Information & Ethics Committee on May 28th, 2019

Thank you.

Let me put my first question to all three of the witnesses.

Okay.

Thank you, Mr. Chair.

Members of the grand committee, thank you for the invitation to address you today.

My remarks will address three points that I think go to the heart of your study: first, that freedom and democracy cannot exist without privacy and the protection of our personal information; second, that in meeting the risks posed by digital harms, such as disinformation campaigns, we need to strengthen our laws in order to better protect rights; lastly, I will share suggestions on what needs to be done in Canada, as I'm an expert in Canadian privacy regulation, so that we have 21st century laws in place to ensure that the privacy rights of Canadians are protected effectively.

I trust that these suggestions made in a Canadian context can also be relevant in an international context.

As you know, my U.K. counterpart, the Information Commissioner's Office, in its report on privacy and the political process, clearly found that lax privacy compliance and micro-targeting by political parties had exposed gaps in the regulatory landscape. These gaps in turn have been exploited to target voters via social media and to spread disinformation.

The Cambridge Analytica scandal highlighted the unexpected uses to which personal information can be put and, as my office concluded in our Facebook investigation, uncovered a privacy framework that was actually an empty shell. It reminded citizens that privacy is a fundamental right and a necessary precondition for the exercise of other fundamental rights, including democracy. In fact, privacy is nothing less than a prerequisite for freedom: the freedom to live and develop independently as individuals, away from the watchful eye of surveillance by the state or commercial enterprises, while participating voluntarily and actively in the regular, day-to-day activities of a modern society.

As members of this committee are gravely aware, the incidents and breaches that have now become all too common go well beyond matters of privacy as serious as I believe those to be. Beyond questions of privacy and data protection, democratic institutions' and citizens' very faith in our electoral process is now under a cloud of distrust and suspicion. The same digital tools like social networks, which public agencies like electoral regulators thought could be leveraged to effectively engage a new generation of citizens, are also being used to subvert, not strengthen, our democracies.

The interplay between data protection, micro-targeting and disinformation represents a real threat to our laws and institutions. Some parts of the world have started to mount a response to these risks with various forms of proposed regulation. I will note a few.

First, the recent U.K. white paper on digital harms proposes the creation of a digital regulatory body and offers a range of potential interventions with commercial organizations to regulate a whole spectrum of problems. The proposed model for the U.K. is to add a regulator agency for digital platforms that will help them develop specific codes of conduct to deal with child exploitation, hate propaganda, foreign election interference and other pernicious online harms.

Second, earlier this month, the Christchurch call to eliminate terrorist and violent extremist content online highlighted the need for effective enforcement, the application of ethical standards and appropriate co-operation.

Finally, just last week here in Canada, the government released a new proposal for an update to our federal commercial data protection law as well as an overarching digital charter meant to help protect privacy, counter misuse of data and help ensure companies are communicating clearly with users.

Underlying all these approaches is the need to adapt our laws to the new realities of our digitally interconnected world. There is a growing realization that the age of self-regulation has come to an end. The solution is not to get people to turn off their computers or to stop using social media, search engines, or other digital services. Many of these services meet real needs. Rather, the ultimate goal is to allow individuals to benefit from digital services—to socialize, learn and generally develop as persons—while remaining safe and confident that their privacy rights will be respected.

There are certain fundamental principles that I believe can guide government efforts to re-establish citizens' trust. Putting citizens and their rights at the centre of these discussions is vitally important, in my view, and legislators' work should focus on rights-based solutions.

In Canada, the starting point, in my view, should be to give the law a rights-based foundation worthy of privacy's quasi-constitutional status in this country. This rights-based foundation is applicable in many countries where their law frames certain privacy rights explicitly as such, as rights, with practices and processes that support and enforce this important right.

I think Canada should continue to have a law that is technologically neutral and principles based. Having a law that is based on internationally recognized principles, such as those of the OECD, is important for the interoperability of the legislation. Adopting an international treaty for privacy and data protection would be an excellent idea, but in the meantime, countries should aim to develop interoperable laws.

We also need a rights-based statute, meaning a law that confers enforceable rights to individuals while also allowing for responsible innovation. Such a law would define privacy in its broadest and truest sense, such as freedom from unjustified surveillance, recognizing its value in correlation to other fundamental rights.

Privacy is not limited to consent, access and transparency. These are important mechanisms, but they do not define the right itself. Codifying the right, in its broadest sense, along the principles-based and technologically neutral nature of the current Canadian law would ensure it can endure over time, despite the certainty of technological developments.

One final point I wish to make has to do with independent oversight. Privacy cannot be protected without independent regulators and the power to impose fines and to verify compliance proactively to ensure organizations are truly accountable for the protection of information.

This last notion, demonstrable accountability, is a needed response to today's world, where business models are opaque and information flows are increasingly complex. Individuals are unlikely to file a complaint when they are unaware of a practice that may harm them. This is why it is so important for the regulator to have the authority to proactively inspect the practices of organizations. Where consent is not practical or effective, which is a point made by many organizations in this day and age, and organizations are expected to fill the protective void through accountability, these organizations must be required to demonstrate true accountability upon request.

What I have presented today as solutions are not new concepts, but as this committee takes a global approach to the problem of disinformation, it's also an opportunity for domestic actors—regulators, government officials and elected representatives—to recognize what best practices and solutions are emerging and to take action to protect our citizens, our rights, and our institutions.

Thank you. I look forward to your questions.

Thank you.

Thank you very much, Mr. Chair, and members of the grand committee, for the invitation to speak.

I will try to build on what Mr. Therrien has said in order to cover a few more points. I will also make some references to what other witnesses presented previously.

First, I will be trying to take a more international view, though the themes that are covered by the committee are very global in nature. That's why when it comes to global...the previous witness spoke about an international treaty. One of the reasons, as I will be explaining, that I have decided in my mandate at the United Nations to go through a number of priorities when it comes to privacy is that the general framework of privacy and data protection in law insofar as an international treaty is concerned, who regulates this, doesn't happen to be specifically a UN treaty. It happens to be convention 108 or convention 108+, which is already ratified by 55 nations across the world. Morocco was the latest one to present its document of ratification yesterday.

When people meet in Strasbourg or elsewhere to discuss the actions and interoperability within an international framework, there are already 70 countries, ratified states and observer states, that will discuss the framework afforded by that international legal instrument. I would indeed encourage Canada to consider adhering to this instrument. While I am not an expert on Canadian law, I have been following it since 1982. I think Canadian law is pretty close in most cases. I think it would be a welcome addition to that growing group of nations.

As for the second point that I wish to make, I'll be very brief on this, but I also share preoccupations about the facts on democracy and the fact that the Internet is being increasingly used in order to manipulate people's opinions through monitoring their profiles in a number of ways. The Cambridge Analytica case, of course, is the classic case we have for our consideration, but there are other cases too in a number of other countries around the world.

I should also explain that the six or seven priorities that I have set for my United Nations mandate to a certain extent summarize maybe not all, but many of the major problems that we are facing in the privacy and data protection field. The first priority should not surprise you, ladies and gentlemen, because it relates to the very reasons that my mandate was born, which is security and surveillance.

You would recall that my United Nations mandate was born in the aftermath of the Snowden revelations. It won't surprise you, therefore, that we have dedicated a great deal of attention internationally to security and surveillance. I am very pleased that Canada participates very actively in one of the fora, which is the International Intelligence Oversight Forum because, as the previous witness has just stated, oversight is a key element that should be addressed. I was also pleased to see some significant progress in the Canadian sphere over the past 12 to 24 months.

There is a lot to be said about surveillance, but I don't have much left of my 10 minutes so I can perhaps respond to questions. What I will restrict myself to saying at this stage is that globally we see the same problems. In other words, we don't have a proper solution for jurisdiction. Issues of jurisdiction and definitions of offences remain some of the greatest problems we have, notwithstanding the existence of the Convention on Cybercrime. Security, surveillance and basically the growth of state-sponsored behaviour in cyberspace are still a glaring problem.

Some nations are not very comfortable talking about their espionage activities in cyberspace, and some treat it as their own backyard, but in reality, there is evidence that the privacy of hundreds of millions of people, not in just one country but around the world, has been subjected to intrusion by the state-sponsored services of one actor or another, including most of the permanent powers of the United Nations.

The problem remains one of jurisdiction and defining limits. We have prepared a draft legal instrument on security and surveillance in cyberspace, but the political mood across the world doesn't seem conducive to major discussions on those points. The result is that we have seen some unilateral action, for example, by the United States with its Cloud Act, which has not seen much take-up at this moment in time. However, regardless of whether unilateral action would work, I encourage discussion even on the principles of the Cloud Act. Even if it doesn't lead to immediate agreements, the very discussion will at least get people to focus on the problems that exist at that stage.

I will quickly pass to big data and open data. In the interests of the economy of time, I refer the committee to the report on big data and open data that I presented to the United Nations General Assembly in October 2018. Quite frankly, I would advise the committee to be very wary of joining the two in such a way that open data continues to be a bit like a mother with an apple pie when it comes to politicians proclaiming all the good it's going to do for the world. The truth is that in the principles of big data and open data, we are looking at key fundamental issues when it comes to privacy and data protection.

In Canadian law, as in the law of other countries, including the laws of all those countries that adhere to convention 108, the purpose specification principle that data should be collected and used only for a specified or compatible purpose lives on as a fundamental principle. It also lives on as a principle in the recent GDPR in Europe. However, we have to remember that in many cases, when one is using big data analytics, one is seeking to repurpose that data for a different purpose. Once again, I refer the committee to my report and the detailed recommendations there.

At this moment in time, I have out for consultation a document on health data. We are expecting to debate this document, together with recommendations, at a special meeting in France on June 11 and 12. I trust there will be a healthy Canadian presence at that meeting too. We've received many positive comments about the report. We're trying to build an existing consensus on health data, but I'd like to direct the committee's attention to how important health data is. Growing amounts of health data are being collected each and every day with the use of smart phones and Fitbits and other wearables, which are being used in a way that really wasn't thought about 15 or 20 years ago.

Another consultation paper I have out, which I would direct the committee's attention to, is on gender and privacy. I'm hoping to organize a public consultation. It has already started as an online consultation, but I am hoping to have a public meeting, probably in New York, on October 30 and 31. Gender and privacy continues to be a very important yet controversial topic, and it is one in which I would welcome continued Canadian contribution and participation.

I think you would not be surprised if I were to say that among the five task forces I established, there is a task force on the use of personal data by corporations. I make it a point to meet with the major corporations, including Google, Facebook, Apple, Yahoo, but also some of the non-U.S. ones, including Deutsche Telekom, Huawei, etc., at least twice a year all together around a table in an effort to get their collaboration to find new safeguards and remedies for privacy, especially in cyberspace.

This brings me to the final point I'll mention for now. It's linked to the previous one on corporations and the use of personal data by corporations. It's the priority for privacy action.

I have been increasingly concerned about privacy issues, especially those affecting children as online citizens from a very early age. As the previous witness has borne witness, we are looking at some leading new and innovative legislation, such as that in the United Kingdom, not only the one on digital harms, but also one about age-appropriate behaviour and the liability of corporations. I am broaching these subjects formally next with the corporations at our September 2019 meeting. I look forward to being able to achieve some progress on the subject of privacy and children and on greater accountability and action from the corporations in a set of recommendations that we shall be devising during the next 12 to 18 months.

I'll stop here for now, Mr. Chair. I look forward to questions.

Oh, oh!

Thank you. My first question is for Ellen Weintraub.

You mentioned dark money in your opening statement. How concerned are you about the ability of campaigns to use technology, particularly blockchain technology, to launder impermissible donations to campaigns by turning them into multiple, small micro-donations?

I'm very concerned about it, in part because our entire system of regulation is based on the assumption that large sums of money are what we need to worry about and that this is where we should focus our regulatory activity. On the Internet, however, sometimes very small amounts of money can be used to have vast impact, and that doesn't even get into the possibility of Bitcoin and other technologies being used to entirely mask where the money is coming from.

So yes, I have deep concerns.

Have there been any particular examples that have come to the awareness of your commission?

The problem with dark money is that you never really know who is behind it. There has been about a billion dollars in dark money spent on our elections in the last 10 years, and I cannot tell you who is behind it. That's the nature of the darkness.

I just wondered whether any particular allegations had been made, or whether there had been cause for any further investigation about what might be considered to be suspicious activity.

We have a constant stream of complaints about dark money. The case I just described to you is one of the foremost examples we've seen recently. It can be money that comes in through LLCs or 501(c)(4)s. In this case, it came in through the domestic subsidiary of a foreign corporation.

Do you have any concerns about the way technologies like PayPal could be used as well to bring money in from sources trying to hide their identity or even from abroad?