Evidence of meeting #124 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was elections.
A video is available from Parliament.
Liberal
Mona Fortier Liberal Ottawa—Vanier, ON
Thank you, Mr. Chair
Thank you very much for being here once again, Mr. Therrien.
We've met several times during our study, and I think it's important for you to be here again today to give us a progress report.
With regard to your investigation and update, you said it's difficult for you to communicate information. Do you have an idea of the date when you can issue your report?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We'll try to do it in two stages. Under the act, we have a year to complete our report. We'll obviously try to do it sooner. One year takes us into the spring.
Brent Homan Deputy Commissioner, Compliance Sector, Office of the Privacy Commissioner of Canada
Yes.
The first phase will be in December, the second perhaps in the spring.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That's it.
To disclose our findings as soon as possible, we want to present our report in two stages so that some are made public in December and the latest ones in the spring.
Liberal
Mona Fortier Liberal Ottawa—Vanier, ON
At this point, do you think you've assembled all the necessary information? The committee has tried to raise certain questions. Do you have the necessary resources and information to complete your investigation?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We've had several discussions with the two companies in question. To date, we've received the information we requested. We're now in the process of validating it.
Do you want to add anything, Mr. Homan?
Deputy Commissioner, Compliance Sector, Office of the Privacy Commissioner of Canada
We're gathering information from the two organizations, Facebook and AggregateiQ, and verifying other information with the groups.
Liberal
Mona Fortier Liberal Ottawa—Vanier, ON
It's very clear from your recommendation that you want the privacy laws to apply to Canadian political parties. Thank you for telling us that.
I'd like to know whether you think we should have a review or perhaps new measures respecting third parties. We've discussed that issue at length.
Do you have anything new to say on the subject? Do you think we should have other provisions respecting third parties?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
In British Columbia, the equivalent act to PIPEDA applies to all entities, including non-profit organizations, because all organizations engaged in commercial or other activities compile information that includes some information of a delicate nature. Those organizations should be subject to the same provisions.
With regard to third-party organizations—I was in the room when you discussed that kind of organization in Ontario—I think the act should apply to all organizations engaged in commercial or other activities that compile, use or transmit personal information.
Liberal
Mona Fortier Liberal Ottawa—Vanier, ON
Thank you.
I'm going to turn the floor over to my colleague Mr. Picard.
November 1st, 2018 / 12:55 p.m.
Liberal
Michel Picard Liberal Montarville, QC
Thank you.
Good afternoon, Mr. Therrien.
We understand that you're seeking better oversight, better control and greater powers. I'm frankly not opposed to the idea. I think we need to keep an eye on what's going on. However, I don't get the impression we're seeing what needs to be changed or controlled. It's fine to want better control and the resources you need in taking more radical action to address a problem, but first you have to define that problem. I'm not sure we've properly done that. I think we've been spreading ourselves a bit too thin for some time now. I'm going to outline a scenario for you, and then I'd like you to comment on it.
Companies request information from a client. The client provides it, starting with his name. The number of details that are then requested vary from one company to the next. As my colleague said, if, as a client, I fail to provide a minimum amount of information, I won't have access to services. I also can't do much about criminal behaviour from the outside. If I'm hacked, that's not necessarily attributable to bad faith or inappropriate policies. You can always fall victim to some internal or external deficiency, and there are some things I can't control. However, when I register for a service, I expect to receive most of what the supplier is willing to provide me. So that's a relationship between two parties.
I don't think the problem is to determine what information I provide. We're told that, for reasons of transparency, we need to know what businesses do with that information. However, if they start telling us what they do, that is to say, exactly what they were previously doing without our knowledge, that won't change their professional practices much. We won't be any further ahead even if they're very transparent.
The issue isn't to determine what's going on. The problem we have to address, and which may goad us into finding better ways of proceeding, is that we lose all control of the situation when a third party enters a transaction.
Rather than try to control everything that happens, wouldn't it be preferable to establish in actual fact that the information provided to a service provider—and that includes a person's name—is private and must not be communicated, regardless of what type of information it is? So, if I do business with a third party and it wants to use my information to send me ads, so be it, but my personal information would never be disclosed to others, even if I provided it.
Should we focus on transactions involving a third party? In your efforts, you could cooperate with the Competition Bureau, for example.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
In the guidelines that we've proposed and that will come into force on January 1st, we state in particular that companies should be more transparent with consumers. However, that includes their exchanges with third parties. If I understand correctly, you'd like to go further and propose a measure that's tantamount to a prohibition from disclosing information to third parties. Is that correct?
Liberal
Michel Picard Liberal Montarville, QC
The idea isn't to prevent the service. It's possible to advertise without disclosing information.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Absolutely, but various kinds of transactions involve third parties. Imagine a company that provides a very specific service and contracts its accounting or other secondary functions to a third party. Should we prevent the principal company from dealing with a third party in such cases? Not necessarily.
I think a partial solution is to be very clear about third parties and to give consumers a genuine option to prevent disclosure where third-party intervention is not needed to provide a service. Prohibiting a company from doing business with a third party would obviously protect privacy, but do we need to go that far? I don't think it's necessary.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. Picard.
Thank you, everybody.
Again, thank you, Commissioner Therrien, for having an abridged presentation. I know it's tough to squeeze it all into 45 minutes or less. I appreciate your efforts on the file, too. I know there's a lot to cover, and I know you're spread on multiple fronts, as we are. Thanks for you presentation today.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Good luck on the rest of your study.