Information & Ethics Committee on Sept. 25th, 2017

I'm a big fan of consent. I just think that in some circumstances it isn't realistic, and I'm afraid this is one of them. It's interesting to have service providers agree on a model of consent, but what that means is that they're going to have to agree on what algorithms are going to do. I actually don't think that's feasible. I'm a professor, so feasibility isn't usually a big deal with me. I usually put feasibility to the side and talk about principle, so here I am using my own argument against me.

First of all, I'm not sure that's feasible. Even if there was going to be agreement about what algorithms will do and what they won't do, most service providers don't want to disclose what their algorithm does because it's how they make their money. There's an intellectual property there that they don't want to share.

I worry that the more we build up people's idea that we shouldn't worry because we've taken care of consent, the more we'll lose sight of the fact that we're dealing with something that is so difficult to know. Maybe if we thought about regulating the processes by which information is being dealt with, then we could say we've created an environment where consent or informed consent actually makes some sense.

I just say good luck.

Oh, oh!

I think Canada has to make choices as to what will work for Canada. We don't have to take the United States model. I don't think that's necessary.

Or the GDPR model. We have different cohorts, different regulations and rules. We can set our own, but it should be meaningful and it should have enough teeth to make sure people comply with it. You can tier it, you can do all sorts of things there. It can be an absolutely “made in Canada” model for sure. I don't think we have to take the European model and say 4% and 2%. That's your job.

I agree with that.

We haven't really thought deeply about it.

In lots of industries it's not subjective at all. Certainly, CRA has rules with regard to how long you're keeping.... Financial institutions, the doctors, the lawyers, all have governing bodies that assist them in developing document-retention policies. There's a reasonableness test there, that when you reasonably no longer need that data, it's time to make it go away, unless the law says you have to keep it for a longer period of time.

Coming up with a policy for when documents should be destroyed is not a difficult process at all. Most companies have a retention policy as to how long they're going to keep documents. That's not the biggest hurdle there, for sure.

It's kind of like the current provision that talks about accuracy and completeness in the principles in PIPEDA. It's because it's kind of amorphous that it becomes difficult to use it or to know when an organization is.... In some cases, no. Maybe in health care, no. Maybe in the context of health care, or those kinds of situations, you might be able to know.

Right.

In the online context and the data that's being kept by service providers, it's supposed to be accurate and relevant to the original purpose for collection. If the original purpose for collection is to use it to create aggregates for marketing, then when does it ever not become relevant? I think it is difficult to do that. I think the reason these principles are general is that to say something specific would not work for all the kinds of data you're dealing with.

It is in 2019.

We're hoping to bring young people together to talk about the Internet and what they want, and privacy will be a big part of that. If any of you would be interested in being part of that, you can let me know.

However, that's an informal process. We should start thinking about formal processes that look a lot more like the human rights committee in the Senate, where hearings were held on bullying and cyber-bullying. These things do directly affect young people, and they often affect them in different ways than they affect adults.