Evidence of meeting #133 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was services.
A recording is available from Parliament.
4:15 p.m.
Conservative
4:15 p.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
It's good to have you back, Mr. Therrien, because you're very private and we don't get a lot of information.
There are a couple of statements that I would like to refute. One is that Canadians are afraid of technology or digitization. I point to the statistic that 85% of people do their taxes online. They're not forced to; they have the right to do it on paper. They choose to do it online for all types of efficiency reasons.
Have you any evidence, other than what's been stated, that Canadians are anti-technology or against digitization per se?
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I don't think I've said that Canadians are concerned with the use of technology.
I did not say that they distrust technology.
Studies consistently show that Canadians are concerned that their privacy is not being protected, in both the public and the private sectors, and that they do not have control over their information. That is not to say that they do not use technology or that they distrust it. It is rather that they believe that their privacy is not being sufficiently protected, by the public or the private sectors.
Services have to be digitized, but with the use of different means, legal, technological or whatever, to make completely sure that the information is secure.
4:15 p.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
You are making quite an important distinction.
Although there is the ability to be abused through digitization, people were stealing identities and doing all this long before we had computers and digitization. People aren't against digitization, but they just have a concern about their privacy and want to ensure that if we do go that route, we do what we can to protect their privacy. Is that what...?
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes, there was theft of information before, but clearly with digitization, the scope of the consequence of a breach is magnified greatly.
4:20 p.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
It is right now. That's true.
Ms. Cavoukian, who is an expert in this area, testified at the last session. She made the argument that security and privacy are not incompatible. It's not one or the other. In fact, we have to stop thinking this way. If things were done correctly, we could actually have more privacy with better security as opposed to always saying, “Well, if we had a lot more security, we'd lose on this side or that side.”
Do you have thoughts along those lines?
4:20 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I agree. It's not a zero-sum game between privacy and security, nor between privacy and innovation, nor between privacy and improved service delivery. It is possible to have all of that, provided that the systems, including the legal systems, are designed properly. That leads me to privacy by design, which is an important concept that should be in the law but should also be applied on the ground by the bureaucracy, by departments, in the delivery of services
4:20 p.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
In a way, we find ourselves right now where we've heard comparisons to the wild west or whatever. When something is new, the people go out, prospect, run, grab territory and all that, and then afterwards the law comes in and we slowly structure things around it. We're living in an era right now where there are not sufficient laws certainly in the digital world, and we have to catch up, if I can say that. However, I would ask you to underline that we cannot, as some people say, go back or even just stay static. We have to go forward, but we can go forward with what Ms. Cavoukian came up with as a concept, which is rather new, and that is privacy by design, so that we start to think about privacy as we're designing the next one.
What are your thoughts there?
4:20 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I agree. I totally support the principle of privacy by design. I would say this with regard to the fact that digitization is something that will necessarily happen—that's true—but privacy by design means that, again, the way in which we proceed needs to be thought out seriously and rigorously.
One of the issues to be considered is the role of the private sector in the delivery of services by government. You mentioned the wild west. You're well placed to know there are important problems with the way in which certain corporations are handling the personal data of individuals. Improving government services is being thought out in terms of relying on technology owned by the private sector in the delivery of services. That's fine, but the way in which these services will be delivered, calling on the private sector—say, the Alexas of this world—the government needs to be very careful as to how this will happen for many reasons, including who owns or controls the information that goes through Alexa when a citizen is asking for services from its government. What happens to that information? Is this information under public control or private control? Is it monetized or not? These are very important and fundamental questions.
4:20 p.m.
Conservative
4:20 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Thanks.
Commissioner, this committee has tabled three reports with the government over the past year or so recommending in each of those reports that your powers be expanded, that you have order-making powers, that there be more serious and significant penalties for violations, that in terms of the act itself, the government consider the GDPR and upgrade, renovate, and stiffen Canadian privacy regulations from the very barely acceptable level we're at today.
Would you recommend that your office be a direct participant, a hand on the pen at the table, as the design of digital government is considered and written? In other words, do you think it's essential that the Privacy Commissioner be a key partner in any project going ahead, either in the early stages or certainly in later stages of digital government?
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We have value to add, for sure, and we have made our services available to government. Sometimes they have accepted that offer. Is it necessary? That might not be for me to say, but I do generally believe that we have value to add and that systems that would consider our recommendations have a better chance of being privacy sensitive.
Where it is not a question of choice is at the back end, where once a law is designed that, for instance, talks about the conditions under which data will be shared between departments, there needs to be a strong regulator to ensure that these conditions are respected. That is the OPC.
4:25 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
If digital government is the property of the government and if there was hypothetically a significant and serious data breach, a damaging data breach, involving the privacy of Canadian citizens or anyone in the digital government system, would you think it would be the Privacy Commissioner that would level penalties against those responsible for that data breach? How would that work if government is actually the corporate controller of that system?
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
You're raising the issue—
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Okay, so government needs to be accountable in the way in which it manages information in relation to citizens. We, the OPC, are well placed to ensure that in individual circumstance the government is called to be accountable and that a breach of data be identified and remedied.
Does it need to lead to a financial penalty? I'm less certain of that in the public sector, but there needs to be somebody to identify violations of the law and to ensure that these violations are remedied, and we are well placed to do that.
4:25 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
The Estonian model has repositories. As you said, there are many silos that are hooked into the central system and the single citizen chip. There will almost certainly be competition for financial gain by a variety of parties to participate in digital government. Neil Parmenter, the president of the Canadian Bankers Association, in a speech that I attended last month, made a point of saying Canada's banks are trusted. There is the double-factor log-in, and he expressed an interest in the banks being a central participant in digital government. Do you have any thoughts on that type of proposition?
4:25 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
It is true that banks offer services that, compared to others, are well protected. I have no problem in principle with banks or other reputable organizations, private organizations, being responsible, say, to manage the common identifier. That's one element of the system. What type of information they actually get when the government delivers services to the citizens, for me, is a different issue, but in terms of managing a secure common identifier, banks are probably well placed to do that.
4:25 p.m.
Conservative
January 31st, 2019 / 4:25 p.m.
Liberal
Michel Picard Liberal Montarville, QC
Good afternoon, Mr. Therrien.
Let me put something to you; I would like to know your opinion.
I am not criticizing the work we have done at all. I have thought for a long time that the committee has been doing valuable, excellent work. However, I want to suggest to you another way of looking at things.
We have been studying the protection of personal data for six or eight months. But I feel that we are spinning our wheels and getting nowhere, because we have not managed to define the problem we are trying to fix, by which I mean defining what personal information is. Let me explain.
People panic at the idea that a licence plate can be read, pretending that it is private. But all that plate can do is identify the vehicle on which it is mounted, not the person at the wheel. In the same way, an IP address does not reveal the identity of the person at the computer keyboard, just where the computer is located.
People gladly provide a lot of personal information. For example, you may remember when, in the first video clubs, we did not hesitate to provide our driving license numbers so that we could rent movies.
The reason why I feel that we do not want to touch the problem of defining personal information is that most of the witnesses we have heard from for almost a year have replied that the best way to protect our personal information was not through technology, but through transparency. Companies understand that people are ready to give them almost any personal information but, in return, they have to commit to telling them what they are going to do with it. So that means that the range of the data that you are ready to provide to anyone at all is not defined. As a result, if we are not able to define the problem that we want to fix, it will be difficult to define the measures that we want to take. Why not just simply stop right there and prevent any data transactions? If someone wants to conduct such a transaction, they would have to communicate with you to find out how to manage the information that is being communicated. That is the first part of my question.
4:30 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
In law, I am afraid I must tell you that you are wrong when you suggest that IP addresses are not personal information. The Supreme Court decided otherwise in a judgment some years ago. Since an IP address can be linked to an individual, it is personal information that must be protected as such.
With licence plates, the issue is somewhat not quite the same. After all, 800 people do not drive my vehicle, just my wife and I. Perhaps that is personal information as well.
So personal information is defined. It is pretty simple; it is any information, including a number, that can be linked to an identifiable person. We can discuss it, but I am inclined not to accept your premise.
Is transparency part of the solution in protecting privacy? Yes, it is part of the solution but it is far from the entire solution. You can be transparent, but you can still damage someone's reputation. However, transparency is part of the solution.
This certainly is a complex question, and if we are having difficulty moving forward, it is because it is complex on a number of levels, including conceptual and technological. That is why, more recently, I have focused on privacy as a human right. So let's start with basic principles.
When I say that privacy is a fundamental right, it is a concept that should be recognized, not only in the law, but also by government bodies that, day after day, implement technological and other systems to collect data and to administer public programs, including by technology. That brings us back to the importance of protecting privacy from the design stage, a concept that we should always keep in mind. If we have a choice between providing a service in a way that endangers privacy and providing the same service differently, but just as effectively, in a way that protects privacy, the concept of protecting privacy from the design stage tells us that we should choose the latter option.
All these privacy issues may seem nebulous, but, in law, what constitutes personal information is quite clear. We have to keep in mind which aspects of privacy we want to protect, so that we make sure that it is protected in government activities and in legislation.
4:35 p.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. Picard.
I have Mr. Angus for the last few minutes. I was asked to split some time by two other members who haven't had a chance to ask a question. We'll do that following Mr. Angus, and then we'll go to the motion that was brought up before.
We'll go to Mr. Angus for three minutes.
4:35 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you, Mr. Chair.
Thank you, Mr. Therrien.
We began a study much earlier in this Parliament on a data breach with Cambridge Analytica and Facebook. Since then, I sometimes feel we've become the parliamentary committee on Facebook. We followed them halfway around the world trying to get answers, and we're still being buffaloed, and I think we'll invite half the world to come here to meet with us again in Ottawa when it's a little warmer to maybe get some more answers from Facebook. But it seems we go week in, week out with new questions and seemingly a continual lack of accountability.
I want to ask you a specific question, though, whether or not you've looked into it. We had the explosive article in The New York Times about the privileges given to certain Facebook users, to be able to read the personal, private messages of Facebook users. They mentioned that RBC was one of them. We've heard from RBC. They said they never had those privileges, that they never did that. The Tyee is now reporting that Facebook has told them that RBC had the capacity to read, write and delete private messages of Facebook users who were using the banking app.
Have you looked into that? Do you think that requires follow-up? Should we take RBC's word for it? Should we, as a committee, be considering this as some of our unfinished business on the Facebook file?