Evidence of meeting #147 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was companies.
A video is available from Parliament.
4:55 p.m.
Liberal
Mona Fortier Liberal Ottawa—Vanier, ON
Thank you.
I have one last question. Is there anything that we haven't yet addressed in this committee and that we should look at before the end of this Parliament and afterward?
4:55 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Responsibility is a key issue. You may have heard industry representatives say that, in the modern technological world, consent isn't always realistic and that companies can step in and take responsibility for how they handle information.
Again, I don't see any issue with companies taking on some of the responsibility. However, we must seriously consider the fact that it isn't enough to make companies take responsibility. An audit must be carried out by an independent agency, which acts on behalf of individuals, who are often unable to identify the issues. Companies know their business model and are generally responsible. However, a third party must ensure that the interests and rights of users are actually upheld.
5 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you, Mr. Chair.
I want to follow-up on your comments about accountability, because I'm trying to think of a similar situation where there is a corporate lack of accountability. Facebook has an enormously successful platform. It's used all over the world. It's making unprecedented money. It has no competition and yet, in this past year, the U.K. parliamentary committee has made a finding that it was a digital gangster and the privacy commissioner in New Zealand found it to be morally bankrupt. Facebook was denounced by the UN for complicity in the Myanmar genocide.
It would seem to me that normal corporate practice would be to get on a goodwill tour and start to fix the problems and reassure people, yet Mr. Zuckerberg ignored his appearance at the International Grand Committee, and now we have your report coming out.
Facebook said, “Thanks, but we don't want to spend any money to actually comply, so we'll just pretend you don't have jurisdiction over law.” You referred to its policy as an empty shell. I'm trying to figure out what is fundamentally wrong with Facebook.
Is it the corporate culture, which I'm not asking you to venture in on, or is it that its fundamental business model, like the fundamental business model of surveillance capitalism, is based on ignoring the privacy rights of citizens, and it simply will not change a business model that has worked extremely well for it, even if it is breaking the law of Canada and numerous other jurisdictions?
5 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
It's clear that its business model, like the business model of many companies, is to monetize the value of personal information. That's the core of the issue and we need, as societies, to develop the right legal framework to ensure that whatever service actually adds value is maintained, but in a way that does not create harm, because of the collection and ultimately, corporate surveillance of citizens.
5 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Finally, in order to prevent something like this in the future, so that when a Canadian regulator steps in and starts to investigate, because there will be other breaches—there could be other even more serious breaches—what tools are you asking for? You need to repeat it to our committee, so we can repeat it to the Parliament of Canada. W need to learn from the lessons of the Cambridge Analytica scandal, so we can protect the democratic and social rights of citizens who use online services.
5 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
My recommendations are to give stronger enforcement powers to my office as the regulator, which means in practice at least three things: the authority to make binding orders; the authority to impose penalties to make sure that these orders are actually implemented; and equally important, perhaps more important, the authority to proactively inspect the practices of companies to make sure that they actually follow the law. That's an important mechanical step.
Beyond that, we need to reform the principles of the private sector law and the public sector law, but now we're talking about the private sector law. I don't have a problem with the fact that the current PIPEDA is principles-based. It's part of the architecture that allows it to endure over time, regardless of technologies. But this principles-based legislation also needs to ensure that it is rights-based and defines privacy not as a series of important mechanical steps like consent, but defines the right at the proper level, which is the right to be free from unjustified surveillance by corporations and government. That's the right that's at play, and that's the right that needs to be enacted, I believe, so that citizens can engage in the digital economy, can make searches and can develop as persons in such a way that they can do that without being subject to constant surveillance.
5:05 p.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Commissioner Therrien.
Once again, it's never long enough, but we appreciate your appearing at our committee.
We have committee business right away, so I'd ask you to keep the exit as brief as possible.
[Proceedings continue in camera]