Thank you very much, Mr. Chair and members of the committee, for allowing me to come to address you today.
As was said, I represent the Canadian Chamber of Commerce. We are a not-for-profit trade association and are the vital connection between business and government. We have a network of over 450 chambers of commerce across the country. You are probably familiar with one from your own communities. They're all members of the Canadian Chamber of Commerce, which is the umbrella organization. By extension, we represent close to 200,000 businesses across the country, of all sizes and in every single community.
My role at the chamber is intellectual property and innovation policy from the innovation perspective. That's what you're going to hear about from me today with my remarks. You're also going to hear some similar themes to what I think you heard from the other witnesses, so I hope I don't bore you.
We hear a lot about the pervasiveness of big data and about how both governments and companies are collecting information on us. Much of what we hear comes across as negative and invasive. That's unfortunate. Personal data is the core to creating an innovative product line and user experience.
In a 2016 Accenture survey of more than 500 businesses globally, more than three-quarters of the survey respondents said big data provides better and more personalized customer service, and over half of those respondents said it enhances customer loyalty. Others indicated that the information helps them break into new markets, improve target advertising, and build better products. In a nutshell, data enables innovation.
With your indulgence, I'd like to highlight a few examples of why data is so important to innovation and competitiveness.
First, it's about understanding customers. Big data is used to better understand customers, their behaviours, and their preferences. To maintain a competitive edge, companies are moving beyond traditional datasets and using social media and browser logs as well as text analytics and sensor data to get a more complete picture of their customers.
The big objective in many cases is to create predictive models, tailored not to the individual. The information they're collecting, yes, is about individuals, but they don't really care about the individual information. It's about the collective; it's about the large balance of information that they're collecting to identify patterns of behaviour.
A good example of this might be the use of data by ski resorts. Radio frequency identification device, RFID, tags are inserted into lift tickets. They can cut back on fraud and wait times at the lifts as well as help ski resorts understand traffic patterns, which lifts and runs are most popular, at which times of day, and even help track the movements of an individual skier, if he or she were to become lost. All of this benefits the customer by making the experience more seamless. I know I'd be happy if I got a text telling me there was two feet of fresh powder on my favourite run, even though my employer might not be so pleased that I disappeared for the day.
The second theme is optimizing business processes.
Big data is also increasingly used to optimize business processes. Retailers are able to optimize their stock based on predictions generated from social media data, from web search trends, and from weather forecasts. Employers are able to optimize work flow by monitoring patterns of behaviour and adjusting processes wherever those behaviour patterns demonstrate high productivity.
Next is personal quantification.
We can now benefit from the data generated from wearables. How many of you have a Fitbit? I see one hand, just for the record.
It collects data on our calorie consumption, activity levels, and sleep patterns. While it gives individuals rich insight, the real value is in analyzing the collective data. Analyzing the decades-worth of sleep data in a single night that's collected will bring entirely new insights that can feed back to individual users.
The same is true in life sciences. Clinical trials of the future won't be limited to by sample sizes but can potentially include everyone.
While big data is used to enable law enforcement, it is also used by our financial institutions. Credit card companies monitor behaviour patterns. When those patterns deviate from predicted norms, customers are notified, which helps prevent fraud and identity theft.
PIPEDA predates social media, it predates video streaming, and it predates the notion of ransomware, which we all heard about this past week; yet it has done a pretty good job of remaining relevant as technology has evolved.
As principled legislation, the need for government action to react to technological change hasn't been necessary. Judicial oversight has proven time and again to be an adequate recourse where an organization has stepped outside the boundary of reasonable use of data.
Notwithstanding, significant changes were made to PIPEDA in 2015. Legislative change on something as ubiquitous as privacy legislation will always have a profound impact on business that results from the uncertainty these changes introduce to the economy. Some of those changes introduced in 2015 are not even yet in effect. We're still waiting for the details on how companies will be expected to comply with the breach notification requirements and the keeping of records indefinitely on all of those breaches. We don't really understand right now what that's going to mean. While the clarification to the definition of consent did little more than recognize a common best practice by making that change, it did cause some consternation in the business community as to what the change was attempting to accomplish at the time.
Although we need to monitor what happens in other jurisdictions to ensure our laws are compatible with our trading partners, to ensure the free flow of data and the ability to innovate, doing so preemptively could have unintended consequences. For instance, changes to the general data protection regulation in Europe are imminent, and equivalency in Canada might be put to the test. However, we must understand that the GDPR is much broader than just privacy. It's as much about the public sector and security as it is about privacy.
For instance, a comment was made about the U.S. and the U.S. surveillance. That is a factor when we're dealing with the GDPR. It's a lot more than just our privacy legislation.
Tightening controls on the collection, use, and disclosure of personal information will not likely have a positive impact on privacy protection. The manner in which information is collected and the business model that information collection is built on makes tighter controls untenable, and we're talking about basic behaviour. Trying to create a consent model around behaviour is next to impossible.
Sharing personal information requires trust. Maintaining that trust requires digital responsibility best practices, and to name a few of those: ensure personal data management meets consumer expectations; show transparency in how personal information is sourced; give people more control over their data; explain the benefits consumers earn from sharing information; and use data for social improvement.
The companies that embrace these best practices will be the ones to prosper as new technology such as blockchain evolves that will put control of personal information back in the hands of the individual.
While this past weekend's WannaCry ransomware attack may not have been focused on personal information, it is certainly a global wake-up call regarding the vulnerability of the digital economy. That means we also need a more robust response to cybersecurity concerns.
I'll give you a couple of recent statistics. In the third quarter of 2016 alone, 18 million new malware samples were captured. More than 4,000 ransomware attacks have occurred every day since the beginning of 2016. The amount of phishing emails containing a form of ransomware grew to 97.25% during the third quarter of 2016, which was up from 92% in the first quarter of 2016. Although 78% of people claim to be aware of the risks of unknown links in emails, they click anyway.
The data that's collected, stored, and used by organizations is extremely valuable. Some of that value is yet to be conceived, but governments and organizations alike are vulnerable to attack and I would argue that resources would be better used in international collaboration to target the criminal enterprises attacking databases rather than monitoring the organizations that are innovating and serving customers.
With that I will conclude my remarks. Thank you for your attention.