Evidence of meeting #106 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was google.
A video is available from Parliament.
10:40 a.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
That was fascinating information. Thank you, Mr. Erskine-Smith.
Mr. Balsillie, you talked about the EU's GDPR. Is there anything that you would change of that if Canada were to adopt something similar?
10:40 a.m.
Chair, Council of Canadian Innovators
Based on the core principles, no. The aspects that I'm zoning in on are, one, that you have personal ownership of your data and personal control over it, that you have awareness of what they're doing, and that you have what's called the right to delete and the right for portability.
The second thing, which we haven't had much discussion on, which is a very central part of the GDPR and this was a tremendous tug-of-war between Brussels and Washington over many years, is this element of safe harbour in routing. It is important to understand that no matter what we regulate in Canada, I've been told by experts that something akin to 80% and 90% of our data is routed through the U.S. Even if I sent you an email across this table, it's routing outside. It's called a boomerang effect. You have to understand that, per U.S. law, Canadian data has no rights whatsoever in the United States. You have no right to privacy; you have no right to anything. What the EU also did was manage the routing so that it never left the jurisdiction of what they prescribed as appropriate treatment of that data.
The GDPR is nuanced. It was the subject of many years of debate, from many perspectives. Using GDPR-like approaches is a minimum we should take in Canada, and then look at other forms of activities, such as the economic development opportunities for primary industries that Mr. McKay talked about, and many other aspects that we could extend beyond that.
It's also very important to remember, although it's not the purview of this committee, that in parallel the EU did a sustained set of studies and plans on competition behaviour for what's called the inherent asymmetry of data, where the big get bigger. If you want to promote economic advancement and prosperity, you also have to look at the competitive structures of that.
Competition and GDPR dance in harmony through pretty much a decade of work.
10:40 a.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
That was my follow-up question. You talked about the value of data. My question was going to be, how do we monetize it in Canada but protect privacy. However, I'm going to move over to, what is the role of the monsters of Facebook and Google in Canada under the system where we want to monetize the value for Canadians and not just the big getting bigger?
10:45 a.m.
Chair, Council of Canadian Innovators
I don't see them as monsters. I just see them as capitalists.
10:45 a.m.
Chair, Council of Canadian Innovators
They're capitalists, and the job of a corporation is to do what a corporation is supposed to do and the job of government is to regulate. It is a complex issue because this is the biggest force in the history of capitalism, where six companies come from nowhere to be the most valuable companies in the world in a very short period of time. How they're managed in terms of competitive structures, and regulated, and how we do it for the benefit of Canada's economy and Canadian innovators is very important. Things such as competition behaviour and data ownership also must be woven in a national data strategy that looks at prosperity and many other things that go along with it: employment rules, cyber rules, and so on. This is a big file, and we need to urgently address it in a horizontal way as a nation, as policy-makers.
10:45 a.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
We, this government, are not the fastest acting. If we were to approach GDPR, it could be years from now.
Things are moving so quickly. What should we be looking for, to adjust as we go, so that we're not introducing a GDPR for yesterday's rules or yesterday's reality?
10:45 a.m.
Chair, Council of Canadian Innovators
I think we have to reflect on the fact that they're nine years into this in Europe, and we're getting at it now. That wasn't necessary for this country. I think we have to reflect on being up to date, and involving experts.
I think you've had excellent testimony from folks like Commissioner Therrien on updating our privacy rules. I think you've had the Competition Bureau come in and talk about updated competition practices.
There has been a fair bit of work. I would encourage our legislators to actually embrace this, and say that 2018 is the year of regulating and legislating the data surveillance capitalism and the data-driven economy for the benefits of Canadians and Canadian citizens, for now and in the long term.
10:45 a.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. McCauley.
Next up, for five minutes, we have Mr. Baylis.
10:45 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
Thank you, Chair.
On the GDPR rules, I agree with Mr. Balsillie.
Would you say that these are the leading rules in the world right now which we should be looking to?
10:45 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
They set the standard.
Mr. McKay, when the GDPR rules came into place, Facebook purposely moved a lot of their data from Ireland to outside the jurisdiction of the GDPR rules.
Has Google taken any such actions?
10:45 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
You must now have to look at complying with these GDPR rules. What actions are you taking to comply with them, if you've not taken actions to move away from them?
10:45 a.m.
Head, Public Policy and Government Relations, Google Canada
We've been investing in the teams and improving our tools to comply with GDPR for a very long time. It's a tremendously complex challenge, even for a company of our size. It's an even greater challenge, not just for smaller companies, but for the privacy commissioners in Europe, themselves.
What we're doing is reflected in the tools I mentioned in my opening remarks. It's reflected in the sorts of permissions and control that individual users have across all of our services around the world.
You are seeing the echoes of the obligations of GDPR, and the expectations around data protection in Europe, through the services that are provided by Google to users around the world.
10:45 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
So users around the world are going to benefit from the GDPR. Are you not going to have a two-tiered system?
10:45 a.m.
Head, Public Policy and Government Relations, Google Canada
Users around the world are benefiting from a greater focus on trust, transparency, and individual control. That's a central baseline in the GDPR as well as other data protection regimes.
10:45 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
Let's be specific. Mr. Balsillie tells us that these rules are the best in class right now.
You're working very hard to adhere to those rules. You haven't moved data, as Facebook has, to avoid those rules. Those rules are going to be done. You've programmed for Europe. Is everybody else in the world going to benefit from those rules, or do we have to, as Mr. Balsillie suggested, put in our own rules and go back to Google and say that they had better adhere to the Canadian version of GDPR?
10:45 a.m.
Head, Public Policy and Government Relations, Google Canada
I think if you're looking at what is the best in class, raises the most boats, standard for data protection obligations, then GDPR is setting that right now. It is driving change, both in our company and in other companies.
Equally, it's presenting a real challenge to companies that don't have sophisticated internal IT systems, or a clear understanding of what data they hold, and what responsibility they have to the users, especially companies that try to export or import from Europe, or have a relationship with customers in Europe. What we're going to see over the next six months and more is companies struggling to understand what their obligations are under GDPR.
10:50 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
If they're not as big as you, they're probably just going to have to adhere to them and say that everything they do adheres to GDPR—
10:50 a.m.
Head, Public Policy and Government Relations, Google Canada
No, the challenge for them is actually—
10:50 a.m.
Liberal
10:50 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
Is Google basically going to make sure that if someone has a transaction in Japan, or is talking from Canada, Japan, whatever, the rules that you put in place to meet GDPR are going to protect all of those other activities that are not actually touching Europe or being routed through Europe?
10:50 a.m.
Head, Public Policy and Government Relations, Google Canada
They're going to see follow-on improvements and greater transparency control as a result of our compliance with GDPR.