Evidence of meeting #59 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Alan Chapell  Outside Counsel, Privacy Officer, BlueKai Inc.
Jennifer Stoddart  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Barbara Bucknell  Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Chantal Bernier  Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

December 11th, 2012 / 4:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, well—

Scott Andrews Liberal Avalon, NL

—their back way of doing it, and—

4:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Scott Andrews Liberal Avalon, NL

—they acknowledge that.

4:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Scott Andrews Liberal Avalon, NL

If you stay off their radar.... I found that a bit bizarre, but I guess that is just their system.

Is that only for mandatory breach notification? Let's drill in, because you said we should start with that at a minimum. What levels should there be? What would be the maximum?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I think the maximum that the European Union.... I remind you that PIPEDA was adopted so that we would meet European Union standards, and 80 countries in the world have now adopted the European model.

From memory, there are maybe 15 countries outside the European Union that explicitly meet the European standard. Canada was the first one. We should continue to look at the European model and have these different levels of fines that start at perhaps a few thousand euros and go up to something major. That's because you may be dealing with a small, local family business that just doesn't want to pay attention, or you may be dealing with a big multinational player.

The Chair NDP Pierre-Luc Dusseault

Thank you, Mr. Andrews. You're out of time.

I now give the floor to Mr. Mayes.

4:50 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Thank you, Mr. Chair.

Ladies, thank you for being here today.

I have to say that this study has enlightened me about what goes on in social media and some of the challenges you have.

In your statement, you discussed four issues, which were retention, meaningful consent, limiting of use, and accountability.

To me, retention, meaningful consent, and limiting of use are very simple to deal with through laws or guidelines for compliance. You have to spell out what that should be. What I understand from the witnesses is that simplicity is important for the user. Accountability is really the issue, I think, and your biggest challenge.

To make those providers accountable, would you regulate on a complaint basis or a monitoring basis?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

In speaking of accountability, which is one of the features of the Canadian law that has become very popular internationally because it well encapsulates the obligations of companies to privacy law, I think ideally—and this is why I would urge the committee and the honourable members to think of embarking on the second review of PIPEDA that is already overdue—that it would be very helpful to have in the law that the Office of the Privacy Commissioner could request companies to show, to demonstrate, how they are accountable. We have an entire document on that, honourable member, that we could send to you.

It basically means being able to demonstrate that you have done all the things to make sure that you are privacy compliant: that you have a chief privacy officer, that your staff has been trained, that they know what to do, that you don't retain data longer than necessary, that you've invested in securing personal information, that you have the right procedures so that when people come under the law asking to see their personal information, you know how to handle that, and so on. Accountability goes to the range of your obligations under the law.

Presently when we go in for an audit or go in because of a complaint, we look at how the companies have been accountable, but we don't have a specific proviso that says they must show us how they are accountable.

4:50 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

The previous witness said something that was quite interesting to me. He said that the platform is anonymous, so it really isn't an issue of the privacy of the person. It is the privacy of the site that they use to access their platform.

This puts in my mind the question: what are we protecting here? Is it the culture of privacy? Modesty and several aspects of what I consider private are different today from what they were 10 or 20 years ago. Is that fence post moving? On what do you base what you would call your scope of privacy or your principles of privacy?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

As to the first question, honourable member, I didn't hear that. I don't quite understand what that gentleman meant. Perhaps we could go back and look at the transcript, and I could give you an answer on that.

4:50 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Maybe I could just take some time to explain. Maybe Mr. Calkins could help me here, because he's very knowledgeable about this aspect. He said that when they're gathering information, they're gathering information about the site, not the person. The person might be sharing information by looking for a new vehicle or something; that information is stored and marketed so that those who are selling vehicles can set that cookie in place, but the actual personal information—what I call personal information—is not necessarily shared. It's what the site activity is; it's what's happening on that site, rather than the person's personal information.

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:55 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Can you differentiate between those two, and then also—

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

The culture of privacy.

4:55 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

—the culture of privacy.

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

On that I would say, yes, that's what we hear often—that they just want to see what site you visit—but from our own work on what you can find out by tracking, the problem is that you can aggregate all the sites that I have visited and then draw up a profile. In some cases you could find my name and my address from public sources, and so on, and you could draw up a profile of me as a citizen or consumer that can be accurate or it can be extremely inaccurate.

As the Internet becomes more sophisticated.... There's an article by the American scholar Jeffrey Rosen that's very good on this. It was published about two weeks ago.

The danger of tracking and the issue of discrimination on the Internet is that because you have visited these sites, the ad server can decide that you fall into a certain category. We can't each have a personally individualized category for the moment, but we'll say “middle-aged lady, likes golf, likes to drive station wagons”. In the American example, because of different political sites that were visited, it could be “votes this way, thinks this way”, and so on. It can be accurate, but it can be inaccurate.

The fact that it will determine the information you get, the ads you get, and sometimes, I believe, the rankings in search engines—I'm not sure about that—means that your experience of the Internet and the world of knowledge that the Internet represents will be limited. It will be based on what may be a true or a false or a partly true profile that algorithms are determining for you.

That's some of the concern: that you fall into artificial categories and therefore only see the information that is deemed to fit in with the artificial category into which you have fallen.

4:55 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

The other question was on the principles of what you consider privacy.

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

That's a hugely broad question, and the issue of privacy goes well beyond my mandate. I only have a mandate for personal information handled either by the government or by organizations.

In PIPEDA, for example, we enforce the Canadian Standards Association's code, which is an appendix to PIPEDA, and that's based on OECD work of the early eighties.

4:55 p.m.

Conservative

Colin Mayes Conservative Okanagan—Shuswap, BC

Thank you.

The Chair NDP Pierre-Luc Dusseault

Thank you, Mr. Mayes. Your time is up.

I now yield the floor to Mr. Angus for five minutes.

Charlie Angus NDP Timmins—James Bay, ON

Thank you. It's great that you came back.

Our first witness said something interesting. He spoke about self-regulation and some of the industry players we have. They have standards. Other people don't have standards. He said self-regulation worked very well as long as you had an enforcement mechanism.

I sometimes think my colleagues on the other side hear self-regulation as the market mantra. If that were the case, Somalia would be a centre of international innovation—but it's not, because they don't have the enforcement mechanisms to decide what is good activity and what is bad activity.

In our case it comes down to breach notification. That's one of the key bottom lines, I think. If my data is breached, it's not just what site I go to or what I'm interested in or where I play golf, but the fact that I use my credit card to buy stuff. If that data is breached, my security is at risk.

Under the rewrite that's being planned by this government, their language is interesting. They say it has to be a “real risk”—not a perceived risk, but a real risk—“of significant harm”. If I were a corporate lawyer, I'd say I wouldn't tell anybody that their data has been breached. Significant risk means what? Nobody's going to come and kill you.

It seems that the government is setting a bar so high that the companies have an opt-out mechanism and are not going to report breaches even if it's credit card information or personal data information, something that the cyber hackers would love. Do you think we need to clarify at what point a company has to inform you that the cyber hackers have been visiting your data?

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I think, honourable member, we have to revisit this question, and that's why I spoke to the Deputy Minister of Industry. I think that the draft legislation was drawn up maybe two or three years ago with what we knew then. I think we have to go back now and look at some of the laws, at how they function, what we know about adverse effect on consumers, and so on. The question has been raised of whether this is too high a bar, given the frequency of data breaches, and I think that question should not only be asked again, but studied and answered.

Charlie Angus NDP Timmins—James Bay, ON

In terms of allowing the market to maintain itself here, we have an extremely high bar that has to be met, and a lot of stuff can slip under it with no enforcement mechanisms. From your comments I'm seeing that we are going to fall behind all the other western countries when it comes to having those enforcement mechanisms.

I don't know if the comparison is correct, but in the copyright wars we heard all about Canada being a Pirate Bay because we didn't have enforcement mechanisms. I think some of the language was a little over the top, but if data breaches occur in the market we have, people don't have to worry about it because nobody's coming after them, and if they do come after you, if you're beyond shame, what are they going to do?

Perhaps certain companies would prefer to set up and do business here in Canada. They'll say they're under Canadian law and they shouldn't be bothered. They'll set up here because they'd get hammered in England, hammered in the EU, and hammered in the United States.

Because we have always been the world leader, should we not establish a similar standard that matches where the other main western countries are?