Evidence of meeting #61 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was personal.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Robert Watson  President and Chief Executive Officer, Information Technology Association of Canada
Dennis Hogarth  Vice-President, Consumers Council of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
André Leduc  Vice-President, Government Relations and Policy, Information Technology Association of Canada

4:55 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

I'd be inclined to agree with that. What you're talking about is essentially a historical record. If it makes the news and it's true, then it exists in one form or another. Just because you've taken it off the Internet.... As André pointed out, it's still going to exist in another form somewhere. Even if it's not online, it's probably still going to be available somewhere. Somebody is going to be able to look it up. You're never truly forgotten.

4:55 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Mr. Hogarth, do you have anything to add to that?

4:55 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

I think of somebody who is charged with a crime, for example, but basically is found innocent. Ten years later, the news reports are still out there, and they show up when a search is made. That is the sort of information that probably needs to be forgotten in some way, shape, or form. If somebody is found innocent but the charge is still out there, or the press is still out there, it's going to have an impact on their career and future life.

4:55 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Okay. Thank you.

We do have Fitbits. Our family has Fitbits. We went out and bought Fitbits a few months ago. A few of my friends who have younger children came. I signed up my Fitbit, did all my things, went on my iPhone, synced it, and pressed approve, approve, approve.... Yesterday, I did 15,168 steps, my resting heart rate was 59, I travelled five miles, and I slept for four and three-quarter hours.

That's okay for me. I pushed all the notifications and buttons. But what do we do to protect children? For example, I believe the stat is that 70% of 14-year-old kids have phones now. What do we do explicitly to protect those children from that same thing? The 14-year-old child with his Fitbit basically went through the same thing I did in pressing “yes” for everything. How do we protect children under PIPEDA? What do we do with meaningful consent?

Mr. Leduc.

4:55 p.m.

Vice-President, Government Relations and Policy, Information Technology Association of Canada

André Leduc

There were updates in the Digital Privacy Act in order to focus on the protection of minors—not the guys with hats who live in caves, but the children who we have to deal with—and it has to be a balanced approach.

Robert pointed out that we need better education. This is the advent of the Internet. It's a really big thing. Whether it's the school systems, the parents, or the community groups, we need to be educating kids about the potential dangers.

When you're dealing with something like Fitbit, where it's tracking your heart rate and everything, there isn't a lot of danger there. What we're talking about on the big data side—it's really exciting—is that maybe they'll be able to notify you by a text message half an hour before you have your heart attack. That's where we're heading. That's where big data analytics is going.

In terms of protecting minors, it's very difficult to put the onus on the company that is collecting that information, other than asking you if you are under the age of 18, under the age of 19, or under the age of 21, and saying that if you are, you have to get the consent of your parents in order to fill in that information.

Beyond that, there isn't a lot there. How many 14-year-olds would go to their parents to get the okay to fill in the information on the Fitbit? How many parents would go, “Would you just leave me alone?”

Again, I know that I keep reiterating the same point, but when you look at the reasonable use, the reasonable connection, and a reasonable person test for evaluating what is okay and what isn't, you see that it's a lot easier than trying to regulate a consent regime that maybe doesn't really have any value to it. You're not really getting informed or educated consent, and you can't really tell the age of the person you're collecting from, because I would venture to say that most 14-year-olds would ignore that fact and say, “Oh, it won't let me if I'm 14, so I'll just click on 18, and then I'll get through.”

May 16th, 2017 / 4:55 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Long. I appreciate that.

I'll take the round for the Conservatives for the next five minutes, if that's okay with my colleagues.

As a former IT professional, I understand completely what you're saying when you say that data is the most valuable corporate asset. That's been the way of the information age for quite some time, and now, as you've said, data is becoming more valuable than oil, which is interesting.

Mr. Smith, I'm going to you, because I'm going to follow up on what Mr. Long's question was. Data is becoming very, very useful. Actually, it's information that is more useful. Data is raw facts, whereas information is actually coalesced information that's of value and is of use.

Here's my question for you, Mr. Smith. You have been very clear that it's the data, the de-identified data that predicts trends and so on, that a particular user or group of users in a certain age group—or a certain whatever—might be interested in, so that we can have predictive modelling for the purposes of sales and business. I don't think most people have a problem with that.

I actually like the fact that my iPad from time to time knows what I'm thinking more than I do. That's okay, but for a Fitbit, what about the fact that if a Fitbit and its information about sleep patterns, a resting heart rate, and any other health information gleaned from that Fitbit were to get into the hands of a prospective employer prior to an interview? What if it wasn't de-identified, we actually knew who that individual was, and it became an issue, much like the genetic discrimination bill that we just passed in Parliament? What if it became an issue that was keeping somebody from getting a prospective job? Perhaps that Fitbit is measuring their weight and other habits they have that might predispose somebody to prejudice when that person is applying for a job.

I would be interested to see what the point of view might be from Mr. Hogarth and Mr. Smith on this.

5 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

I think I referred to this in my remarks, but I don't remember. My response to that is, what would be the reputational damage to a company like Fitbit if it came out that they were selling that information to employers, insurance companies, or what have you? They would be out of business very quickly.

Yes, there is a value to that information, and there is possibly even a temptation to sell that information to prospective employers, for instance, but the likelihood of it happening for a company that wants to remain in business—

5 p.m.

Conservative

The Chair Conservative Blaine Calkins

What if the employer is Fitbit?

5 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

Again, I think that goes back to the privacy policies that are already built in and the fact that they are not collecting identifiable personal information at all. They're not doing it.

Could it happen? Sure. Is it likely to happen? No.

5 p.m.

Conservative

The Chair Conservative Blaine Calkins

Okay. I believe you.

Mr. Hogarth.

5 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

I have a simple question. Is Fitbit information health information? It's covered under the sensitive categories that require explicit consent. It's as simple as that. For that information to be used by another party would require explicit consent. If it pertained to a minor, it would require the parents' consent.

5 p.m.

Conservative

The Chair Conservative Blaine Calkins

Fair enough, I appreciate that.

I have a question for Mr. Watson or Mr. Leduc.

When it comes to the threshold for compliance, monetary penalties, we talked about how it's different.

Mr. Leduc, or maybe it was Mr. Watson...I think you said it would be okay for Target, that they'd survive. Target is going to survive because they're a large enough company, but a small or medium-sized enterprise might not survive if their data is breached and there were monetary penalties associated with it through any changes that this committee might recommend in the legislation.

Should there be a threshold? I'm not much for arbitrary lines in the sand when it comes to legislation, but should there be a threshold, so that companies that are small and don't necessarily have a privacy person appointed...?

I mean, I had my own IT company before I did this. I was a one-man shop. I was my own privacy consultant in my company. What do we do for those smaller companies? Should we have an exemption so that those companies would be not affected in the same way as a larger corporation, or is there an inequity and unfairness inherent in that?

5 p.m.

Vice-President, Government Relations and Policy, Information Technology Association of Canada

André Leduc

I didn't mention this in the opening, but I did my MBA thesis on small and medium-sized enterprise, the compliance with PIPEDA and CASL, and the impacts on those small firms. I went so far as to do a survey of small businesses, and did some focus-group testing with them as well.

The issue that you'll run into is one that you mentioned. A larger corporation would be able to survive. If you hit them with $100,000 penalty, they can pay it and continue on with the business they were doing. When it comes to a smaller enterprise, $100,000 would definitely be the difference between that business continuing and ceasing operations and filing for bankruptcy.

In the case of a data breach, the business is being victimized by a hacker who has infiltrated their system and removed information in order to either damage that enterprise or collect personal information about their customers. With regard to having rules and regulations in place that require companies to understand that they need to keep the information they collect secure, that understanding is already there.

Penalizing a small enterprise for being the victim of a data breach is probably not the best course of action. Bringing them in and having the OPC sensitize them to an understanding of what happened in the hack, doing the investigation—they'll understand the engineering behind it—is probably a better course.

That's the system now. They bring in the small and medium-sized enterprise and explain what the issues were, and ensure that they're compliant going forward.

5:05 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

Can I add to that?

5:05 p.m.

Conservative

The Chair Conservative Blaine Calkins

Very quickly, please.

5:05 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

A quick point is that large companies would be impacted even more than small companies, again because of their reputation.

I can assure you that every board now looks at any incident dealing with social media at all very seriously. Just look at the mortgage company in Toronto that didn't pay attention to a couple of misstatements three or four years ago. It's not as if they were insolvent, but all their investors pulled their money.

5:05 p.m.

Conservative

The Chair Conservative Blaine Calkins

Well, Mr. Watson, nobody around this table understands that something we said four years ago might come back to haunt us.

Monsieur Dubourg, for five minutes, please.

5:05 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

Thank you very much, Mr. Chair.

I would like to welcome the witnesses who have joined us this afternoon.

Thank you for your presentations and the briefs you submitted.

My first question goes to Mr. Watson.

The point you make in your brief is that there is no reason to change the legislation and that it remains current. Despite the technological advances, you feel that there should be no amendments to the legislation.

Is that what you are saying, in fact?

5:05 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

We think there's an evolution coming, for sure. The Internet is evolving and evolving fast. There's no question about it.

We believe that the act in place now is good. What should happen is that the OPC should be more like an ombudsman, putting out guidance, working with the industry, suggesting changes. Industry will go with it. There's no question about it. There's no lack of wanting to go along with it. They're just very concerned that if you start layering regulation on regulation, it will never stop. It will get complicated, that's all.

5:05 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

I agree.

You are still on the same wavelength. The other aspect deals with penalties. You said that the commissioner should not be given more powers because the collaborative approach is working well. Is that correct?

5:05 p.m.

President and Chief Executive Officer, Information Technology Association of Canada

Robert Watson

I agree. They can come out and say that this company is not co-operating and they need it. If they come out with any sort of statement at all, whether it's soft or hard, it will not be taken lightly by the company, and I don't know any company that would take it lightly.

5:05 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

Okay.

Let me now turn to you, Mr. Hogarth.

Your report contains a number of cautions with regard to metadata. You say that, in 2020, there will be more than 50 billion devices connected to the Internet and that a lot of information will be obtained covertly, if I can put it that way.

You are a Fellow of the Order of Chartered Professional Accountants.

First, are there any control measures similar to the ones you suggest we could look at in order to improve this bill?

Second, can you comment on what Mr. Leduc said? When he answered a question, he said that it would be difficult to implement control measures for children from 14 to 16. What can we do to make sure that the data collected are appropriate?

5:05 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

First of all, one thing that I pointed out in my brief was that it's authentication that's the issue, and that's going to become an increasing issue, not only for people who are underage, but for all of us. How do you authenticate that you are the actual person who's providing consent or giving access to your data? That's something that needs to be looked at in detail. That's going to involve technology, however you look at it. That's going to be, I think, the major issue.

Your first point was?

5:10 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

It was regarding control.

Can we implement more control measures to make sure that the data collected are appropriate?

5:10 p.m.

Vice-President, Consumers Council of Canada

Dennis Hogarth

Control over big data.... For a lot of this stuff, when I say it's being collected covertly, it's a situation like your thermostat at home collecting a lot of different data points of information about how you run your household. They're now talking about the fact that refrigerators are actually gathering information about everything, including what's in the fridge.

You have automobiles that are providing information that could be very valuable to insurers. I don't believe that you give consent to your car to say that you can or can't provide all of that information.

Increasingly, we're going to have to look at ways of looking at those industries, not necessarily from a consent model, but from a standpoint of doing a review or an audit of how they're using information and then asking, is it in fact reasonable? Does it pass the reasonableness test?