Evidence of meeting #132 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Clerk of the Committee  Mr. Michael MacPherson
Ann Cavoukian  Privacy by Design Centre of Excellence, Ryerson University, As an Individual
Michael Geist  Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

3:40 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

Getting back to the regular agenda, today we welcome two witnesses: as an individual, Dr. Geist, Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa; and via teleconference, Ann Cavoukian, Privacy by Design Centre of Excellence, Ryerson University.

We'll start off with you, Ms. Cavoukian.

3:40 p.m.

Dr. Ann Cavoukian Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Thank you very much.

Good afternoon, ladies and gentlemen. It's a pleasure to be here to speak to you today. I've worked with Michael for many years, so it's wonderful to be here with him to speak on these important issues.

What struck me in what you will be doing—I'm just going to read it out—is that your committee is to “undertake a study of digital government services, to understand how the government can improve services for Canadians while also protecting their privacy and security”.

That is so vitally important. That's how I want to address something which I created years ago and is called privacy by design, which is all about abandoning the zero-sum models of thinking that prevail in our society. Zero-sum just means that you can only have a positive gain in one area, security, always to the detriment of the other area, privacy, so that the two total to a sum of zero.

That either-or, win-lose model is so dated. What I would like you to embrace today is something called positive sum. Positive sum just means that you can have two positive gains in two areas at the same time. It's a win-win proposition.

It was started years ago. I did my Ph.D. at the U of T when the father of game theory, Anatol Rapoport, was there. We used to discuss this. I always remember saying, “Why do people embrace zero-sum?” I am the eternal optimist. I would much rather deliver multiple wins than an either-or compromise. He said, “It's simple, Ann. Zero-sum is the lazy way out, because it's much easier just to deliver one thing and disregard everything else.”

I want you to do more, and I think you want to. You want to deliver privacy and security as well as government improvements that can improve services to Canadians.

My privacy by design framework is predicated on proactively embedding much-needed privacy protective measures into the design of your operations and the design of your policies for whatever new services you want to develop and whatever you want to do in terms of data utility, but we do that along with privacy/security. It's a multiple-win model. It's privacy and data utility services to individuals. You can fill in the blanks, but it's “and” not “versus”. It's not one to the exclusion of the other. But how do you do both?

I know that I only have 10 minutes and I've probably used up five, so I'm going to keep the rest short.

In the privacy world, there's a key concept called data minimization. It's all about de-identifying data so that you can benefit from the value of the data to deliver much-needed services in other areas of interest to Canadians and individuals without forfeiting their privacy. When you de-identify personally identifiable data, both the direct and indirect identifiers, then you free the data, if you will, from the privacy restrictions, because privacy issues arise and end with the identifiability of the data. If the data are no longer personally identifiable, then there may be other issues related to the data, but they're not going to be privacy-related issues.

Data minimization and de-identification will drive this goal of having what I call multiple positive gains at the same time, making it a win-win proposition. I think it will make governments more efficient. You will be able to use the data that you have available and you will always be protecting citizens' personal information at the same time. That's absolutely critical.

I am happy to speak more. I can speak on this issue forever, but I want to be respectful of my time restrictions. I will gladly turn it over to you and answer any questions that you may have.

3:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Ms. Geist. I'm sorry, Ms. Cavoukian. I'm a little ahead of myself.

3:45 p.m.

Voices

Oh, oh!

3:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

We will move to Dr. Geist for 10 minutes, please.

3:45 p.m.

Dr. Michael Geist Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

All right. Great. I don't think my wife is listening in.

3:45 p.m.

Voices

Oh, oh!

3:45 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Good afternoon, everybody. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in internet and e-commerce law and am a member of the Centre for Law, Technology and Society.

My areas of speciality include digital policy, intellectual property and privacy. I served for many years on the Privacy Commissioner of Canada's external advisory board. I have been privileged to appear many times before committees on privacy issues, including on PIPEDA, Bill S-4, Bill C-13, the Privacy Act and this committee's review of social and media privacy. I'm also chair of Waterfront Toronto's digital strategy advisory panel, which is actively engaged in the smart city process in Toronto involving Sidewalk Labs. As always, I appear in a personal capacity as an independent academic representing only my own views.

This committee's study on government services and privacy provides an exceptional opportunity to tackle many of the challenges surrounding government services, privacy and technology today. Indeed, I believe what makes this issue so compelling is that it represents a confluence of public sector privacy law, private sector privacy law, data governance and emerging technologies. The Sidewalk Labs issue is a case in point. While it's not about federal government services—it's obviously a municipal project—the debates are fundamentally about the role of the private sector in the delivery of government services, the collection of public data and the oversight or engagement of governments at all levels. For example, the applicable law of that project remains still somewhat uncertain. Is it PIPEDA? Is it the provincial privacy law? Is it both? How do we grapple with some of these new challenges when even determining the applicable law is not a straightforward issue?

My core message today is that looking at government services and privacy requires more than just a narrow examination of what the federal government is doing to deliver the services, assessing the privacy implications and then identifying what rules or regulations could be amended or introduced to better facilitate services that both meet the needs of Canadians and provide them with the privacy and security safeguards they rightly expect.

I believe the government services really of tomorrow will engage a far more complex ecosystem that involves not just the conventional questions of the suitability of the Privacy Act in the digital age. Rather, given the overlap between public and private, between federal, provincial and municipal, and between domestic and foreign, we need a more holistic assessment that recognizes that service delivery in the digital age necessarily implicates more than just one law. These services will involve questions about sharing information across government or governments, the location of data storage, transfer of information across borders, and the use of information by governments and the private sector for data analytics, artificial intelligence and other uses.

In other words, we're talking about the Privacy Act, PIPEDA, trade agreements that feature data localization and data transfer rules, the GDPR, international treaties such as the forthcoming work at the WTO on e-commerce, community data trusts, open government policies, Crown copyright, private sector standards and emerging technologies. It's a complex, challenging and exciting space.

I would be happy to touch on many of those issues during questions, but in the interest of time I will do a slightly deeper dive into the Privacy Act. As this committee knows, that is the foundational statute for government collection and use of personal information. Multiple studies and successive federal privacy commissioners have tried to sound the alarm on the legislation that is viewed as outdated and inadequate. Canadians understandably expect that the privacy rules that govern the collection, use and disclosure of their personal information by the federal government will meet the highest standards. For decades we have failed to meet that standard. As pressure mounts for new uses of data collected by the federal government, the necessity of a “fit for purpose” law increases.

I would like to point to three issues in particular with the federal rules governing privacy and their implications. First is the reporting power. The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. Privacy commissioners played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act desperately needs a similar mandate for public education and research.

Moreover, the notion of limiting reporting to an annual report reflects really a bygone era. In our current 24-hour social media-driven news cycle, restrictions on the ability to disseminate information—real information, particularly that which touches on the privacy of millions of Canadians—can't be permitted to remain outside the public eye until an annual report can be tabled. Where the commissioner deems it in the public interest, the office must surely have the power to disclose in a timely manner.

Second is limiting collection. The committee has heard repeatedly that the Privacy Act falls woefully short in meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be the model, it instead requires less of itself than it does of the private sector.

A key reform, in my view, is the limiting collection principle, a hallmark of private sector privacy law. The government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities. This is particularly relevant with respect to emerging technologies and artificial intelligence.

The Office of the Privacy Commissioner of Canada, which I know is coming in later this week, recently reported on the use of data analytics and AI in delivering certain programs. The report cited several examples, including Immigration, Refugees and Citizenship Canada's temporary resident visa predictive analytics pilot project, which uses predictive analytics and automated decision-making as part of the visa approval process; the CBSA's use of advanced analytics in its national targeting program with passenger data involving air travellers arriving in Canada; and the Canada Revenue Agency's increasing use of analytics to sort, categorize and match taxpayer information against perceived indicators of risks of fraud.

These technologies obviously offer great potential, but they also may encourage greater collection, sharing and linkage of data. That requires robust privacy impact assessments and considerations of the privacy cost benefits.

Finally, we have data breaches and transparency. Breach disclosure legislation, as I'm sure you know, has become commonplace in the private sector privacy world and it has long been clear that similar disclosure requirements are needed within the Privacy Act. Despite its importance, it took more than a decade in Canada to pass and implement data breach disclosure rules for the private sector, and as long as that took, we're still waiting for the equivalent at the federal government level.

Again, as this committee knows, data indicate that hundreds of thousands of Canadians have been affected by breaches of their private information. The rate of reporting of those breaches remains low. If the public is to trust the safety and security of their personal information, there is a clear need for mandated breach disclosure rules within government.

Closely related to the issue of data breaches are broader rules and policies around transparency. In a sense, the policy objective is to foster public confidence in the collection, use and disclosure of their information by adopting transparent open approaches with respect to policy safeguards and identifying instances where we fall short.

Where there has been a recent emphasis on private sector transparency reporting, large Internet companies, such as Google and Twitter, have released transparency reports. They've been joined by some of Canada's leading communications companies such as Rogers and Telus. Remarkably, though, there are still some holdouts. For example, Bell, the largest player of all, still does not release a transparency report in 2019.

Those reports, though, still represent just one side of the story. Public awareness of the world of requests and disclosures would be even better informed if governments would also release transparency reports. These need not implicate active investigations, but there's little reason that government not be subject to the same kind of expectations on transparency as the private sector.

Ultimately, we need rules that foster public confidence in government services by ensuring there are adequate safeguards and transparency and reporting mechanisms to give the public the information it needs about the status of their data and appropriate levels of access so the benefits of government services can be maximized.

None of that is new. What may be new is that this needs to happen in an environment of changing technologies, global information flows and an increasingly blurry line between public and private in service delivery.

I look forward to your questions.

3:50 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Dr. Cavoukian and Dr. Geist.

We'll start off with Mr. Saini for seven minutes.

3:50 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good afternoon, Ms. Cavoukian and Dr. Geist. It's always a pleasure to have esteemed eminent experts here. I will do my best to keep my questions succinct.

Dr. Geist, in one of the things you brought up, you talked about the different levels of government. I come from a region of the country that has four levels of government: federal, provincial, regional and municipal. In the model we looked at earlier, the Estonian model, they have what they call a once-only principle, where there is one touch and all the information is disseminated, albeit Estonia is a small country and probably has only two levels of government. In some cases, we have three or four.

How do we protect Canadians' privacy? Each level of government has a different function and a different responsibility. Rather than giving all the information once to the federal government, then the provincial government, then the regional government and then the municipal government—and that information, as you know, can be shared, whether it be tax records, health records or criminal records—how can we have a way of protecting Canadians' privacy but also making our government services more efficient?

3:55 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

You raise an interesting point. In some ways it highlights—and Ann will recall this and I'm sure may have comments—that when we were setting out to create private sector privacy law in Canada at the federal level, we were in a sense grappling with much the same question: How do we ensure that all Canadians have the same level of privacy laws regardless of where they happen to live and which level of government they're thinking about?

The sad reality is that decades later, the answer is they don't, and they still don't. We can certainly think about whether there are mechanisms we can find through which governments can more actively work together with respect to these issues. I think if we're candid about it, though, the reality is that provinces have taken different approaches with respect to some of these privacy rules, and that's just one other layer of government. Quebec's private sector privacy law predated the federal law. A couple of provinces have tried to establish similar kinds of laws. Other provinces have done it on a more subject-specific basis. The mechanism within PIPEDA that we use for that is to see whether the law is substantially similar, but the practical reality is that there are still many Canadians in many situations who don't, practically speaking, have privacy protections today because they don't have provincial laws that have filled those gaps. That's not even getting into the other layers you've talked about. It's a thorny constitutional issue and it is also one that raises really different questions around some of the substance as well.

3:55 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Ms. Cavoukian, the next question is for you.

Some of the benchmarks of the Estonian model were that there had to be the once-only principle; they had to have a strong digital identity, but also more importantly, there had to be interoperability between different government departments. The way they structured it was to have not one singular database but different databases that held very specific and particular information that could be accessed. Their infrastructure is called X-Road. Is that a model we should be pursuing?

Also, what is the benefit or disadvantage of having data spread out? There are certain advantages, but there are also certain disadvantages. What would be the advantage or disadvantage of having that data spread out and, more importantly, of making it easier for Canadians to access the information they need?

3:55 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

I think it's an excellent model and it's one you're going to be seeing more of. It's called a model of decentralization, in which all the data isn't housed in one central database that different arms of government can access. The problem with centralization is that it is subject to far greater risk in terms of data breaches, privacy infractions, unauthorized access to the data by curious employees, inside jobs and all of that. All of the data is placed at far greater risk if it's in one central location.

You may recall about six months ago that Tim Berners-Lee, who created the World Wide Web, was aghast and said he was horrified at what he'd created because it is a centralized model that everyone can basically break into more easily and access everyone's data in an unauthorized manner. Centralization also lends itself to surveillance and tracking of citizens' activities and movements. It is fraught with problems from a privacy and security perspective.

In Estonia, the decentralized model is superior, with different pots of information. Each database contains information that can be accessed for a particular purpose. Often that's referred to as the primary purpose of the data collection, and individuals within the government are limited as to the uses of the data. They have to use the data for the intended purposes. The more you have decentralized pots of information the greater the likelihood the data will remain and will be retained for the purposes intended and not used across the board for a variety of purposes that were never contemplated.

You have far greater control and people, citizens, can be assured of a greater level of privacy and security associated with that data. It's a model that is proliferating and you're going to see much more of it in the future. It doesn't mean that other arms of government can't access it. They just can't automatically access it and do whatever they want with it.

4 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

That's great. Thank you.

I have one final question, Dr. Geist. You mentioned that there will be an interface or nexus between the private sector and the public sector. Obviously the two different sectors are governed by two different privacy regimes. More importantly, when we look at the Estonian model, we look at blockchain technology. It's a technology that's safe and accountable.

If you're going to have two different systems, the public sector and the private sector, the technology has to be equal. As we know, sometimes the private sector technology is greater than the public sector technology. How do we get both to change to make sure there's accountability and that the interface will work efficiently for the citizen?

4 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I see accountability as being a legal principle and not a technological one, and that speaks to the accountability of the information that gets collected.

In terms of ensuring that both public and private are using best of breed security, for example, I think we've seen some of the mechanisms, at least in the public sector where we can try to do that, with the government's efforts to try to embrace different cloud computing services. It's a good illustration of how the government has recognized that cloud may offer certain concerns around where the data is stored and those kinds of localization issues, but it also may offer, depending on the provider, some of the best security mechanisms with regard to where that data's being stored. So how do you get the benefits of that, while at the same time creating some of the safeguards that may be necessary? We've seen some efforts in that regard.

Some of that comes down to identifying different kinds of data or perhaps, especially at the federal government level, different kinds of rules for different kinds of data. I think it does require an openness to blurring those lines sometimes, within the context of recognizing that we still need to ensure that Canadian rules are applicable.

4 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Saini.

Next is Mr. Kent for seven minutes.

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you, Mr. Chair.

Thank you both for attending before this committee.

The study of digital government is a huge topic. We began it last year and then back-burnered it, because of the Cambridge Analytica, Facebook and AggregateIQ study.

I was fascinated when I spent some time last year with Prime Minister Jüri Ratas of Estonia. He showed me the card, the chip it contains and the fact that it's basically cradle-to-grave data. They've had a couple of breaches and glitches with their chip manufacturer, but it's a fascinating concept.

I'd like to ask both of you this. Whereas the Estonian digital government model is built on a fledgling democracy after the collapse of the Soviet Union, with a still compliant society that accepted the decision of its new government leaders to democratically impose this new digital government on the population, in our context, our wonderful Canadian Confederation has had, through 150 plus years, democratic challenges to government, with skepticism and cynicism in many ways, with regard to significant changes in government and referenda on any number of issues. I'm just wondering, for any government, whether federal, provincial, regional or municipal, in any of the contexts, how practical the pursuit of a single card with a chip à la Estonia is for Canada and Canadians.

Dr. Cavoukian, would you like to go first?

4 p.m.

Privacy by Design Centre of Excellence, Ryerson University, As an Individual

Dr. Ann Cavoukian

Forgive me; I was shaking my head. Estonia is highly respected, no question. I personally would not want to go with one card with one chip that contained all your data. That's a centralized model that is just going to be so problematic, in my view, not only now but especially in the future.

There are so many developments. You may have heard of what's happening in Australia. They've just passed a law that allows the government there to have a back door into encrypted communications. Why do you encrypt communications? You want them to be secure and untouched by the government or by third parties, unauthorized parties. Australia has passed a law that allows it to gain back-door access into your encrypted communications and you won't know about it. No one can tell you about it. It is appalling to me.

Personally, I am not in favour of one identity card, one chip, one anything.

Having said that, I think we have to go beyond the existing laws to protect our data and find new models, and I say this with great respect. I was privacy commissioner of Ontario for three terms, 17 years. Of course we had many laws here and I was very respectful of them, but they were never enough. It's too little too late. Laws always seem to lag behind emerging technologies and developments. That's why I developed privacy by design. I wanted a proactive means of preventing the harms from arising, much like a medical model of prevention. Privacy by design was unanimously passed as an international standard in 2010. It has been translated into 40 languages and it has just been included in the latest law that came into effect last year in the European Union called the General Data Protection Regulation. It has privacy by design in it.

The reason I'm pointing to this is that there are things we can do to protect data, to ensure access to the data, digital access by governments when needed, but not across the board, and not create a model of surveillance in which it's all in one place, an identity card, that can be accessed by the government or by law enforcement.

You might say that the police won't access it unless they have a warrant. Regrettably, to that I have to say nonsense. That's not true. We have examples of how the RCMP, for example, has created what are called Stingrays. These impersonate cellphone towers so they can access the cellphone communications of everyone in a given area when they're looking for the bad guy. Of course, if they have a warrant, I'd say to them, “Be my guest, by all means. Go search for him.” Did they have a warrant? No. They did this without anyone knowing, but CBC outed them, and they finally had to come clean that they were doing this.

With the greatest of respect and not to say anything negative about Estonia, that's not the direction I would want us to take here, one of greater centralization. I would avoid that.

4:05 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

Dr. Geist.

4:05 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Ann has raised a number of really important issues, especially around that issue of centralization.

I couldn't help, as you were talking about that, thinking about the experience so far on the digital strategy advisory panel for Waterfront Toronto, which I must admit has been more than I bargained for. As chair of that panel for the past year—

4:05 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

I'm sure we'll get to that.

4:05 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I have to say when you take a look at that, that isn't a single identity card. That is taking a relatively small piece of land and wanting to embed some of the kinds of technologies, emerging technologies, that allow for smart government. Both the controversy that has arisen in association with it, and even more, just the kind of public discussion around what we're comfortable with, which vendors we're comfortable with and what role we want government to play in all of this highlight some of the real challenges. That's in a sense a small pilot project for some of the smart city technologies. Talking about a single card for all data to me is a force multiplier behind that which raises a whole series of issues in our environment.

4:05 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

I'm sure in the two hours the committee will get back to the larger digital government question, but to come back to Sidewalk Labs, there's a bit of a David and Goliath situation in Sidewalk Labs, given the way Alphabet, the parent company to Google, has been dictating its dealings with the city and the other potential partners. Dr. Cavoukian's departure would speak to that, I would think.

4:05 p.m.

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sure, she departed from her position as an adviser to Sidewalk Labs. My role has been on the advisory panel to Waterfront Toronto, and I still feel that it's early days in terms of trying to identify precisely what the final development project looks like and whether it gets approved. That's really what this advisory panel is all about: trying to better understand what kinds of technology are being proposed, what sort of data governance we have around the intellectual property and privacy, and ensuring that the terms are not dictated but rather better reflect what the community is thinking about.

4:10 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up is Mr. Angus for seven minutes.