Information & Ethics Committee on Jan. 29th, 2019

I totally support Commissioner Daniel Therrien's call to the federal government to upgrade the PIPEDA, for example, which dates from the early 2000s. He also said we need to add privacy by design to the new law because, after all, they have embedded it in the GDPR. We need new tools. We need to be proactive. We need to identify the risks and address them up front. We can do this.

Upgrading the laws is absolutely essential. Giving the commissioner the much-needed authority that he needs but now lacks is essential. I can say, having been a privacy commissioner for three terms, that I had order-making power. I rarely used it, but that was the stick that enabled me to engage in informal resolution with organizations, government departments that were in breach of the privacy law. It was a much better way to work.

I had the stick. If I had to issue an order, I could do that. That's what Commissioner Therrien lacks. We have to give him that additional authority and embed privacy by design into the new law so we can have additional measures available to the government to proactively address a prevention model, much like a medical model of prevention. It would be much easier if we had that. Then far less would go to the already extended Privacy Commissioner to be addressed.

Thank you.

I would like to start by commending this committee for the reports it has put out over the last year or so, which I think have been really, really strong and have helped fuel a lot of the public discussion in this area. I think it's been really valuable.

I would say that I don't know what the government is thinking on this. I do know that they have held a consultation on a national data strategy. I guess in some ways I'm waiting to see what comes out of that. To me a national data strategy, to harken back to my comments off the top, really, if they take a holistic approach that recognizes that part of what you're dealing with in that context, includes data governance-related issues, PIPEDA-related issues, private sector-, public sector-, and Privacy Act-related issues including some of the enforcement types of issues that have been raised repeatedly by the Privacy Commissioner. That tells me there's a recognition that it's critically important to get that piece right for any number of reasons, including the prospect of trying to embrace some of the e-services that the government might want to move toward.

Consent has long been viewed as a bedrock principle. I think one of the reasons we really struggle with some of these issues comes back to Mr. Erskine-Smith's question about why we can't find a way to inform someone and I think try to do good with that prospect. Part of the problem is that in theory we might ask if we can find a mechanism for our citizens to provide consent to allow the service provider, in this case the government, to inform them about the services they're eligible for. I would say that our standards of consent have become so polluted by the low standards found in PIPEDA, which I think have been widely abused, that few people actually trust what consent means at this stage.

One of the things I think we have to seize back is to try to find mechanisms to ensure that meaningful consent is truly meaningful, informed consent. We have strayed badly in that regard. It's possible that the GDPR will be part of the impetus for trying to do that.

I couldn't agree more with Michael. He's absolutely right that the notion of consent is almost non-existent the way it's been whittled down.

You see, consent is essential to control. Privacy is all about personal control over the uses of your data. If you're not consenting to it in a positive way, with positive, affirmative consent, you don't know what's happening with your data. As for expecting people to search through all the legalese in the terms of service and the privacy policy to find the opt-out clause to say no to additional uses of these data and negative consent, life is too short. No one does that, but it's not because they don't care deeply about privacy.

In the last two years, all of the public opinion poll surveys from Pew Internet research have come in at the 90th percentile for concerns about privacy. I've been in this business for well over 20 years, and that's the first time I've seen such high levels of concern, with 91% very concerned about their privacy and 92% concerned about the loss of control over their data.

Positive consent, strong consent, is essential.

Not necessarily; I'll start by saying that. Think back to the controversy we saw last year with respect to StatsCan and the banking data. I thought one of the real weaknesses with respect to StatsCan was that they had never made enough of a compelling case that they couldn't achieve what their end goals were by collecting less than massive amounts of banking data from Canadians. Similarly, with respect to your question, I suppose it depends. If there is a compelling case that the existing data doesn't provide a sufficient level of information to be as effective as having more data would be, then it becomes part of that cost-benefit analysis. Maybe in some instances it does make sense to collect more, but I think it's incumbent on you to do part of that analysis before you simply collect and say, “Hey, the more data we have, the better this will be.”

May I speak?

The whole point is that when you're collecting data from members of the public, they don't give you their personal data to do whatever the heck you want with it. They give it to you for a particular purpose. They have to pay their taxes. They're required to do that. They realize that. They're law-abiding citizens. They give you the information necessary, but that doesn't mean that you, as the government, can do whatever the heck you want with it. They give it to you for a particular purpose. It's called purpose specification. It's use limitation. You are required to limit your use of the information to the purpose identified. That's fundamental to privacy and data protection. Personally identifiable data, which has sensitivity associated with it, must be used for the purposes intended.

Michael mentioned the Stats Canada debacle when they wanted to collect everyone's financial data from the banks. Are you kidding me? I'm sure you know how much outrage that created. They wanted to collect this from 500,000 households. Multiply that times four. It's completely unacceptable.

You have to be very clear what you want to do with the data and obtain consent for that legitimate purpose.

Licence plates are not supposed to be used for that purpose. They're not supposed to be used to track you coming and going. That's how surveillance and tracking grow enormously.

I have a quick, funny story. Steve Jobs, who, of course, was the creator of Apple, used to buy a new white Mercedes every six months less a day. Then he would take it in and buy the new model of exactly the same thing. Why? Because at that time in California you didn't have to have a licence plate on your car. You had six months after you bought a new car. He didn't want to be tracked. So six months minus a day, he took it in, bought another one, and that continued.

That's just to give you an example. People do not want to be tracked. That's not the purpose of licence plate numbers. We have to return the uses of personal information to the purposes for which they were intended. That's the goal.

Well, smart government doesn't mean you identify everybody and track what they're doing. With due respect, that's not what smart government means. If that's what it means, then it's no longer free. It's not a free and open society any longer. We have to oppose that. Smart means you can deliver smart services to lots of citizens without invading their privacy. We can do both, but that has to be the goal.