Evidence of meeting #103 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was work.
A video is available from Parliament.
Liberal
Director General and Chief Financial Officer, Office of the Privacy Commissioner of Canada
Yes.
Conservative
Conservative
Peter Kent Conservative Thornhill, ON
Thanks again, Chair.
Commissioner, it seems that a lot of what we're looking at when we look at Facebook, Cambridge Analytica, and AIQ is along the lines of dealing in stolen property. One company acquires improperly harvested personal data and then markets it or transfers it to other unassociated bodies and we have a company like AIQ that says they didn't do anything wrong in harvesting the data. They developed programs based on data that was given to them by another party.
Do you think it's time for specific legislation in this, again, relatively lawless, borderless digital world where, when data is used by a third, fourth, or fifth party, there has to be some identification of the origin of that data?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
In theory, we have that already.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
If consent rules were properly applied and, if breached, properly sanctioned, that's part of the answer. There's an issue if a first company acquires information. To do that, there needs to be a link to the services it offers to the customer. Then consent can be obtained for other purposes. Is that consent properly applied? If not, which happens, there should be a sanction against that company, which leads to another company that also has an obligation to collect but only for certain purposes.
If you follow that chain, I think the concepts exist in the law, consent being an important one. What's missing, at least in Canada, are the real sanctions for those who violate these laws.
Conservative
Peter Kent Conservative Thornhill, ON
AIQ says, not explicitly but in waffling terms, that they were hired to take a bundle of data and then fashion programs to use it to influence a referendum in the United Kingdom, the Brexit referendum, and elections in the United States. They indicate they had no interest but they were just dealing with raw data. Do they have an obligation under the law to determine that this is lawfully obtained data?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
It gets tricky for me now because we're investigating....
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Conceptually, a company acquires information; it has to be to deliver a service to the consumer. That company may contract with another company to deliver certain services. That's fair game. The question is what kind of service is offered and did the consumer consent to that ultimate goal being achieved with their personal information.
Ultimately what I am saying is that I think the concepts are found in the current law. They are at a high level of generality, and that's a level of concern. Then there are questions that I keep mentioning about the authority of the regulator, who can act on behalf of individuals, find out where the problems are, and sanction inappropriate conduct. At the level of the standards, I think we have rules of the game in terms of consent and so on that are adequate. It's the apparatus to determine whether compliance occurs and what the sanctions are if a determination is made that there has been inappropriate use, that's where the bigger flaws are.
Conservative
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you.
I want to follow up on two things my colleague, Mr. Kent, said.
First, could you present to our committee your analysis of whether or not the fines for breaches are per breach or an overall maximum? We would need that.
Second, he spoke about the difficulty we're facing with this culture of lawlessness in terms of some of these third party operators, but it's exacerbated by the fact that credible corporations that should be following the law seem to have an internal opt-in, opt-out clause for themselves. An example is Facebook. The morning Facebook came here, we found out that they had just shifted 1.5 billion users out of the reach of Ireland so that they could escape the GDPR provisions. As we have seen with Uber paying off a hacker so that they don't have to report it, it becomes very difficult for us to play catch-up with companies that are that powerful.
Mr. Therrien, our committee can make recommendations to Parliament. We can issue reports. You say you don't have the budget. What kind of budget is needed to start going after...proactively but also to do public awareness? What tools do you need to be able to ensure that? Have you started a conversation about where your office would fit in with the larger issue of how we deal with data giants? Whether it's anti-competition, whether it's electoral integrity, those are clearly beyond the confines of your particular office. However, your office could provide some guidance on how we need to start addressing taking on data giants so that when Facebook comes to us, we know that the Facebook users of Canada are going to be under the laws of Canada and can't be shifted to another jurisdiction to avoid being held accountable.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I'll undertake to provide that analysis, but I come back, at least in general terms, to the fact that there are a number of areas of the law at stake. We own part of the puzzle. Others, such as the Competition Bureau, own another part. I think co-operation is needed.
The fact that I can only intervene on complaints, for the most part, and if there are reasonable grounds to believe that a violation has occurred means that we have some knowledge of corporate practices, but we do not have a very good knowledge of corporate practices. Before I would feel comfortable providing an analysis as to what kind of regulation is required.... I have some knowledge, but I'm not sure I have all the knowledge I need to make good, solid recommendations to you. Perhaps the solution is to start relatively small. Ensure that all areas of law are adequately dealt with, including competition. Ensure that there is good co-operation between regulatory bodies, who will then be able to have a better sense of what's going on. Then proper laws can be adopted.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. Angus.
Once again, thank you, Mr. Therrien, for appearing before our committee. I wish you a good day.
The meeting is adjourned.
