Evidence of meeting #59 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was bluekai.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Alan Chapell  Outside Counsel, Privacy Officer, BlueKai Inc.
Jennifer Stoddart  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Barbara Bucknell  Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Chantal Bernier  Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I would think so, and I continue to be concerned that we don't have any data breach legislation at the present time, except in the province of Alberta.

Charlie Angus NDP Timmins—James Bay, ON

Second, it seems an odd situation to have data breach provisions in certain provincial jurisdictions and not in others. With this whole balkanization of our privacy regulations, someone just has to look for the easiest point to go to in Canada and set up there. Is that the kind of innovation standard we want to have? If you want to be a cyber hacker you come here, but if you want to do good innovation and be a respected company.... In Europe and the United States, you know that if you play by the rules, you're going to be looked after, and the companies that don't play by the rules are going to get nailed.

Isn't it important to have a cross-Canada standard, as opposed to various provincial systems?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Well, I can't speak to the provinces, which do what's in their jurisdiction, but as federal Privacy Commissioner I'm particularly concerned that the federal government jurisdiction over such entities as banks, for example, has no specific data breach provisions. We know that banks are a particular target for data hackers.

The Chair NDP Pierre-Luc Dusseault

Thank you, Mr. Angus. Unfortunately, you're out of time.

I now yield the floor to Mr. Calkins for five minutes.

5 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Thank you.

I just have one question. Then I'll pass my time on to one of my colleagues.

It's the question about being able to provide an administrative penalty, Madam Commissioner. You've often referred to the European model, which has a scale based on the size of the company in question and so on.

What could you do and what would be considered fair, outside the judicial system's practice of due process before the law? In the event of a material breach of an individual's privacy, whether a data breach at a banking institution or whatever the case might be, what size of penalty do you think you would need in order to appropriately levy a fine to provide a deterrent or an adequate punishment for a company such as Google or Facebook or some such, which are multi-billion-dollar companies?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Thank you for the question.

I haven't looked at the size of data breach fines, which are for something different from simply not obeying the law on consent when sharing personal information.

My remarks on the size of the EU fines were that they relate to whether you respect the law or generally do not, whether there was a data breach, and whether it happened because basically you weren't investing in security. We've seen that time and time again.

I believe that Industry Canada, which drew up the legislation, is best placed to look at what would be appropriate fines. My only point here—and I didn't come here prepared to talk about it, but the question was raised—is that we need some kind of appropriate sanction. How big that is, I can't answer, but I don't think we should go ahead with that part of Bill C-12 at this point, if Bill C-12 lags so far behind the world standard.

The Chair NDP Pierre-Luc Dusseault

Mr. Dreeshen, you may continue.

5:05 p.m.

Conservative

Earl Dreeshen Conservative Red Deer, AB

Thank you very much.

I have just a couple of comments, as I've had a chance to talk to different businesses that have been involved in this area.

One of the concerns I have when you set the bar relatively high—and I think you went through a list, saying that each company should have various levels of individuals who can ensure that you have the privacy that you require—is whether we then start to be concerned about picking winners and losers. Perhaps the bigger companies, which already have that mechanism, are able to expand, and the smaller businesses then know that they have all of this level of privacy legislation and so on that they have to get to.

I'm concerned about that, with the small businesses coming in. That was one thing we heard right off the bat: that if you put the rules in right away and make them too stringent, the only ones who are going to be successful are the ones who are big enough to take on the burden that is being presented to them. That's not how you gain innovation.

When you take a look at some of your suggestions—as no doubt you will, when you think about what we have been studying—I wonder whether you could look at the question through that particular lens, because we want to make sure we're not stifling innovation. That's the first feeling and thought that I have with regard to this issue.

The other thing we've tried to talk about to people who have come here is that it isn't free. When we suggest that if we get on the BlackBerry and do this, that, and the other thing, we all of a sudden have the free range to do whatever we want and we're going to be protected from ourselves, based on some of the activities that we have.... I look at it from that perspective.

If you go into a store and take a magazine off the shelf and start reading it there, somewhere along the line you have to go and buy the thing; you have to recognize that this is part of what we do. I haven't really heard a lot of discussion from regulators that really recognizes this. When you ask businesses about how they make their money and what they do, you get a bit of an understanding of where you're going with that.

If I have a few seconds, my last comment is about the right to be forgotten. One of the analogies we heard was of someone taking a glass of water and pouring it into a stream; it goes all the way through, and at the end of days they say, “I want my glass of water back” after it has gone through the river and down into the ocean and so on.

There are different thoughts on this aspect. I wonder whether you could comment on some of my ramblings there in the time I have remaining.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I understand, honourable member—

The Chair NDP Pierre-Luc Dusseault

I apologize for interrupting you. The time is up, but I will give you about a minute to answer.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Did you say three minutes?

The Chair NDP Pierre-Luc Dusseault

I am giving you about one minute.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Okay.

Very quickly, then, in one minute: first, we have always tried to tailor the law to small and medium business. Some of the examples I'm talking about here are mega-megacorporations, not small and medium-sized businesses.

Second, on stifling innovation, I don't believe innovation always has a direct link to privacy. I think innovation is mostly encouraged by capital formation, entrepreneurial capital that's free, and levels of education or technical knowledge.

Third, my office has no objection if people want to sell their personal information to get services free. We have never said that. We have no problem with the Internet model. We just want the law that Parliament adopted in 1999 to be applied correctly: you have to consent, and you have to understand what you're selling and what will be done with it.

Fourth, on the right to be forgotten, I think this right is an important concept. We have to seriously look at the ways and means of enforcing it. Parliament in its wisdom said that PIPEDA that you have a right of deletion of your personal information, so we in a sense already have it, but we have big issues with some companies who built in no ability to delete young people's information.

The Chair NDP Pierre-Luc Dusseault

Thank you for your answer.

I yield the floor to Mr. Boulerice, who has five minutes.

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Thank you, Mr. Chair.

Madam Commissioner, ladies, thank you for joining us.

As my colleague was saying, it's useful to hear from you at the beginning and at the end of the process. I will take a few seconds to say that this study, thanks to my colleague, has been something of a revelation for me. It has opened my eyes to the fact that we are monitored much more than we think on the Internet and in social media. I didn't know how much we were being monitored and watched.

I feel that this is the case for many Canadians who accept the conditions quickly and then go on to browse various websites. They are unaware of the machine behind it all—be it browsers, Google, social media or these data brokers, which I didn't even know existed not too long ago. They gather a great deal of information about us—our habits, choices, preferences, places we visit, purchases, ideas. Afterwards, they put all that together and often sell the information. I think that, according to what you have told us, the role of educator—which you should play more—is as important as the power to impose fines or penalties.

Could you tell me what you think of Canadians' digital knowledge or digital literacy? Do people know that they are being monitored so much?

5:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

We conduct annual surveys. One year, it's a survey of companies, the next year, it's a survey of citizens. Canadians are very concerned about their privacy; they think this is one of the major issues of the future. Unless I am mistaken, 40% of the people we have surveyed identify Internet as a possible source of privacy violations. In general, people are uncomfortable with explicit monitoring by video cameras or monitoring on the Web, but they are not very informed because the matter is complicated to understand.

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

You said that the bill introduced in the House is now two or three years old, but that it has not been passed. Perhaps a comprehensive review is necessary, where certain provisions would be amended because the digital world and the Internet have changed since then. You told us that inaction is risky and that, if nothing is done, we will fall behind other western countries. I would like to know what you think is the potential consequence of our inactivity regarding the protection of Canadians' privacy. What kind of an impact will that have on people?

December 11th, 2012 / 5:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I think it's unacceptable that, in 2012, Canada does not have any legislative protection against data leakage—with the exception of Alberta. About once a week, companies or the government itself voluntarily report to our office leakages that affect thousands of citizens and consumers.

In the United States, 49 of the 51 states apply legislative protection or deterrent measures. That approach does not only consist in deterring companies. Businesses are also required to provide a free assessment of the credit rating. One year later, they have to check whether people are affected by the data leakage and, if so, undo the resulting damage.

I think the fact that Canadians are not provided with this protection is a serious matter, and I hope that the government will introduce relevant legislation very soon.

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Especially in the banking sector, where everyone would like to see things more tightly regulated, for obvious reasons.

5:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Do I have a little time left?

The Chair NDP Pierre-Luc Dusseault

You have 30 seconds.

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

You are very generous, Mr. Chair.

Do you feel that self-regulation on the Internet and in social media is enough? In discussing previous testimony, we talked about harmonizing the voluntary rules. But when we talk to people from the industry, we get the impression that no adequate oversight mechanism is in the works.

Is it enough to let people get together to decide the way in which they will operate, with no one overseeing them?

5:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

No, I don't think so. That approach does not work. In the United States, the entire advertising industry has been talking about it for several years. They have never managed to come to an agreement on self-regulation. Self-regulation is fine, but I feel that it needs legislation to back it up. As the Americans have not been able to make it work, it is possible that they will come up with legislation.

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Thank you.