Information & Ethics Committee on May 10th, 2021

Thank you, Mr. Chair. Can you hear me?

Good morning, Mr. Chair and members of the committee.

I am pleased to meet with you for the next two hours to discuss our 2021–22 Main Estimates, our activities in general, and then the fundamental issue of facial recognition. All of this, of course, in a context where a very important bill, Bill C-11, has been introduced in the House of Commons.

Last year was one of transition for many organizations, and our office was no exception. We quickly shifted to adapting our processes to continue serving Canadians during the pandemic.

It was also a year of transition on the budgetary and legislative fronts. Our office received a permanent increase of 15% in the 2019 federal budget to address the most urgent needs of the OPC pending legislative reform. This allowed our office to expand our policy and guidance functions, to enhance our advisory services for organizations and to address pressures resulting from new mandatory breach reporting requirements in the private sector.

We also received temporary funding to help us reduce a very large part of our investigative backlog of complaints older than a year. We met and even surpassed our target and reduced the overall backlog of complaints by 91%. We are very proud of that.

Over the past year, our work has included the publication of guidance on protecting privacy during a pandemic, as well as a contextual framework for government institutions to protect privacy in the context of COVID-19 initiatives. Consistent with this framework, we reviewed and advised the government on the COVID Alert app. Following a public consultation, we released key recommendations for regulating artificial intelligence.

We also completed our first breach records inspections report—again, this is about data leaks. In addition, we analyzed and provided recommendations on several legislative initiatives. This included a submission on the statutory review of the Access to Information Act, another submission on the modernization of the public sector Privacy Act, which was the subject of a consultation by the Department of Justice.

Finally, after a detailed analysis of Bill C-11, we completed another brief. All these documents, with the exception of our brief on Bill C-11, are available on our website.

While the injection of funds in the 2019 budget helped us to reduce our backlog and to increase our capacity, there is still a very significant gap. Given the marked acceleration of digitization caused by the pandemic, we continue to struggle meeting the demand in guidance, guidelines and advisory work, and to assist our investigators to address complaints filed by concerned Canadians.

In the government's fall economic update, funds were allocated to support the implementation and enforcement of Bill C-11. This is clearly a good thing. However, now that we know the extent of our new responsibilities under this legislation, we believe additional funding will be required.

Bill C-11 imposes several new responsibilities on the OPC, including the obligation to review codes of practice and certification programs and give advice to individual organizations on their privacy management programs. It should be noted that these are non-discretionary activities, meaning that every time an entity or organization seeks our advice or approval, we will be required to provide our considered opinion.

We welcome the opportunity to work with business. In recent years, I have restructured my office towards a greater proactive approach to guide and engage with organizations toward compliance with the law. We created two new directorates to engage proactively with private and public sector organizations, on a voluntary basis, on privacy risks of a high-impact nature. These activities have increased during the pandemic. Actually, they've been very popular.

As you know, another role we play is to investigate complaints alleging violations of the act. However, it is not our only role. In order to be an effective regulator, we must be able to be strategic in our enforcement and advisory activities, applying a risk-based approach.

As we explain more fully in our submission on Bill C-11, we are concerned that with the non-discretionary nature of our responsibilities under that bill, we will not be able to both serve complainants and organizations and focus on harms to Canadians in general. The issue here is not primarily financial, although in our view additional resources will be required. The OPC should have the legal discretion to manage its caseload, respond to the requests of organizations and complaints of consumers in the most effective and efficient way possible, and reserve a portion of our time for activities we initiate, based on our assessment of risks for Canadians. Such discretion is enjoyed broadly by domestic and international regulatory partners, both within and outside the privacy protection sphere.

Another option to balance our various activities could be ensuring that the OPC's role of approving codes of practice and certification programs under the proposed Bill C-11 be conditional on the payment of a cost recovery fee to ensure that we have the capacity for that task as well as for our other priorities. No regulator, ultimately, has enough resources to handle all the requests it receives from citizens and regulated entities. It is important that my office have the flexibility to allocate resources in ways that will offer the most benefits for Canadians and adjust activities to address new and emerging trends.

In addition to changes brought by C-11, proposals made by the Department of Justice in its recent consultation on modernizing the Privacy Act, the public sector act, would also see significant changes to our role in the public sector, of which we are largely supportive. This includes a new public education mandate, the power to issue guidance to government institutions, a role in issuing advance opinions and overseeing pilot projects, and greater discretion to publish compliance outcomes, among others. Justice's proposals also include an enhanced compliance role for our office, such as expanded proactive audit powers and a form of order-making. We have already begun to plan for these eventualities.

In closing, I would like to point out the fact that, as we look to the future, it will be important that modern privacy laws allow us to act as an effective regulator. Our office should also be provided with the financial resources necessary to implement these laws.

I look forward to working with Parliament on improving the legislative proposals to ensure our modern privacy laws adequately protect the privacy rights of Canadians, while promoting responsible innovation.

Thank you for your attention.

I welcome your questions.

We have efficiencies, but not really due to the telework environment. We had to adjust very rapidly, obviously, to the telework environment, ensuring that our colleagues, our employees, had the required technology to continue to provide their services. There was no increased efficiency due to the pandemic, but there was no loss of efficiency either.

There were efficiencies due to technology regardless of the pandemic, in that, for instance, we used, for the first time, an electronic form for the filing of complaints leading to investigations. That allowed us to be more efficient in the first stages—the triage part of our investigations. So technology did help at the end of the day, yes.

Technology will certainly be part of the solution. We're working right now on a way to use technology when we receive breach reports, for instance, by companies. We think that automation can help increase efficiency in reviewing these reports.

At the end of the day, though, I think the greater use and the huge acceleration of technology in recent years, and particularly due to the pandemic, means that we have many more issues to examine. Overall, there's a need to increase resources, but we're doing what we can to increase efficiencies.

It's simply due to the fact that I have not yet been called to testify on Bill C-11. I'm waiting for members of Parliament to send me an invitation. We're ready to go, and as soon as we have a request from members of Parliament, we will be very glad to oblige and put this up on our website.

As I mentioned in my statement.... First of all, I need to acknowledge that in the economic statement of last fall, I believe something in the order of $18 million annually was set aside in that quasi-budgetary document. However, this was not only for the OPC, but for all of the government institutions that will be called upon to implement Bill C-11. We will have a share of it.

That amount was arrived at after consultation with our office before we saw Bill C-11. Now that we see Bill C-11, we see, in particular, our role in approving codes of practice by industry and giving advice upon request to companies about their privacy programs. We did not know that when we gave our estimates to the government, but now that we do, increased funding will be required.

Beyond increased funding—and I'll repeat the point that I made in my statement—we are totally welcoming of the role given to us by Bill C-11 on codes and advice to companies. However, frankly, we cannot do that for each and every request that we will receive. It's why I think we want to engage with business in that regard. Some additional funds will be required, but we also need discretion to manage our workload and to continue what we have done until now, which is to offer our services but not have to answer each and every request. We deal with those that seem to raise the higher privacy risks, for instance.

This is in part about money and in part about discretion for us to say yes to most requests but no to others if our budget cannot accommodate this.

In a word, yes.

Before the pandemic, we were already in a world where a digital revolution was unfolding. The pandemic made this revolution explode. As a result, public and private organizations, including commercial enterprises, are having to go increasingly digital and are therefore asking us more questions about how to do things in a privacy-friendly way.

A number of businesses and organizations have come to us, including a group in Toronto that provides advice to businesses across Canada, as well as a number of federal government departments, particularly Health Canada. These groups have turned to us for advice on new programs that have had to be created extremely quickly as a result of the pandemic to ensure that this is done in a way that respects privacy.

There is no shortage of topics that could be investigated. So we need to use our resources to investigate the topics that pose the most risk. For example, we started an investigation into the use of artificial intelligence in employment. This seemed to me to be a particularly important issue because of the serious risks it poses for job applicants.

The challenges lead us to make choices. For all departments, financial resources are not unlimited, and we are not asking for an unlimited budget either. It's normal that our financial capacities have limits. We try to allocate our activities based on a risk analysis. Among our activities are investigations, which we take the initiative on, as opposed to complaints. People come to us with complaints that we have to respond to. It's important to respond to them because, for them, we are a mechanism for access to justice for citizens. However, they will not necessarily be aware of the practices that are the most risky for privacy, hence the need to be able to start investigations ourselves. We need to be able to do both.

Furthermore, we also need to play a proactive role, for example, by providing advice to companies and government departments and issuing guidelines. Bill C-11 will give us an approval role in codes of practice and allow us to advise companies. All of this is great, but because of the accelerating digital revolution, we need more funding. We are in the process of quantitatively assessing our needs. Unfortunately, some requests will have to be denied because we can't do everything.

I'll go out on a limb and say that in terms of the private sector, it's probably about 50%. In addition to that, new roles would be given to us as part of the Department of Justice's proposed reform of the public sector, if that were to happen in the not-too-distant future. A substantial increase in the budget would then be required.

Obviously, Parliament will make a decision based on the scope of our requests. However, we're talking about a substantial increase because of two factors: the acceleration of the digital revolution and the privacy issues this poses, on the one hand, and on the other, the new responsibilities we'd have under this bill.