Information & Ethics Committee on Oct. 16th, 2012

I hope I understand your question. There is an access right under privacy law that says a user can have access to the information that an organization holds about him, and he has a right to know how it's being used and disclosed. You're saying there should be a list that names the organizations to whom that information—

The difficulty would be that those tend to be evolving relationships. For instance, if you buy a dining room set, to use Mr. Péladeau's example, you might consent at that point to release information to certain companies, but at any time it can be very difficult to track precisely to whom your data has been provided.

Oh, I see.

I haven't really given that a lot of thought or spoken to the CMA about it, so I won't put this forward as the CMA's position, but I would say generally that companies are in favour of the concept of transparency and so to the extent that a company is collecting, using, and selling data to others, that sort of information should be available.

It looks a bit like the U.K. model where they have a registrar of some sort, and it's very bureaucratic. I'm not sure that this is the right way to go. But if there are standards of transparency and openness such that if you are in the market you must provide this or that information and make it available, that would make more sense. If the issue is to create a registrar, that's costly and you might not be covering everything. But if you have a clear obligation to be open and transparent, in the work we did in the “L'identité piratée” report in 1986, that was the model we preferred.

That was the point I was trying to stress before. If there is a primary entity by which the information is entered or shared and there are a bunch of sub-organizations taking care of that data—I think you had referred to a data warehousing company or a brokerage—how do you have an agreement with the primary entity through which the information is assigned and shared with the sub-entity? How do you compel production from the sub-entity when the sub-entity may not even be doing business in the same jurisdiction, or may not necessarily have the same moral obligations toward the use of the data? It has to occur near the top level, near the initial sharing of the data. If consumers choose to share information with other third-party sites, the means to compel the destruction of any data they share should be available at the avenue through which they share with the third party. It is difficult when it trees down like that to enforce production and destruction of user data.

As for the young people, I don't have specific expertise on that, so I cannot answer.

As for the issue of innovation, it can be oriented. Nevertheless, the existing data protection model, which dates back to the 1970s, still holds on. It's still solid. What we need is only to improve it.

That's why I have insisted in my presentation not to make what we're discussing something that is specifically targeted to some social media enterprise. What's happening is that this new environment reveals things that we can address. I think the most efficient way to address them is through a universal approach at the highest level, applying principles instead of specific procedures. In doing that, we can orient innovation rather than stifle it.

That's my basic answer. More specifically, we would have to look at specific issues.

Again I would say certainly there's a balance that's possible, and I think we're very close to achieving it, as I said earlier. We have a principles-based approach. We have a Privacy Commissioner who is keeping track of technologies and new uses and consumer concerns as they go along. She's putting out guidelines. In many cases expectations are clear, I think, for companies as to what to expect. I think that is the best and most flexible model we can have.

In terms of marketing to children, frankly, I'm not sure there is an absolute, clear answer. Certainly the CMA has its code that says if you're going to collect information from those under 13 years, you need parental consent. I think the difficulty in legislating this—I don't know if this was part of the discussions in Washington, but in the U.S. they did legislate it. They had the Children's Online Privacy Protection Act. There were a lot of really bizarre and unintended consequences that came out of that act.

One of them was that a lot of sites just said that, because the rules were so difficult to comply with, they were not going to allow children under 13 to use them. Instead of taking an approach that might have had privacy protections appropriate to that age group that would allow the children to benefit from some of these social media networks, they shut out children completely, so children wound up lying or their parents lied for them. There were a number of problems. Another one was when they were getting parental consent they required some kind of identification, which tended to be credit card numbers, so they wound up collecting more sensitive personal information just to verify that they could use it.

I think the approach is there. The principle already says in the privacy legislation we have that you need knowledge and consent. I think that's already flexible enough and recognizes that it requires a different standard when you're talking to children.

With regard to your first question, Mrs. Davidson, I don't see why privacy protection and innovation can't both exist. I think you may even have technologies develop in relation to the provision of privacy and keeping information secure. Technology was a booming industry prior to the introduction of social media. Perhaps if legislation is empowered there won't necessarily be that same stifling of technology or that same sort of fear of that possibility.

In terms of protecting young people, I think what Mr. Elder mentions—codes that provide for the protection of children and underage users—are very beneficial. Perhaps education and public awareness programs that let kids know that the Internet isn't necessarily a safe place and that provide for different educational initiatives to help them realize that when you put something out there you're not necessarily getting it back and that it can have lasting consequences would be worthwhile initiatives.

Thank you.