Evidence of meeting #23 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was surveillance.
A recording is available from Parliament.
Noon
Conservative
Noon
Investigative Researcher, Advocate, As an Individual
I have just one informational thing. Canada has really had the Privacy Act since the late 1970s because I operated under part IV of the Canadian Human Rights Act, so it's an interesting act.
The Privacy Commissioner tries to do this to some extent, but my only comment is that I think it would be helpful if there was an office of technology—the Science Council of Canada used to talk about this—that would look at the impact of technology from several aspects, including privacy, so you have some place that consistently continues to look and project new ideas of what technology is and its implications. We don't seem to have any continuity. It's always this comes up, that comes up.
That would be the only thing I would add, other than, yes, things have changed dramatically since the first part. But with SIN identifiers and metadata and all the rest, there are still similarities to what you can do about it.
Noon
Professor, University of Calgary, As an Individual
I'm a professor, so you know that I'll say fund more research. The Privacy Commissioner does some already, but could a lot more. I want to give you another concept.
I did a sabbatical once with a company called Northern Telecom. My project was to find new features for their phones. I came up with one that was a solution to the telemarketer problem. They were always interrupting my dinner. I said I should be able to put on my phone a dollar amount. Maybe I'm lonely, so it's zero or 10¢, but maybe I'm having a wonderful romantic dinner so it's $1,500 to interrupt me. If you wanted to pay that, you would be charged that amount. Nortel didn't build a function, but I do it. When somebody calls up, I tell them, “This is costing you $100 an hour; I take Visa or MasterCard.”
What's the relation to this? People need to value their privacy. You're worth something like $800 a year to Google if you use Google, Gmail, YouTube, and so on. There's no way to pay Google for that. Their services are free, but they're selling you. There's this whole concept of surveillance capitalism. Shoshana Zuboff, a Harvard professor, talks about that. There's an economic aspect. Maybe what we need to do is tell people that if they think their privacy is worth something, there should be a way for them to get paid for it, just like taking the telemarketer call. Maybe you do want to give your information to the insurance company because you want that discount. Just know that you're doing it. The law has to make it really clear in some way how companies will disclose what you're paying.
Noon
Conservative
Matt Jeneroux Conservative Edmonton Riverbend, AB
Thank you.
I'm not sure if that answered a lot of it there, but we'll come back to that with subsequent witnesses, I imagine.
I quickly want to get your thoughts, Ms. McPhail, on the expansion of this. One of the recommendations is to expand the act to the Prime Minister's Office and ministers' offices. This wasn't a recommendation previously when the Privacy Commissioner made recommendations a number of years ago. It's now part of them. Would you mind commenting on how you see that progressing?
12:05 p.m.
Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association
Briefly, we would be in favour of that move. I think that at all levels of government and at all levels of power Canadians have the right to know that information is being collected and held safely and well and of the concurrent right to make requests under other acts for the information. I think moving that to the upper levels of government is a wise and sensible thing to do.
12:05 p.m.
Conservative
12:05 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Thanks to everyone for their presentations.
I appreciate how the shift to a more principled framework could be useful in allowing the legislation on the books to keep pace somewhat with technological change.
On the enforcement side or on the side of having people better understand their rights and how they're protected, can any of you put some meat on the bone in terms of what that looks like so that the notice to people who are accessing government services, for example, and agreeing to the use of their private information is not just a clause buried in the fine print? What are some concrete examples of what that would look like for people? What would change from what's there now?
12:05 p.m.
Professor, University of Calgary, As an Individual
If you look at the European Union's new general data protection regulations, you will find fines that are astronomical, something like 4% of the annual turnover of a business. People are quaking in their boots, and even people in Calgary are thinking about it because they do business in Europe. I've sat down with people who say we have to be aware of this because we can be fined an awful lot if we invade somebody's privacy. Maybe that at least gets the attention.
12:05 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
I apologize because I don't know the specifics, and you may not be able to answer because I don't know enough about it, but I have heard tell of a case going on in B.C., a suit being brought against Facebook for the use of some personal information. Part of what is at issue is that there's a clause in the Facebook user agreement that says you can only litigate in California. Without prejudging the outcome of that trial, even if we have some of the best privacy protection laws in Canada, how vulnerable are we? Is there anything we can do about those agreements that people agree to without really reading and that force them to litigate outside the boundaries that would be protected by an updated privacy law?
12:05 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
Without my prejudging the outcome of that decision, what's at issue there is whether, through very contractual clauses, an entity like Facebook that has millions of customers in Canada could essentially opt out of Canadian law. If the decision is that this is the case, I think we will be back here at some point asking for some sort of legislative reform that would expressly preclude the enforceability of that type of clause. It doesn't need to be an absolute prohibition. In the manner that it interacts with private entities like that, the Privacy Act is probably a little bit shielded from that type of activity.
Making sure that, at least in some cases, there is the ongoing ability to apply Canadian standards and laws to international entities operating from abroad is very important moving forward, to ensure a level of transparency and privacy protection that is in accordance with Canadian standards.
12:05 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
One of the recommendations to this committee is the idea that the government should be consulting with the OPC prior to tabling new legislation to see what the privacy outcomes would be. We know that international trade deals and other kinds of agreements with other governments also have privacy implications. Would you say that should go beyond simple bills that the government is tabling to any kind of substantive legal agreement the government is entering into?
12:05 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
I think so. We saw in one instance where a B.C. committee reviewing a counterpart to this law in B.C. had not been aware of a trade commitment that was made, even though some level of the B.C. government was involved in the negotiations of trade agreements. They're so multilateral these days and they have applied it in so many areas of daily life that a more integrated consultation process needs to be set up, because they weren't even aware that a mechanism might have been adopted that would impact their law in a significant way. The same could be said for other aspects of the Privacy Act as well as of PIPEDA. Finding a way to incorporate that type of consultation at early stages will be very important moving forward as more and more of these decisions are made in that context.
I don't know if Ms. McPhail wants to address this, but the CCLA put out a report earlier today on how to better address constitutional protections in legislative processes. You may want to ask her that.
12:10 p.m.
NDP
12:10 p.m.
Investigative Researcher, Advocate, As an Individual
You can penalize people as a method of enforcement.
I think the problem I have is that in the current act, if you look at the sections on use, retention, and collection, it is so vague. That's why I'm saying you have to build that act up. You can't be explicit in everything, but transborder data flows? Come on. We've had a history of these. If we can identify them, we can anticipate some. If we don't build in some explicit language in that regard, what are you going to be enforcing? You have to have much more of what these things are: metadata, biometric data. You have to have some degree of the content there, so that you can then enforce it.
12:10 p.m.
Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association
Technological difficulty is an appropriate theme for today.
Mr. Israel was referring to our just released “Charter First” report, which is a position paper that CCLA has introduced, in which we are actually arguing that all legislation that's created in Canada should undergo charter review prior to being tabled. It's very much in line with the recommendation here that legislation that involves privacy implications should be reviewed by the appropriate body that can consider all of the implications, and in the case of the Privacy Act, we would say that would be the Privacy Commissioner. In general, we would be in favour of multi-level protection to make sure that charter-protected rights—and privacy is a quasi-constitutional right—are always subject to review and consideration in any kind of activity. Whether it's a multilateral treaty, a trade agreement, a new piece of legislation, or a new data processing system, there should always be at some appropriate level consideration of what the risks are going to be to people's privacy, and of course, a number of other factors.
12:10 p.m.
Conservative
September 20th, 2016 / 12:10 p.m.
Liberal
Joël Lightbound Liberal Louis-Hébert, QC
First, if I have more time at the end, I'll share it with Mr. Erskine-Smith.
Thank you all for being here. My question is for Madam McPhail and Mr. Israel.
In the Privacy Act there is a general prohibition on information sharing, but then in subsection 8(2), there is a whole list of exceptions, such as, for instance, information shared in accordance with federal legislation or regulation. Then along comes a bill such as Bill C-51, which allows for information sharing among, I think, 17 government institutions or agencies, maybe more or less.
How should we approach the exceptions to information sharing, and do you have any recommendations?
12:10 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
One of our specific recommendations is to adopt an overarching proportionality mechanism. As we've envisioned that and as it operates in PIPEDA, the private sector counterpart, it would actually sit on top of those exceptions. It doesn't mean that any exception could be overridden in every instance, but it would allow for some ability to incorporate proportionality in the application of those exceptions, if that makes sense. That would be our immediate suggestion for how to address those.
The list of existing exceptions is very long. I think courts have also defined and narrowed some of them through charter interpretations and so on. We don't have any specific recommendations on addressing any of the specific exemptions in there, but we think the overarching proportionality consideration would allow for more problematic applications of those exemptions to be tempered.
12:15 p.m.
Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association
I think we'd support that same proportionality suggestion. In general, should the committee be willing to undertake a detailed examination of all of the exemptions, our position would be that exemptions should be limited, and they should be as narrow as possible in all cases.
12:15 p.m.
Liberal
Joël Lightbound Liberal Louis-Hébert, QC
If you would be so inclined as to send us written recommendations in terms of the exceptions and how you would curtail them, the committee would appreciate that very much.
My second question regards metadata. We've touched upon it a little bit. I know it's not defined anywhere in Canadian legislation. There was a private member's bill a few years ago by Joyce Murray to define metadata, but she was proposing to have it defined in the National Defence Act. Do you think it would be pertinent to have metadata defined in the Privacy Act, and to have it addressed?
My question again is more for Mr. Israel and Madam McPhail.
12:15 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
In terms of adopting, I think it would be useful to clarify this. Metadata already falls outside the definition of personal information in the act where there are ambiguities. An IP address is a good example. Often the argument will be that because an IP address takes three or four steps before you connect it to a name, it's not personal information. That's because the definition of personal information is tied to information that's about an identifiable individual. I think some of that can be addressed through interpretation by the Privacy Commissioner, etc. In Europe, I think they've actually issued directives around specific problematic items of metadata like IP addresses, saying that this is to be considered personal information.
I think part of the problem with addressing metadata in a statutory definition is that it's a constantly evolving category of data. Maybe something that would refer to regulation, that would allow for a rolling definition that gets adopted through regulation, might be the best way to address that particular problem and make sure that this type of data is kept within the scope of the protections in the Privacy Act.
