Information & Ethics Committee on May 9th, 2024

We have ongoing complaints and litigation with some of those social media platforms, so there are clearly some issues that we're looking into.

We were in litigation following a complaint decision on Facebook. We have a matter vis-à-vis Google in terms of questions on the de-indexing of information. We're looking into our investigation of TikTok.

These social media platforms are attending and participating in terms of the global privacy discussions and meetings, and they are providing their input. They are listening to the comments and the input of the community, but I will continue to reiterate to them through both our promotion and persuasion tools and also the compliance tools where necessary.

Data about people's location and visited websites provide information about their interests. That is why we are concerned about browsing and localization cookies, and the use of this information to profile people.

So, indeed, refusal is an element that would be relevant to the protection of information. That is why the discussion about witnesses and accepting them is important, because it is all about getting information pertaining to our areas of interest.

By refusing cookies, you restrict the use of certain things. Some uses are unavoidable, however, and there will also be a request for consent to use the information for targeted advertising, for example.

One of my concerns is that these choices are not always easy to make. The simplest choice is to accept everything. However, I would like the choice to refuse everything to be much simpler and more accessible. Often, you have to go through two or three other levels to get there, and even then, you have to provide details. On the other hand, the option of accepting everything is always there.

In my opinion, there is still work to be done here.

If the person leaves the site, no further information is collected.

However, we are rightly concerned that we do not always know what we are consenting to. It can also prevent us from accessing a service we would like to be able to use otherwise.

These elements are part of our thinking. Furthermore, as algorithms become more and more powerful, artificial intelligence can detect more things with less information. So we need to be vigilant in this respect.

Recently, for example, we carried out an audit in this area, but the results have not yet been made public. We did what we call a data sweep. Working with international partners, we randomly checked a number of websites to see if there were any deceptive ways of communicating on these websites that encouraged people to give up too much privacy. We have done this in conjunction with the authorities in charge of protection competition, because there are clearly overlaps. When we get the results, we will be able to say that we have concerns about certain sites.

So far, we have tended to comment on undesirable practices and targeted cases where we condemn an organization, which we do after receiving a complaint. There are ongoing complaints that are cause for concern.

For my part, I want to see more sites where privacy is included by default. My concern is that website visitors face a choice. It is easy to accept everything, but it is not easy to refuse everything.

Parameters can be set by default. Sometimes consent is given automatically. Sometimes, to continue, you have to click on “accept all”, and this is an aspect we are looking into. My colleague from the UK has made this a specific issue.

In Bill C‑27, for example, the emphasis is on making consent easy to understand and simpler. In addition, organizations are required to be more proactive, and there is a greater role for my office in preparing guidelines. It also provides for the authority to issue orders. So, that is why I think this bill is a step in the right direction.

Until proven wrong, I am going to assume that an organization will abide by the law. If not, there is recourse to the courts, hence the importance of being able to issue orders.

In Canada, certainly, most organizations or companies care about their reputation and their customers. They want to do the right thing, so they will comply with a recommendation. We saw that, for example, in the Home Depot case, where recommendations were made that were followed, and there was good co-operation.

However, it is important to be able not only to make orders, but also to issue fines. I am not saying this because I want to use these powers, but they help responsible decision-making and motivate decision makers to prioritize privacy. Without it, those decision-makers might prioritize other areas where organizations could be fined because there are no fines in our sector.

I think those numbers are low. This is one of the reasons we have highlighted technology and children in our strategic priorities. I think there is a sense that technology is more and more intrusive. It's relying more and more on data and on personal information to fuel tools and innovation, so there are some of the discussions we have been having here today in terms of consent to use websites, in terms of what can people do to protect their personal information. I think Canadians feel they are bombarded by requests for their personal information, so it's important that the institutions and the systems provide recourse and provide proactive discipline in organizations, not only to protect privacy but to be seen to protect privacy.

We are seeing these types of concerns. We are seeing that Canadians want to see more rigorous legal protections of their privacy rights. This is why we're advocating for a modernized legislation whereby I would have order-making powers. There would be the possibility of fines. There would be the possibility of real consequences if privacy is not respected.

We also need to see more proactive privacy protections that are done at the front end. I have been calling for privacy impact assessments to be a legal obligation, both for departments and for private sector organizations.

I think there's work to be done. It shows that Canadians care about their privacy and that collectively we need to be mindful of this so that Canadians do not feel, as they seem to now, that it can be a trade-off between your personal information and innovation.

In some of these investigations we're focused on the consent. Are you obtaining meaningful consent by Canadians, and are you doing that in an appropriate way with respect to the age? We have guidance on that in terms of the fact that what is appropriate for an adult isn't going to be appropriate for a child, for a minor.

There are different types of circumstances, and Bill C-27 recognizes that by protecting minors' information and treating it as sensitive, so that's an additional positive step to recognize the best interests of the child.