Information & Ethics Committee on Oct. 20th, 2016

I'll reiterate that we're not opposed to order-making power. We're on the fence about it, and to me it seems like an issue of efficacy more than anything else. I'm inclined to defer it to the Privacy Commissioner, if they think it will help them to do the job better.

I don't think the argument that if one commissioner has it, therefore the other commissioner has it holds a lot of water with me. It's more that you look at the commissioner's specific mandate, you look at their success in implementing their recommendations, and you look at the tool kit they have available to them and the needs they have. You design particular powers around that. These commissioners are structurally similar in a lot of ways, but have very different mandates, so I do think they require different considerations. That was the way I was trying to frame it.

With the divide between public sector and private sector, there are enhanced procedural considerations if you want to talk about an organization that is levying fines, and potentially large fines. There have been a lot of pushback complaints from the private sector about the anti-spam mechanism, about CASL, and the way fines have been levied there. I think people in the private sector are a bit concerned about that.

I have heard from private sector people on the argument I made about private sector interests being less likely to co-operate with an agency that has order-making powers. You hear that from people in the private sector. You have to take it with a grain of salt because, of course, they don't want to be overseen by an organization that has power to fine them. They would prefer an organization that doesn't have those powers to be overseeing them. There's an obvious interest there, but I also don't think it can be entirely discounted. I would defer to the Privacy Commissioner if the question is framed specifically on efficacy.

When you're limiting the order-making powers so that they only apply to government, I think if you did it in that way, then it would certainly limit some of the concerns, and that would make the argument for parity a little bit better. If you look at the Privacy Commissioner's role specifically with regard to interacting with public bodies, you see it is quite similar to the Information Commissioner's role.

However, the Privacy Commissioner also needs to have the tools available to properly protect Canadians' privacy, particularly in the private sector, particularly when you look at the failures of the consent-based model, which I went into a little bit before. I do think there need to be stronger rules in place. Whether that's done through orders from the Privacy Commissioner, whether it's done through legislation or regulations, or whether it's done through recommendations, I'm not sure, but I do think there needs to be greater clarity.

I have a brief point about the private sector, but it relates to all of it.

In the private sector, of course, we have two different sets of regimes. We have PIPEDA, which is the federal regime, and then we have substantially similar regimes in a number of other provinces, including British Columbia, which we're familiar with. You have the unusual situation of the commissioner making recommendations under PIPEDA, while in British Columbia, our commissioner issues orders.

We were involved in a case in which an insurance company had been ordered to get explicit consent from their customers for use of their credit information to determine the level of their premiums, so we had an actual order. Eventually another complaint was brought under PIPEDA from Ontario, a PIPEDA-level resolution was reached, and the organization ended up doing this at a national level.

It could create an interesting situation. You could have one substantially similar jurisdiction where there's an order in place and an organization or a company is required to do something, but not in the PIPEDA jurisdiction.

This is another reason we are in favour of order-making power for the Privacy Commissioner, both public and private.

This also parallels a recommendation that we made for the Information Commissioner.

To me, it's about a gap in understanding among Canadians about what privacy is and about the changes that have occurred as a result of digitization, which have dramatically changed people's relationship with personal information. It's about giving the Privacy Commissioner a stronger role in promoting privacy. They do that in the private sector. I think that because there are greater concerns among the public sector, it's important to extend it to that sector.

In terms of specifically how that would work, I imagine it would be parallel to the way it currently works in private sector promotions. They could be sponsoring research, sponsoring conferences, in order to promote engagement by public agencies—or via academics or NGOs—with the public in terms of getting them to understand their privacy rights.

It's generally a parallel, I think, to the way it works currently.

That's a very technical question. As far as the technology inside the black box goes, governments or companies sometimes argue that the information is proprietary and therefore confidential, that it would reveal business practices. According to them, competitors could benefit from disclosure of the information.

It essentially comes down to replacing or supporting decisions made by humans with recommendations that are practically decisions in and of themselves. In a number of cases, in fact, it would be very tough for an individual to challenge what the computer has deemed a good decision. In order to challenge what comes out of the black box, a person has to be very confident in themselves and their expertise. That's key.

When people make decisions, they normally have reasons for making them. The data they used to arrive at their decision are known. It's important to keep that option open It's not a good idea to create a situation where it isn't possible to reconsider what the decision-maker did. If the decision came out of the black box, it's important to know that.

That doesn't necessarily mean knowing exactly how the circuits are connected, technology-wise. Rather, it means knowing which data were part of the data mix. It's actually a matter of knowing, overall, how the data were organized to arrive at decision x or y.

The commissioner made two recommendations, one being the introduction of a necessity test, which isn't in the current legislation. It is, however, in our public sector act here, in British Columbia. It's very important because it raises the requirement level. The data collection has to be necessary. Information can't be collected simply because it would be beneficial to have. That isn't permitted; the information has to serve a purpose. That is why, then, the recommendation is important.

That's going to be very tough to do in one minute.

What I will say is that situations like this need to be taken more seriously by the police, and the reason I phrased it the way I did is that I think that when threats are made against journalists, it is a threat to democracy, and I think that these need to be taken more seriously.

In terms of Twitter's specific role in it, I think companies need to be given the freedom to manage the platforms the way they want to. If a company wants to say that they're a family-friendly platform and they're going to moderate very heavily, I think that's a fair point. If a company wants to say that people can say whatever they want and the only time they're going to take material down is if it's specifically illegal and they are ordered to do so by the state, I think that's also a fair position for them to take.

As long as there's a multiplicity of different platforms available and people can choose how and where they want to engage, I think that's a fair point in terms of the specific regulations.

It depends on the platform. Twitter has traditionally taken a much lighter hand, and now they're engaging more heavily because of the pressure they've come under. Facebook has always engaged more heavily, but again, they're coming under pressure. They recently have faced some criticism for deactivating certain Palestinian sites under pressure from the Israeli government. Facebook has faced criticism for deactivating Kurdish websites under pressure from the Turkish government.

It's a very challenging political situation once you expect these intermediaries to be the arbiters of acceptable content. It can also be problematic because in some cases you don't really have a proper appeal mechanism. If the government orders you to make a particular decision—if it says, “This content is illegal, so don't publish it”—you can appeal it. There are all these procedures in place. However, if Facebook is the one that's telling you what is or is not acceptable, there aren't the same kinds of procedural protections there.

This is why I'm leery of governments off-loading that responsibility. Specifically, you see cases—I'll point to South Korea as one—of the government doing this as basically a way to impose censorship indirectly, cases of the government leaning very heavily on tech companies to do the content moderation for them. There are very abusive content controls as a result.