Information & Ethics Committee on May 16th, 2017

I think of somebody who is charged with a crime, for example, but basically is found innocent. Ten years later, the news reports are still out there, and they show up when a search is made. That is the sort of information that probably needs to be forgotten in some way, shape, or form. If somebody is found innocent but the charge is still out there, or the press is still out there, it's going to have an impact on their career and future life.

There were updates in the Digital Privacy Act in order to focus on the protection of minors—not the guys with hats who live in caves, but the children who we have to deal with—and it has to be a balanced approach.

Robert pointed out that we need better education. This is the advent of the Internet. It's a really big thing. Whether it's the school systems, the parents, or the community groups, we need to be educating kids about the potential dangers.

When you're dealing with something like Fitbit, where it's tracking your heart rate and everything, there isn't a lot of danger there. What we're talking about on the big data side—it's really exciting—is that maybe they'll be able to notify you by a text message half an hour before you have your heart attack. That's where we're heading. That's where big data analytics is going.

In terms of protecting minors, it's very difficult to put the onus on the company that is collecting that information, other than asking you if you are under the age of 18, under the age of 19, or under the age of 21, and saying that if you are, you have to get the consent of your parents in order to fill in that information.

Beyond that, there isn't a lot there. How many 14-year-olds would go to their parents to get the okay to fill in the information on the Fitbit? How many parents would go, “Would you just leave me alone?”

Again, I know that I keep reiterating the same point, but when you look at the reasonable use, the reasonable connection, and a reasonable person test for evaluating what is okay and what isn't, you see that it's a lot easier than trying to regulate a consent regime that maybe doesn't really have any value to it. You're not really getting informed or educated consent, and you can't really tell the age of the person you're collecting from, because I would venture to say that most 14-year-olds would ignore that fact and say, “Oh, it won't let me if I'm 14, so I'll just click on 18, and then I'll get through.”

I think I referred to this in my remarks, but I don't remember. My response to that is, what would be the reputational damage to a company like Fitbit if it came out that they were selling that information to employers, insurance companies, or what have you? They would be out of business very quickly.

Yes, there is a value to that information, and there is possibly even a temptation to sell that information to prospective employers, for instance, but the likelihood of it happening for a company that wants to remain in business—

Again, I think that goes back to the privacy policies that are already built in and the fact that they are not collecting identifiable personal information at all. They're not doing it.

Could it happen? Sure. Is it likely to happen? No.

I have a simple question. Is Fitbit information health information? It's covered under the sensitive categories that require explicit consent. It's as simple as that. For that information to be used by another party would require explicit consent. If it pertained to a minor, it would require the parents' consent.

I didn't mention this in the opening, but I did my MBA thesis on small and medium-sized enterprise, the compliance with PIPEDA and CASL, and the impacts on those small firms. I went so far as to do a survey of small businesses, and did some focus-group testing with them as well.

The issue that you'll run into is one that you mentioned. A larger corporation would be able to survive. If you hit them with $100,000 penalty, they can pay it and continue on with the business they were doing. When it comes to a smaller enterprise, $100,000 would definitely be the difference between that business continuing and ceasing operations and filing for bankruptcy.

In the case of a data breach, the business is being victimized by a hacker who has infiltrated their system and removed information in order to either damage that enterprise or collect personal information about their customers. With regard to having rules and regulations in place that require companies to understand that they need to keep the information they collect secure, that understanding is already there.

Penalizing a small enterprise for being the victim of a data breach is probably not the best course of action. Bringing them in and having the OPC sensitize them to an understanding of what happened in the hack, doing the investigation—they'll understand the engineering behind it—is probably a better course.

That's the system now. They bring in the small and medium-sized enterprise and explain what the issues were, and ensure that they're compliant going forward.

Can I add to that?

A quick point is that large companies would be impacted even more than small companies, again because of their reputation.

I can assure you that every board now looks at any incident dealing with social media at all very seriously. Just look at the mortgage company in Toronto that didn't pay attention to a couple of misstatements three or four years ago. It's not as if they were insolvent, but all their investors pulled their money.

We think there's an evolution coming, for sure. The Internet is evolving and evolving fast. There's no question about it.

We believe that the act in place now is good. What should happen is that the OPC should be more like an ombudsman, putting out guidance, working with the industry, suggesting changes. Industry will go with it. There's no question about it. There's no lack of wanting to go along with it. They're just very concerned that if you start layering regulation on regulation, it will never stop. It will get complicated, that's all.

I agree. They can come out and say that this company is not co-operating and they need it. If they come out with any sort of statement at all, whether it's soft or hard, it will not be taken lightly by the company, and I don't know any company that would take it lightly.

First of all, one thing that I pointed out in my brief was that it's authentication that's the issue, and that's going to become an increasing issue, not only for people who are underage, but for all of us. How do you authenticate that you are the actual person who's providing consent or giving access to your data? That's something that needs to be looked at in detail. That's going to involve technology, however you look at it. That's going to be, I think, the major issue.

Your first point was?

Control over big data.... For a lot of this stuff, when I say it's being collected covertly, it's a situation like your thermostat at home collecting a lot of different data points of information about how you run your household. They're now talking about the fact that refrigerators are actually gathering information about everything, including what's in the fridge.

You have automobiles that are providing information that could be very valuable to insurers. I don't believe that you give consent to your car to say that you can or can't provide all of that information.

Increasingly, we're going to have to look at ways of looking at those industries, not necessarily from a consent model, but from a standpoint of doing a review or an audit of how they're using information and then asking, is it in fact reasonable? Does it pass the reasonableness test?