Thank you very much.
Are there cases when companies completely change their platforms in order to avoid implementing certain recommendations? Is it a problem?
Evidence of meeting #46 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A video is available from Parliament.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Thank you very much.
Are there cases when companies completely change their platforms in order to avoid implementing certain recommendations? Is it a problem?
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I would say that it's a problem, yes, but part of the problem is that it's a two-tiered problem. These sites evolve at such a rapid pace that it's hard to.... You need something more flexible, so that the Privacy Commissioner can adapt. Six months in Internet time is a decade in non-Internet time, so what you need is a process for the Privacy Commissioner to be able to adapt, in an ongoing manner, what the intent of their principle is. Because what will often happen is that by the time the response get implemented, it ends up doing the opposite of what it was intended to do, for example.
NDP
Managing Director and Head of AccessPrivacy, Heenan Blaikie
May I offer a comment? Just by way of background, I've had the opportunity to represent companies across sectors in multiple investigations with the Office of the Privacy Commissioner of Canada. At least in my experience, once an investigation has been commenced, the companies always end up working out—or have worked out—a solution tailored to their business practices, but to the satisfaction of the OPC.
As I mentioned in my opening remarks, Commissioner Stoddart has been on record as saying that the mere threat of Federal Court action has been very effective. Nothing is more important to most companies—if not all companies—than their reputation. The prospect of being publicly named is something that they really want to make sure doesn't happen, so they comply.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Thank you.
Mr. Israel, you mentioned Acxiom as an example of a company that has gathered a large amount of data.
Should we be thinking of establishing principles that would limit the amount of data that companies are collecting? How could that be put into practice at the moment?
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
That's a very good question. I think it's something that really needs a lot of closer study.
The same issue is starting to arise in the child gaming context. The marketing materials used to be easier to get because companies would have their practices out in their marketing materials. If I were trying to figure out what a specific site was doing, I could pick up their marketing materials and see it in there, as Sara was saying. Now they've moved away from that. They don't have those marketing materials available any more, so it's not as easy to do.
It's the same issue as with the data brokers. It's not very clear to me what they're doing. Some of their marketing materials are available, so you can get a sense, but I think you need.... I don't have a solution. I think what's needed is a more in-depth investigation, with those data brokers at the table, that tries to get them to explain what their processes are.
What's been suggested is to just have a centralized place where individuals can ping these data brokers and do searches of these data brokers all in one place to see if their names are on there. Then you have, under PIPEDA, for example, a right to request an organization to give you everything they have on you. But you have to first know which organization to go to, what the organizations are. I don't want to send out 100,000 of these. If there are 100,000 data brokers, I want to be able to go to one spot, see who these are, send them requests, see what data they have on me, and then maybe correct any errors that are there.
In addition to that transparency mechanism, there's probably an analogous regulatory-ish mechanism that could be put in place that would talk to these organizations and get a sense of where their data's going, how it's being used, and where it's being collected from. That's a fact-finding type of expedition that I think would be really useful, but it's very difficult for individuals to undertake on their own.
That's a starting point.
NDP
The Chair NDP Pierre-Luc Dusseault
Thank you. Your time is up.
I now recognize Mr. Butt, for five minutes.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Thank you very much, Mr. Chair.
Thank you very much, witnesses, for being here today. I think the other committee members have said it well, that we're learning a great deal today. I really appreciate your expertise in this area.
Let me run a concept by you and get your feedback on it. I'm going to call it, for lack of a better term, a reverse negative billing option as far as the privacy or consent form is concerned. Would it be possible, or do you see it working, that unless a user specifically gives consent for their private information to be held by the user—Facebook, Google, whoever it is—and then disseminated, versus their providing specific consent that it may be used...?
As I understand it now with the privacy policies, it basically says that they can use all this information for anything they want. You click “I agree”. Nobody reads the 15 pages. You just click “I agree” because you want to sign up.
Can it work in reverse? Can we set it...whether through Parliament in our rules or laws, or through companies just getting together? I'm going to talk about your self-regulatory model in a second, as my follow-up question. Can we start to put pressure on these companies—and would it work—to have a privacy policy that works in reverse? For example, “You may not use any of my personal private information for any reason unless I specifically consent to your using that information”. Is that viable? Would it even work?
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I agree with what my colleague Mr. Kardash was saying before, that you do need a flexible framework in place. We do have a consent regime in Canada, so the starting point is that technically they do need my consent. It's a graduated consent regime, where the more sensitive the information is right now, under PIPEDA, the more explicit the consent you need to seek—in theory. The problem is that transposing that onto the social media context has been very challenging, just given the rate of evolution of these services.
So I think we have that to an extent. I think we would just need to maybe bolster it a little bit to make it more of an implemented reality.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Do you see that as something that Parliament, through a law, through changes to the PIPEDA legislation, or in some other fashion...? Do we need Canadian law to enshrine that, or do you see that as something that industry could do through moral suasion, let's say?
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I think a combination of the two. You need the principle in place under PIPEDA, and I agree with Mr. Kardash that PIPEDA has been very successful in setting in place a very broad, principled framework that the privacy commissioner has applied in a flexible manner, in a sort of co-regulatory manner, in the sense that the guidelines are issued and companies attempt to implement them, and there's discussion with industry and sometimes with other stakeholders on how to develop and apply those.
I think that's the proper mechanism, but the principle itself needs to be embedded in the statute, and then there needs to be a potential, at least, for a penalty for serious cases of non-compliance, clear cases of non-compliance, not borderline cases or something like that. Then, within that context, I think you can develop a co-regulatory framework where the principles get applied in a flexible manner. I think that's the way to go.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Do the other witnesses want to jump in on this one before I ask about the self-regulatory...?
Managing Director and Head of AccessPrivacy, Heenan Blaikie
It's an excellent question. In international forums and global think tanks discussing privacy, one of the emerging issues focuses 100% on consent. The question is actually not whether it should be an express or an opt-in, as you were mentioning, or an opt-out form of consent; the question is more in a context of meaningful privacy protections. Is consent even the model of the way to go? Perhaps it's a way of robust user control, as mentioned by your colleague Mr. Calkins, in the context of broad and holistic privacy governance. For the meaning of that, again I refer the committee to the excellent joint guidance issued by the privacy regulatory authorities. It's very comprehensive, with over a hundred expectations for how to provide appropriate privacy protections in a balanced manner for business.
The issue is, once you focus just on consent as the trigger to get into a site or user-specific technology, it quickly becomes a meaningless apparatus in and of itself to actually enhance privacy protections, because once you receive that, you still have to address more radically the more broad set of concerns, and those become more important.
This is why internationally you're actually seeing a trend towards not relying as heavily on consent, as many current statutory frameworks do.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Professor Grimes, did you want to speak? Not on that one.
Am I done?
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Thank you, Mr. Chair.
My thanks to our guests for joining us today.
I would like to start with a basic question to all three witnesses. If I understand correctly, the business model of social media depends on collecting personal information that is then sold to companies that target people in order to sell them their products.
If we try to protect people's privacy and the personal information of those who use social media, are we not going against the very nature of the system, which is all about collecting information and then selling it to companies interested in having it?
Assistant Professor, Faculty of Information, University of Toronto
I guess it depends on how you define social media—if you think of it purely as Facebook as social media, that's its business model and that's how it operates. I take a broader definition of social media, because the kinds of social media kids use include games and all kinds of different things.
A lot of the more successful online games for kids are subscription models. They pay a monthly fee. There's no real reason to do this additional data-mining. It's extra money, I guess, and extra insight into the market, but a lot of that could probably be done—in terms of insight into the market—with permission and consent and a more transparent process.
Take an example like Club Penguin. It's owned by Disney. It was a Canadian company, and there are still links to the Canadian company that founded it. It's a subscription model. Kids pay a nominal monthly fee to play it. It's enormously popular. They don't do third-party advertising, so there's not that explicit link, and any data mining they do is in-house. We don't know what that might be, but to say that data mining and selling the data is completely necessary for them to function is not at all true. They have tens of millions of players paying money every month for the opportunity to play.
I guess it would depend on the definition.
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
Just to be clear, Facebook doesn't sell data to data brokers. It actually uses the same kind of model. It's an internal marketing model where the information stays in-house, and if I were an advertiser, I'd pick the five categories of people I wanted to see my ads. So it's actually pretty good in that regard.
I think our Privacy Commissioner's finding on Facebook's practices actually held that to a certain degree they can do certain types of targeted advertising, because that is their business model and that's acceptable and everybody understands that. It's a question of where that line gets drawn, and then, when you start to get into more sensitive types of data, how you do controls around that.
As for these other types of data brokers, now we're talking about people I've never had any business or interaction with at all. They're collecting data that's either publicly available or through various other means I'm not necessarily involved in, and I think those are a little more questionable.
So I think there are different tiers of business models, and you need flexible approaches to address each of them—but I think there's room for improvement across the board.
Managing Director and Head of AccessPrivacy, Heenan Blaikie
I have nothing further to add, other than to say that the services are free. So they're supported, as reflected in the Office of the Privacy Commissioner's decision in the Facebook investigation, by certain practices and they were found to be in compliance with PIPEDA.
To the extent that your question relates to broader data practices involving advertising, the Office of the Privacy Commissioner of Canada has again shown leadership in coming out with specific guidelines dealing with online behavioural advertising. This is going to be worked in concert with a self-regulatory framework that's being developed by industry to effectively allow individuals to exercise choice in that context.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
My next question goes to Mr. Israel. It has to do with Acxiom, or with online data brokers. This is the first time that I have heard about them. I find it a little troubling.
Are there a lot of players like that? How do they get their information, their data, and who do they sell it to?
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
Sorry. Please say that again.
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
I would like to know who these players are. Are there a lot of them? Where do they get their information from and who do they sell it to?
Staff Lawyer, Canadian Internet Policy and Public Interest Clinic
I would also like to know that.
There are a number of them. I think Acxiom is one of the bigger ones, and there are other examples. I think ChoicePoint has historically been an interesting one that was mining data from various sources and created profiles for law enforcement to use in the States.
There are a number of them out there of varying sizes, and that's part of the problem, in that it's hard to get a complete picture of where they all are and exactly how their data flows. Some of it is collected from the vast amounts of information that's now publicly available. In a social media context, I think that should be one of the factors we're taking into account when we're deciding where privacy defaults should be set, and those kinds of things.
As for another potential avenue for information to flow to these databases from sites like Facebook or others, though I don't want to single out any specific companies, there are a lot of third-party applications that get put onto Facebook, such as FarmVille and games like that.
I think it's actually a violation of Facebook's terms of use to sell information further downstream to these brokers, but it's not very clear exactly how that's enforced. I think technically Acxiom could make its own application and put it on Facebook.