lot of experts, particularly in information technology, in order to find out really what they're doing.

Noon

NDP

Charlie Angus NDP Timmins—James Bay, ON

I guess the issue is meaningful consent, because there are mechanisms on all the various sites to allow you certain privacy settings. But as they say, the devil's in the defaults. Is that something we should be looking at in terms of coming up with recommendations or legislation? Should the opt-out mechanism be there so you get to make that choice clear and upfront, and so you know what you're signing on for?

Noon

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I would welcome this committee looking into privacy policies. Over the years, we've said they have to be clearer, they have to be readable, so that people really understand.

Again, unless we're in an investigation and we say you modify this policy so that it's a lot clearer to a user or we will have to take further steps, which involves going to federal court, in my experience, as we go online, once again, we see unreadable privacy policies. That says to me that companies are only making clearly worded privacy policies for the consumers when they're forced to. Otherwise, it's in legalese that even lawyers have difficulty following, and it says if you have a problem, go to the courts of northern California.

This is not acceptable.

I would welcome this committee examining this problem more closely.