Thank you, Mr. Chair, ladies and gentlemen members of the committee.
As I have read previous testimonies, I am submitting eight comments on the issues that have not yet been addressed.
The first comment is that social media do not constitute a commercial sector. Social media are rather made up of a variety of applications that make it possible to create and exchange content used not only by a few well-known specialized companies, but also by all kinds of commercial companies, public organizations, associations, employers, schools, universities and even hospitals, which are currently developing social media applications.
Social media are not only used by people. They are also used by machines. For instance, police officers, social workers and people working in shelters now have to explain to the adults and children under their protection that their computers, tablets, telephones and cameras automatically send out information that helps locate them.
In short, social media constitute an environment. Therefore, the solution cannot be based on a sector-by-sector approach that applies to certain companies—or even to the whole private sector—but rather on a universal approach that would also apply, to an extent, to the makers of certain machines that produce such information. We are now living in an era called the Internet of things.
Second, the transparency of social medium processes is not only important for operators so that they can meet their legal obligations, for individuals so that their rights are respected or for the commission so that it can do its work. That transparency is also important so that third-party organizations can meet their own obligations.
I will give you a very simple little example. The Sleeman Brewery launched the Break into Alcatraz contest, which had to be entered by accessing a Facebook page. However, the operation of that Facebook page was breaking the official contest rules. So Sleeman was more or less in violation of laws on draws and promotional contests and the personal information protection legislation. I have two points to raise with regard to that.
The application required individuals to be Facebook members in order to enter the contest, but that was not listed in the eligibility conditions. Contest rules stated that no personal information would be transmitted to Facebook, but the application required people to click on the “Like” button on that page and, therefore, to produce and disseminate members' personal information.
The most likely explanation in a case like this one is that the professionals hired by Sleeman did not understand the Facebook processes, or how Sleeman's application process was tied to it. That brings me to the third comment.
The user-friendliness of social media gives a false impression of transparency. To illustrate, I refer you to the first figure distributed to you. The common perception is that a tweet has 140 characters. That is false, as you will see in the figures. A tweet has several hundred characters, making up about 30 different personal information fields. The same goes for the process. Users think they can see what their information goes through. In reality, the application is sort of like a black box where we can only see what the operator shows us.
Fourth, the wording of consumer contracts, conditions of use and statements regarding the use of personal information is not appropriate for explaining the processes involved. I want to point out that the first pieces of legislation for protecting personal information were adopted in the 1970s. So they were developed in the 1960s. At that time, this area was dominated by public or private bureaucracies where officials ensured that the information produced on an individual was compatible both with the internal organization processes and the individual's situation.
That challenge is called information pragmatism. I am now referring to the second figure, which sets out the factors that could determine the selection of good information for obtaining good results. I have a very simple example regarding that.
School admission and enrolment in a school year are two different processes requiring the identification of the mother, in both cases, unless we are not talking about the same person. The school secretary ensures that the right person is described. As part of the admission process, the person in the civil register is identified to distinguish among the little Tremblays, Smiths or Nguyens, while the enrolment process identifies the person who takes care of the child on a daily basis. So we may not be talking about the same person.
In the classic bureaucratic context, general implementation texts were sufficient because organizations had hundreds of officials who ensured mediation between the individual's reality and the organization processes. Today, millions of individuals are asked to manage processes on their own, and that's practical only on these two conditions:
1) that the individual obtain timely and specific explanations on the exact process they are undertaking;
2) that those explanations be comprehensible—including for children, technophobes or half the Canadian adults with low literacy levels.
Here, however, applications can be the solution because they are interactive and provided in multimedia. I want to go back to the Valerie Steeves example. On May 29, if the system has profiled me as a 16-year-old Vancouver teenager and listed the relevant interests of that profile, why would it not display that profile right away along with what exactly it is used for and by whom? That would help me adjust the parameters so that the system would be better able to meet my expectations and needs, somewhat like it is laid out in the figure I referred to earlier. This is not about revealing the industrial secret of the profiling algorithm, but rather about establishing a dialogue that will elaborate the relationship, and perhaps even the algorithm at the same time.
Here is my fifth comment. Even though personal information protection legislation has emerged largely in response to a risk of totalitarianism, and they remain a prerequisite to respecting personal rights, which are often guaranteed—for instance when it comes to issues related to child consent—those laws are nevertheless basically only an expression of principles that have to do with effective information management. I have participated in their implementation in over 500 organizations—both large and small—across all sectors. However, once the management was streamlined, the law was de facto respected. In addition, costs were reduced and processes enhanced.
Here is my sixth comment. The Canadian legislative model in terms of personal information protection basically covers only three logical and critical phases—production, conservation and communication of information. It is much less apt at covering the processing phase and the phase that consists in concluding the process that often leads to a decision. However, the processes cannot be explained adequately to users who deal with administration on their own without making all the phases transparent. As much as that individual empowerment is impossible without this understanding, the democratic dialogue among user communities, on the one hand, and developers and operators, on the other hand, is impossible without that transparency.
Here is my seventh comment. If the improvement of the Canadian legislative model continues through management principles applied at the level of logical phases rather than through the imposing of specific procedures, those standards could endure despite technological changes and be more easily accepted by operators.
However—and I am getting to the eighth and final comment—the way personal information protection legislation is organized is based on the ultimate purpose rule, or the principle whereby a predefined relationship with the individual is established.
Consequently, companies that have no clear business model or that favour the approach according to which they should generate any kind of information, as they will always find a way to use it, will never be able to accept any kind of legislation straight away, since the two logical approaches are contradictory.
In such cases, it is clear that those types of stakeholders can only be dealt with by clearly setting out the values and principles that are given force of law and by setting out powers to issue orders, as well as a substantial criminal sanction system that would help enforce the law.
So there you have the eight comments I thought I could add to the debate so far. Obviously, I am available to answer any questions you may have.