Evidence of meeting #96 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was estonia.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Liia Hänni  Senior Expert, e-Governance Academy
Raul Rikk  Programme Director, National Cyber Security, e-Governance Academy

10:20 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

It started earlier. It was a part of Estonian state-building from scratch, actually, after the Soviet occupation. We had this vision and strong political will to build up a modern state and our technology. We had some technologically knowledgeable people, and also politicians who believed that technology could support us in these efforts to modernize and build a really modern state. There was no political opposition to the use of technology.

There was opposition when we introduced digital identity cards in 2001. There was debate in the constitutional committee. Some members of the committee asked why we needed this digital identity, what kinds of services the government would offer. It was difficult to explain at that time what exactly we would do with this digital identity, but we still had some vision that digitalization would go on and that sooner or later we'd need to have the opportunity to identify ourselves in the digital world. We made this very correct decision not to make our identity card for digital identity a voluntary action. You are obliged in Estonia to have a digital ID card. All citizens and residents of Estonia must have it.

10:25 a.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

I understand. I want to to thank you for that.

I want to turn back to the question of a government doing any data mining outside of just direct government services.

I can see the rationalization of a government's saying that in order to understand the impacts of a vaccination program or an economic program that it is running, one of the great datasets out there for how people are talking about a program or a service or a certain government policy is social media. As a government, we do polling all the time, but we also know that polling is limited in terms of its understanding. Many people are spending more and more time online, and more people are having their political or just their local discussions in social media environments.

You said earlier that the government doesn't do any data mining off the Facebook social media site. There are many others, and there are others that are more popular in Estonia. Why not? Why wouldn't...? Understanding the good-intentioned motivations—not even nefarious motivations—of a government to do this, and with the breaches just within Facebook itself, one could imagine a government having a contract whereby it would understand our latest child care policy and whether it's having any effect by mining data and finding out what people are saying about it on Facebook, Twitter, or Instagram.

10:25 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

In Estonia, social media are still very much used in the public sector, but that's basically for communication with citizens. It's not exactly necessary to take from Facebook this information on what people think about the government and government services. We are quite open to direct co-operation with our government, rather than through Facebook.

Definitely there is a lot of information in Facebook. I'm not speaking against this opportunity to use this information to improve services, for example, or to better understand political processes, but definitely not to profile our citizens in order to get some more political power and political interest. I think this is what you are talking about.

10:25 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

Profiling is not allowed according to the new EU data protection regulation. It is prohibited, basically.

10:25 a.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

I'm sorry. I missed the first part of your sentence. What is prohibited in the new EU regulation?

10:25 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

Profiling.

10:25 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

Profiling persons.

10:25 a.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

Profiling persons is prohibited in the EU regulation by governments. Sorry, just to be clear, has it been made illegal for governments to profile their citizens?

10:25 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

Yes. Basically, you cannot profile persons through the social media.

10:25 a.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

It would be helpful for the committee if you have that regulation handy, because I don't. I don't know if other committee members follow EU Internet regulation guidelines, but if your government were able to provide that to us, that would be something I would be personally interested in.

Thank you, Mr. Chair.

10:25 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, gentlemen.

Next we have Ms. Vandenbeld and then Ms. Murray.

We are a little tight for time. We still have five minutes of committee business to deal with, so I have to cut things off at that point.

Go ahead, Ms. Vandenbeld.

10:25 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Liia, you mentioned that this is part of state-building in Estonia. This is something that goes back a few decades now, and from the very beginning it was imagined that you would get to where you are today.

If you have existing very sophisticated architectures that weren't conceived and built bit by bit in that direction, is it harder to take existing architectures and then apply this than it would be, for instance, to go into an emerging democracy and start from scratch? Are there are challenges that come with the fact that you already have government services and digitization in various departments that are already centralized? Looking at the fact that we're already very sophisticated, how difficult would it be to do what Estonia did?

10:30 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

Sometimes I think it was easier for us to build a system by seeing technology as a facilitator. In many democratic governments or democracies, governments are already working very well, so there is no pressure to change the state processes and to use new technology, but I think that because development will go on and the use of technology by citizens will go on, the government therefore also needs to understand that it is time to reconsider how government is operating.

It's hard, because you have this system that is working well, so why should you make another plan for government development? I think it is necessary, but it needs a lot of political energy, understanding, and strategizing to have some new goals in terms of how countries should meet this 21st century. This is actually very interesting work for the politicians of the world in terms of understanding these opportunities to pick a wide national consensus about the direction that the country would like to take. This is why I congratulate you. You have this opportunity now.

10:30 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

If I may add to that, the process is still going on. I've put up one slide that shows the main regulations in the EU. The same thing that has happened in Estonia is now happening in the EU states. The first directive, the EU data regulation, is all about electronic identity and providing digital trust services. The second directive is about how to manage incidents. The third one is about data protection.

Now the EU wants to take on the same logic at the EU level. In the last five to 10 years, the EU has made significant efforts to put forth and agree on these regulations and directives, so now this will be even bigger.

March 22nd, 2018 / 10:30 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

In terms of compelling reasons, I think 2% of GDP saved is a very compelling reason.

I'll go back to the trust issue, because of course we're in a very different environment today than we were in the 1990s or the 2000s in terms of the level of trust that citizens have in digital data and also in government.

Ms. Hänni, could you talk about what the level of trust was in government when you embarked on this, as opposed to, for instance, the fear there is if you're sharing information between departments? I know we've had concerns in Canada that certain information is being shared with security services, or that we have health information or tax information being shared with other departments.

How do you protect against this? What would you see as the level of trust that citizens had in government generally and in the Internet and how it might be different today, and how would we overcome that?

10:30 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

How to build trust I think is your basic question.

It depends on the situation you have in your country. In Estonia, coming from this totalitarian system where Big Brother was watching us all the time, and our own government, it was such a different situation that we didn't even ask if we should be concerned that our own government would misuse our data. This problem of non-trust has been so strong in Estonia, as I understand it, but still people should know how a system works. With their having this concern, government should be able to explain what is behind this data exchange and how citizens' data is protected. There is lots of work there, and there is a rising need for that.

However, once again, paper documents are much more unsecure than digital information.

10:35 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

I have one other quick question. It's about age. At what age do you start collecting the data? Is it at birth? Is it when people first get a driver's licence? At what age would the citizens themselves be able to access and have control over their data?

10:35 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

Actually, the first digital data will appear in our system when a baby is born. Already then, as I said, they're a digital citizen of Estonia with a personal identification code, with even a digital ID card, because it can be used for travelling. Parents, of course, are responsible for the data on their babies and can also access their babies' data—for example, medical data—but we have no time to speak about these medical records, the medical systems we have.

Yes, collection of data starts from birth, actually, but again government can collect data only when there is a legal power given to the government to ask for the data. This is very important to understand. It is not up to the different government agencies to ask for my data if they have no legal grounds for it. This kind of authorization of data usage by different agencies is based on law. When public servants want to go into the system, they need to have this authority—

10:35 a.m.

Conservative

The Chair Conservative Bob Zimmer

I'm sorry, Ms. Hänni, but we have one last question and we only have about two minutes left.

Sorry, Ms. Murray; we have approximately four minutes or less.

10:35 a.m.

Liberal

Joyce Murray Liberal Vancouver Quadra, BC

Thank you very much. I just want to thank you for your country's leadership on digital government. I had the pleasure of spending time with Siim Sikkut, your CIO, in Wellington for the signing of the Digital 7. Estonia clearly is positioned as a leader in the international community, so congratulations.

I wanted to ask about watchdog functions. If someone has a complaint around a breach of privacy or perceived breach of privacy of data, is there a watchdog?

In our country we have a commissioner with respect to privacy. We also have a commissioner whose job it is to deal with complaints and do investigations. They have order-making power with respect to access to government information by citizens. I'm interested in Estonia's structure of compliance and oversight. Specifically, I'm very interested in whether the privacy oversight is combined with the access to information oversight, as it is in New Zealand and in many of the other leaders I spoke with in Wellington. We have separated those functions, and I'm interested in Estonia's approach.

10:35 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Ms. Murray.

I'm sorry, Ms. Hänni and Mr. Rikk, but could we get a written response to Ms. Murray's question? Can you respond that way? We're out of time, unfortunately.

I want to thank you again for presenting to us in Canada. I appreciate your time and all the patience in working out our technical difficulties. It's much appreciated.

Thank you for your leadership on digital governance.

We're going to suspend and go in camera to deal with committee business.

[Proceedings continue in camera]