Evidence of meeting #147 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was companies.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Right, and a court would have to take it upon itself to levy significant punitive damages it's never awarded before, because there's not a strong statutory basis for doing so.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

You noted that Facebook's privacy protection framework was empty. That was then. They have taken some steps. Given that you don't have the powers to proactively audit, and they've refused to implement or agree to annual audits, are you able to realistically assess their current privacy framework?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The comment that the privacy framework was empty still applies. It is empty.

I'll give you two examples. The comment actually refers to the previous investigation by the OPC, in 2009. My predecessors reviewed very similar issues, such as the consistency with PIPEDA of disclosure by Facebook to third party applications. The OPC found that this was done on the basis of vague terms and conditions that did not represent meaningful consent. Facebook, at the time, agreed to make certain changes to its procedures, and it didn't. “The framework is empty” is a comment about the framework adopted then.

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

In light of that, does it make any sense at all that a company that has failed to respect Canadians' privacy rights would then be implementing a dating app on the service they're currently providing to Canadians? Does that many any sense at all to you?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

You don't have to go further on that. It just seems ludicrous.

You mentioned that the current laws are untenable. With the current state of affairs, I would completely agree with you.

It's interesting. I was in Brussels recently. I met with the EU data protection supervisor and other people thinking very seriously about privacy. They spoke very favourably of the ideas that have come out of Canada, both from Canadian privacy commissioners and from Canadian academics who have written about privacy. Their laws are based on our ideas, and our laws aren't based on our ideas. It seems an incredible shame.

Last June, I introduced Bill C-413. Had that bill been law, you would have been able to make orders. You would have been able to order Facebook to comply with your recommendations. You wouldn't have to seek the help of the Federal Court. Is that true?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

If that law had been in place at the time of the offence, you would, at the very least, be able to levy fines. Facebook would not be facing $5 billion in the U.S., 500,000 pounds in the U.K. and zero in Canada. There would be some monetary sanction we would be able to apply here. Is that fair?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:15 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I have a last question. I think you'll agree with me that we've thought a lot about improving our privacy rules at this committee, and I think Canadians expect that we will have strong privacy rules in place. But if we don't have a strong regulator to enforce those rules, it doesn't seem to me that those privacy rules and the effort to strengthen the privacy rules are worth much at all. Is there anything as a first step that matters more than creating a strong privacy regulator here in Canada?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would say there are at least two important solutions. One is to make sure the regulator has the right powers, and in that basket would fall binding orders, penalties and proactive inspection powers that I've discussed in this committee before and can expand on if we have more time.

But I will move to another part of the solution, which I think is to ensure that we have rights-based legislation. Facebook and Cambridge Analytica demonstrated the link between privacy protection and the exercise of other fundamental rights, in this case democracy. But there's also a link between privacy protection and other fundamental rights: equality, for instance, in the employment context; freedom to go on the Internet to develop as a person and look for issues of interest without the fear of being monitored by corporations. A clear link was demonstrated in Cambridge Analytica, but it's just one example of the clear link between privacy protection and the exercise of fundamental rights.

I think this shows that, in addition to giving powers to the regulator, the new legislation has to be framed as perhaps principles-based, as PIPEDA is, but also rights-based, and recognize that privacy protection is linked to the exercise of other fundamental rights. We're all at risk if privacy is not protected. We would not only lose our privacy, but other rights would also be at risk.

4:15 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

4:15 p.m.

Conservative

The Chair Conservative Bob Zimmer

Next up, for seven minutes, Monsieur Gourde.

4:15 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Chair.

I have a more general question regarding the consent, of Canadians in this case, that is required by applications. On Facebook, a page appears and it says that in order to continue, you have to read what is written there and click on the ''I accept'' button to give consent.

Last week a witness told us that we should regulate that and that more information should be given to Canadians about the consent forms drafted by Facebook or third-party apps. By giving our consent, we are also giving it to apps that don't even exist yet.

Very often Canadians don't even read the conditions. They are in such a hurry to access the app that they accept automatically. Facebook's defence is that Canadians agreed and that this protects it.

Is there a better way to inform Canadians? When they click on the ''Accept'' button in an app, they are indeed entering into a type of contract. Is this type of acceptance that Facebook requires to protect itself against potential legal proceedings valid?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

In the course of an investigation, we examined Facebook's current policies. We concluded that that consent was not valid, because users were consenting to something that might only occur years later. Obviously, they can't know what will happen years later. Even if there is a lovely legal text that is 50 pages long, if it does not inform Canadians about the use that will be made of their information, that consent is not valid.

As you know, in January of this year, we published guidelines to get companies to develop clearer privacy policies. That is part of the solution, but it is not the whole solution. That is why I advocate the adoption of a privacy protection law that goes beyond important principles such as consent. Consent is important, but it does not solve everything. We need a law that defines privacy in sufficiently general terms.

Protecting one's privacy does not end with giving or withholding consent. Consent is a means. Having the right to privacy means being able to communicate with our friends on social media without worrying that some company is constantly monitoring our activities. Cambridge Analytica used our information to try to influence our political opinions and our vote. We have to define the right to privacy in a sufficiently general way, and that goes beyond consent.

I have before me a bill that was tabled in a previous Parliament. It defined the right to privacy, among other things, as the right to be free from all surveillance.

Any new law on the protection of privacy, in the public or private sectors, should begin with that. What is the right to privacy? Is it tied to the idea of granting consent? No, it is not limited to that. The right to privacy is the right to one's own physical privacy. It is the right to be free from all monitoring, the right to be free from having one's private communications intercepted by the state or by private companies. That is where the definition should lie. After that, procedures or mechanisms like giving consent come in to protect the respect of privacy, but protecting privacy is not limited to consent.

4:20 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Once such a law has been passed, we can develop the framework around consent and even impose it on Facebook, rather than having it foist fake consent on us. If consent were imposed and regulated by a Canadian law, don't you think Canadians would enjoy much better protection?

4:20 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The practical enforcement of these legal rules will be complicated, I can't deny that. However, if we define the right to privacy with the right level of generality and importance, we will never again be in the situation you've described a few minutes ago. At this time, a company can say that its contract informed the user that it would use their private information for certain reasons, that the user consented, and that it is behaving correctly and complying with the law.

If we had a rights-based law where consent was an important mechanism but not the ultimate purpose, and if a company's monitoring, as consensual as it may be, led to the monitoring of an individual's activities, the regulatory body would have the power to intervene because despite the consent, the substance of the right to privacy would not have been respected.

4:20 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you.

4:20 p.m.

Conservative

The Chair Conservative Bob Zimmer

Mr. Angus, for seven minutes.

4:20 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, Mr. Chair.

I want to say at the outset how important the work of your office is. For too many years, we've been played for suckers by Silicon Valley, that it was about choice, that it was opt-in, opt-out. We could read the privacy provisions. It never respected the privacy provisions in building its models.

What we've learned with Cambridge Analytica and Facebook is that this is not simply a question of the rights and the choices of consumers. This is about the democratic rights of citizens. It's about the questions of a nation state being able to actually ensure that its citizens can live in a world where they choose certain rights that are protected and inalienable, and one of those rights, as you said, is the right to be free from surveillance.

I want to start off with a few simple questions. Your finding was that Facebook broke the law of Canada with its breach of PIPEDA. Is that correct?

4:20 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's correct.

4:20 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

As an officer of Parliament, you have been mandated to ensure compliance with PIPEDA. Was your report an opinion or is that a finding of fact by the officer in charge of representing the Parliament of Canada in preserving our laws?

4:20 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's a finding of fact and law.

The statute under the current law is not binding on the corporation being monitored by this agency.

4:25 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Facebook initially stated that you didn't have jurisdiction because you couldn't prove that the 620-some thousand Canadians who had their private information stolen were somehow affected. Didn't they then move on to say it was an opinion of yours and they'd take it under advisement? Where are they? Is this their opinion or that the fact that we don't have jurisdiction? What is Facebook's response to you on this?