Evidence of meeting #124 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Stéphane Perrault  Chief Electoral Officer, Elections Canada
Scott Hutton  Executive Director, Broadcasting, Canadian Radio-television and Telecommunications Commission
Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Brent Homan  Deputy Commissioner, Compliance Sector, Office of the Privacy Commissioner of Canada

12:15 p.m.

Executive Director, Broadcasting, Canadian Radio-television and Telecommunications Commission

Scott Hutton

In our case, we don't regulate the fast pace of the social media platforms. We deal with broadcasters on that front. On our front, all I would add is that one tool we would need is administrative monetary penalties in the Broadcasting Act, to be able to enforce various matters quickly. They are not available to us at this point in time.

12:15 p.m.

Conservative

The Chair Conservative Bob Zimmer

Okay. Thank you, everybody. Thanks for appearing at committee today. I apologize for the brevity of the presentations. There are a lot of questions to be asked still, but thank you.

We'll wait for the next witnesses to come up. We'll give them about five minutes.

12:18 p.m.

Conservative

The Chair Conservative Bob Zimmer

I call the meeting back to order.

Again, this is the Standing Committee on Access to Information, Privacy and Ethics, meeting 124, pursuant to Standing Order 108(3)(h)(vii), the study of the breach of personal information involving Cambridge Analytica and Facebook.

This is the second round. We'd like to welcome back Commissioner Therrien, the Privacy Commissioner of Canada; Brent Homan, deputy commissioner, compliance sector; Gregory Smolynec, deputy commissioner, policy and promotion sector; and Julia Barss, general counsel and director of legal services, legal services directorate.

Welcome back, Mr. Therrien. Go ahead for 10 minutes.

12:18 p.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you, Mr. Chair and members of the committee. Thank you for the invitation to appear before you today.

Last week, I attended the 40th international conference of data protection and privacy commissioners, in Brussels. The conference confirmed what I had explained in my last annual report: There is a crisis in the collection and processing of personal information online. Even tech giants, attending the conference in person or through video, are recognizing that the status quo cannot continue.

Apple CEO Tim Cook spoke of “a data industrial complex” and warned that “[o]ur own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency”. He added, “This is surveillance.” Facebook's Mark Zuckerberg admitted that his company committed a serious breach of trust in the Cambridge Analytica matter. Both companies expressed support for a new U.S. law that would be similar to Europe's General Data Protection Regulation or GDPR.

When the tech giants have become outspoken supporters of serious regulation, then you know that the ground has shifted and we have reached a crisis point.

Your committee clearly senses this ground shift and has supported our recommendations for legislative change. The government, however, has been slow to act, thereby putting at continued risk the trust that Canadians have in the digital economy, in our democratic processes and in other fundamental values.

Let's examine, for a moment, the impact of online platforms on privacy and the integrity of elections.

As Canadian artificial intelligence researcher Yoshua Bengio recently said in Le Monde:

Our data fuels systems that learn how to make us press buttons to buy products or choose a candidate. Organizations that master these systems can influence people against their own interest, with grave consequences for democracy and humanity....The only way to restore balance is to ensure that individuals are not left alone when interacting with businesses. What is the role of governments if not to protect individuals? Nothing prevents regulating against excess and the concentration of power in certain sectors.

In my opinion, these are not uniquely Canadian threats, but global ones.

Aside from the misuse of personal information to influence elections, we have also seen hostile states interfering in elections by deliberately targeting personal data.

In the words of Giovanni Buttarelli, the EU Data Protection Supervisor:

Never before has democracy been so clearly dependent on the lawful and fair processing of personal data.

Recent investigations in various countries have demonstrated that political parties are harvesting significant amounts of personal information on voters and adopting new and intrusive targeting techniques.

In July, the UK Information Commissioner released her interim report on Facebook/Cambridge Analytica which found very serious shortcomings in the way digital players are operating.

For example, despite significant privacy information and controls on Facebook, they found users were not told about political uses of their personal information.

The UK Commissioner also raised concerns about the availability and transparency of the controls offered to users over what ads and messages they receive.

Significantly, the UK office found that political parties are at the centre of these data collection and micro-targeting activities. These activities would not take place without political parties.

None of this is encouraging for voters; when we last polled Canadians on this issue, 92% wanted political parties to be subject to privacy law. That's as close to unanimity as one can get in such polling.

In September, privacy commissioners from across Canada put forward a resolution calling on governments to ensure that political parties are subject to privacy law.

Academic experts, civil society and the Canadian public all agreed with this position; and so does the Chief Electoral Officer.

The government, on the other hand, maintains that while the application of privacy laws to political parties is an issue that deserves study, the next federal elections can take place without them.

Canadian political parties' lack of oversight is unfortunately becoming an exception compared to other countries, and it leaves Canadian elections open to the misuse of personal information and manipulation.

The bottom line is that without proper data regulation, there are important risks to a fair electoral process; and this applies to the next federal election in Canada.

This brings me to updating you on our investigative action. I will be quick here, because I'm conscious of time.

As you are aware, we are proceeding—with our colleagues in British Columbia—with an investigation of Facebook and AggregateIQ. The work is advancing well, but we have not yet made our determinations. We continue to gather and analyze information.

For obvious reasons, I'm limited in what I can report due to confidentiality obligations under PIPEDA. I will remind you that we are investigating, among other things, the access to personal information provided to third parties by Facebook, in particular sharing friends' information with app developers. This was an issue we raised with Facebook in 2009. Since May, we've had many extensive requests for information. We received submissions from Facebook, and we will engage in another round of discussions very shortly.

Our investigation of AIQ focuses on whether it collected or used personal information without consent, or for purposes other than those identified or evident to individuals. Since my last appearance, OPC investigators have issued additional requests for information. They've conducted a site visit. They've undertaken sworn interviews with both Mr. Massingham and Mr. Silvester, and they have reviewed hundreds of internal records from AIQ, including AIQ electronic devices.

In order to make our conclusions public as soon as possible, our plan is to proceed in two phases: one at the end of this calendar year—next month—and a second phase in the spring.

The time for industry and political party self-regulation is over. The government can delay no longer. Absent comprehensive reform, Parliament should ensure the application of meaningful privacy laws to political parties. It should also give my office the same inspection and enforcement powers that most of Canada's trading partners enjoy.

Individual privacy is not a right we simply trade off for innovation, efficiency or commercial gain. No one has freely consented to having their personal information weaponized against them, to use Tim Cook's term. Similarly, we cannot allow Canadian democracy to be disrupted, nor can we permit our institutions to be undermined in a race to digitize everything and everyone simply because technology makes this possible.

Here, we go to the heart of the issue. Technology must serve humankind—that is, all individuals. Without individuality and privacy, it is a philosophical and practical truism that we cannot have a public democratic life, nor can we enjoy other fundamental rights we cherish, including equality, autonomy and freedom. Privacy is the prior condition for the enjoyment of other rights, including democratic rights. Without privacy, the social environment we have in Canada—democracy, political harmony and national independence—is also at real risk, including risks posed by hostile states.

As to the specifics of the legislative amendments that, in my view, might be required, while there are several excellent elements in the GDPR of the European Union, we should seek to develop an approach that reflects the Canadian context and values, including our close trading relationships within North America, with Europe, and with the Asia-Pacific region. A new Canadian law should reserve an important place for meaningful consent. It should also consider other ways to protect privacy where consent may not work, for instance in the development of artificial intelligence. The GDPR concept of legitimate interest may be considered in that regard.

Our law should probably continue to be principles-based and technologically neutral. It should also be rights-based, and drafted not as an industry code of conduct, but as a statute that confers rights while allowing for responsible innovation. It should empower a public authority—it could be my office or another public authority—to issue binding guidance on how to apply general principles in specific circumstances, so that the general principles do not remain pious wishes but receive practical application.

A new law should also allow different regulators to share information.

12:30 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Therrien, for your testimony.

We'll go first to Mr. Baylis for seven minutes.

12:30 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you, Mr. Therrien.

It's a pleasure to see you back.

Let's go right into the issue of political parties.

We had some arguments made to us that the PIPEDA laws have penalties that are so strict that they would put a chill on political parties' ability to get volunteers, because the volunteers would be subject to these laws and might be fined for inadvertently doing something they shouldn't have.

Is this a concern for you? Have you seen evidence of this? The B.C. laws, for example, have very strict fines. Have you seen this anywhere else, where political parties have been subject to privacy laws? Has there been a so-called chill factor?

12:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That comment surprises me because, as this committee well knows, I've talked at length about the absence of enforcement powers of the OPC.

Yes, there are some penalties for certain conduct, and as of today, with the new breach regulations coming into force, if political parties were subject to PIPEDA they would be subject to penalties for not disclosing breaches that have occurred.

As a general rule though, as you know, PIPEDA suffers from lack of enforcement, so I was surprised to hear that comment.

12:30 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

As it stands right now, then, that comment does not hold water, in your view.

You were asking for stronger enforcement laws. Let's say that happens and the government gives you the inspection and enforcement powers you seek. Would that chill factor be a concern for you, as the person enforcing those laws?

12:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Possibly.

First, when I recommend that PIPEDA be applied to federal political parties, it is implicit that context would matter. PIPEDA has a number of principles, such as the right to access information and the right to be clear on the purposes for which information would be used by an entity subject to PIPEDA. The fact that we would be dealing with political parties that have legitimate interests, if not rights, to engage in political discussion with electors would be part of the context.

As we would eventually look at the application of PIPEDA to political parties, certainly there could be an examination of enforcement mechanisms, the amount of penalties and what would make sense for the various entities that are subject to it.

I would end with this. In British Columbia, which is the only jurisdiction in Canada where political parties are subject to privacy law, I believe that the enforcement mechanisms are the same for parties as for other entities subject to that law.

12:30 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Has there been any chill on volunteers there, that you know of?

12:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Not that I know of.

12:30 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Let's compare that to other jurisdictions outside of Canada.

For example, does the GDPR apply to political parties?

12:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, the GDPR applies to political parties in the EU.

What is the penalty for a political party breaching the GDPR? I must confess I have not looked at that question specifically. We could get back to you.

12:30 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

The argument we're hearing is that political parties are different, that we don't understand and it's a very different world. Political parties say they need to do data differently.

As far as you've seen, you don't agree with that argument. In British Columbia they don't do it. In Europe they don't do it either. Is there any jurisdiction in the world that has privacy laws and has taken an approach where they've said, okay, we have general privacy laws, but we're going to do a whole new set of them, specific ones just for political parties?

12:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Not to my knowledge, but again I want to emphasize that I recognize that there is a difference in context with the relationship between political parties and electors versus commercial entities and clients. There is a difference in context, but that does not mean that the privacy laws, including PIPEDA, cannot apply having regard to context, as is occurring in Europe or in British Columbia.

12:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

That would be within the confines of one law, not two.

12:35 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

12:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

I have one more quick question, and then I'll pass it over to my colleague.

Have you looked at the terms of use for all these so-called free applications? I'm talking about free services that I have no choice but to subscribe to. If I want to buy a phone, I have to agree to let them spy on me. I use that word deliberately: spy on me.

If I want to use a company's search engine, so many of the terms of use, which I cannot negotiate, implicitly force me to allow the company to do things I don't want them to do. Then they come in front of us and say, “Don't worry about it. You can just click this button and we won't do it,” but that's not true. What they show you changes, but they do it, and they collect information.

Is any jurisdiction finally coming in with laws that override any company's right to put certain terms of use into the contracts that we have to sign, so we have an overriding one that controls our privacy?

12:35 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The short answer is no. What exists in other jurisdictions is rules that have stricter requirements on the conditions for consent, explicit or not, meaningful or not, but not laws that override terms of use of the company. In Europe, for instance, if there are stronger standards requiring explicit consent in many cases, then the consumer, the individual, is better informed of the uses that will be made, but they do not go as far as you're suggesting. Of course, we're looking at this issue on the facts from Facebook in our investigation.

12:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Okay, but I have rights. Say I don't consent. Then they say, okay, you bought your phone, but it can't work. I say that I don't consent to Facebook. Then it says I can't use it. Then I'm blocked out. So I'm looking and I'm saying, as a consumer, as a user, that I want to use these services, but I don't want them spying on me. I don't want them following my data, and I don't want them saying, “Well, you can go and...”, as we had with Google or all these other ones that “tweaked” the wording so carefully.

They have been changing their terms of use all along to give themselves greater leeway to take our data and to use it. I, as a consumer, have zero bargaining power with them, so I must rely on the government.

12:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

We're at time, so could we have just a quick answer, please?

12:35 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll just say there are certain things that are truly required for the service to function. For instance, your location must be given to a phone operator so they can reach you. Of course, the issue, from a privacy perspective, is the conditions that are suggested or imposed by companies beyond what is truly required, and there are a lot of them.

12:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

If they track me for one year, they don't need that. They need to know where I am today to use it.

Thank you, Chair.

12:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Baylis.

We'll go next to Mr. Kent for seven minutes.

12:35 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you, Chair.

Thank you, Commissioner, for appearing before us again today.

Earlier this year, we learned in our study of the scandal with Cambridge Analytica, Facebook and AggregateIQ—as you did in your investigation, and as did the Privacy Commissioner of B.C. and the Privacy Commissioner of the United Kingdom—that millions of pieces of personal data, including that of hundreds of thousands, perhaps more, Canadians, was improperly harvested from Facebook, handled by a number of bodies, and moved back and forth in the digital world across national borders, and we have no assurance that this original improperly harvested data, this mass of data, has been destroyed.

We learned just in the last few weeks that your former Ontario counterpart, Ann Cavoukian, resigned from a Google sibling in Toronto, Sidewalk Labs, because Google could not assure her that highly personal data within Toronto could be effectively de-identified, which Google said was their objective.

Just in the last few days, a Conservative Order Paper question was responded to by the Liberal government regarding recent hacks of the Canadian government: 800 pages, representing perhaps 10,000 hacks or improper access to various government departments and agencies' websites.

This week we learned that you have launched an investigation into Stats Canada's demand or request to Canadian financial institutions for deeply personal information on at least 500,000 Canadians without their knowledge or consent—again, I know that consent is a major concern of yours—to develop a new institutional personal information bank. The claim here by Statistics Canada is that it would be anonymized.

Certainly, after seeing Cambridge Analytica, Facebook and AggregateIQ, and after hearing the very legitimate concerns of a well-recognized authority like Ann Cavoukian over the impossibility or the unlikelihood of de-identification being achieved, I'm also deeply skeptical about Statistics Canada's ability to guarantee that all of the information they're harvesting will be anonymized.

I know you've just begun your investigation, but is consent a paramount consideration in situations like this? Could we have your comments, please?