Information & Ethics Committee on April 19th, 2018

Unfortunately, those changes are only being made now that this situation has been made public and not because you ever thought it was the right thing to do.

Thanks very much.

Thank you, Mr. Erskine-Smith.

Next up, for seven minutes is Mr. Kent.

Thank you, Mr. Chair.

Thank you, Mr. Chan and Mr. Sherman, for attending this committee today. It's good to see you again.

These data mining scandals seem to have finally penetrated the consciousness here in Canada that the data world is one that is largely without national boundaries, without effective protection or regulation of the personal information that Canadians voluntarily or unconsciously surrender as their part of the contract to use your service. In many ways, it is a fine service; I use it politically and have no complaints in that area. But, of course, our focus here is on the abuses that data mining has, and would potentially have, to interfere in our democratic process.

Where should Canadians look at Facebook for responsibility and accountability: to your Canadian entity or to the parent company? When did Facebook Canada learn of the abuse of personal users' privacy, and did Facebook Canada, Mr. Chan, individually and separately, hold back the reporting of that abuse for two years as the parent company did? Were you aware of that breach for the past two years?

As you know, our Conservative government strengthened Canada's Personal Information Protection and Electronic Documents Act, PIPEDA, just before the election in 2015. This Liberal government, after sitting for three years on creating some of the regulations introduced in that legislation for the breach of security safeguards regulations, yesterday very quietly posted regulations on the Canada Gazette regarding the timely reporting of breaches to the Privacy Commissioner and to affected individuals.

Can Facebook Canada assure this committee that at the next violation of users' privacy, Facebook won't hold back that information for two years as it did in this case?

Thank you.

When elements of our committee visited Facebook's headquarters in Washington last October—and thank you for your hospitality, for sharing assurances on the company's commitment to social media operations and precautions, and for the demonstrations of some of the wonderful new products, like the oculus virtual reality devices—we discussed in general the possibility of new regulations here in Canada with regard to PIPEDA, or perhaps even going beyond the existing regulations with more meaningful regulations and penalties for violations of Canadian users' privacy.

We were told, almost in passing, that any new Canadian regulations might well put at risk Facebook investments in Canada along the line of the $7 million invested in the artificial intelligence project in the Montreal hub.

I wonder whether today, after Cambridge Analytica, AIQ, and Mr. Zuckerberg's testimony in Washington last week, that same caution against more meaningful regulation would still be made by Facebook to Canada?

Mr. Sherman.

Just very briefly, one of our recommendations was for the government to consider more closely aligning with the European Union's general data protection regulation that comes into effect in May of this year. Would Facebook be comfortable, the parent company of Facebook Canada be comfortable, if Canada were to adopt similar GDPR regulations?

Thank you.

Thank you, Mr. Kent.

Next up for seven minutes is Mr. Angus.

Thank you, Mr. Chan, Mr. Sherman, for joining us this morning. At the outset I want to say that Facebook in my region has been revolutionary. I represent a region that's bigger than the United Kingdom. I have communities that have no access to roads. I have some of the poorest communities in North America. The access that Facebook provides young indigenous people, for people contacting my office.... I don't use the phone anymore. If I have a medical crisis in Kashechewan, I get a message on Facebook and they get a response. So the power of Facebook to do good is incredible, but we are here because the power for Facebook to be misused for terrible things is also at issue.

The question before us is the failure of Facebook to respect the absolute power it has. The sense is that in some ways it thinks domestic laws are somehow quaint. I was very surprised this morning to learn that Facebook has shifted 1.5 billion users from Facebook Ireland to Facebook California to escape the GDPR.

Mr. Chan, will you tell this committee that as an act of good faith you will immediately implement the GDPR for all users in Canada for Facebook?

Mr. Chan, you represent Facebook Canada. He represents Facebook California. I want to know will you put in the GDPR? Will you commit today so that you don't have to be regulated to do it, but that Facebook will self-regulate in Canada with the GDPR. Yes or no?

We're talking about 1.5 billion users who were shifted to escape European law this morning.

Will you just say, “We'll implement in Canada”? Then we can move on to the next question.

Will you implement the full GDPR? I mean, you tell us you're going to do tweaks. Why would you need to move 1.5 billion users out of the range of the European law?