Evidence of meeting #61 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Robert Watson  President and Chief Executive Officer, Information Technology Association of Canada
Dennis Hogarth  Vice-President, Consumers Council of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
André Leduc  Vice-President, Government Relations and Policy, Information Technology Association of Canada

3:45 p.m.

The Chair Conservative Blaine Calkins

Welcome, colleagues, to the 61st meeting of the Standing Committee on Access to Information, Privacy and Ethics, for the continued consideration of the study of the Personal Information Protection and Electronic Documents Act, PIPEDA.

I apologize to our witnesses for the committee's tardiness today. We have good reason. We are all just getting here from the House, where House business took us a little longer than anticipated after question period.

We'll get right to it.

We have an hour and forty minutes remaining so we should be able to get through this with no problem.

I am pleased to be joined today by Mr. Robert Watson, president and chief executive officer of the Information Technology Association of Canada. We also have Mr. André Leduc, who is the vice-president of government relations and policy.

From the Consumers Council of Canada, we have Mr. Dennis Hogarth, vice-president.

From the Canadian Chamber of Commerce, we have Scott Smith, who is the director of intellectual property and innovation policy.

Each organization will be given an opportunity to have about 10 minutes for their opening remarks. We'll go in the order in which you were introduced.

From the Information Technology Association of Canada, Mr. Watson.

May 16th, 2017 / 3:45 p.m.

Robert Watson President and Chief Executive Officer, Information Technology Association of Canada

Thank you, Mr. Chair, and honourable members. It's a privilege to be here today to discuss the evolving worlds of technology, data, and privacy on behalf of the Information Technology Association of Canada, ITAC.

ITAC is the national voice of Canada's information and communications technology industry. Canada's ICT industry includes over 37,000 companies generating over 1.1 million jobs directly and indirectly. Beyond this, the ICT industry creates and supplies the goods and services that contribute to a more productive, competitive, and innovative economy and society. In this spirit, we welcome the opportunity to support your research on the evolving privacy environment in Canada.

The Internet has become the most powerful driver of economic growth in human history, outpacing the steam engine and the advent of electricity. Over the past few decades, data has emerged as a valuable commodity with the power to solve complex problems and generate immense benefits and value for organizations, individuals, and society. The Economist publication recently noted that the world's most valuable commodity is no longer oil; it is data. Today, ICT companies in Canada are using data to improve traffic flows, decrease accidents at intersections, detect health risks, improve agricultural yields, and improve the quality of life for all Canadians. We hope this discussion will deliver recommendations that enhance Canada's privacy regime in a way that promotes responsible use of personal data while supporting and enabling data-based innovation that will support the continued growth of Canada's ICT sector.

At the outset, I want to make it abundantly clear that a strong privacy regime, one that maintains the trust of Canadians, is firmly in the business interests of Canada's ICT industry. Maintaining customer trust is critical to businesses, and it has vital importance when a customer trusts a company with their personal information. In an era in which data is the world's most precious commodity, this is true today more than ever. Data, including customers' personal information, is also quickly becoming essential to most business activities, be it for fulfilling customer orders, billing, customer relationships, or supply chain management and marketing. Therefore, PIPEDA is not only consumer legislation; it is also economic legislation. I encourage this committee to factor the significant economic stakes involved into its deliberations as it considers recommending any legislative changes.

Several parties have stressed that PIPEDA is being challenged by emerging technologies and new business models. However, PIPEDA's technology-neutral and principles-based approach was designed to enable it to adapt with the times. It already includes a workable framework for managing many of the challenges associated with emerging technology like data analytics. Provided that PIPEDA is not interpreted in an overly restrictive manner, it can remain an appropriate principles-based framework able to address Canadians' privacy concerns.

Over the past year, ITAC has engaged in consultations conducted by the Office of the Privacy Commissioner, and there are three areas in these consultations on which I would like to provide additional remarks. First is protecting online reputation. Second is modernizing approaches to consent. And third is the question of whether additional enforcement powers should be provided to the Privacy Commissioner.

With regard to online reputation or what is also known as the right to be forgotten, the challenge is the permanence and searchability of any online post and the impacts that regrettable choices or malicious postings can have on a Canadian's offline reputation.

To address these challenges, the OPC has raised the idea of new legislative powers or processes to remove an individual's information from the Internet. ITAC questions whether the new rules are necessary at this time. Rather, ITAC would recommend that the government focus its efforts on educating Canadians, especially young Canadians, about how to interact responsibly online and to think before they post.

We also recommend that the government leverage the existing legal framework to improve its own processes for seeking redress from online libel through the court and make these legal avenues more accessible to the ordinary citizen. ITAC recommends against introducing an EU-style right to be forgotten that forces search engine companies to alter search results based on individual complaints.

Internet businesses have shown themselves willing to remove content in compliance with court orders and legal requirements, but no business should be deputized by the government to have to decide whether to strike the balance between an individual's privacy and freedom of expression. These decisions are best left to the courts.

Number two is consent. There have been considerable discussions about how new technologies like data analytics and the Internet of things make it more challenging for individuals to provide meaningful consent. ITAC strongly supports the technology-neutral, principles-based approach of PIPEDA, but our members find that express consent is an overemphasizing of how PIPEDA is interpreted by the Office of the Privacy Commissioner.

In today's fast-paced Internet and mobile-enabled world, slowing the transfer of information to complete transactions to garner express consent is a practice that has significant limitations for both customers and businesses, including individuals' willingness to read or understand what they are consenting to. By a show of hands, how many members of this committee have read every word of their iTunes privacy statement?

Increased technology complicity also means that differing or multiple organizations may be storing, processing, and analyzing the same data, making it hard to focus, to be fully explained to individuals. There are also situations where unanticipated use of data could be of great benefit to users, but where it may be difficult, if not impossible, to obtain renewed expressions of consent.

With these challenges in mind, ITAC has proposed several changes that we believe will address the challenges of consent while allowing businesses to form, continue to innovate, and generate economic value from data.

First, if express consent is not always a realistic option, frameworks should be put in place to expand implied consent in appropriate situations. Specifically, ITAC recommends a new exemption be introduced to allow for processing of personal information based upon legitimate business interests or purposes that are consistent with those in which consent was originally obtained. PIPEDA already has tools to provide boundaries for these forms of implied consent, such as the reasonable person test under section 5.3, and the OPC can provide additional guidance as required.

ITAC also proposes the exemption to consent for publicly available information be updated. The existing exemptions under PIPEDA regulations, essentially phone book details, are outdated and do not reflect the current landscape of personal information shared in public venues. Building on the time-tested model of PIPEDA itself, we recommend a new principles-based, technology-neutral exemption for publicly available information be developed that is better suited to adapt and evolve over time.

Last, ITAC also suggests that additional enforcement powers for the OPC are not required at this time. Enhanced enforcement powers were provided to the OPC as recently as 2015 through the Digital Privacy Act, and time is needed to test their effectiveness. Under the current framework, there is a tremendous amount the OPC can do to enhance and promote privacy, including through its public education function. Order-making powers could hinder the collaborative relationship that currently exists between industry and OPC and potentially make it more challenging for government and industry to collaborate and co-create solutions in this rapidly evolving field.

I want to thank you again for the opportunity to provide these remarks today, and I look forward to answering any of the questions you may have.

3:55 p.m.

The Chair Conservative Blaine Calkins

Thank you, Mr. Watson.

Just for the record, I don't remember anybody raising a hand when you asked the question, and given that this is not televised, I need to make sure that the audio recording reflects that accurately.

From the Consumers Council of Canada, Mr. Hogarth, the floor is yours.

3:55 p.m.

Dennis Hogarth Vice-President, Consumers Council of Canada

Thank you, Mr. Chairman.

I am Dennis Hogarth, the volunteer vice-president of the Consumers Council of Canada. I'd like to say that the council is pleased to contribute to this study.

The Consumers Council is a national not-for-profit organization that supports the protection and strengthening of consumer rights and the awareness of consumer responsibilities. It works with consumers, government, and business for a better marketplace. Consumers have a clear stake in privacy, the implementation of PIPEDA, and any improvements that might be made through this review.

Important issues have been raised during this study. They reflect the need for more clarity in definitions and interpretations in Canadian privacy legislation.

In terms of the emerging electronic environment, by 2020 more than 50 billion Internet devices will be used globally, all developed to collect, analyze, and share data, mainly from consumers. A massive, growing number of data points are collected, often referred to as “big data”.

Consumer data is collected both actively and covertly through search, social media, credit card transactions, and such sites as Amazon, Expedia, and many others. Information is also now collected more passively through seemingly benign devices that report on location, living habits, and personal preferences. Every Internet connection records information about a user. Although data can be disassociated from personal information to prevent a privacy risk, when data is combined into a big data environment and analyzed with sophisticated software, we now know that the identity or profile of specific individuals can be unmasked.

In terms of the personal information risk, privacy laws lag the sophisticated uses of personal information. The accumulation of personal data creates a risk both for organizations holding it and for consumers whose information is stored.

A 2016 study by PricewaterhouseCoopers reported that many organizations still don't fully understand the risks of cybercrime and how to effectively respond to and manage these types of incidents. Issues range from low board-level appreciation of risks to weak controls used by third-party outsource vendors. Whereas consumers once knew what information we provided to organizations and why we provided it, we are now unlikely to know what information is stored about us, where it is stored, and how it is used.

This brings us to the issue of consent. Data analysis techniques grow ever more sophisticated and are now capable of accessing massive data stores. Personal information is collected, matched, and used in so many ways that it seems inconceivable that the current consent models will remain feasible or meaningful. Organizational privacy policies are often complex and one-sided and often lack transparency.

For meaningful consent, consumers need to understand how their data will be used. It is doubtful that consumers will even be able to read and fully understand the policies; yet they must overlook this to participate in an unavoidable electronic world.

A sliding scale for consent has been discussed as a possible solution. Sensitive personal information would require explicit consent, as always, but use of less sensitive information might be subject to implicit consent. To enable such a solution, the definition of sensitive information would need expansion.

Increasingly, privacy protection may turn less on who obtains personal information and more on how it is stored and kept from detrimental use. To mitigate risk, greater controls must be established around organizations that make sophisticated uses of personal information. These organizations need particular oversight to ensure that they use information appropriately.

On the issue of children and privacy, the council agrees that information collected from children under the age of 16 should be prohibited, unless authorized by a legal guardian. However, age is not authenticated easily, and children can fool systems. Without some form of reliable registry system to verify age, controls will be hard to implement without generating new privacy concerns. Regardless, protections for children included in the general data protection regulation, GDPR, should be considered for inclusion in any revisions planned for PIPEDA.

As to the right to be forgotten, where possible and practical, PIPEDA should restrict organizations from retaining personal information that is no longer reasonably required for processing, or where it is outdated or unable to be confirmed as accurate. Reasonable limits should be placed on the retention of certain types of personal information by controller organizations or outside processors.

Big data will create greater difficulty in identifying personal data when consumers make personal information requests of organizations. Equally, it may be difficult to identify what information needs to be deleted. Technical solutions such as meta tagging of data may assist this process, but such systems could be prohibitively costly for smaller organizations to implement.

On the issue of enforcement, organizational focus on privacy has drifted. Therefore, PIPEDA compliance by organizations remains problematic, largely because non-compliance carries minimal risk. The Office of the Privacy Commissioner must have strong, effective enforcement measures and penalties, including punitive fines and other measures for compliance failures.

We believe that a more appropriate model would include an OPC function to review published organizational privacy policies and practices, especially where these organizations are known to make extensive use of personal information. These organizations should be required to register with the OPC, providing a description of how they collect, use, and control personal information.

Periodic compliance reviews should be made against published policies and controls over data. Review results could be posted online so that consumers can know how their information is used. Oversight could be enhanced through a regulatory model that uses independent third parties.

With regard to compliance with EU standards, the GDPR represents the current gold standard for the world and will likely form the basis for future revisions to many national privacy laws and practices. Aligning PIPEDA with GDPR might involve more effort by Canadian organizations, but compliance would provide greater protection for consumers while making Canada more competitive than non-compliant countries such as the United States. In a rapidly evolving electronic world, Canadian companies will benefit over the long run. We therefore recommend that the committee carefully consider steps to ensure that Canadian privacy legislation continues to be accepted by the EU as adequate.

Finally, on consumer privacy rights, consumer privacy rights in Canada are applied inconsistently. The OPC's website refers to the various federal, provincial, and other bodies involved. Legal gaps and overlaps exist that create confusion and will grow as a concern for consumers, who want consistent rules for organizations using their information.

In February 2012, the U.S. White House issued a report that included a consumer privacy bill of rights governing consumer data privacy. While not legally binding on organizations, the report provided appropriate guidance about privacy expectations. The council believes that the clear statement of privacy rights and responsibilities set out in the White House report should be considered for implementation in Canada.

I thank you for the opportunity to make this presentation on behalf of the Consumers Council.

4:05 p.m.

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Hogarth.

Our last witness of the day is Mr. Scott Smith, from the Canadian Chamber of Commerce.

The floor is yours, sir.

4:05 p.m.

Scott Smith Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Thank you very much, Mr. Chair and members of the committee, for allowing me to come to address you today.

As was said, I represent the Canadian Chamber of Commerce. We are a not-for-profit trade association and are the vital connection between business and government. We have a network of over 450 chambers of commerce across the country. You are probably familiar with one from your own communities. They're all members of the Canadian Chamber of Commerce, which is the umbrella organization. By extension, we represent close to 200,000 businesses across the country, of all sizes and in every single community.

My role at the chamber is intellectual property and innovation policy from the innovation perspective. That's what you're going to hear about from me today with my remarks. You're also going to hear some similar themes to what I think you heard from the other witnesses, so I hope I don't bore you.

We hear a lot about the pervasiveness of big data and about how both governments and companies are collecting information on us. Much of what we hear comes across as negative and invasive. That's unfortunate. Personal data is the core to creating an innovative product line and user experience.

In a 2016 Accenture survey of more than 500 businesses globally, more than three-quarters of the survey respondents said big data provides better and more personalized customer service, and over half of those respondents said it enhances customer loyalty. Others indicated that the information helps them break into new markets, improve target advertising, and build better products. In a nutshell, data enables innovation.

With your indulgence, I'd like to highlight a few examples of why data is so important to innovation and competitiveness.

First, it's about understanding customers. Big data is used to better understand customers, their behaviours, and their preferences. To maintain a competitive edge, companies are moving beyond traditional datasets and using social media and browser logs as well as text analytics and sensor data to get a more complete picture of their customers.

The big objective in many cases is to create predictive models, tailored not to the individual. The information they're collecting, yes, is about individuals, but they don't really care about the individual information. It's about the collective; it's about the large balance of information that they're collecting to identify patterns of behaviour.

A good example of this might be the use of data by ski resorts. Radio frequency identification device, RFID, tags are inserted into lift tickets. They can cut back on fraud and wait times at the lifts as well as help ski resorts understand traffic patterns, which lifts and runs are most popular, at which times of day, and even help track the movements of an individual skier, if he or she were to become lost. All of this benefits the customer by making the experience more seamless. I know I'd be happy if I got a text telling me there was two feet of fresh powder on my favourite run, even though my employer might not be so pleased that I disappeared for the day.

The second theme is optimizing business processes.

Big data is also increasingly used to optimize business processes. Retailers are able to optimize their stock based on predictions generated from social media data, from web search trends, and from weather forecasts. Employers are able to optimize work flow by monitoring patterns of behaviour and adjusting processes wherever those behaviour patterns demonstrate high productivity.

Next is personal quantification.

We can now benefit from the data generated from wearables. How many of you have a Fitbit? I see one hand, just for the record.

It collects data on our calorie consumption, activity levels, and sleep patterns. While it gives individuals rich insight, the real value is in analyzing the collective data. Analyzing the decades-worth of sleep data in a single night that's collected will bring entirely new insights that can feed back to individual users.

The same is true in life sciences. Clinical trials of the future won't be limited by sample sizes but can potentially include everyone.

While big data is used to enable law enforcement, it is also used by our financial institutions. Credit card companies monitor behaviour patterns. When those patterns deviate from predicted norms, customers are notified, which helps prevent fraud and identity theft.

PIPEDA predates social media, it predates video streaming, and it predates the notion of ransomware, which we all heard about this past week; yet it has done a pretty good job of remaining relevant as technology has evolved.

As principled legislation, the need for government action to react to technological change hasn't been necessary. Judicial oversight has proven time and again to be an adequate recourse where an organization has stepped outside the boundary of reasonable use of data.

Notwithstanding, significant changes were made to PIPEDA in 2015. Legislative change on something as ubiquitous as privacy legislation will always have a profound impact on business that results from the uncertainty these changes introduce to the economy. Some of those changes introduced in 2015 are not even yet in effect. We're still waiting for the details on how companies will be expected to comply with the breach notification requirements and the keeping of records indefinitely on all of those breaches. We don't really understand right now what that's going to mean. While the clarification to the definition of consent did little more than recognize a common best practice by making that change, it did cause some consternation in the business community as to what the change was attempting to accomplish at the time.

Although we need to monitor what happens in other jurisdictions to ensure our laws are compatible with our trading partners, to ensure the free flow of data and the ability to innovate, doing so preemptively could have unintended consequences. For instance, changes to the general data protection regulation in Europe are imminent, and equivalency in Canada might be put to the test. However, we must understand that the GDPR is much broader than just privacy. It's as much about the public sector and security as it is about privacy.

For instance, a comment was made about the U.S. and the U.S. surveillance. That is a factor when we're dealing with the GDPR. It's a lot more than just our privacy legislation.

Tightening controls on the collection, use, and disclosure of personal information will not likely have a positive impact on privacy protection. The manner in which information is collected and the business model that information collection is built on makes tighter controls untenable, and we're talking about basic behaviour. Trying to create a consent model around behaviour is next to impossible.

Sharing personal information requires trust. Maintaining that trust requires digital responsibility best practices, and to name a few of those: ensure personal data management meets consumer expectations; show transparency in how personal information is sourced; give people more control over their data; explain the benefits consumers earn from sharing information; and use data for social improvement.

The companies that embrace these best practices will be the ones to prosper as new technology such as blockchain evolves that will put control of personal information back in the hands of the individual.

While this past weekend's WannaCry ransomware attack may not have been focused on personal information, it is certainly a global wake-up call regarding the vulnerability of the digital economy. That means we also need a more robust response to cybersecurity concerns.

I'll give you a couple of recent statistics. In the third quarter of 2016 alone, 18 million new malware samples were captured. More than 4,000 ransomware attacks have occurred every day since the beginning of 2016. The amount of phishing emails containing a form of ransomware grew to 97.25% during the third quarter of 2016, which was up from 92% in the first quarter of 2016. Although 78% of people claim to be aware of the risks of unknown links in emails, they click anyway.

The data that's collected, stored, and used by organizations is extremely valuable. Some of that value is yet to be conceived, but governments and organizations alike are vulnerable to attack and I would argue that resources would be better used in international collaboration to target the criminal enterprises attacking databases rather than monitoring the organizations that are innovating and serving customers.

With that I will conclude my remarks. Thank you for your attention.

4:15 p.m.

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Smith.

We're going to have a round of seven-minute questions.

Mr. Ehsassi, the floor is yours for seven minutes.

4:15 p.m.

Ali Ehsassi Liberal Willowdale, ON

Thank you ever so much, gentlemen, for your testimony. It was very helpful.

I'll start off with Mr. Watson. I had the pleasure of listening to your remarks. I did notice that you had quite a bit to say about meaningful consent, about the need to maintain reputations and enforcement powers. I didn't hear anything about adequacy and how important that would be as we actually consider the possibility of revising PIPEDA. Is that important? In your opinion, is the European model the gold standard?

4:15 p.m.

Robert Watson President and Chief Executive Officer, Information Technology Association of Canada

I'll answer, and then André will jump in.

We think the European model is very burdensome. It in fact puts the responsibility onto the organizations to decide who stays on and who comes off. In our view generally, people who are putting information out there are generally doing it through the proliferation of smart devices whereby they're putting information out. All through that process with smart devices there are checks and balances, even on the device.

You can have a check and balance in whether you want to have an application on your device and whether you want that application to follow you; you can decide whether you want any emails from that organization at all, and although you don't read them all, you do have to agree to the terms and conditions of anything you buy on the site.

You are thus making a conscious decision every time you progress on the device, and the organizations have put that in place because frankly, for any organization these days, the reputational risk of doing something for an individual and having it go out into hyperspace—of doing something wrong—is just not worth it. They are taking care of it and are quite willing to work with the Privacy Commissioner to keep up with modern organizations.

André, do you have anything to add?

4:15 p.m.

André Leduc Vice-President, Government Relations and Policy, Information Technology Association of Canada

Adequacy remains highly important, especially pursuant to the EU trade deal and the free flow of data between Europe and Canada. I wouldn't go so far as to say the GDPR is the gold standard. One would have to measure the privacy levels in Europe against those in Canada.

Maintaining adequacy is important, and we believe that PIPEDA in its current form will allow us to maintain that adequacy and to continue with the free flow of information between Canada and Europe, which again is going to be even more important once we are able to implement the EU-Canada trade deal.

4:15 p.m.

Ali Ehsassi Liberal Willowdale, ON

Would you say that the European model is burdensome as well, or...?

4:15 p.m.

André Leduc Vice-President, Government Relations and Policy, Information Technology Association of Canada

There's little question. An example coming out of the EU is the cookies example. Every website that you have in Europe has a warning that pops up first.

I'm not sure anybody is more or less protected by this policy. It's burdensome for companies and it's burdensome for the consumers who, I would venture to guess, 99.99% of the time when visiting a website will click through and allow cookies to come through on the website so that they can get the information they're looking for.

Is this type of regulation really doing anything, then? We talked about whether anybody has ever spent the time to read through the privacy policies that you see posted on a website, or do you just click through very quickly so that you can get to what you need to get done? Consumers in this day and age are always just clicking through.

There's also a system of checks and balances built into privacy legislation. It is not in the best interest of a private sector company to abuse the personal information of their own customers or clients. You can talk to T.J. Maxx, you can talk to Home Depot, you can talk to Target about the implications of having a significant data breach. Those companies were the victims of a data breach, of hackers getting into their system and accessing the personal information of their customers. They're being victimized, and they're doubly victimized by it by having a number of consumers.... For the larger businesses, that's great; they'll survive. For a Canadian SME.... You'll lose half your customers. That's usually an end-of-life incident.

It is, then, in the best interests of the businesses when they're collecting the information.... You can see how valuable it is now. As we point out, it is the new oil. There's a very high level of value for it, and protecting and storing that information and being able to analyze it is in the best interest of these private sector entities.

4:20 p.m.

Liberal

Ali Ehsassi Liberal Willowdale, ON

Thank you.

Mr. Hogarth, I take it that you come from a very different perspective, because you said that the European model is the gold standard. Why do you think it would not be too burdensome for Canadian companies to comply?

4:20 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

I'm not saying it wouldn't be burdensome. I'm saying we should make a comparison of the key points in the GDPR versus PIPEDA to make sure that we maintain compliance to the extent possible. I'm not saying that we wholesale implement the GDPR for Canada.

I think some of the main points, about four of them, have been identified as things that need to be looked at, such as children's privacy, which is a key one. As an example, when I checked out of a Staples store, my daughter was 14 and they tried to sign her up with her email address. It was a clerk who was probably 17 or 18 years of age.

There are things that need to be tightened up in terms of our infrastructure. I don't think people are properly trained in organizations, just as they probably aren't as aware as they should be in the general public.

Certainly we should do whatever we can to try to maintain that compliance with GDPR, at least to the extent that we remain adequate. Believe me, I've dealt with situations where we tried to transfer information to the U.S. and it's really very difficult if you have to go on a company-by-company basis.

4:20 p.m.

Liberal

Ali Ehsassi Liberal Willowdale, ON

During your testimony, you were talking about how big data and information-gathering could pose a risk for companies. I believe the only reference you made was to cybercrime. Are there other concerns that companies should have?

4:20 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

Certainly as you get into an environment where more and more stuff gets pumped into these databases, they're not going to stay within a single organization. They are going to cross organizational boundaries and you'll lose track of the information. That's why I'm basically saying that we should come up with a standard.

Meaningful consent is very impractical now. We really need an environment where organizations are tested, where somebody else basically reviews privacy policies because we can't all do it, as has been raised. Nobody here has probably reviewed more than one or two of the privacy policies that govern their lives, and there might be 20, 30, or 40 of them out there. There should be a third-party review and a standard against which these privacy policies are tested.

4:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

We'll now move to Mr. Jeneroux, please.

4:20 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you to the witnesses for being here today.

I just want to start and get everybody on record here.

Mr. Watson, you said no to the order-making powers.

Mr. Hogarth, you're for the order-making powers, correct? Yes.

Mr. Smith, I didn't get your position on order-making powers. Could you quickly comment?

4:20 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

The order-making powers are unnecessary, so my comments refer back to the judicial system and the fact that it has been very competent in dealing with any issues where companies have crossed boundaries.

4:20 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay.

On that line, the last time there was a statutory review of this act was in 2007. At the time, in the opinion of Mr. Watson and Mr. Smith, no order-making powers were necessary. However, since that time, this committee has reviewed the Access to Information Act and the Privacy Act, and we have suggested that both of those include the order-making powers. Do you think under that information perhaps it would be necessary, then, to have all acts similar in terms of granting order-making powers, or does that not change your opinion whatsoever?

Maybe I'll start with Mr. Hogarth.

4:25 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

When you refer to all acts, which acts do you mean?

4:25 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Sorry. In our committee's review of the Access to Information Act and the Privacy Act, we recommended the order-making powers with that for the commissioner. With those two acts moving in that direction, would you be of the same opinion?

4:25 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

Order-making powers are going to be essential to achieve compliance. As I said in my testimony, the problem is that organizations aren't stepping up, because they see minimal risk in non-compliance. If they have to spend $50,000 to comply versus taking the risk of non-compliance and there's essentially little risk of being fined or penalized, they're going to take the easy route.

4:25 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay.

Mr. Smith?

4:25 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

I have actually seen that in practice.