Evidence of meeting #134 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was facebook.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

David Carroll  Associate Professor, Parsons School of Design, The New School, As an Individual
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual
Jason Kint  Chief Executive Officer, Digital Content Next

4:40 p.m.

Associate Professor, Parsons School of Design, The New School, As an Individual

David Carroll

Certainly. The question is how the government can push the industry away from personal data towards a way to monetize non-personal data. There are ways to achieve similar results without using personal data.

In regard to the copyright question, there hasn't been a lot of talk or brainstorming around how taxation can reincentivize the industries, whether it's taxing personal data and exempting non-personal data, whether it's taxing use to fund through copyrights and funding for journalism. There are different models that could be explored to address these issues together, because it's hard to talk about copyright without also talking about data. It's hard to talk about antitrust without also talking about data. The way these issues collude together is very tricky.

Frank Baylis Liberal Pierrefonds—Dollard, QC

Mr. Kint.

4:40 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

I would try to avoid the government mandating this, but there are things we can learn from the GDPR in Europe. It is probably the most-discussed regulation around data right now, and probably the most forward-looking.

There's something in there called purpose limitations, which basically says that if I give you consent to use my data for a certain purpose, you can't use it beyond that. That speaks to a lot of what I commented on in my opening remarks around context and consumer expectations.

It's about using the data in the way the user expects based on the original negotiation or relationship when they started, and then limiting it to that. The way Google makes money is by moving from Gmail to location tracking, etc.

Frank Baylis Liberal Pierrefonds—Dollard, QC

Then take my data out of the phone. They keep it tracked for me for the last year. I don't want them to do that. It's not necessary, and I have no power to negotiate with Apple to stop doing it. Only the government can stop doing it.

4:40 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

As far as we understand, Apple is not using that data to also then micro-target ads at you or use it for any other purpose.

Frank Baylis Liberal Pierrefonds—Dollard, QC

Absolutely.

You go to a restaurant and they know where you've been. They ask you how the restaurant was. It's used all the time.

4:45 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

That's within the device. We can get deep into the weeds but it's—

Frank Baylis Liberal Pierrefonds—Dollard, QC

It's sold off. If I look up restaurants, for example, and am thinking of going to a particular restaurant, and then I happen to go there, then I get, hey, do you want to write a review of this restaurant? They know through this thing that they've sold to someone else, and combined with where I've searched and where I've been, they have put it together, so for sure they are doing this.

4:45 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

Either way, without going into the weeds on who's doing what, I think a higher bar is definitely in order and should be discussed for the companies that see a substantial amount of your activity; I call them service providers. That may mean that they can't use the data for that purpose. It's no different from walking into a store, say Target, and they're going to track your data as part of the store experience. That's probably acceptable and you can choose not to go to Target ever again because you don't like it. But if you walk into Target and then they track you outside of the store, everywhere you go, that's the problem you're speaking of, and that's where there needs to be a higher bar.

4:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Baylis.

Next up for five minutes we have Mr. Gourde.

4:45 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Chair.

My question is for all the witnesses.

The digital world we're currently experiencing seems to be the same in Canada, the United States and other countries. In the digital world, reality has gone beyond fiction. Things that we couldn't even imagine in 2015 have become a reality. Major companies such as Facebook, Google or other companies that may emerge in the future don't seem to have any limits when it comes to obtaining and accumulating our personal information and storing the information for many years.

Should limits be imposed on these companies in terms of our personal information and how long they can keep it?

Mr. Carroll, you can answer first.

4:45 p.m.

Associate Professor, Parsons School of Design, The New School, As an Individual

David Carroll

The GDPR in the EU and, to a degree, the new California Consumer Privacy Act, which will come into effect in 2020, offer us models for setting limits. One limit that you proposed is a limit on data retention. One interesting part about GDPR is the requirement to disclose the data retention duration at the moment of gaining consent. When you sign up for a service the requirement is, “we will hold your data for six months”, and you are learning that limitation at the moment of signing up and giving consent.

I think we have some good models now to work from to evaluate and to see how these limits are set. The other limits that my colleague Mr. Kint has been referencing—limiting use based on the context of collection and prohibiting uses across contexts—would be also important frameworks to establish. The key here is also enforcement. My experience working with the Information Commissioner's Office as well as the court system in the U.K. shows that enforcement of these limits is where the rubber hits the road.

4:45 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

I would confirm that last point.

I saw that you were recommending giving more powers to the privacy commissioner. That's hugely important. I think the powers that the ICO commissioner had came in at the 11th hour. She was fortunate to have those, so I would recommend that. Certainly, GDPR, has real teeth to it, with the 4% fine of global turnover. That makes a difference, and we're starting to see some of that enforcement.

I have a lot of check marks next to your recommendations. There are a lot of really good recommendations. The things I put stars next to are super important things like modernizing the Competition Act and really recognizing that these companies—with which, as Mr. Baylis points out, you don't have a fair deal because they have so much power and so much data that you have to use them, and there are only two different operating systems, let's say, or only one search engine—actually should be evaluated based on the data, as part of the trade-in value. The fact that they're free shouldn't allow them to run away with a monopoly.

4:50 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Mr. Vickery, the floor is yours.

4:50 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I'd like to bring up the concept that data doesn't really go away. Companies can claim they've deleted it or say whatever the heck they want, but it has been rolled into other things by then. There are derivatives of it and they probably did keep some backups.

I would focus more on the data becoming stale after a while. Therefore, implement new rules, regulations, laws, to tighten their ability to collect the superfluous amounts of data, and let that other data become stale, old and of no use because it's so old. Don't worry about trying to wrest it out of their hands, because you're never going to.

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you.

4:50 p.m.

Conservative

The Chair Conservative Bob Zimmer

Madame Fortier, for five minutes.

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you, Mr. Chair.

Ladies and gentlemen, I want to go back to the study that we're currently conducting. As part of the study, we want to determine how the digitization of government services will affect the protection of personal information. We've looked at the Estonian model, among other things, and we've heard some of your comments on it.

Are there any other models or initiatives from around the world that we should look at closely for the purposes of our study?

I want to hear from Mr. Carroll first, then I'll move on to the other witnesses.

4:50 p.m.

Associate Professor, Parsons School of Design, The New School, As an Individual

David Carroll

One aspect of the Estonian model that is important and valuable is the principle of collecting once. Not requiring citizens to keep inputting their data is the key idea of this unified national identity, and it prevents this problem that citizens in most countries face of constantly giving the same information to multiple different entities. Each time data is supplied, another weak point is created.

Figuring out how to make the supply-once and secure-forever model work logically makes a lot of sense, because it also helps separate identity from other data. Having mechanisms to create de-identification and anonymization built into the structure works well and so on.

The Aadhaar model in India, another national identity system. has come up. I can corroborate what Mr. Vickery said about it. I've had students doing their own research who found these systems to be alarmingly easy to penetrate, at least in India. To have a digital model that does not also have a strong data protection regime on top of it is a risky endeavour. In some ways Estonia might be well-placed, because it has both this digital government and 20 or 30-year tradition of European data protection linked to it.

We also look at China as an extreme in the other direction, where a surveillance industry.... The distinction between private enterprise and the government is completely blurred and the use of surveillance for social control and social coercion is quite alarming. We do look at the new emerging privacy and data models around the world to figure out which places are figuring it out.

Mona Fortier Liberal Ottawa—Vanier, ON

Okay.

Mr. Kint, the floor is yours.

4:50 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

I'm not a security expert, so I'll turn most of my time over to Chris. I have heard positive reflections on the Estonian model and I have not heard the security concerns. The way it's described, it makes sense, but I haven't heard of any issues. It's most often the example that comes up in a positive light and is starting to be studied. It may just be a test of time to make sure it's the right one, but I'll let Chris weigh in.

Mona Fortier Liberal Ottawa—Vanier, ON

Mr. Vickery, the floor is yours.

4:55 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe it's healthiest to assume there has been a breach at all times, to make a system so segmented and resilient that even if there is a breach, you can find it, recover quickly and the damage will be minimal. I don't think you should put all your eggs in one basket. I believe the solution to having people submit the same info over and over again is to minimize the amount of information that is necessary from them. For example, here in the United States, we're not supposed to give out our social security numbers all the time, according to the government, yet every doctor's office asks for that number. Doctors' offices shouldn't be asking for it.

Minimize, optimize, make it streamlined, but I just don't think putting all of your eggs in one basket is a good idea.

4:55 p.m.

Conservative

The Chair Conservative Bob Zimmer

You have one minute and 30 seconds.

Mona Fortier Liberal Ottawa—Vanier, ON

Canada also has the distinction of having more than one level of government, namely, the federal, provincial and municipal levels. However, we're talking about a single model in the case of Estonia. If you have any ideas on how we could deal with the fact that we have three levels of government, let us know. We're considering this issue in our study. I don't think that I have enough speaking time to let you answer that question.