Information & Ethics Committee on April 17th, 2018

I don't think there's a short answer to that question, but if there were one, I would say that we have tried our darndest to come up with a reasonable answer in the study we've made in the consent report and the recommendations and measures we are taking in relation to it. You augmented that significantly, I think, with your report as a committee in February. So it's not one thing. It's a series of things.

On that level, I think the answer is that the personal information of individuals is something they need to be able to be in control of. You put it in terms of ownership, and that is something that is sometimes said. I would rather say that it is a human right, that privacy is a human right, to control your privacy, and therefore what information you allow to be known by others, and to what end, is because you choose to do that, because you think it provides a benefit for you, as opposed to giving consent for an extremely broad purpose, which is then open season for others to interpret as they see fit.

Yes, with legal rules—that's the role of government—to ensure that this philosophical concept is actually respected.

I believe the incentives to spread around data by people who are profiting from it are great. Giving in a little bit is not only a slippery slope; it is a foregone conclusion that it will happen to a wide degree, and it's just a matter of time before political parties and commercial list builders and consumer surveillance groups all come together and offer each other large sums of money for the data.

A suggestion I would have for looking into a potential kind of compromise would be to decide that everybody has a right to own their own data. If you want to give a charity the right or permission to share your data with another charity of similar mind, I don't think it's unreasonable to expect that the first charity you gave the information to should send you an email saying they're planning to share your information with such and such a group and ask whether that is okay—“Opt in here to share it”—or at least send you a notification that they are sharing it. Nothing then is done in the darkness; nothing is done under the table; everything is known, and there's a paper trail and there is consent.

It is more than time that Canada legislates. I have made that point many times. The GDPR, the European regulation, is certainly a good standard to compare ourselves with, but I think it's important for each country to develop its own legislation. There might be cultural or constitutional reasons that certain rules would be different, but certainly the European model is a good model. I've made a number of recommendations inspired by that model.

The main point is that it is high time—it is past time—to legislate.

I have both a positive answer to that and a negative answer to that.

I'll start with the negative. There is no way to guarantee that any bit of data, any string of characters you submit or that are identified with you, will not be propagated down the line to another company. Data multiplies. I see it all the time. There is just no way to prevent it. It's too prolific.

I do have a suggestion on how to work towards the goal of containing the amount of data that is multiplying out there for whatever purpose. That suggestion is to have on the books laws that have teeth. These companies will not deal with large databases of information if they know that it is a huge liability and a potential threat to their bottom line. It's not until the regulators can issue fines that affect profits and stock value that these companies will respect what the regulations say.

I can't speak specifically to the numbers and calculations, but I believe that is in the same vein as what I'm talking about, that, yes, it takes something with teeth attached to it to really get executives' attention. GDPR has gotten a lot of executives' attention.

Because of the ongoing investigation and our legal obligations, the most important of which is not to draw any conclusions before completing this investigation, I would like to qualify your remarks slightly.

The conclusions you attribute to me would be more a function of what we generally see, as representatives of a regulatory agency, with the behaviour of all companies and the legislation that applies to them. Every day, we see that privacy policies are very permissive in that they allow for a very broad use of information, which is not always consistent with informed consent.

Can we say that Facebook violated privacy based on the facts alleged? We will certainly be looking into it. Our investigation is ongoing and we cannot draw conclusions yet. I can tell you what issues we will be looking into, but we are not going to talk about any conclusions in this case.

In general, we will be asking ourselves whether the two companies we are investigating, Facebook and Aggregate IQ, have violated the federal privacy legislation and, in the case of British Columbia, the provincial legislation.

More specifically, we will be examining whether Facebook's privacy policies actually were too permissive and whether they played a role in the subsequent use of the information by analytics firms to give advice that may or may not have been useful to political parties, among other things.

We will also be trying to determine, as I said earlier, whether the recommendations made by the Office before I arrived in 2009 are still applicable in 2018.

Finally, we will be looking at the role played by Aggregate IQ in all this and how the company collected the information. Was it done in accordance with the legislation? We will mainly consider the type of data analysis that was done. Did the final product, as communicated to the political parties, comply with privacy protection laws?

All those questions are relevant, and we will examine them. Obviously, I cannot draw any conclusions right now.

Yes.

Factually, how does Facebook ensure that a third party, the people conducting the research, obtains the personal information of its users in a manner consistent with the consent given by the users and with the privacy requirements?

In addition, how does Facebook protect the data of its users against anyone who might want to use them for inappropriate or unauthorized purposes? I am thinking here of malicious hackers, the so-called bad hackers.

Finally, last week, Mr. Zuckerberg said that the time has come for Facebook to have appropriate regulations. So what does this mean for Facebook, especially in terms of our recommendations—in the Office of the Privacy Commissioner of Canada—of this committee's recommendations, and the European regulations?