Information & Ethics Committee on May 10th, 2018

Good morning, and hello from Manchester.

Thank you, Chair and committee, for the invitation to appear before you today.

I'm the Information Commissioner of the United Kingdom. I regulate data protection and freedom of information as well as a host of other personal information-related legislation.

I'm pleased to have the opportunity to speak to you today about the work of my office in investigating the use of personal data for political campaigning purposes.

I've watched some of the earlier sessions of your inquiry with great interest, and based on that, I need to set out something clearly at the outset.

In the U.K. and across the EU, information about individuals' political opinions is considered a particularly sensitive category of personal data to which additional safeguards under data protection law are applied. What that means, therefore, is that political parties and campaigns are subject to a combination of data protection, direct marketing, and electoral law when engaging in processing of data for electoral purposes with oversight by my office and the electoral commission. This has always been the case since data protection legislation was first introduced more than two decades ago, and it's simply accepted as a cultural norm.

These rules are there to ensure free and fair elections, and they do not undermine democratic engagement in the U.K. Instead, political parties have to engage with voters in a manner consistent with that law. Recognizing the special place of political parties in a democratic society, they've been given special status under U.K. data protection law to allow parties to carry out their campaigning activity.

In my complaint-handling role, I consider complaints from individuals against political parties when they think that their data has been misused. The number of complaints has never been particularly high. Other than a spike at election time, political parties have not, in the main, been a sector generating a high proportion of complaints. My office has maintained an ongoing dialogue with parties, meeting with them regularly and issuing bespoke guidance on how they can comply with the law when they are campaigning.

However, the EU referendum in the U.K. in June 2016 was an unusual exercise by British norms. Instead of being fought by established political parties, the referendum was led by campaign groups that were, in some cases, fuzzily constituted coalitions of like-minded bodies. The U.K. law on data protection is written to take account of political parties, but in a country where few referendums take place, the law has less to say about non-party campaign groups. This is made, considering potential breaches of the law during the referendum campaign, more challenging for my office.

We were concerned about some of the campaigning practices that we heard about and the provenance of the personal data used by campaign groups to target individuals. That's why in May 2017, I announced a formal investigation into the use of data analytics for political purposes. The original goal of the investigation was to pull back the curtain on how personal information was used in modern political campaigns.

At its heart, data protection law requires organizations to process data fairly and transparently, but rapid social and technological developments in the use of big data means that there's limited knowledge of or transparency around data processing techniques, including analysis, algorithms, data matching, and profiling to micro-target consumers and voters.

I think these techniques are attractive to political parties in campaigns as it enables them to target individual voters with messages in keeping with their political interests and values, but this isn't a new game played by different rules. The law continues to apply whether campaigning is conducted offline or online.

My investigation now involves over 30 organizations, including political parties and campaigns, data companies, and social media platforms. Among those organizations is AggregateIQ, which was used by a number of U.K. campaign groups, a company that this committee has already heard from.

What we didn't expect at the outset of our investigation was to be looking at the what, when, how, why, who of a reported 87 million Facebook profiles alleged to have been mined by an academic and passed on to a U.K. political consultancy working on the U.S. 2016 election and other political campaigns, plus multiple other lines of inquiry that I can't talk about at this time. This naturally raised concerns both in the U.K. and abroad and officers of Facebook and Cambridge Analytica have been called to account in various national parliaments.

I'm sure you understand that I can't speak about the particulars of an active investigation. The investigation is progressing at pace. Enforcement activity is ongoing, so it wouldn't be appropriate for me to comment further.

What I can say, though, is a number of organizations have freely co-operated with our investigation. They've answered our questions and they've engaged with us. But others have attempted to undermine the inquiry by failing to provide comprehensive answers to our questions, refusing to co-operate altogether, or challenging the process. In these situations we've been forced to use our statutory powers to make formal demands for information.

Some of my lines of inquiry are more developed than others, but an update on the entire investigation will be provided in a report issued by my office in the coming weeks. Whilst my colleague, Commissioner Therrien, is conducting his own investigation into Facebook, there are areas of joint interest that cut across both of our investigations. As Commissioner Therrien noted, the ICO and the OPC have a co-operative relationship and we can share information if it's necessary for our investigative purposes in the public interest.

When I think about your committee's work, I can see two distinct lines of inquiry: first, the immediate concern of Facebook, AggregateIQ, and others and whether existing laws in Canada have been broken, and then a second longer-term line of inquiry, a wider consideration of public expectations of the use of their data in the political context and whether the law needs to be changed. This inquiry is rightly looking not just at data protection law but also at other areas, such as electoral law, to see how these issues can be addressed.

I mentioned my report to be published in the coming weeks. I will be making findings as to whether individuals' rights were infringed, but I'll also be making policy recommendations on how the U.K. government and others could address the failings that I've uncovered, including greater transparency in political campaigning. While every jurisdiction is different, there may be some relevant lessons that could be read across into the Canadian context.

To put my cards on the table, and I say that against a backdrop of fully recognizing the public interest of political parties being able to communicate with voters, which is of course a cornerstone of democratic engagement, I believe that the use of individuals' data by political parties needs to be addressed in Canadian law. Canadians should be able to bring a complaint to an independent regulator.

The law that we have in the U.K. is built on sound foundations and principles and doesn't unnecessarily fetter the democratic process. In the U.K.'s data protection law, political parties have a legal justification for processing the personal data of individuals when carried out for electoral purposes.

My office is only part of the oversight picture in the U.K. The U.K.'s Electoral Commission is responsible for overseeing elections and political spending. Where there is crossover, my office can work with the Electoral Commission or decide which body should take the lead.

This is not to say that everything about the U.K.'s data protection regime is perfect. I said the system works for political parties, and it largely does. The Brexit referendum was a different beast, as I noted earlier. Non-traditional campaign groups either unfamiliar or unconcerned with data protection law may have crossed that line into unlawful activity, and I think the temporary nature of those groups has made pursuing them for the failures of data protection law more challenging.

The U.K. law already equips me with recourse to criminal sanction if a notice from my office goes unanswered. This means that even if a campaign group or an organization winds itself up, I can still have recourse to pursue individual former officers of that group. This might seem like a lot of powers for one body to hold, but as a regulator, I'm answerable to Parliament and I must be able to justify how I go about using my regulatory tools. I think the ICO has always been a proportionate and responsible regulator, and never more so than in the context of political campaigning where we are acutely aware of the inherent public interest in democratic engagement. This approach will continue under the GDPR and the new U.K. data protection bill when it's enacted.

The manipulation of voters via micro-targeting risks undermining our democratic model, and isn't that a major concern for all of us?

Thank you very much. I look forward to answering any questions you may have.

Good morning, Chair, and thank you very much to the committee for the invitation to appear this morning, particularly alongside—it's a great pleasure—my colleague Commissioner Denham from the U.K. In fact, only a few short weeks ago, I was in the U.K. assisting Commissioner Denham with the investigation to which she made reference.

It wasn't long after my return to British Columbia that I was conferring with Commissioner Therrien at the Office of the Privacy Commissioner of Canada agreeing to jointly conduct an investigation into Facebook and the B.C. company, AggregateIQ, a company with which this committee is very familiar. That investigation continues. Of course, I'm not at liberty to disclose much about it until our work is complete in that regard.

What I would like to do this morning is pick up on themes referenced by Commissioner Denham that relate to the broad aspects of your committee's mandate. I'm referring to seeking out legislative remedies that will help assure Canadians of the privacy of their data and the integrity of our democratic and electoral processes.

Beyond investigating companies like Facebook and Cambridge Analytica, which are critical inquiries to be sure, it is also important for Canada's political parties themselves to take some measures for restoring confidence in the democratic processes in our country. I would invite you, as my colleague Commissioner Therrien has, to subject yourselves to accountability measures regarding the way in which you collect and use the information of Canadian voters.

A question worth pondering, I think, is whether the Cambridge Analytica scandal would have happened were it not for the increasing demands on political parties to gather and analyze personal data in the hopes of understanding it and using it to persuade voters. Democracy requires the citizenry to have trust and confidence in the political process, and a significant element of that process concerns how political parties collect and use the personal information that belongs to Canadians.

Parliament and some provincial legislators have created offices that oversee the collection and use of personal information by private and public bodies. Curiously, that oversight, with few exceptions, does not apply to political parties. British Columbia is an exception. B.C.'s Personal Information Protection Act, or PIPA, applies to all organizations in B.C. It is substantially similar to PIPEDA and for that reason generally supplants PIPEDA's authority in my province.

Political parties in my province have been subject to PIPA since its enactment in 2004. In the 14 years that have since passed, I can assure you that democracy has continued to thrive unimpeded in British Columbia. We have not heard concerns or suggestions that laws protecting the personal information of voters restricts the ability of political parties or candidates to engage voters.

Political parties in B.C. can and do collect personal information about voters, but they do so under the same reasonable legal responsibilities and obligations that apply to other organizations.

Generally, this means political parties get information with the consent of voters accompanied by a clear explanation of how and for what purpose that information will be used. I used the words “generally” and “with consent” because there are legislative provisions that allow parties to collect information without consent, specifically to get the voters list and other voter data from Elections BC. These provisions, however, come with a condition that the party receiving the information must provide a satisfactory privacy policy to the Chief Electoral Officer.

PIPA also gives citizens the legal right to request and correct the personal information that political parties collect from them and to register a complaint if necessary. These complaints are adjudicated by my office. A citizen's right to exert control over their personal information is a fundamental principle of privacy law. It is a principle strengthened by the EU's general data protection regulation, which Commissioner Denham just made reference to, and which comes into effect in Europe in just a few days.

You may be interested to know that my office is now undertaking a broad investigation of how the elected parties in our legislature collect and use voters' personal information. Those parties, I would note, have fully co-operated with our office's investigation. I expect that the investigation will result in recommendations and guidance that will help parties improve their privacy practices.

Of course, I know that recent proposed amendments to the Canada Elections Act will require political parties to adopt a policy to protect personal information and to provide it to the Chief Electoral Officer. These proposals are only a minimal step forward. They attempt to address the principle of transparency, but that is only one element of a proper data protection regime.

The proposed amendments do not require parties to respond to a voter's request for the information the party holds about them, nor does it allow a voter the right to ask a party to correct inaccurate information about them. Perhaps most important, there is no provision for an impartial third party to hear and determine a voter complaint. These basic legal standards have been a part of British Columbia law for years and are the norm in many western democracies. There should be nothing for political parties to fear in any of these legal obligations. In fact, implementation will do nothing but enhance the confidence of citizens in their democratic institutions.

With that, Mr. Chair, we are happy to take any questions you may have.

The answer is yes, we are well engaged with AggregateIQ at this point. Beyond that, I don't want to say much. We are far from complete in our questioning of AggregateIQ.

I think perhaps I will just leave it at that.

In regard to the comments on the warrant, I agree with you that the current provisions in our law don't allow us to move quickly with a warrant. We need to be able to respond to digital crimes and data crimes. The government has just tabled amendments that are going to give us new powers to be able to react more quickly and not have to give long notice periods to organizations. That said, we have been able to seize and secure a great deal of data from Cambridge Analytica, and we have executed two more warrants in this investigation, so we do have a great deal of information. If there are links between one company and another, and if their intellectual property and their data are being used by a new company, then we are able to investigate and continue our investigation. If a company is entering into insolvency, as in this case, then we are in touch with the administrators and we're able to proceed with enforcement action, both criminal and civil.

We have recently received a letter from AIQ that opens the door to better co-operation than we have had. I don't know if that was a result of the testimony and the discussions with your committee; it remains to be seen. Actions will speak louder than words. If we don't receive co-operation, then as I said to my parliamentary committee in the U.K., I will seek other legal steps and actions.

I would rather not respond to that in the public domain, but I will say that we're also exploring options in co-operating with our Canadian colleagues in this investigation.

If I could start, I would say that the Canadian Privacy Commissioner's powers have fallen behind the rest of the world, so having order-making power, having the ability to levy administrative penalties, civil monetary penalties, and certainly the ability to seize material and to act quickly, I think are really important when we're dealing with global data companies and fast-paced investigations.

Even the powers that I have under the current U.K. Data Protection Act were not sufficient in this case. Government has moved really quickly and tabled amendments, which were passed last night, to provide us with even more powers of no notice inspections, streamlined warrants, the ability to make emergency orders, and also criminal sanctions for destruction of records and information.

That's important in the broader context with digital companies and being able to move quickly in the public interest.

Our office is on record as supporting Parliament providing greater powers to the Office of the Privacy Commissioner of Canada.

It's really from the perspective of citizens that I think we need to think about this. Given the matters that you're investigating, Canadians want to have some sense that somebody with some regulatory power has their backs. That can't happen unless the regulator has the appropriate authority to ensure that these kinds of things are properly remedied if there is a concern with or a transgression of the law.

Under U.K. law, and in fact under data protection law across the EU, there has to be a specified purpose for the collection and the use of data. If, for example, somebody was answering a quiz and thinking that they were sharing that information for one purpose, such as academic research, and that data was then used for a different purpose, such as political campaigning or profiling an individual as to their categories and their political leanings, then that would be a contravention of U.K. law. That is precisely what we're investigating.

When somebody releases personal information in an application or on a social media site, there needs to be some notification and clear purposes as to what that information is going to be used for. If there isn't, there is a contravention of law.

At the beginning of my remarks, I said that when it comes to establishing political opinions or political persuasion, that's a special category of personal information that requires explicit consent to use, and that again is a question that's central to our investigation in the U.K.

As you decide to share a certain amount of information with your friends that doesn't make it a free-for-all for the world. It is understandable, I think, for an individual using Facebook who expresses an interest in red cars might get an advertisement about red cars. What would certainly be beyond the expectation of an individual is that they would be psychologically profiled and identified as a candidate for a particular ad because they were open or neurotic or whatever the classification is. I think that goes well beyond what the expectation of an average citizen would be, and that does fall afoul of privacy law.

When I speak to the political parties, and we've talked to all the main political parties and the campaigns in the U.K., I think what they're looking for, although they know that more research and perhaps more specific targeting can be done to reach potential and existing supporters, it could be that technologies have got away on us.

The principles of the law, the accountabilities, and the transparency are still really important to maintain the trust and confidence of voters. Just because we have new research methods, or just because people are arguing that these are more effective ways to reach potential voters and supporters doesn't make it right.

We need to look at whether there are some red lines here for the kind of back room, back office data matching and profiling that is possible in today's world. Now is the time to do it, because if we don't get the public policy right now, then we risk losing the confidence and trust of people down the road as these techniques become more effective and more freely available.

One of the recommendations in my report is going to be for a very specific enforceable code of conduct in the use of data analytics in the political context.

Yes, I did.

We have asked some very specific questions of AggregateIQ in the context of our investigation, and, as I said earlier to your colleague, and as I've said in public, we're still waiting for comprehensive answers.

We're also looking at a lot of material that has been provided to our investigation: witness statements, information from whistle-blowers, and documentation before us. That is one of the questions our investigation is focused on. We're hoping to get to the bottom of that.

It is important that Canadians understand that their data is being protected properly and appropriately.

I would draw something of a distinction. You talked about, essentially, the work you do for your constituents. In British Columbia that information would be, for the most part, exempt under freedom of information law.

What we're talking about here is political party activity and collection of data.

Maybe another way of answering your question, in thinking about this, is in British Columbia we have had occasion to investigate instances where, in the governing party's collecting information, there were allegations that it may have crossed a line, a grey zone, where that information moved, potentially or allegedly, from a government collection to party sources.

Without our ability to investigate parties, that investigation would have been stopped at that door, which I think would have been not just problematic in terms of our own investigation, but also in terms of the public understanding of what had truly happened to the information that was collected. Because we have a law that allows us to look at parties, we were able to look at that matter holistically and come to conclusions about what had actually happened to the data. I think that enhanced the public's confidence that data was being handled properly, and where it wasn't, that sanctions were available for our office to bring down.

That's an interesting example you raised. If there was an allegation that somehow the data was leaking to the political party, as you describe it, the ability of a regulator.... I think the public's confidence would be enhanced in the system if they knew that there was some ability to investigate that to determine whether or not the party had improperly collected information that they shouldn't have. Again, it's for legislators to determine where that oversight power would be in Canada. I know there are some constitutional, legal issues with the OPC. In British Columbia there are occasions where my office actually has carriage over certain matters that are not necessarily squarely within our statute but can be referred to our office for adjudication.

Similarly, on whether there is an appropriate place, an appropriate piece of legislation, where privacy and data protection as it applies to political parties...perhaps it's not PIPEDA, I don't know, and again, that's for legislators to determine. However, you have the Privacy Commissioner of Canada who could adjudicate those matters, potentially, because he is in a good place. He has the expertise. He has the staff. He has the investigatory capability to look at those kinds of issues.

We are looking at Dr. Kogan. We are looking at his app. We are looking at the operation of it, his relationship with Cambridge Analytica, and what actually happened on the ground with that app.

Dr. Kogan has refused to speak to our investigation, so again, we are proceeding with other options in trying to get a statement from him. Again, we have enforcement tools. We have civil remedies that we can pursue, but it certainly is an important line of inquiry for our investigation in the U.K.

Again, I can't speak to that line of inquiry because of the ongoing nature of this investigation. I don't want to offer a hypothesis as to why the company was set up in this way. It certainly is a question that parliamentary committees on both sides of the Atlantic are asking, as well as attorneys general, and other regulatory bodies.

I can say the focus of our investigation is about the collection, use, and alleged misuse of personal data in the context of Cambridge Analytica and SCL Elections. It's for others to make those connections internationally.

We will get to the bottom of the questions we have in our specific lines of inquiry under the data protection law in the U.K.

We have been in touch with our American counterparts in this inquiry. I have not been in touch with Congress or with politicians in this inquiry. That might be a question for Damian Collins and the DCMS committee in the U.K.

Under my law, I have the ability to pass information to other law enforcement authorities or regulatory authorities if I deem it to be in the public interest to do so.

For example, I have passed information to the U.K. Electoral Commission that I thought was relevant to their inquiries about campaign financing. I can do that. If I found other information that would be pertinent to a law enforcement investigation, then I have the ability, in my law, to share that information.

Mr. Chair, and members of the committee, thank you for the invitation to appear today. It's a pleasure to be speaking with you again about these important topics.

I'd also like to acknowledge that today is a particularly emotional day for Parliament. I had the good luck to spend time with Gord Brown both on and off the Hill, and I know he will be missed.

Google works hard to provide choice, transparency, control, and security for our users, and we appreciate the opportunity to tell you about how we protect Canadians and our billions of users around the world. I thought it might be a helpful context for this conversation to quickly touch on Google's presence in Canada.

For a company that is just 20 years old, we have some deep Canadian roots. Sixteen years ago, Google selected Canada as the location of its first international office. Since then, we have steadily grown to over a thousand employees in Canada, with over 600 programmers and AI researchers in Montreal, Waterloo, and Toronto. Our mission is to organize the world's information and make it universally accessible and useful. Google services provide real benefits to Canadians, whether it's Search, Maps, Translate, Gmail, Android, Cloud, or our hardware devices, our products help people get answers, organize their information, and stay connected.

Our advertising products help Canadian businesses connect with customers around the globe, and our search tools help Canadians find information, answers, and even jobs. Just a few weeks ago, we rolled out new ways for Canadians to find jobs using Google Search.

As you may know, Google has invested significantly in Canada's burgeoning artificial intelligence ecosystem, not only through the funding of organizations like MILA in Montreal and Vector in Toronto, but also by establishing research labs that have helped Canada attract and retain world-leading talent.

Our engineers work on significant products like Gmail, the Chrome browser, and Cloud, products used by billions of people around the world. We have a Canadian team developing safe browsing technology that prevents malware attacks and phishing scams, keeping the open web safe and secure.

This brings me to how Google has long thought about privacy and security. Google has been investing in tools and teams over the past five years to provide users with industry-leading transparency, choice, and security regarding their data. We offer tools such as My Account, Security Checkup, Privacy Checkup, Takeout, Google Play Protect, and more, all with the aim of protecting users' data, allowing users to make easy and informed privacy decisions, and affording users the opportunity to easily take their data with them to other platforms.

In 2015, we launched My Account, or myaccount.google.com, which provides Canadian users with quick access to a centralized, easy-to-use tool to help manage their privacy and security. This is used extensively. There were over two billion visits globally to this tool in 2017, including tens of millions by Canadians. While we continue to promote the use of this tool, it's clear that awareness is growing and that Canadians are using it to make informed choices.

Google promotes Privacy Checkup to users on a recurring basis so we can help our users keep their privacy choices up to date as their use of Google services changes over time. Users can see the types of data Google collects, review what personal information they're sharing, and adjust the types of ads they would like Google to show them. In addition, we have a tool called Security Checkup which helps users understand what devices and apps are accessing their data.

On our Google-licensed Android platforms, we've developed Google Play Protect, which monitors devices for potentially malicious apps. We design our products and implement product policies that prioritize user privacy. It's part of our commitment to ensuring our users understand how we use data to improve their experience with Google products and services. It's hard to keep data private if it's not secure, which is part of the reason we have built such a strong security team at Google. It's also why we have not only focused on the security of Google and our services, but have helped the entire Internet industry bolster security through our leadership with projects like Safe Browsing, HTTPS Everywhere, email encryption in transit, and our leadership on promoting two-factor authentication security keys.

We know that our users are people. They are family members, friends, and neighbours. Some are relying on our products to build their company, and they're non-profit. Others just need help finding a product, an address, or opening hours, but every one of them is putting their trust in us, and we recognize the enormous value of the trust Canadians put in us.

Thank you again for the opportunity to be here today, and I look forward to answering your questions.

Thank you.

Mr. Chairman, and committee members, I have closely followed your committee because I believe Canadians are facing the most important public policy issue of our time: data governance.

Canada's innovators know that data flows have transformed commerce and made data the most valuable asset in today's data-driven economy. Businesses use data to create as well as access new markets and to interact globally with both customers and suppliers. Control over data and networks allows dominant firms to hinder competition and extract monopoly rents from their customers and to deceive consumers via their data collection strategies. Vast troves of data are collected and controlled by foreign unregulated digital infrastructures. This is why the Council of Canadian Innovators called on our governments to design a national data strategy to ensure that cross-border data and information flows serve the interests of Canada's economy.

A national data strategy should codify explicit treatment of competition in the data sections of free trade agreements, including the right to competitive access to data flowing through large data platforms that have de facto utility status. If Canada doesn't create adequate data residency, localization, and routing laws that protect Canadians, then our data is subject to foreign laws, making Canada a client state.

While the Facebook scandals instigated the recent set of testimonies before this committee, I urge you to arm yourself with the facts about the data-driven economy, which is completely different from the knowledge-based economy that proceeded it and the production-based economy of the 20th century.

Intangible commodified data does not function the same way as tangible goods. The data-driven economy gets its value from harvesting, identification, commodification, and then use of data flows.

What we have heard from companies such as Facebook, including at this committee, is an inaccurate picture of what is happening. The Cambridge Analytica and Facebook scandal is not a privacy breach, nor is it a corporate governance issue. It's not even a trust issue. It's a business model issue based on exploiting current gaps in Canada data governance laws.

Facebook and Google are companies built exclusively on the principle of mass surveillance. Their revenues come from collecting and selling all sorts of personal data, in some instances without a moral conscience. For example, in Australia, Facebook was caught selling access to suicidal and vulnerable children.

Surveillance capitalism is the most powerful market force today, which is why the six most valuable companies are all data driven. Their unique dynamics require a made-for-Canada strategic and sovereign policy approach, because data and intellectual property are now key determinants of prosperity, well-being, security, and values.

Data underpins all aspects of our lives, as you can see from the illustration I gave you as a framework. As an intangible asset, data has critical non-commercial effects. With this in mind, I make the following recommendation: implement GDPR-like provisions for Canada. GDPR offers valuable lessons and a point of departure for Canada's legislators and regulators. It is a universally acknowledged advance in privacy protection and control of data.

European policy-makers recognize that whoever controls the data controls who and what interacts with that data, today and into the future. This is why they ensured that EU citizens own and control their data. Similarly, Canadians should own and control their data. Canadians need to be formally empowered in this new type of economy, because it affects our entire lives. For our democracy, security, and economy, Canadian citizens, not unaccountable multinational tech giants, need to control the data that we and our institutions generate.

By focusing only on individual privacy, Canadians can find themselves plugging just one of many holes, which is, in effect, plugging nothing. We need a horizontal lens to legislation and policies. Privacy and digital public and private services aren't opposing forces. For example, Estonia shows that better data governance leads to increased privacy in digital services.

Economists consistently show that the data-driven economy is unfolding at a speed that outpaces the creation of evidence-based policy-making. I urge you to work with Canadian innovators and experts who understand open technologies, data sciences, competition, standard-setting, strategic regulations, trade agreements, algorithm ethics, IP, and data governance.

We need them to help craft detailed policies that are technical in nature. By working with experts, we can advance our country and ensure Canada doesn't miss participating in the data-driven economy, like it missed prospering in the knowledge-based economy over the past 20 years.

On a personal level, as a Canadian, I am deeply worried about the effect mass surveillance-driven companies have on both Canadian society and individual Canadians. Personal information has already been used as a potent tool to manipulate individuals, social relationships, and autonomy. Any data collected can be reprocessed, used, and analyzed in the future, in ways that are unanticipated at the time of collection. This has major implications for our freedom and democracy.

I am concerned that without the design and implementation of a national data strategy, our politicians are moving ahead with initiatives with foreign companies that are in the business of mass surveillance. Some of these companies have a proven track record of using data for manipulative purposes. Unfortunately, history offers sobering lessons about societies that practise mass surveillance.

It is the role of liberal democratic government to enhance liberty by protecting the private sphere. The private sphere is what makes us free people. There is no individual consent to, or opting out of, a city or a society that practises mass surveillance, and this is the path Canada is currently on. Therefore, in addition to putting in place appropriate economic incentive structures and regulatory frameworks, I also urge you and fellow elected officials to act boldly to preserve our liberal democratic values, to promote the public interest, and to assert our national sovereignty.

I thank you for considering my recommendations and for the opportunity to present here today.

Mr. Balsillie has made some very constructive recommendations around the need for a data strategy for Canada, to enable Canadian businesses and businesses competing in Canada to understand the data they have at hand and the business opportunity that is presented to them by capitalizing upon that data. The government certainly has an opportunity to create a nuanced strategy that helps Canada differentiate itself from the rest of the world, not just in the tech sector but in health, where we already have quite a lead in terms of dealing with health information, as well as agriculture, mining, and manufacturing.

A data strategy does not need to be as restrictive or prescriptive as Mr. Balsillie has suggested. In fact, a strategy that tries to box Canada in or creates obligations that are not either parallel or similar to those available elsewhere in the world will actually limit the opportunities available to Canadians to innovate, both in Canada and internationally. There needs to be consistency and predictability in any regulatory framework that's set up.

On a final point, I'd just like to underline that despite what Mr. Balsillie said, we do not sell the personal information of our users. We've built a business model that delivers services and products to users, relying on a personal relationship that uses the information they share with us to provide personalized services for them.

We support that broad array of services that are provided free to Canadians and everyone else in the world through advertising. It's advertising that's targeted at aggregated groups, not at individuals, and there's no exchange of personal information between Google and advertisers. It's simply recognizing that there's an economic transaction that needs to happen to provide those services, and advertising is the most common and convenient way to deliver that right now.

Are you talking about a special form for the services offered by Google?

No.

That is true.

There are levels of expertise related to individuals. If you register for a service offered by Google, you are given the service and it is assumed you are a man of a certain age who works in Ottawa. When you use our service, we can see what you do with the search results about a hockey game, for instance. While you are using the service, we make assumptions about your preferences and what you frequently search for.

The point to make would be to distinguish that we don't provide a service that allows advertisers to target individuals. What we do say is that we have identified users who search for results for hockey games and might search for results for hockey games by a particular team or in a particular province.

We do not identify the individual.

For the advertiser, all we'd say is, “You would like to deliver an advertising campaign towards people who have these qualities. We will deliver that advertising campaign.” They do not know who is seeing the ads. They don't get information about who is seeing the ads. They have an idea of the number of people and the attributes of the people who have seen the ads.

We do that.

I mentioned My Account. If you have an interest in understanding how we've used that information and how we've provided services to you, if you go to My Account, you can see a listing of those attributes and those qualities that we've associated with you. In terms of understanding what information we've exchanged in the course of our relationship, we make that clear in My Account.

It is not in our interest to engage in any type of transaction with a third party that exchanges that information. The exchange we have is that in the course of providing that information to you, we might learn more about your need to find parking near a hockey game because of your preference to go to hockey games. We will therefore, in Maps, tell you where the nearest available parking is.

I'll start by replying to your last observation, which is we don't resell information, so that is not in consideration.

In speaking about the specific project Duplex that was discussed at our developer conference this week, that's a project. It hasn't rolled out into implementation. It's an attempt to explore how to provide you with a service. At the moment you can speak to your phone and ask for the phone number for a restaurant and then dial the restaurant and try to schedule an appointment. We're trying to explore how we can use artificial intelligence to get through the entire transaction of making a reservation for you.

That project Duplex is very limited in scope. I think three or four examples were provided during the conference. Those are the three or four examples that it can conduct. It's meant to provide a service to the individual. It's not meant to collect information. It's meant to be supplementary to the relationship we have with a Google user in terms of what information they are looking for to search, how they are trying to slot information into their calendar, and how they are trying to identify places to eat on Google Maps.

In terms of your question about broader surveys, that's not even under consideration right now. Broad-based surveys that drive voter interest or user interest are not something we conduct at the moment, so that wouldn't be an implementation of this tool.

I have to underline that this is using artificial intelligence in a way to conduct mundane tasks that provide a benefit to the user, provide time to them, and make that interaction as efficient as possible while providing a clear-cut service for the user.

Thank you for your questions.

If I may, the first thing you have to understand as I go into this is that enormous amounts of data are collected without transparency, without your voluntarily knowing. What they've discovered with GDPR is that these social media platforms have literally millions of pages on you without your knowing it, including all the routing of where you personally moved throughout the year.

Many other things, different datasets, are brought together or “hashed” as they say. There are enormous sets of data that you haven't consented to being given. My main response to that is I'm encouraged by the questions you're asking because it shows me that you're not prepared to be tricked by platitudes like “informed consent” or “anonymization” or “transparency” or “nuance.” Those are trick words. Be very careful when they say they don't resell information because.... Do you exploit information? Understand that enormous amounts of data are collected without your knowing.

Have you heard of Sidewalk Labs? How are you able to opt out of all of that information they collect on you? There was a recent story of how Facebook was working with hospitals by anonymizing your data for your health care but were able to cross-reference that through AI to your personal social media and extract that to know who you are.

So, be very careful with these claims of informed consent and voluntariness in the surveillance state. As was said earlier, this is going much faster than we understand it and we are cascading towards a surveillance state. As you see by the framework I give to you, it touches all aspects of our sovereign citizenship, well beyond the economy.

It can, if we have responsible rules and regulations in society. This is what Europeans have had almost 10 years of debate and discussion on. They have discovered; they have come to a nuanced position. There's nothing extreme about GDPR in Europe. They figured out how they can be an open, innovative society as well as protect individual privacy and transparency to benefit their citizens. It is absolutely resolvable, but it takes responsible, expert, technical regulation, which is exactly what Europe spent nine years undertaking.

I'll answer that in two stages. Number one, we provide ad technology services to newspapers, and we provide revenue—

I want to differentiate because your study is predicated on one company's behaviour. We provide services to newspapers that allow them to increase opportunities to gain revenue from their online viewers.

Your second question about GST, yes. If the government takes the steps to make GST applicable to a company in our situation and other online businesses, then we will take the steps, as we do in every other country, to collect it from our users who purchase things from us.

I don't think it would be Minister Joly, would it? It would be Minister Morneau. It's up to the government to make that decision.

Number one, we do pay tax on certain of our sales, like hardware and other elements of our sales in Canada.

All I'm saying to you is if the government makes moves to implement legislation that requires us and other online companies to collect HST on behalf of the government, then we will take the steps to comply with that.

That's why, in my opening remarks, I had a list of tools we have developed that are available to users. You're right. There needs to be transparency around what we're collecting and clarity around why we're collecting it and what benefit it has to the user. Over the years we've learned from our mistakes. We've learned from incidents such as the ones you've cited.

The public policy is not to reach a space that is uncomfortable for our users. The policy we have in product development is to develop leading-edge products that provide the greatest range of benefits for our users. There are different rates of adoption and different levels of comfort with adoption.

My greatest concern is that I know these partnerships were undertaken without an economic analysis domestically. Quite frankly, we don't know. I know as an entrepreneur that they have deeply negative spillover effects on our innovation outputs. You see that this year Canada slid behind Poland in innovation performance, so we're 22nd in the world, and Poland is 21. Once you're out of the top 20, you're not really considered a credible innovation nation. I would tie our performance directly to the fact that we have not created sovereign innovation positive spillover approaches.

To answer your question, I think we rush into these things. I'm directly aware that they're done with no economic analysis involving no experts on their spillovers. I can't imagine that a business would ever do a partnership without a business case analysis. I think the first thing we need to do is start analyzing the innovation effects of these varying partnerships or relationships and use proper economics, not “lobbynomics”.

The second thing is that competition law and privacy law—as I mentioned regarding Estonia, and the EU is doing some very active competition strategies—work very nicely to the benefits of innovation and the economy and citizenship. They can all work positively together if we approach them with an understanding of their true nature.

I think there are many practices that should be changed.

One, you have to look at the ethics of the algorithms and how they impact and persuade people's behaviour. You had comments about advertising, and there's been considerable discussion about how algorithms promote certain kinds of divisive viewing on things like YouTube, because the algorithms are designed to get you to watch more, and they nudge you more to extremes the more you watch.

I think we have to properly regulate these things. I think we need proper standards for them. I think you've learned that companies respond after they get caught, and this shows that you need proper and responsible regulation.

It's not the same but it rhymes, in that we heard a lot of these issues in California when they started to legislate for emissions on cars and everybody said that it would be the end of the automotive industry, that you couldn't innovate, and that it wasn't going to be profitable. We now have better cars, less emissions, and record profits from the automotive companies. These things, properly implemented, can all positively reinforce one another. I think there's a very positive societal and capitalist way forward here.

If you dig into that tool, you'll see your location history. Your location history is something that you explicitly signed into when you were setting up your phone. You have the ability to go into your phone and both turn off the location history as a whole for all the services—

If you're looking at specific parts of our advertising network, there is in fact a little reverse D that you can press on, and it will tell you why you saw that ad in our display network.

Yes.

Well, you've described it right there. You just called it up while we were talking, and you have 59 items, some of which are wrong. I have to tell you that for quite a few years the majority of Google thought I was a woman.

You and I are speaking to a similar goal, which is, you're right. You should have the ability to understand how you're exchanging your information with us, and how we're using it to deliver services. We try to do that in a suite that we've developed, whether it's through My Account or through Privacy Checkup. Clearly, you're identifying a situation in which you're not getting all the information that helps you feel comfortable.

If they're using our products, no. We don't serve ads based on the content of your email or your Hangouts. All we do is search that content to make sure you're not seeing malware or experiencing a phishing attempt or some sort of breach to your personal security. We run automated systems to ensure the security of your account, but we're not serving ads based on the content of your Gmail in that particular specific way. Especially in the two contexts you just described—

Well, in Hangouts you wouldn't be getting ads. In Gmail you get generalized ads based on the broad understanding of who we understand you as a user to be. It's not based on the content of the inbox or the mail, no.

Sure. We don't share any information with third party apps—

Yes, that's basic account information, so they get email address—

It's the email address and name. There's a third element, but it's not sensitive. It's those two pieces, and then you have to engage with a third party app developer to agree to provide—

There's no third party app developer, who without engaging with you in a specific conversation about consent to grant access to other information in some circumstances by you providing information to the app developer—

When you're installing an app on a licensed Android phone, you're given a specific menu that is required to have a link to a comprehensive and clear privacy policy so you understand their attitude towards privacy and security. Then it specifically identifies those elements of information that are either held or generated by the phone or by your account that they're requesting access to. On an app on Google Play for an Android phone, you have to be able to link through and see in greater detail why they want that information.

Based on the core principles, no. The aspects that I'm zoning in on are, one, that you have personal ownership of your data and personal control over it, that you have awareness of what they're doing, and that you have what's called the right to delete and the right for portability.

The second thing, which we haven't had much discussion on, which is a very central part of the GDPR and this was a tremendous tug-of-war between Brussels and Washington over many years, is this element of safe harbour in routing. It is important to understand that no matter what we regulate in Canada, I've been told by experts that something akin to 80% and 90% of our data is routed through the U.S. Even if I sent you an email across this table, it's routing outside. It's called a boomerang effect. You have to understand that, per U.S. law, Canadian data has no rights whatsoever in the United States. You have no right to privacy; you have no right to anything. What the EU also did was manage the routing so that it never left the jurisdiction of what they prescribed as appropriate treatment of that data.

The GDPR is nuanced. It was the subject of many years of debate, from many perspectives. Using GDPR-like approaches is a minimum we should take in Canada, and then look at other forms of activities, such as the economic development opportunities for primary industries that Mr. McKay talked about, and many other aspects that we could extend beyond that.

It's also very important to remember, although it's not the purview of this committee, that in parallel the EU did a sustained set of studies and plans on competition behaviour for what's called the inherent asymmetry of data, where the big get bigger. If you want to promote economic advancement and prosperity, you also have to look at the competitive structures of that.

Competition and GDPR dance in harmony through pretty much a decade of work.

I don't see them as monsters. I just see them as capitalists.

They're capitalists, and the job of a corporation is to do what a corporation is supposed to do and the job of government is to regulate. It is a complex issue because this is the biggest force in the history of capitalism, where six companies come from nowhere to be the most valuable companies in the world in a very short period of time. How they're managed in terms of competitive structures, and regulated, and how we do it for the benefit of Canada's economy and Canadian innovators is very important. Things such as competition behaviour and data ownership also must be woven in a national data strategy that looks at prosperity and many other things that go along with it: employment rules, cyber rules, and so on. This is a big file, and we need to urgently address it in a horizontal way as a nation, as policy-makers.

I think we have to reflect on the fact that they're nine years into this in Europe, and we're getting at it now. That wasn't necessary for this country. I think we have to reflect on being up to date, and involving experts.

I think you've had excellent testimony from folks like Commissioner Therrien on updating our privacy rules. I think you've had the Competition Bureau come in and talk about updated competition practices.

There has been a fair bit of work. I would encourage our legislators to actually embrace this, and say that 2018 is the year of regulating and legislating the data surveillance capitalism and the data-driven economy for the benefits of Canadians and Canadian citizens, for now and in the long term.

They set the standard, yes.

No.

We've been investing in the teams and improving our tools to comply with GDPR for a very long time. It's a tremendously complex challenge, even for a company of our size. It's an even greater challenge, not just for smaller companies, but for the privacy commissioners in Europe, themselves.

What we're doing is reflected in the tools I mentioned in my opening remarks. It's reflected in the sorts of permissions and control that individual users have across all of our services around the world.

You are seeing the echoes of the obligations of GDPR, and the expectations around data protection in Europe, through the services that are provided by Google to users around the world.

Users around the world are benefiting from a greater focus on trust, transparency, and individual control. That's a central baseline in the GDPR as well as other data protection regimes.

I think if you're looking at what is the best in class, raises the most boats, standard for data protection obligations, then GDPR is setting that right now. It is driving change, both in our company and in other companies.

Equally, it's presenting a real challenge to companies that don't have sophisticated internal IT systems, or a clear understanding of what data they hold, and what responsibility they have to the users, especially companies that try to export or import from Europe, or have a relationship with customers in Europe. What we're going to see over the next six months and more is companies struggling to understand what their obligations are under GDPR.

No, the challenge for them is actually—

Yes.

They're going to see follow-on improvements and greater transparency control as a result of our compliance with GDPR.

We're not going to make explicit choices like that. What we do, as has come up in the conversation, is.... There is data protection and privacy legislation that varies from country to country. We need to meet the obligations in each country. What users are going to see is that the entirety of the controls and tools available to them are improving both as a result of our investment and the obligations of GDPR.

Not that we're aware of.

We own the data that we have about you, and we use it to sell ads.

Not that we've seen.

I assume they'll be routed through the committee.

Without a doubt.