Information & Ethics Committee on June 1st, 2017

Ease of retrieval is a moving target. Think of the history of libraries and how arduous it used to be look something up. At one time they had card catalogues, so you had to look it up and then wander through and find your book. Things are changing every decade in terms of how easy it is to retrieve information, so I don't know that we'd want to create legislation at this moment in time based just on the fact that it's easier to retrieve information now. That's going to change. Hopefully, it's going to become embedded under our skin.

Retrieving information is going to become a very seamless, painless experience, and that's the beauty of PIPEDA: it's technology neutral and isn't based on any particular point in time and technology.

Rather than focusing on the ease of access, it's more about how relevant the information is to a specific individual and the sensitivity of the information. I say that, because it's relatively easy to get information about the location of thousands of people using the Queensway at rush hour to deliver traffic information; and it's relatively easy to analyze thousands of different voice patterns in order to feed a translation program that does it automatically on the fly on your device.

It's still not really relevant to an individual, as some of the tougher questions we'll be dealing with today are when you're dealing with specific pieces of information tied to an individual that may have reputational harm or benefit.

That doesn't necessarily mean that PIPEDA needs to be reformed or that consent needs to be re-examined to address that. It is a subset of the conversation, and it's one that needs to be addressed specifically in the context of an individual understanding what information is available about them and what recourse they have to have that information removed within the context of how society thinks that information should be available.

I think there's a point to be made about individual identification, such as whether the individual can specifically be identified, because there's a lot of good and new information available that is flowing because it can be aggregated. It's anonymous, really, because it's large-scale information that can be mined in new ways.

I think it sort of flips the question, and it's a question of protecting only when it's individually identifiable and harmful to reputation or has some other unforeseen consequence, if you will.

I think there's a challenge in the sort of prescriptive legislation that the United States has. Saying 13 is the barrier to having an account with online services effectively means that you have a world in which people pretend they're older than 13. As you said, they click on the.... Or services aren't developed for people in that age group, because the burden of trying to meet that standard is so great that the investment is very large.

That's one of the reasons why it's taken us to this point to develop some of those tools to help families and individuals try to create that structured environment. You're completely right, though, in that parents alone can't see and educate their children and you can't get children to realize the risk of their behaviour online without outside help.

I'm the vice-chair of MediaSmarts, which is a digital literacy organization, and we also work with coding programs like Actua and Ladies Learning Code to try to attack this program from two different directions—making sure that children have the technical skills to understand the devices they're carrying around and the programs they're interacting with and also making sure that their parents and their community and their teachers have the civic programming to be able to have a sophisticated conversation with people who are developing as adults around their interactions online.

To your point about—and it's a word that hasn't been mentioned yet—predators, there are specific technological investments that we and other companies are making in those particularly graphic and horrific parts of online activity. We're intercepting those as quickly as possible and working with law enforcement to eliminate that portion of behaviour online, because there's a recognition that there's a very dangerous space that needs to be addressed directly and forcefully.

That obviously would be individual business decisions by each member. I think that would be an interesting conversation to have.

I obviously can't speak to any individual case, but in my mind any fine would not make any difference. The reputational damage and the threat of reputational damage is far greater than any sort of threat of enforcement powers or something like that.

In this particular case in the report from the commissioner, it was a multi-month engagement with the commissioner's office on what was an exceptional instance of an advertiser not following the policies we had instituted on our advertising platform. It took some digging to identify what the Canadian complainant had seen and where, and how that had expressed itself in the ads they had seen. It was a challenging experience for us, but it was also a learning experience both for us and for the privacy commissioners.

The reason I stated to Mr. Kelly that the answer was no is that every one of the examples from previous reports of major significance that have been brought up today has had an impact and has resulted in behaviour change on the part of the company. Winners came up 10 years ago, and that had a tremendous impact on TJX, the parent company, and on Winners' attitude towards privacy controls.

The Globe24h.com case was an example of the current framework evolving as it should, in that there was no reaction to the report of the Privacy Commissioner, so the Privacy Commissioner went to the Federal Court and got an order, and the website was taken down.

At the moment, there are bad apples, and there are people who don't respond in a timely manner, but for companies like ours, the opportunity to engage with the privacy commissioners and work through both the technical and the privacy policy-based nature of the complaint in a very honest and transparent way, without the possibility of an administrative order or a monetary fine being produced as a result of that frank and open discovery, is a benefit. It's a really constructive engagement, especially in a space that is fast-moving, where you can discover individual occurrences that have extreme personal impact but don't have a broader implication like the one you mentioned.

Yes.

I have two observations in response to that.

We are still talking about a very small number of companies that are the product of findings and aren't responding to the findings or aren't engaging in the process itself.

Second, what would the structure of the Office of the Privacy Commissioner look like after you give it powers for administrative monetary penalties? I don't think the commissioner could continue being an officer of Parliament. Does it end up being structured like the Competition Bureau or another administrative tribunal? How do you then have that ombudsperson and public information role, as well as this stricter organization with greater enforcement powers?