Thank you, Mr. Chair and members of the committee. Thank you for the invitation to appear before you today.
Last week, I attended the 40th international conference of data protection and privacy commissioners, in Brussels. The conference confirmed what I had explained in my last annual report: There is a crisis in the collection and processing of personal information online. Even tech giants, attending the conference in person or through video, are recognizing that the status quo cannot continue.
Apple CEO Tim Cook spoke of “a data industrial complex” and warned that “[o]ur own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency”. He added, “This is surveillance.” Facebook's Mark Zuckerberg admitted that his company committed a serious breach of trust in the Cambridge Analytica matter. Both companies expressed support for a new U.S. law that would be similar to Europe's General Data Protection Regulation or GDPR.
When the tech giants have become outspoken supporters of serious regulation, then you know that the ground has shifted and we have reached a crisis point.
Your committee clearly senses this ground shift and has supported our recommendations for legislative change. The government, however, has been slow to act, thereby putting at continued risk the trust that Canadians have in the digital economy, in our democratic processes and in other fundamental values.
Let's examine, for a moment, the impact of online platforms on privacy and the integrity of elections.
As Canadian artificial intelligence researcher Yoshua Bengio recently said in Le Monde: Our data fuels systems that learn how to make us press buttons to buy products or choose a candidate. Organizations that master these systems can influence people against their own interest, with grave consequences for democracy and humanity.... The only way to restore balance is to ensure that individuals are not left alone when interacting with businesses. What is the role of governments if not to protect individuals? Nothing prevents regulating against excess and the concentration of power in certain sectors.
In my opinion, these are not uniquely Canadian threats, but global ones.
Aside from the misuse of personal information to influence elections, we have also seen hostile states interfering in elections by deliberately targeting personal data.
In the words of Giovanni Buttarelli, the EU Data Protection Supervisor:
Never before has democracy been so clearly dependent on the lawful and fair processing of personal data.
Recent investigations in various countries have demonstrated that political parties are harvesting significant amounts of personal information on voters and adopting new and intrusive targeting techniques.
In July, the UK Information Commissioner released her interim report on Facebook/Cambridge Analytica which found very serious shortcomings in the way digital players are operating.
For example, despite significant privacy information and controls on Facebook, they found users were not told about political uses of their personal information.
The UK Commissioner also raised concerns about the availability and transparency of the controls offered to users over what ads and messages they receive.
Significantly, the UK office found that political parties are at the centre of these data collection and micro-targeting activities. These activities would not take place without political parties.
None of this is encouraging for voters; when we last polled Canadians on this issue, 92% wanted political parties to be subject to privacy law. That's as close to unanimity as one can get in such polling.
In September, privacy commissioners from across Canada put forward a resolution calling on governments to ensure that political parties are subject to privacy law.
Academic experts, civil society and the Canadian public all agreed with this position; and so does the Chief Electoral Officer.
The government, on the other hand, maintains that while the application of privacy laws to political parties is an issue that deserves study, the next federal elections can take place without them.
Canadian political parties' lack of oversight is unfortunately becoming an exception compared to other countries, and it leaves Canadian elections open to the misuse of personal information and manipulation.
The bottom line is that without proper data regulation, there are important risks to a fair electoral process; and this applies to the next federal election in Canada.
This brings me to updating you on our investigative action. I will be quick here, because I'm conscious of time.
As you are aware, we are proceeding—with our colleagues in British Columbia—with an investigation of Facebook and AggregateIQ. The work is advancing well, but we have not yet made our determinations. We continue to gather and analyze information.
For obvious reasons, I'm limited in what I can report due to confidentiality obligations under PIPEDA. I will remind you that we are investigating, among other things, the access to personal information provided to third parties by Facebook, in particular sharing friends' information with app developers. This was an issue we raised with Facebook in 2009. Since May, we've had many extensive requests for information. We received submissions from Facebook, and we will engage in another round of discussions very shortly.
Our investigation of AIQ focuses on whether it collected or used personal information without consent, or for purposes other than those identified or evident to individuals. Since my last appearance, OPC investigators have issued additional requests for information. They've conducted a site visit. They've undertaken sworn interviews with both Mr. Massingham and Mr. Silvester, and they have reviewed hundreds of internal records from AIQ, including AIQ electronic devices.
In order to make our conclusions public as soon as possible, our plan is to proceed in two phases: one at the end of this calendar year—next month—and a second phase in the spring.
The time for industry and political party self-regulation is over. The government can delay no longer. Absent comprehensive reform, Parliament should ensure the application of meaningful privacy laws to political parties. It should also give my office the same inspection and enforcement powers that most of Canada's trading partners enjoy.
Individual privacy is not a right we simply trade off for innovation, efficiency or commercial gain. No one has freely consented to having their personal information weaponized against them, to use Tim Cook's term. Similarly, we cannot allow Canadian democracy to be disrupted, nor can we permit our institutions to be undermined in a race to digitize everything and everyone simply because technology makes this possible.
Here, we go to the heart of the issue. Technology must serve humankind—that is, all individuals. Without individuality and privacy, it is a philosophical and practical truism that we cannot have a public democratic life, nor can we enjoy other fundamental rights we cherish, including equality, autonomy and freedom. Privacy is the prior condition for the enjoyment of other rights, including democratic rights. Without privacy, the social environment we have in Canada—democracy, political harmony and national independence—is also at real risk, including risks posed by hostile states.
As to the specifics of the legislative amendments that, in my view, might be required, while there are several excellent elements in the GDPR of the European Union, we should seek to develop an approach that reflects the Canadian context and values, including our close trading relationships within North America, with Europe, and with the Asia-Pacific region. A new Canadian law should reserve an important place for meaningful consent. It should also consider other ways to protect privacy where consent may not work, for instance in the development of artificial intelligence. The GDPR concept of legitimate interest may be considered in that regard.
Our law should probably continue to be principles-based and technologically neutral. It should also be rights-based, and drafted not as an industry code of conduct, but as a statute that confers rights while allowing for responsible innovation. It should empower a public authority—it could be my office or another public authority—to issue binding guidance on how to apply general principles in specific circumstances, so that the general principles do not remain pious wishes but receive practical application.
A new law should also allow different regulators to share information.