Evidence of meeting #103 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Mario Dion  Conflict of Interest and Ethics Commissioner, Office of the Conflict of Interest and Ethics Commissioner
Sandy Tremblay  Director, Corporate Management, Office of the Conflict of Interest and Ethics Commissioner
Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Barbara Bucknell  Director of Policy and Research, Office of the Privacy Commissioner of Canada
Daniel Nadeau  Director General and Chief Financial Officer, Office of the Privacy Commissioner of Canada

10:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We've been in touch with the company in question. My understanding is that they have agreed to remove that particular aspect of their privacy policy. We're also investigating other issues with respect to that organization. On that specific point, my understanding is that they have agreed to withdraw that part.

Charlie Angus NDP Timmins—James Bay, ON

Thank you for that.

I guess my concern is that we have Rogers as a Canadian company, very well protected by Canadian law to maintain their market, and it's a Rogers portal that then goes to a U.S. server. How do we determine that Canadian information that ends up on an American server like Yahoo is still under the rules and rights of Canadian law?

May 1st, 2018 / 10:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We were able to convince the sum of companies at stake here to change their practices, even though some of them are American. I think the law was satisfactory from that perspective, in that case.

Charlie Angus NDP Timmins—James Bay, ON

Thank you very much for that. That's good to hear, because we've had a lot of concern over it.

In 2016, there was a data theft of 57 million users from Uber that was traced back to a Canadian. Uber did not release that breach. They paid them off, which some U.S. congressmen said was reprehensible behaviour.

I understand that you have been looking into this matter.

10:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We're formally investigating it now.

Charlie Angus NDP Timmins—James Bay, ON

You're formally investigating it.

It has come up again because of the recent testimony of Brittany Kaiser at the U.K. hearings that Cambridge Analytica had met with Uber, which Uber is denying. There are questions of whether or not that data may have been sold.

This is all speculation but, to clarify, will you be raising the issue of Uber and that breach with your U.K. counterpart when you speak?

10:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We're starting with an investigation of the breach. If that leads us to the issue you're mentioning, we will go there and we will talk to our U.K. colleagues.

Charlie Angus NDP Timmins—James Bay, ON

That's good to know. Again, what I want to know is that these issues being raised in the public and at committees in various jurisdictions are being followed up. I'm very pleased with that.

With regard to the issue of this hacker in Canada who was paid off, to me that's a very concerning breach of trust by a major corporation. What we're seeing now, with the breaches of 85 million users, and 57 million users, is that these are very serious breaches that could have major effect. This person could have sold that money to eastern European blackmail gangs or to Chinese operatives.

How do we establish, internationally, rules that actually force these companies to play by the law? Many of them seem to think that laws are somehow quaint and only for domestic companies. They see themselves as international and above domestic law.

10:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We're investigating some of these issues, including the Uber case, which is all fine and good. We will try our best to find the truth and make recommendations.

I think part of the solution starts with sanctions. There have to be credible sanctions that give a message to people who would otherwise violate the law that they need to get in line.

As to international norms, it's a laudable objective. I would start with having co-operation between DPAs, data protection authorities, of various countries, and try to harmonize laws to the extent possible.

That brings me to the issue of adequacy and whether Canada's laws should be closer to the GDPR. International norms are laudable—

Charlie Angus NDP Timmins—James Bay, ON

You would support our adopting the GDPR?

10:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

As an inspiration.

I've made certain recommendations that you have in your PIPEDA review report. We don't have to align exactly to the GDPR, but the GDPR is a good model.

10:20 a.m.

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

Next up for seven minutes is Mr. Erskine-Smith.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

I want to first understand whether Facebook and AIQ, and some of the other players you're investigating in relation to the Cambridge Analytica scandal, have co-operated so far with your investigation.

10:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We've had a number of meetings or exchanges of correspondence with Facebook, so I would say yes. With AIQ, I don't think we've really started. We're trying to define our questions to them, so the question has not arisen as far as we're concerned with respect to AIQ.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

When you do have them answer questions, having had them here before us, you may want to administer the oath.

When it comes to a company that had 272 Canadians authorize the sharing of information with an application, and as a result of that authorization, actually sharing the information of their friends in the amount of over 600,000 Canadians, I know there's an investigation going on, but I struggle to see how this is in compliance with the existing law.

We can talk about changes to the law to improve it, but I can't understand and I can't wrap my head around how this could possibly be in compliance with the existing legislation that we have.

10:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We're investigating. You're asking, doesn't the current law address that problem? The current law talks about consent. It doesn't define consent really, but there is room within the current law to give guidance to organizations on what we expect, as a regulator, consent to mean: meaningfulness, information to individuals as to what's at stake, and so on and so forth. To that extent, yes, the current law gives us quite a bit of latitude in defining our expectations.

That being said, it would be important for you to understand that we had communications with organizations regarding draft guidance on consent following our report last year. One of the things we were told by some companies was that the OPC has no role to interpret the current law more than, or in addition to, what the law allows.

In other words, the law is written generally, and some committees are telling us that we have no role in trying to define that more practically for consumers. I find that of concern.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

That's a concern given the clear language in the principles related to meaningful consent. There's zero chance that the sharing of such information in the way that it was shared is in compliance with our law.

You are undertaking an investigation, and we've had witnesses before our committee. You don't have to answer now; you can submit names in writing, but it would be of interest to me to have additional names, proposed witnesses, to flesh out our study as we go. If you have suggestions of names of people who we are not bringing before us, I would appreciate it if you would submit their names to us.

10:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I can do that.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I'm going to split my time with Ms. Fortier.

The last question I have is in relation to new powers for your office. We can talk about order-making powers, the ability to define broader audit powers, including the discretion to undertake investigations or not. If you had that basket of powers, would we not be in a much better position to address scandals like we've seen with Facebook and Cambridge Analytica?

10:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Absolutely.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

10:20 a.m.

The Chair Conservative Bob Zimmer

Ms. Fortier, you have the floor.

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you.

I’d like to come back to the Main Estimates. I have a few questions.

You mentioned earlier the communication pressures. You must have the necessary resources and find new ways to inform Canadians. What is your plan to reach out more to Canadians in the coming year to help them comply with the Act?

10:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We’re presently conducting a number of advisory or educational activities. We’re very much focused on our website. We also take part in certain events, like workshops, exhibits, and conferences. The issue we have relates more to the scope of these activities. I think that the information we have is accurate, but we find it difficult to reach people to ensure that more Canadians have access to that information.

This brings me to the possibility of having to use advertising, although I can’t afford it at the moment. There could be other ways.

Mona Fortier Liberal Ottawa—Vanier, ON

You can’t afford it on a financial level, but do you have the necessary human resources?