Evidence of meeting #61 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Robert Watson  President and Chief Executive Officer, Information Technology Association of Canada
Dennis Hogarth  Vice-President, Consumers Council of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
André Leduc  Vice-President, Government Relations and Policy, Information Technology Association of Canada

4:25 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

My concern about order-making powers goes back to the experience some businesses have had with the Canadian anti-spam legislation, as an example, under which the order-making power and the compliance organization and the organization that is there to give guidance are all the same people. That creates a difficult situation for businesses. It would change the relationship between the OPC and businesses right now, which is an amicable relationship. I would be concerned that this amicable relationship would dissolve.

4:25 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay.

4:25 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

We're saying that order-making powers at this time are not necessary; that there is a good working relationship between OPC and the industry.

I somewhat disagree with Mr. Hogarth, in that there is significant cost to a company if it doesn't comply, and companies are aware of that.

Also, just to be certain, what we're talking about today is not going to stop cybercrime at all; it's going to happen. That's a different topic altogether. If somebody's coming to steal your information, really you need to put in place other applications to stop that, not more and more regulations.

4:25 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

I'll go back, then, to you, Mr. Watson, on another line of questioning, on the right to be forgotten and the right to erasure. You made comments about education being needed, not necessarily legislation, for that.

We have struggled at the committee level trying to determine what type of incident is necessary to enable that right to be forgotten and the right to erasure. Essentially, what I feel should be forgotten by everybody else might not necessarily be the opinion of my colleagues on the other side of the table.

With those different opinions in mind, how do you formulate this education to be relevant and successful?

4:25 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

Again, I'll start, and André can jump in here.

On the right to be forgotten, first of all, before we are forgotten we ought to remember the different types of people—and I mean age groups—using the Internet. The young kids really don't care what they give over; it's of no concern to them. They may mature into a different attitude, but right now they don't care and they give information freely.

If you're doing business with somebody, the Privacy Commissioner and the privacy laws allow the right to have your information private. That's agreed. But the right to be forgotten.... I understand the concept. I just think that trying to put in regulations to deal with it is exactly what you said: there are so many different applications and so many different situations that it will be very burdensome for anybody to try to comply with, or even keep up with.

4:25 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Yes.

4:25 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

That is the problem.

4:25 p.m.

Vice-President, Government Relations and Policy, Information Technology Association of Canada

André Leduc

You won't see a lack of compliance from the industry in responding to a judicial order. We have judicial procedures in place, if a judge decides that the content on a website needs to be taken down. You won't have any issue—the company or the website host will take it down. This is the problem: the issue you'll run into is what happens when that website is hosted in Brazil.

Adding regulation is not necessarily, then, the best practice. We already have laws on the books that will deal with this issue, and you already have compliance with judicial orders for the content to be taken down. The fear would be in deputizing the ISP industry to respond to these. If a consumer says that he or she wants that information about him or her taken down, how many times are they going to get these types of requests?

There is a judicial procedure for this.

The issue Robert brought up is that the Privacy Commissioner might be better suited for education, as an ombudsperson better situated to educate and work with the provinces through the school systems to educate young people about the danger that anything you post online may stay there for the rest of your life. These don't come down instantly, and when you see young girls posting nude pictures or whatever it might be, once they're on a website they're cut and pasted onto another and another and another.

There's no better way to control it than educating the youth about the dangers inherent with that. Trying to regulate having all of these websites take down this content is an endless game of whack-a-mole, and you'll never be able to catch up.

4:30 p.m.

Conservative

The Chair Conservative Blaine Calkins

All right. Thank you very much.

Mr. Choquette, you have the floor for seven minutes.

May 16th, 2017 / 4:30 p.m.

NDP

François Choquette NDP Drummond, QC

Thank you very much, Mr. Chair.

I want to go back to the right to be forgotten. It’s an important issue that everyone may face some day. The privacy commissioner’s report entitled “Online reputation: What are they saying about me?” mentioned some online information about a Spanish man with a debt that had not been repaid. The information was easy to find; it just needed a search engine like Google.

That case was eventually heard and the information was removed, not just from the page where it was to be found, but also from the online search mechanism. That is one issue, but there is also the other issue you mentioned, vulnerable people.

More and more, children are being asked for personal information, especially their email addresses. Similarly, we cannot go shopping without being asked for them either. Then we get all kinds of advertising messages.

I have a daughter who will be 15 soon. She is bombarded from all sides and often asks me for my credit card so that she can shop online. These are important matters.

What are your recommendations on the right to be forgotten?

4:30 p.m.

Conservative

The Chair Conservative Blaine Calkins

Go ahead, Mr. Smith.

4:30 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

Some of the comments earlier were in regard to the right to be forgotten. The ability of the Government of Canada, for instance—or any government around the world—to remove the digital footprint of a particular posting is next to impossible from a regulatory standpoint. You can't do it globally.

As a matter of fact, there was a case in B.C. recently where an individual had been stealing intellectual property and selling it on the web, and there was an attempt to have that reference removed globally. There was push-back from the company involved, saying, “You're out of your jurisdiction. How can you possibly say globally, from a B.C. court?” That's a real challenge.

The issue should be more around how companies address this. Companies that are reputable and value their reputation are, I think, complying with these kinds of requests, particularly where children are involved. In trying to regulate that, and in trying to say, “This fits but that doesn't fit,” you're asking for trouble in terms of either missing something or going too far. It's next to impossible to get a perfect balance.

4:30 p.m.

NDP

François Choquette NDP Drummond, QC

What do you think about it, Mr. Hogarth?

4:35 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

I agree that it's very difficult in this day and age to track down information once it's put in.

I think we're placing too much emphasis here on kids who abuse the Internet. There's more at stake than that: things such as personal health information, things that are put into databases as a result of credit card purchases, and data that companies have a lot of control over but store long beyond the time they should, especially in the case of young people. If they're identified as people under the age of 16, they should have the opportunity to have that information erased by the time they get older.

There are different categories of information. I agree that it's difficult to recover something once it's out on the web, but there's a lot of other information that we lose track of when we always focus on Internet-based information. Really, there's a lot of other information in databases that becomes stale-dated and no longer relevant, and should in fact be purged.

4:35 p.m.

NDP

François Choquette NDP Drummond, QC

You talked about modernizing the approach to consent. I do not remember any more who asked whether we had read the entire consent page, with its tiny font, to see what we were consenting to. Personally, I confess that I do like everyone does; I accept the conditions and move on. We can’t decline the conditions because otherwise we can’t get access to the services we want.

How can we modernize the approach to consent?

4:35 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

Concerning the principle behind the right to be forgotten and the right to make sure you know what you're signing, there are laws in Canada. If somebody's information is on a web page, there are laws already available to them to have it taken off the web page. They're there; you don't need anything else to do it. To reach out somewhere else to have your information taken off a web page because you've decided to do something different.... We can't do that anyway, so we can't add regulation.

As to the right for consent, those documents are long. They are that long because there has been a lot of interaction between governments and the lawyers of governments and the lawyers of the organizations to put those together. Believe me, an organization would rather have those documents be as short as possible. They make those documents that long not only to ensure that they're protecting themselves but also to protect the consumer, because if they were ever taken to court, they would have to make sure that the stuff in there gave proper rights to the consumer in purchasing that product. It's in there; they have to make sure it is, because you can't, as an organization anywhere in the world, especially Canada, dupe a consumer: you would never survive the courts.

It's in there, then. To try to put together regulations to say “make sure you know what you're signing” is just not necessary. It's something that's already....

4:35 p.m.

NDP

François Choquette NDP Drummond, QC

I would like to hear what Mr. Hogarth has to say about this.

4:35 p.m.

Conservative

The Chair Conservative Blaine Calkins

Pardon me, Mr. Choquette, we're at seven minutes, but we'll get back to you in a few minutes.

Mr. Saini, please.

4:35 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good afternoon, gentlemen. Thank you very much for your presentation.

I want to talk about something that hasn't really been explored, something regarding consent.

Mr. Hogarth, you sent a brief to the committee, and in it you talked about a sliding scale of consent: whether it should be explicit or whether it should be implicit. I know that last year in August, ITAC proposed, in response to the OPC's call for some consultation, as the brief mentioned, a new exception to consent for legitimate business interests.

Now that we're at the point that we're reviewing PIPEDA, and also in light of the fact that in a year the GDPR is going to come online, where do you think we should go with consent? What are your opinions on this?

Mr. Smith, I don't have any readings on you, so you might want to contribute your thoughts on this matter also.

4:35 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

If you'd like me to start, that would be great.

There were some changes to consent less than two years ago that were intended as a clarification. I think the comments around a meaningful consent are a little bit misguided, in that what companies are collecting by way of information is not identifiable. For the most part they're collecting behavioural data; they're collecting something that they can then create predictive models out of. The idea that they're going to take the time and expense to merge data files in order to identify a specific individual.... They're not going to do that. There's no benefit to them; there's no incentive for them to do it. The real value is in that aggregated data and the predictive models it creates.

The idea that we're going to create a new model of consent whereby the information that's coming out of your Fitbit to accompany it, which in turn is sold to drug manufacturers, as an example.... There's no personal data being sold; it's the aggregated data and the value of that aggregated data that's being sold.

4:40 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

It's an interesting concept, the degree of consent. There's absolute consent, saying that the person has to absolutely consent to every single interaction that is going to happen, and that's very impractical, all the way to the fact that....

I don't know whether you saw that in Toronto a council person suggested that all cellphones' FM frequency ability should be turned on so that in case there's any emergency, they can get to every single cellphone with a broadcast. You can argue that this is a socially responsible consent. Sure it is, because no matter where you are in the area and where they need to find you, it doesn't matter; it's for the benefit of the social good, because there might be an emergency such that you need to be found—that type of consent.

Also, there's consent whereby you simply contract with a cellular service provider to use their service, and because of that—they have to know your whereabouts, obviously—they're able to build a better network.

It's the degree of consent, then, that's the issue.

4:40 p.m.

Vice-President, Government Relations and Policy, Information Technology Association of Canada

André Leduc

I'd add to that. In his opening remarks, Robert pointed out the reasonable person test. Whether consent is the right vehicle is a question that you guys are measuring now. The question is, is it informed consent? Are people just clicking through that button and never reading anything? Is that happening almost 100% of the time? I would venture a guess that, yes, that's what's going on.

If you want to ensure that businesses, including the public sector, are using personal information responsibly, I would suggest that you add that reasonable person test. Would a reasonable Canadian think that this is an appropriate use of their personal information, or not? The courts have 100 years of experience dealing with the reasonable person test. It seems that in today's fast-paced world, taking the time to actually understand and read about what you're consenting to, the company is trying to be transparent. That's why these privacy policies and the end-usage legal agreements are so long. It's because we've added legal liability to the scenario, and so on. Their lawyers are saying, “We have to indemnify ourselves of legal responsibilities through these things”, but nobody reads them.

Is it informed consent? I would venture a guess to say, likely not, in 99.9% of cases. You'd be better off looking at what is a reasonable, responsible use of Canadians' personal information when it is collected.

4:40 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Mr. Hogarth.

4:40 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

I agree that nobody is reading these privacy policies. They've gotten too complex, too legalistic. That's why I think there should be a third-party assessment of some sort made of organizational privacy policies so that consumers can be warned if there are terms and conditions and certain privacy policies that they should be aware of. Somebody could maintain a website that basically reports on the major issues and features of these different privacy policies.

On the issue of consent, we totally agree that there is no way you can have fully informed consent in today's world. That's why we say that probably you need to expand the definition of sensitive information for those things where you need to get explicit consent and implied consent for the rest. The consumer and the public need a reference point for these policies to determine whether they're good, bad, or indifferent.

4:45 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I'll continue with you, Mr. Hogarth.

In your submission, you also wrote that organizations should retain information no longer than is reasonably required. That fits into part of what my colleagues have mentioned in regard to right to erasure in article 17 of the GDPR.

Can you give us some examples of how we can deal with this, especially in this era of big data?