Information & Ethics Committee on Dec. 11th, 2012

Second, it seems an odd situation to have data breach provisions in certain provincial jurisdictions and not in others. With this whole balkanization of our privacy regulations, someone just has to look for the easiest point to go to in Canada and set up there. Is that the kind of innovation standard we want to have? If you want to be a cyber hacker you come here, but if you want to do good innovation and be a respected company.... In Europe and the United States, you know that if you play by the rules, you're going to be looked after, and the companies that don't play by the rules are going to get nailed.

Isn't it important to have a cross-Canada standard, as opposed to various provincial systems?

Thank you, Mr. Angus. Unfortunately, you're out of time.

I now yield the floor to Mr. Calkins for five minutes.

Thank you.

I just have one question. Then I'll pass my time on to one of my colleagues.

It's the question about being able to provide an administrative penalty, Madam Commissioner. You've often referred to the European model, which has a scale based on the size of the company in question and so on.

What could you do and what would be considered fair, outside the judicial system's practice of due process before the law? In the event of a material breach of an individual's privacy, whether a data breach at a banking institution or whatever the case might be, what size of penalty do you think you would need in order to appropriately levy a fine to provide a deterrent or an adequate punishment for a company such as Google or Facebook or some such, which are multi-billion-dollar companies?

Mr. Dreeshen, you may continue.

Thank you very much.

I have just a couple of comments, as I've had a chance to talk to different businesses that have been involved in this area.

One of the concerns I have when you set the bar relatively high—and I think you went through a list, saying that each company should have various levels of individuals who can ensure that you have the privacy that you require—is whether we then start to be concerned about picking winners and losers. Perhaps the bigger companies, which already have that mechanism, are able to expand, and the smaller businesses then know that they have all of this level of privacy legislation and so on that they have to get to.

I'm concerned about that, with the small businesses coming in. That was one thing we heard right off the bat: that if you put the rules in right away and make them too stringent, the only ones who are going to be successful are the ones who are big enough to take on the burden that is being presented to them. That's not how you gain innovation.

When you take a look at some of your suggestions—as no doubt you will, when you think about what we have been studying—I wonder whether you could look at the question through that particular lens, because we want to make sure we're not stifling innovation. That's the first feeling and thought that I have with regard to this issue.

The other thing we've tried to talk about to people who have come here is that it isn't free. When we suggest that if we get on the BlackBerry and do this, that, and the other thing, we all of a sudden have the free range to do whatever we want and we're going to be protected from ourselves, based on some of the activities that we have.... I look at it from that perspective.

If you go into a store and take a magazine off the shelf and start reading it there, somewhere along the line you have to go and buy the thing; you have to recognize that this is part of what we do. I haven't really heard a lot of discussion from regulators that really recognizes this. When you ask businesses about how they make their money and what they do, you get a bit of an understanding of where you're going with that.

If I have a few seconds, my last comment is about the right to be forgotten. One of the analogies we heard was of someone taking a glass of water and pouring it into a stream; it goes all the way through, and at the end of days they say, “I want my glass of water back” after it has gone through the river and down into the ocean and so on.

There are different thoughts on this aspect. I wonder whether you could comment on some of my ramblings there in the time I have remaining.

I apologize for interrupting you. The time is up, but I will give you about a minute to answer.

I am giving you about one minute.

Thank you for your answer.

I yield the floor to Mr. Boulerice, who has five minutes.

Thank you, Mr. Chair.

Madam Commissioner, ladies, thank you for joining us.

As my colleague was saying, it's useful to hear from you at the beginning and at the end of the process. I will take a few seconds to say that this study, thanks to my colleague, has been something of a revelation for me. It has opened my eyes to the fact that we are monitored much more than we think on the Internet and in social media. I didn't know how much we were being monitored and watched.

I feel that this is the case for many Canadians who accept the conditions quickly and then go on to browse various websites. They are unaware of the machine behind it all—be it browsers, Google, social media or these data brokers, which I didn't even know existed not too long ago. They gather a great deal of information about us—our habits, choices, preferences, places we visit, purchases, ideas. Afterwards, they put all that together and often sell the information. I think that, according to what you have told us, the role of educator—which you should play more—is as important as the power to impose fines or penalties.

Could you tell me what you think of Canadians' digital knowledge or digital literacy? Do people know that they are being monitored so much?

You said that the bill introduced in the House is now two or three years old, but that it has not been passed. Perhaps a comprehensive review is necessary, where certain provisions would be amended because the digital world and the Internet have changed since then. You told us that inaction is risky and that, if nothing is done, we will fall behind other western countries. I would like to know what you think is the potential consequence of our inactivity regarding the protection of Canadians' privacy. What kind of an impact will that have on people?

Especially in the banking sector, where everyone would like to see things more tightly regulated, for obvious reasons.

Do I have a little time left?

You have 30 seconds.

You are very generous, Mr. Chair.

Do you feel that self-regulation on the Internet and in social media is enough? In discussing previous testimony, we talked about harmonizing the voluntary rules. But when we talk to people from the industry, we get the impression that no adequate oversight mechanism is in the works.

Is it enough to let people get together to decide the way in which they will operate, with no one overseeing them?

Thank you.