Information & Ethics Committee on Dec. 5th, 2024

I believe that the contribution of your committee, through its reports and recommendations, as well as the contribution of my office, through its investigations and recommendations, are important. In fact, on our side too, we're taking a close look at public communications and user-friendly tools.

We need to reinforce the importance of privacy not only in general, but also in the more specific context of breaches. We sometimes tend to see this as a very technical issue. Yes, we don't like complicated passwords or multi-factor authentication. However, it's important to understand why this is important. In the world we live in, a lot of information is transmitted over multiple platforms, so we need to develop the reflex to realize that when information is compromised, it has a major impact on people.

These are lessons we can already draw from our first report. We told the people in charge that they were underestimating the impact it has on people. We also told them that, when the problem arises, you can't point the finger at one department or another. We're a team and we need to find solutions.

I think one of your recommendations, in the report you just tabled today, concerns privacy literacy, and I support it. Equipping people is very important. With my provincial and territorial colleagues, I'm discussing the idea that there should be mandatory privacy courses in schools. It should be part of the learning process. The more tools we can give people, the better.

However, I also think that we shouldn't relieve organizations of their responsibilities. So it's not just a question of equipping people. It's also about organizations making privacy as easy as possible for people.

I agree with you. We and our international partners reported this summer on deceptive cookie and consent form practices. We found that these practices were widespread. Complex language and psychological tools are being used to push people into making choices that are not good for them and that will make them reveal too much information.

So we need to better equip people to recognize such practices and challenge them. Organizations must also continue to do their part to make it easy for individuals to protect their privacy. It may never be easy, but it has to be easier than it is right now.

Absolutely. In fact, in our Home Depot survey, we found that when people asked for an e-mail receipt instead of a printed one, the information was communicated to Meta. However, this was not indicated at all to customers at the checkout. One of the company's responses was that it was in their policies on their website and that customers could find this information there. We told them it wasn't acceptable to put such a burden on people, and that it wasn't part of people's reasonable expectations to have to research this extensively before giving consent. This kind of practice leads to consent fatigue.

Recently, we won our case against Facebook over its consent practices. The Federal Court of Appeal pointed out that the texts on which Facebook's consent practices were based were often longer than an Alice Munro short story. It's complex and doesn't help users understand what they're consenting to.

Yes, that's right.

Oh, oh!

For the public sector, under the Privacy Act, I'm mandated to keep confidential the information that I received in my mandate, unless I'm making it public in an annual or a special report to Parliament, so there's a limit. In the private sector legislation, I also have to keep it confidential, but the act gives me the authority to make it public if I determine that making it public is in the public interest. That is the authority we regularly use to make private sector matters public, including with press conferences, so that's the practice.

In fact, the practice of the OPC used to be that, once a year, all of the public sector complaints were made public through the annual report. I decided to change that this year, because I felt it was too long to wait an entire year before making these things public. That's why we started doing special reports, including in this matter—to make it public to Parliament. I take the point, perhaps, of having more press conferences, and these should be done as well.

There's no benefit. I agree with you absolutely, Mr. Green. This is something that should be amended in the Privacy Act. We've been calling for legislative amendments to the Privacy Act for some time. It's a 40-year-old piece of legislation. This should absolutely be one of the changes.

In the meantime, I've started to use this special tool of doing a special report to Parliament, and we're going to reflect as to whether we can do more, including press conferences.

I'm sorry; I didn't hear the last part of your question.