Evidence of meeting #132 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Clerk of the Committee  Mr. Michael MacPherson
Ann Cavoukian  Privacy by Design Centre of Excellence, Ryerson University, As an Individual
Michael Geist  Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

4:10 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, Mr. Chair.

I would certainly like to begin with a discussion of Sidewalk Labs, because it's a very interesting proposal and it's certainly been fraught with a number of questions.

Dr. Cavoukian, your decision to step down from Sidewalk Labs raised a lot of eyebrows and a lot of questions. Can you explain why you felt that you no longer wanted to be part of this project?

4:10 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

I didn't resign lightly. I want to assure you of that.

Sidewalk Labs retained me as a consultant to embed privacy by design—my baby, which I've been talking to you about—into the smart city they envisioned. I said, “I'd be very pleased to do that, but know that I could be a thorn in your side, because that will be the highest level of privacy, and in order to have privacy in a smart city...”. In a smart city, you're going to have technologies on 24-7, with sensors and everything always on. There's no opportunity for citizens to consent to the collection of their data or not. It's always on.

I said that in that model we must de-identify data at source, always, meaning that when the sensor collects your data—your car, yourself, whatever—you remove all personal identifiers, both direct and indirect, from the data. That way, you free the data from privacy considerations. You still have to decide who's going to do what with the data. There are a lot of issues, but they're not going to be privacy-related issues.

I didn't have any push-back from them, believe it or not. I didn't. They agreed to those terms. I said that to them right at the initial hiring.

What happened was that they were criticized by a number of parties in terms of the data governance and who was going to control the uses of the data, the massive amounts of data. Who will exercise control? It shouldn't just be Sidewalk Labs.

They responded to that by saying they were going to create something called a civic data trust, which would consist of themselves and members of various governments—municipal, provincial, etc.—and various IP companies were going to be involved in the creation of it. But they said, “We can't guarantee that they're all going to de-identify data at source. We'll encourage them to do that, but we can't give any assurance of that.”

When I heard that, I knew I had to step down. This was done at a board meeting in the fall. I can't remember when. Michael will remember. The next morning, right after the meeting, I issued my resignation, and the reason was this: The minute you leave this as a matter of choice on the part of companies, it's not going to happen. Someone will say, “No, we're not going to de-identify the data at source.”

Personally identifiable data has enormous value. That's the treasure trove. Everybody wants it in an identifiable form. You basically have to say what I said to Waterfront Toronto afterwards. They called me, of course, right after my resignation, and I said to them, “You have to lay down the law. If there is a civic data trust, or whoever is involved in this, I don't care, but you have to tell them that they must de-identify data at source, full stop. Those are the terms of the agreement.” I didn't get any push-back from Waterfront Toronto.

That's why I left Sidewalk Labs. I'm now working for Waterfront Toronto to move this forward, because they agree with me that we need to de-identify data at source and protect privacy. You see, I wanted us to have a smart city of privacy, not a smart city of surveillance. I'm on the international council of smart cities—smart cities all around the world—and virtually all of them are smart cities of surveillance. Think of Dubai, Shanghai and other jurisdictions. There is no privacy in them. I wanted us to step up and show that you can create a smart city of privacy. I still believe we can do that.

4:10 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you. I want to step in here.

One of the concerns I've been hearing from citizens in Toronto is about the need not just for privacy by design but democratic engagement by design; if this is a city, they're citizens' public spaces. We have a problem. We have a provincial government that is at war with the City of Toronto and has trashed a number of councillors, so there's a democratic deficit. We see Waterfront Toronto in an in-between place with a province that may be against it. We see the federal government continually dealing with this through Google lobbyists, so there are a lot of backroom dealings.

Where is the role for citizens to have engagement? If we're going to move forward, we need to have democratic voices to identify what is public, what is private, what should be protected and what is open. In terms of the other big players, we're dealing with the largest data machine company in the universe, which makes its money collecting people's data, and they're the ones who are designing all of this.

I'd like to ask you that, Dr. Cavoukian—I don't have much time, maybe one minute—and then Dr. Geist. Then maybe we'll get another round on this.

4:15 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

I want to make sure I leave time for Michael.

We need enormous transparency on exactly who's doing what and how this information is being disseminated in terms of the data and the decisions being made on the part of the various levels of government you talked about that always seem to be at each other. I'm not here to defend government, because there has to be a way that there can be an interplay in which citizens are allowed to participate and have an understanding of what the heck is going on. That is absolutely essential. I'm not suggesting that's not important; I just think we should be focusing on the privacy issues to at least make sure that privacy is addressed.

4:15 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Dr. Geist, what are your thoughts?

4:15 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I could really just comment on the role that my panel has been playing. All our meetings are open. The materials are made publicly available. In fact, we've learned about some of Sidewalk's plans from a technological perspective. They have come via the panel as they present to us. Anyone can attend those meetings. Those meetings are actively recorded. In fact, someone shows up to each meeting and records it themselves and then posts it to YouTube. There have been additional meetings. We have a meeting at MaRS next month that deals specifically with civic trusts.

This notion that there aren't avenues or there isn't public discussion taking place, I must admit with respect, is at odds with my experience in the year or so to date that I've been there, where literally anyone in Toronto can come out to any meeting they want.

4:15 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Dr. Geist, with respect—and I've had this from Google—they tell me that people are frustrated because Google wants to talk about how much wood is being used in the building. Come on. Eric Schmidt cares about wood products in Toronto? They're talking about data. That's what people tell me. They come out of this and they're not getting answers.

4:15 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

That's precisely what we talk about at our committee. We spend our time talking about data governance issues, privacy issues, IP issues. In fact, we try to identify what the technologies are that they say they're going to put into place and what the implications are for IP, for privacy, for data governance. For example, the proposal for a civic trust came first to our panel.

As I say, could more be done? I'm sure it could, but I can say from my own perspective, from where I sit, that I see the media coming. I see citizens showing up. I see blog posts and otherwise coming out of that. All of this is taking place completely in the open.

4:15 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

Next up is Mr. Erskine-Smith for seven minutes.

January 29th, 2019 / 4:15 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thank you very much.

Thank you both for attending.

To begin I want to clarify a bit of a misconception in some of the questions from Mr. Kent with respect to the e-ID in Estonia. It is not a mini computer that centralizes all personal information. In fact, the very foundation of the Estonian digital government is decentralization. The digital ID is an identity card that allows them to access the system, but it's not storing mountains of personal information.

What I really want to get at, and I think the usefulness of this study, is to ask how we can apply the idea of privacy by design to digital government so that we can actually improve services for Canadians.

At the outset I would note that according to Estonia's public information, nearly 5,000 separate e-services enable people to run their daily errands without having to get off their computer at home. As a Canadian who wants better service out of his government, I want that. How do we alleviate privacy concerns from the get-go so we get better service?

If we look at the Estonian model, we have a digital ID. We have a separation of information between departments using X-Road and blockchain technology. Then we have transparency in the sense that when a government employee accesses my information, I can see who did it and it's time-stamped as to when they did it. If you add those layers of detail into a digital government system, is that sufficient to address privacy concerns? Are there other things we should be doing if we're looking to digital government?

I'll start with Dr. Cavoukian and then Dr. Geist.

4:15 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

You have a number of elements that are very positive in what you've described in terms of the transparency associated with each service that's provided and the ease of access to this online by citizens.

I want to make one comment about blockchain. Let us not assume that blockchain is this great anonymous technology. It's not. It has benefits, but it also may have negatives. It's also been hacked. I'm going to read one very short sentence that came out from a text on the GDPR. GDPR is this new law that came into effect in the European Union. They said, “Especially with blockchain, there is no alternative to implementing privacy by design from the start, as the usual add-on privacy and enhancements simply will not satisfy the requirements of the GDPR.” GDPR has raised the bar on privacy dramatically. They're saying, “Sure, use blockchain, but don't do it without privacy by design because you have to make sure privacy is embedded into the blockchain.” There are some companies, like Enigma, that do it beautifully. They have an additional privacy layer.

I just want us to be careful not to embrace blockchain and other technologies without really looking under the hood and seeing what's happening in terms of privacy.

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

My understanding is that in Estonia they were using this technology before it was called blockchain, but it was in 2002 that they implemented a system. The idea is that when they use blockchain as a technology, it's actually when information is being transferred as between departments on a back end. As a citizen, I log on and it's one portal for me, but on the back end, my information is housed in a number of different departments. If they want to share information, those pathways are only open by way of blockchain to ensure that it's private. If I'm at the CBSA, I can't see information that is at employment services...but duly noted on the blockchain concern.

With respect to, I guess, my fundamental question.... I have more specific questions, but this is the broad question. If we build in a digital ID, if we build in anonymization as between departments when they're sharing information and I can log on it and have user control of my information, if those are the three fundamental building blocks of this, am I missing something? Am I missing something else?

4:20 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

It sounds very positive. You're going to have security embedded in [Technical difficulty—Editor]

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

The digital ID is itself an encryption device, exactly.

4:20 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

As I understand it, in Estonia it's itself a microprocessor and it's an encryption device, so it verifies my identity.

By the way, on Estonia, the biggest sales pitch—and I know Mr. Kent might have been worried about it—when they came to our committee was that they said there's been no identity theft since they implemented this system—no identity theft. Why? Because if they lose the digital ID, the certificate can easily be revoked, so nobody can use that digital ID to access services in faking to be someone else.

If those are the three building blocks, and if you don't have a clear answer to any...and you say those all sound positive, the overarching question is, are there other layers we should be building in to make sure we have privacy by design built into digital government services, as Estonia does it? Is Estonia missing something or should we do what Estonia does?

4:20 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

Estonia is very, very positive—

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

The—

4:20 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

If I could respond, I'm not going to speak specifically to Estonia, but I will say that there are two elements to it. When you're a hammer, everything looks like a nail, and when you're a law professor, everything looks like a legal issue. In terms of describing largely technological standards and saying that's how we're going to effectively preserve.... I understand why that has a great deal of appeal, but my view would be that you need a commensurate law in place as well.

The other thing is that one of my other issues that I focus on is access, of course, so what else do you need? You need to ensure that all Canadians have access to the network if we're going to be able to embrace these kinds of services. We still find ourselves with too many Canadians who do not have affordable Internet access. We need to recognize that part of any conversation about asking how we can provide these kinds of services to Canadians must include how we ensure that all Canadians have affordable access.

4:20 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I appreciate those comments.

Because I'm running out of time, the last question I have is about data minimization. On the one hand, Estonia I think generally adopts this rule, but when we look at government services, we might say in the same way companies do that more data is better to deliver better services for consumers. As a government, we say that more data in certain instances is better. I want to use one example.

Very few Canadians take up the Canada learning bond. Everyone is eligible for the Canada child benefit because it's automatic, provided they file their taxes. Now, if we know who all the individuals are who have received the Canada child benefit, we also know that they're eligible for the Canada learning bond. By using that kind of information to proactively reach out to citizens to say, “Hey, by the way, there's free money here for your kid's education that you are eligible for, so please apply if you haven't applied”, we are having to use their information, ideally to improve services. Are there risks here that I should be worried about?

4:25 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

I don't think more data is better at all.

The example you give is a very worthwhile one. You want to reach out to people, but there are so many risks in using data for purposes never intended. Theoretically, we give data to the government for a particular purpose. We pay our taxes or we do whatever. That's the intent. It's the primary purpose of the data collection. The intention is that you're supposed to use that data for that purpose and limit your use of data to that unless you have the additional consent of the data subject, the citizen.

The minute you start deviating for what you might think is the greater good, and that it's better for them if you have access to all their data and can send them additional services or information.... They may not want you to do that. They may not want.... Privacy is all about control: personal control relating to the uses of your information. The minute you start stretching that out because you think—I don't mean you personally—the government knows better, that's going to take you down the path of surveillance and tracking, which is the completely wrong way to go. I say that with great respect, because I know you mean well here, but I would not go.... Plus, when you have data at rest, massive amounts of data at rest, it's a treasure trove.

4:25 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Dr. Cavoukian—

4:25 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

It's a treasure trove for hackers. People are going to hack into that data. It's just going to be a magnet for the bad guys.

4:25 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

We have votes coming up at 5:30 p.m., and we have a bit of committee business that I have to take in camera for about five minutes, so I would look to be done at about 4:50 p.m., if that's possible.

We'll go to Mr. Gourde for five minutes.

4:25 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Chair.

Thank you to the witnesses for being here today.

My question is very simple: can the Estonian model be applied in Canada, given our challenges, the various levels of governance and of access to the Internet on such a vast territory?

There are regions of Canada that are not connected. If we choose this, we will have to provide Canadians with two levels of service, to take those who have no access into account. Is it really worth it?

Ms. Cavoukian, you may answer first.