Evidence of meeting #68 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was online.
A recording is available from Parliament.
4:05 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Exactly, and when it comes to recommendations of regulation, the Privacy Commissioner by himself would need to seek regulation, for example, in Canada, by the CRTC in terms of service providers. Have you considered that?
4:05 p.m.
President and Chief Executive Officer, Boys and Girls Clubs of Canada
I can't honestly say we've considered that at this point.
4:05 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
With regard to destruction of information or the right to be forgotten, I'll ask all three of you, are you suggesting that at the age of majority there would be universal destruction of this information, or would it need to be by individual directive, ideally?
4:05 p.m.
Chair, National Association for Information Destruction - Canada
That would not be my area of expertise, for sure. Our thought is that when the information is no longer needed, it should be destroyed regardless of how old the person is. When the purpose for which you've collected that information is no longer valid, you should have no need to keep that information and it should be disposed of properly at that point.
4:05 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
However, as you've said, with regard to medical records, for example, we only learn of breaches of confidentiality when it's discovered.
4:05 p.m.
Chair, National Association for Information Destruction - Canada
A well-run facility has record-keeping practices and those records are being destroyed in conjunction with those policies, so it's only in situations where somebody isn't following the policies or doesn't have a policy that you get those breaches.
4:05 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Then you would recommend the formation of a regulation with penalties and regular audits, or proof of—
4:05 p.m.
Chair, National Association for Information Destruction - Canada
Our recommendation is that the Privacy Commissioner needs to have proper teeth. His office needs to have the ability to impose penalties, to make orders, and to do it proscriptively so that, in advance of a problem happening, they can go into an organization and do audits and have some powers there.
4:05 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Briefly, could you give an example of the COPPA penalties, from the lowest violation to the greatest?
4:05 p.m.
Chair, National Association for Information Destruction - Canada
In our written submission we listed several of the various fines from various jurisdictions around North America, ranging from small fines all the way up to the $1.5-million range. Jurisdictions all across North America have created structures by which they impose fines for these things, based on severity.
4:05 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Are these fines based on individual infractions, or class or group infractions?
4:05 p.m.
Chair, National Association for Information Destruction - Canada
I don't know the answer to that, but I could certainly find it for you.
4:05 p.m.
Prof. Jane Bailey
We threw around the term “right to be forgotten” pretty easily just a minute ago; I did it, too. Just to be clear, to say what we mean.... What do we mean by a right to be forgotten? Even in the EU currently, without thinking about what's going to happen in 2018, it's not really a right to be forgotten. It's a right to request a delinking of your information from a search engine, which in some ways has the best of both worlds, in the sense that, practically speaking, most people are not going to go to more trouble than a Google search. If that link is no longer something that pops up in a Google search, you get effective, practical obscurity from that kind of measure, without the downside.
I am conscious of having colleagues who are interested in the Internet as an archive of our history for the future, and thinking about what full and permanent erasure might mean. Even if you said, “We'll take things off the market for 100 years”, as we do in archives sometimes, 100 years from now somebody can look at this.
I think the idea of a right to be forgotten that's a practical measure for delinking is actually an interesting practical response, provided that we have some understanding and accountability about how service providers are making these decisions when requested to make these decisions. We need accountability, transparency, and disclosure from them about how many requests they are getting, what the bases of their decision-making are, how many they agree with, how many they dismiss, and those sorts of things. I think that's a practical kind of a right to be forgotten that can give a certain amount of relief.
The other thing is, if we just did the preventative thing in the first place and said.... Just to point out, Google Classroom is used, mandated, across the Ottawa-Carleton District School Board, and we, as parents, have been assured that Google has agreed that it will not be collecting our children's information when they are using those services, and it will not be using those for commercial purposes. I guess we all believe that, because that's what they said.
To say it's not possible is more rhetoric. We have to be conscious, as consumers and citizens, that there is a certain rhetorical element to this: these things are impossible, too expensive, too difficult. We need to think about how to prevent the collection in the first place so that the destruction issues, the delinking issues, and the inaccessibility issues are not the monumental problem that they are now for a generation of kids. We can do something for the next generation of kids.
4:10 p.m.
NDP
Erin Weir NDP Regina—Lewvan, SK
Thanks very much, Mr. Chair. It's great to be here.
Great minds might think alike, because MP Kent has asked a lot of the questions that I had in my mind about the actual content of this proposed legislation. I may return to some of those points.
Something I would like to ask the panel about is their views on the mechanisms to enforce those rules, and specifically whether they have any thoughts about the proposed civil remedies.
4:10 p.m.
President and Chief Executive Officer, Boys and Girls Clubs of Canada
I guess I'll start.
We haven't thought about what the penalties would be. I'll be quite honest; that hasn't been our area of thought process.
We have seen this in two ways in the U.S. To ensure compliance, there have been sweeps from time to time of the sites that would be the most obvious—I am speaking especially of children and youth in these cases, sites targeted at children and youth. The other way is simply the reporting mechanism that might happen from citizens and others who are concerned about behaviours that are egregious or out of line that could be reported, so it would be a sort of self-reporting mechanism.
Aside from that, you do need something like a sweep mechanism that allows you to do what they've done in the U.S., a survey of sites and a report on compliance, with the possibility for fines and some kind of corrective measure.
4:10 p.m.
Prof. Jane Bailey
I'm a lawyer. Sure, legal actions are good. I am certainly never against opening up a panoply of remedies for citizens. However, the reality of civil actions is that most people can't afford them anyway, so who would use those mechanisms? Maybe we'll be able to use them for classes and we'll get public interest organizations that can use them. We do have public interest organizations that are already trying to deal with privacy in courts. I wouldn't put a huge stock in individuals having to assert their rights. I would think ideas like audits or sweeps, where the OPC has authority to check for violations, are important.
In terms of remedies or penalties, we have to remember that we are dealing largely with market forces, so we have to make it cost more not to protect privacy and respect privacy than to just ignore it. That's what I would say about that. In effect, what this means is that the monetary penalties would have to be quite significant in many cases.
4:15 p.m.
Chair, National Association for Information Destruction - Canada
Sure.
In our written submission, we listed several penalties. I don't think anybody wants to see penalties be punitive for a small business that has made a mistake, but when you have instances of systematic or egregious breaches, the penalties have to be significant enough to hurt. It's sad that you have to get to that point, but unless the legislation has teeth and is backed by the Privacy Commissioner, who has the ability to enforce things, you don't move the people who are on the margins.
Good businesses are doing what they're supposed to be doing. It's the people who are on the margins who are making decisions to dispose of something or not to handle something or not to properly protect their net worth. They're making decisions on the margins because there isn't a financial penalty if they get caught doing it improperly. It's on the margins that you can move the needle. That's where people have a choice to do it right or not to do it right. You incentivize them to do it properly.
4:15 p.m.
NDP
Erin Weir NDP Regina—Lewvan, SK
One theme that underscores this act is the notion of Canadians providing consent for their information to be used in certain ways. With the proliferation of online technology, are there some practical problems with that standard? I know I'm guilty of sometimes ticking the box to agree to certain terms and conditions when I'm trying to download something or do something online. Is it realistic to make consent the standard for electronic privacy protection?
4:15 p.m.
Chair, National Association for Information Destruction - Canada
I'm not an expert on that part of it, for sure. With regard to youth, I think you need to have more than just consent. I think you have to have protection before consent. You have to have the mechanisms to protect people before saying, “Click here to agree with our sharing your information”. You have to do it to a higher level. As adults, we have the choice to click “yes” without reading the box. Children don't....
4:15 p.m.
Prof. Jane Bailey
I wouldn't limit it to young people. This isn't about infantilizing adults or saying that people are stupid. This is a group of well-educated people in this room, and I'm sure most of us have no idea what we've agreed to in the privacy policies we've agreed to and would not have the capacity to understand most of the things that are being done with our data; nor would the data service providers be able to provide us with a comprehensible explanation of it. I'm sorry, I'm like a broken record, but consent in those circumstances is a word we say to make ourselves feel better about the horse we've unleashed from the barn that is just about to run over us.
4:15 p.m.
Director, Research and Public Policy, Boys and Girls Clubs of Canada
I would also add that in some instances, you have to check that box in order to even use the application. A young person who wants to use Instagram thinks, “Of course I want to use it”, so it's a choice between using it or not. You don't have the choice to say, I want to use it, but please don't use my information. That's not one of the options.
