Evidence of meeting #51 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament's site, as are the minutes.)

4 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I'll just keep saying it: yes.

4 p.m.

Liberal

Lawrence MacAulay Liberal Cardigan, PE

What responsibility do the business websites and things like Facebook, Twitter, and Myspace have with regard to fully and transparently informing people exactly how and when their information will be used, or is it just a myth that it could ever happen? Does it ever happen, or is it like the reporter: when you need it, it's there, and you don't tell the people?

4 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I think some websites of some commercial parties do a better job than others do. Google tries and tries. They're so big and complex I think they almost can't, by definition, make it clear. But we do find that when the sites try to write from the user perspective rather than from their business perspective, it comes out a lot clearer. If they're thinking what functions the person will be using on the site, it's often clearer to them than saying, “We may use it on an aggregate basis for these business purposes. We may give it to our affiliates.” And no one knows what an affiliate is, right? It's possible to do. It's a lot of work to have a proper privacy policy, but I think the responsibility is there on the companies, because they're getting personal information, it's what's driving the value of the thing, and their responsibility is to be clear.

4 p.m.

Liberal

Lawrence MacAulay Liberal Cardigan, PE

What relationship do social media sites have with data collectors?

October 18th, 2012 / 4 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

There are a number of links between social media sites and data collectors. Nexopia, on the commercial half of their site, had relationships with marketers in which they claimed to have information on how teens thought and purchased, because of their data set. I'm quite sure that Facebook is using that. That's what they use to drive their IPO: we know what people want. That's fine within the limits of everybody knowing that they have that information and are using it consistent with what they said they could use it with.

4 p.m.

Liberal

Lawrence MacAulay Liberal Cardigan, PE

What direction is this heading in? Is it expanding farther? Should the government put more regulations in place?

4 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I think there is a lot that is good in our act. It needs some tweaks. It's really a matter of having the Privacy Commissioner look into problem areas, because she's on it; she has the experts. She can be ahead of the curve and work with other privacy commissioners around the world to get on the hot spots.

It's not so much that we need to change the act, although maybe a data breach notification law that works would be helpful. It's not a matter of just piling on regulations.

4 p.m.

Liberal

Lawrence MacAulay Liberal Cardigan, PE

Thank you.

4 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Mr. Calkins, you have seven minutes.

4 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Thanks, Chair, and thank you, Mr. Lawford, for being here and for the role you play in protecting the public interest and consumer protection. It is a very critical role that you have.

I'm going to ask you some questions to try to flesh out some of these things. It's a very complicated thing.

I have the privilege of knowing your background as counsel and as a lawyer. My background—I used to be a database administrator and computer programmer, so I have a little bit of experience with this. I never built any information systems that dealt with social media, but I was responsible for large amounts of corporate data.

When you talked about the four things the Privacy Commissioner did, I think I blurted something out while you were saying it, and I apologize for that. You said the biggest corporate asset that a social media site has is the data. I can assure you that the net worth of an organization like Facebook isn't in the wires and cables and computers. There are millions of dollars of value there. There are billions of dollars' worth of data, and that is the most strategic asset that any social media site would have. It's probably the most strategic asset that most corporations would actually have—their consumer, their client data—and of course there are a lot of laws and regulations pertaining to that, so it shouldn't be a surprise.

You also said that the Privacy Commissioner, in the first recommendations, had no order-making power and so on and had to go to the courts. I just wonder how you can, as a legal counsel, square the circle of coming before the committee and saying you want the Privacy Commissioner to be the investigator, the jury, and the judge, and have the entirety of the process, without any opportunity for oversight that a court would have, for example, the counterbalance.

I used to be a law enforcement officer too. I can say there are times I wished I was the judge and the jury and was able to administer the sentence, but all I could have was my role in charging the individuals and letting that judicial oversight happen. It happens for a very good reason.

So can you square that circle for me on why we wouldn't want some of the larger cases to have that kind of oversight?

4:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I think I can. The way the act is structured right now is that the complainant or the Privacy Commissioner can go to Federal Court to enforce a fine. The company can't complain if it loses. That works fine if the first resolution is just an ombudsman-type resolution where we recommend that you change.

If it were to change to judge, jury, and executioner, where the commissioner fines or otherwise makes an order, then I think we do have to have the right of the company, obviously if it's a tribunal making the decision, to go to Federal Court and say “bad decision”. I think that would be a change to the act that would have to be made, because it's unfair otherwise, to have no right to appeal and you've been told that you are offside.

4:05 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Due process, absolutely.

4:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I would agree, definitely, that that would have to be a change that would go along with giving order-making powers. For example, in Alberta it's very possible to go to Queen's Bench and say that a privacy commission decision was crazy and have it overturned.

If you want to separate the two functions, like you do with the Competition Bureau, with the commissioner saying “This is a bad practice”, and then the competition tribunal deciding if it really is offside, that is a lot of superstructure to add for privacy. It might be necessary on big cases. Maybe we are heading there, but I'm not sure yet.

4:05 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

I appreciate that; that's helpful.

Moving on to the second thing, which I think there is some confusion on, there's been some discussion today about the whole notion of what “delete” means, what “deactivate” means. Deactivation does not mean deletion. For example, websites will ask you if you want to deactivate your account. A user might think they're deleting their account, but they're not. The information in the account still exists; it's just been deactivated. Some would say there are good reasons for keeping that information, because nobody else can start up an account that matches or mirrors the one you just deactivated. You would have two accounts that are the same. That might actually protect the interest of the particular consumer in certain cases, where nobody else can cybersquat. If the account were deleted, somebody could come in and easily do that.

For the most part, I understand the value in wanting some information deleted from a database. If I have information I don't want to have in the hands of somebody at a certain point, I think, realistically, I make an order or make a request of that particular organization to have that information deleted. I also understand the complexity of having multiple backups, whether they're static backups or dynamic backups. How do you go back to a static system and change it if you have to do a restore because you had a system crash? You're going to bring back information you might not be able to tag at certain checkpoints along the way in the recovery process.

This is a very complicated thing to do, not only from a legislative perspective but also from a technical perspective. Can you elaborate further on anything your organization has done, any counsel you can give the committee on what other jurisdictions may have been able to do to successfully satisfy some of these cases?

4:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I would like to say I could just fill you in, but I know that because of the “right to forget” stuff going on in Europe, the Article 29 working party is working on this. I don't know what their technical committees are doing. It would be a very good idea to set up a committee, led by the Privacy Commissioner, with industry and other stakeholders, like consumer groups, to start doing the same thing here.

You're right; it is terribly difficult. There are other pieces attached to this that will be affected by it, and yet there seems to be a need and a want on the part of users to have certain things deletable.

I think we can do it, but it's not a matter of just passing a law saying you should get a delete button. I think it has to be done in combination with everyone or it won't work. It will be interesting to watch Europe, because they promote talking about it, but at the end of the day, they tend to pass laws, so we'll see.

4:10 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

I don't know if you've been able to pay attention to conversations this committee has already had with witnesses. At the last committee meeting, there was an individual—I think it was Zushman—who said that with what we don't know.... I don't know what I don't know, and I don't know what the future technologies are going to be, even though I've worked in the information technology industry for a number of years.

We all know that social media is very good at posting pictures, photographs, other types of software. With the advance in biometric technology...we don't even know what future technology advancements are going to be capable of with information that's currently posted today. Some consumers might feel quite safe in posting information today, with today's known set of technology. Had they known what was maybe coming down the pike, they would maybe be less comfortable in posting a photograph of themselves today.

From that perspective, has your organization looked at any of the impacts of what's in store as far as consumer protection or public safety?

4:10 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

We did touch on it a little bit on the Nexopia complaint, because Nexopia requires, or it did require—I think it still does—that if you create a profile and you want to put a picture up, it has to be your face or torso. I don't know quite why torso is included, but face is. If you require people to put up a picture of their face, obviously we have the problem of facial recognition, which can be run over a network. This is a concern for us.

There's a situation where we might say the committee wants to think about recommending to Parliament that maybe you shouldn't be required to put up, at any time, a picture of yourself, your face, which could be facially recognized, if you don't want to—unless it's for a passport, that sort of thing.

It's an interesting area. It's one I'd like to explore more, but I'm afraid that's the limit of our work in that area.

4:10 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you.

I will now give the floor to Ms. Borg for five minutes.

4:10 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

Mr. Lawford, thank you for joining us today.

You have done a great job of pointing to the commissioner's lack of power. As my colleague Mr. Calkins said, when Mr. Zushman launched a class action suit against Facebook, the commissioner had to turn to the court to solve the problem. If she needs to go to the court, perhaps she does not have enough power.

Some provinces allow their commissioner to impose fines, for example. Do you know how that model works in those provinces? Could it be applied here, at the federal level?

4:10 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

In Alberta, the commissioner can recommend a fine for data breaches. I have studied about 30 decisions like that, and they are effective enough to make companies change their practices when there are problems, even when the fine is $5,000 or $10,000.

If the commissioner has the power and the responsibility to impose fines, those decisions are tough enough for other companies to examine them. The commissioner's decisions are sort of small tests for data breaches that really benefit other companies, in the sense that it spares them from having to do the same thing. That is just one example among others.

4:10 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

You talked about the investigation by the commissioner and her 24 recommendations regarding Nexopia. Correct me if I am wrong, but I believe that only four of them are presently in court.

What happened to the other 20? Has Nexopia followed the recommendations and the deadlines?

4:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

To date, Nexopia has not done anything, and the Privacy Commissioner of Canada has not said anything. I do not really know why the two deadlines of June 30 and September 30 have passed without anything being said. I would imagine that something is going on at Nexopia or that the company is taking some action, but we do not know why they are still not following the commissioner's recommendations.

4:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

For some companies, it is about the business model. In your view, do companies whose business is data really want to apply what is currently being done to protect personal information?

4:15 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

It is difficult to answer that question. It does not have to do with the willingness or desire of companies to abide by the law; instead, it has to do with the fact that in situations where the law is soft, it will be bent all the way. That's normal. It is done to do business effectively.

However, in the case of Nexopia, Facebook or CIPPIC, some people still have problems. In terms of Facebook, we have noticed that data breaches were connected to some applications. But the position of the company is to say that it is not responsible because third parties are involved. That problem has still not been solved, I believe.

To solve problems, the legislation basically has to be clarified and implemented.

4:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

I am going to change the subject.

You indicated that data could be “de-identified” and subsequently “re-identified”. Can we come up with a potential solution to make sure that the data remains anonymous or that consumers can at least understand the process of “de-identification” and “re-identification”?