Evidence of meeting #132 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was services.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Clerk of the Committee  Mr. Michael MacPherson
Ann Cavoukian  Privacy by Design Centre of Excellence, Ryerson University, As an Individual
Michael Geist  Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

4:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Baylis.

Next up, for another five minutes, is Mr. Kent.

4:35 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you very much, Chair.

This is a very interesting conversation. I apologize that votes are going to cut it short. You may anticipate being recalled, both of you, in the days and months ahead.

This committee has recommended to government in a couple of reports now that the General Data Protection Regulation be examined and that Canadian privacy regulations across the board and the Privacy Commissioner's powers be greatly strengthened and contemporized.

I wonder, just in the final few minutes we have, if you could offer cautions. I'm hearing signals from the government side that digital government is coming down the track: Stand back; it's about to be presented in some form or another. I wonder if you could both offer cautions to the government before they get too far down this track.

Dr. Cavoukian.

4:35 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

I totally support Commissioner Daniel Therrien's call to the federal government to upgrade the PIPEDA, for example, which dates from the early 2000s. He also said we need to add privacy by design to the new law because, after all, they have embedded it in the GDPR. We need new tools. We need to be proactive. We need to identify the risks and address them up front. We can do this.

Upgrading the laws is absolutely essential. Giving the commissioner the much-needed authority that he needs but now lacks is essential. I can say, having been a privacy commissioner for three terms, that I had order-making power. I rarely used it, but that was the stick that enabled me to engage in informal resolution with organizations, government departments that were in breach of the privacy law. It was a much better way to work.

I had the stick. If I had to issue an order, I could do that. That's what Commissioner Therrien lacks. We have to give him that additional authority and embed privacy by design into the new law so we can have additional measures available to the government to proactively address a prevention model, much like a medical model of prevention. It would be much easier if we had that. Then far less would go to the already extended Privacy Commissioner to be addressed.

Thank you.

4:40 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Dr. Geist.

4:40 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I would like to start by commending this committee for the reports it has put out over the last year or so, which I think have been really, really strong and have helped fuel a lot of the public discussion in this area. I think it's been really valuable.

I would say that I don't know what the government is thinking on this. I do know that they have held a consultation on a national data strategy. I guess in some ways I'm waiting to see what comes out of that. To me a national data strategy, to harken back to my comments off the top, really, if they take a holistic approach that recognizes that part of what you're dealing with in that context, includes data governance-related issues, PIPEDA-related issues, private sector-, public sector-, and Privacy Act-related issues including some of the enforcement types of issues that have been raised repeatedly by the Privacy Commissioner. That tells me there's a recognition that it's critically important to get that piece right for any number of reasons, including the prospect of trying to embrace some of the e-services that the government might want to move toward.

4:40 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

How critical is consent in that process?

4:40 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Consent has long been viewed as a bedrock principle. I think one of the reasons we really struggle with some of these issues comes back to Mr. Erskine-Smith's question about why we can't find a way to inform someone and I think try to do good with that prospect. Part of the problem is that in theory we might ask if we can find a mechanism for our citizens to provide consent to allow the service provider, in this case the government, to inform them about the services they're eligible for. I would say that our standards of consent have become so polluted by the low standards found in PIPEDA, which I think have been widely abused, that few people actually trust what consent means at this stage.

One of the things I think we have to seize back is to try to find mechanisms to ensure that meaningful consent is truly meaningful, informed consent. We have strayed badly in that regard. It's possible that the GDPR will be part of the impetus for trying to do that.

4:40 p.m.

Conservative

The Chair Conservative Bob Zimmer

You have 30 seconds, Mr. Kent.

4:40 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Dr. Cavoukian.

January 29th, 2019 / 4:40 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

I couldn't agree more with Michael. He's absolutely right that the notion of consent is almost non-existent the way it's been whittled down.

You see, consent is essential to control. Privacy is all about personal control over the uses of your data. If you're not consenting to it in a positive way, with positive, affirmative consent, you don't know what's happening with your data. As for expecting people to search through all the legalese in the terms of service and the privacy policy to find the opt-out clause to say no to additional uses of these data and negative consent, life is too short. No one does that, but it's not because they don't care deeply about privacy.

In the last two years, all of the public opinion poll surveys from Pew Internet research have come in at the 90th percentile for concerns about privacy. I've been in this business for well over 20 years, and that's the first time I've seen such high levels of concern, with 91% very concerned about their privacy and 92% concerned about the loss of control over their data.

Positive consent, strong consent, is essential.

4:40 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Dr. Cavoukian.

Next up is Mr. de Burgh Graham for five minutes.

David Graham Liberal Laurentides—Labelle, QC

Thank you.

Anita had a very quick question to start. I'll then take it from there.

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you.

I'm sharing my time, so I would be grateful if the answers could be short.

I want to express my pleasure that we once again have expertise on the panel from the University of Ottawa, which is right here in Ottawa. It's good to see Dr. Geist here.

Dr. Geist, you spoke about the predictive analytics that are already being used by government. There's the example of the CRA fraud and being able to predict. If we were to go to data minimization and to only using data for the purposes for which it was collected, would that preclude the ability of government to use this kind of predictive analysis or AI?

4:45 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Not necessarily; I'll start by saying that. Think back to the controversy we saw last year with respect to StatsCan and the banking data. I thought one of the real weaknesses with respect to StatsCan was that they had never made enough of a compelling case that they couldn't achieve what their end goals were by collecting less than massive amounts of banking data from Canadians. Similarly, with respect to your question, I suppose it depends. If there is a compelling case that the existing data doesn't provide a sufficient level of information to be as effective as having more data would be, then it becomes part of that cost-benefit analysis. Maybe in some instances it does make sense to collect more, but I think it's incumbent on you to do part of that analysis before you simply collect and say, “Hey, the more data we have, the better this will be.”

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you.

David Graham Liberal Laurentides—Labelle, QC

Dr. Geist, I first of all want to thank you for your point on Internet access. As I've said in many fora on many occasions, less than half my riding currently has 10 megabits or better. A good deal have satellite or even dial-up to this day in my riding. We're pretty tired of being left behind on this kind of file, so thank you for making that point.

How do we predict, define and declare what data is necessary and what is not necessary on the collection side? We say we only collect necessary data. How do we define that?

4:45 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

May I speak?

David Graham Liberal Laurentides—Labelle, QC

Whoever would like to.

4:45 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

The whole point is that when you're collecting data from members of the public, they don't give you their personal data to do whatever the heck you want with it. They give it to you for a particular purpose. They have to pay their taxes. They're required to do that. They realize that. They're law-abiding citizens. They give you the information necessary, but that doesn't mean that you, as the government, can do whatever the heck you want with it. They give it to you for a particular purpose. It's called purpose specification. It's use limitation. You are required to limit your use of the information to the purpose identified. That's fundamental to privacy and data protection. Personally identifiable data, which has sensitivity associated with it, must be used for the purposes intended.

Michael mentioned the Stats Canada debacle when they wanted to collect everyone's financial data from the banks. Are you kidding me? I'm sure you know how much outrage that created. They wanted to collect this from 500,000 households. Multiply that times four. It's completely unacceptable.

You have to be very clear what you want to do with the data and obtain consent for that legitimate purpose.

David Graham Liberal Laurentides—Labelle, QC

I think that's my point.

I want to hark back to something that happened in the U.S. recently.

The EFF, the Electronic Frontier Foundation, recently found that the ALPR systems, automatic licence plate readers, are networked across the United States and are exchanging data on where people have been across the country, which is obviously not the intention of those devices.

Where is the line between voluntary and involuntary collection of data? Should you be informed, for example, if an ALPR picks up your licence plate while you pass it? If that's the case, should you have the right to opt out by locking your licence plate, which we know is not the intent at all of these things and it's illegal in a number of ways? Where are the lines on these things?

I have only about a minute.

4:45 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

Licence plates are not supposed to be used for that purpose. They're not supposed to be used to track you coming and going. That's how surveillance and tracking grow enormously.

I have a quick, funny story. Steve Jobs, who, of course, was the creator of Apple, used to buy a new white Mercedes every six months less a day. Then he would take it in and buy the new model of exactly the same thing. Why? Because at that time in California you didn't have to have a licence plate on your car. You had six months after you bought a new car. He didn't want to be tracked. So six months minus a day, he took it in, bought another one, and that continued.

That's just to give you an example. People do not want to be tracked. That's not the purpose of licence plate numbers. We have to return the uses of personal information to the purposes for which they were intended. That's the goal.

David Graham Liberal Laurentides—Labelle, QC

Okay.

If we don't have some degree of centralization and we retain the siloing that we currently have in government, what's the purpose of moving to a smart government in the first place, if we don't add any convenience?

4:45 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

Well, smart government doesn't mean you identify everybody and track what they're doing. With due respect, that's not what smart government means. If that's what it means, then it's no longer free. It's not a free and open society any longer. We have to oppose that. Smart means you can deliver smart services to lots of citizens without invading their privacy. We can do both, but that has to be the goal.

4:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you. That's it.

Next up, for another three minutes, is Mr. Angus.

Before you get going, we do have a bit of time. The bells don't start until 5:15 p.m., and we're going to push that to about the 5:05 p.m. range, so don't feel rushed. I think we have time to get everybody finished.

Go ahead, Mr. Angus.

Charlie Angus NDP Timmins—James Bay, ON

Thank you.

One of the questions we've raised in opposition over the years is about giving police more tools, because if you give police tools, they use them. My colleague Mr. Erskine-Smith suggests that if we get everybody's data and information, government can help them by sending information to them.

I've been in opposition for 15 years and I've seen government often use those resources to say, “Hey, have we told you about our great climate change plan? Have we told you about the great child tax benefit?” To me, if you had everyone's data, the power you would have to send that out in the months leading up to an election is very disturbing.

I represent a rural region in which a lot of people have real difficulty obtaining the Internet, and yet seniors are told, “We're not taking your paper anymore. You're not filling this out. You're going to have to go online.”

We're forcing citizens to become digital. What protections do we need to have in place to say that citizens are being forced to use digital means to discuss with government, but they don't want to hear back from government, so that we limit the ability of government to use that massive amount of data to promote itself in ways that would certainly be disadvantageous to other political parties?