Evidence of meeting #24 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was laws.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The fact that we do not have laws adapted to the technologies of the fourth industrial revolution at the beginning of the 21st century creates in itself an environment that gives rise not only to potential risks, as I said, but to real harm for individuals.

Would the Tim Hortons app situation still have occurred if the laws had been modernized? Maybe, but the chances would have been much less. Would the Clearview AI problem have occurred if the laws had been adapted to modern technology? Again, the chances would have been much lower. Regulation will not solve everything, but a strong law, rigorously enforced, and sometimes with penalties, is an incentive for all actors, departments and companies to respect the law. Clearly, Canada's delay in adopting modern laws has resulted in situations that have caused harm to Canadians.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

There is certainly a danger in inaction.

The Vice-Chair Liberal Iqra Khalid

Thank you, Mr. Lemire.

We'll now go to Ms. Collins for two and a half minutes.

Please go ahead.

Laurel Collins NDP Victoria, BC

Thank you, Madam Chair.

According to the departmental results indicator listed in the departmental plan, in the most recent fiscal year, only 45% of Canadians felt that businesses were respecting their privacy rights.

From your perspective, why is this number so low? The target for this indicator is 90%. What measures need to be taken to achieve that goal? Also, do you think that goal is achievable by the deadline of March 2023?

4:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

By March 2023, probably not.

Is it a realistic target to say that 90% of Canadians should have confidence that their data is appropriately protected by companies and government? I think it is. How long that should take—

Laurel Collins NDP Victoria, BC

What measures need to be taken in order to reach that target?

4:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think it's a function of a series of measures. It starts with a law that actually protects the privacy of citizens and consumers. It starts with that. As I say, it also requires that the regulator have appropriate resources, and I've said that I think we need to double our complement to apply the new laws that are about to come. The laws need to provide incentives for companies and departments to comply with the law. That is, in big part, what is missing currently.

Technologies do exist. They are attractive and—

Laurel Collins NDP Victoria, BC

I'm sorry to interrupt, but we have such limited time.

You also mentioned the need for independent, proactive audits. You mentioned it in your comments and in your introduction.

Can you talk a little bit more about why this is so necessary and how it would actually improve the work of your office?

4:40 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

In short, because individuals are not in a position to understand and know how their information is collected and used given today's technologies, there needs to be an independent third party like the OPC who can actually look under the hood, as we say, and do proactive audits to bring the level of confidence up because we cannot rely only on consumers to identify issues that they complain about.

The Vice-Chair Liberal Iqra Khalid

Thank you very much, Ms. Collins.

We'll now go to Mr. Bezan for five minutes.

Go ahead, sir.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Thank you, Madam Chair.

I congratulate and thank Commissioner Therrien for his very successful career, his service to Parliament and his service to all Canadians in the important work that his office has conducted over his tenure.

You said in your opening comments, Commissioner, that there could be no innovation without trust and there's no trust without the protection of rights. You're talking about industry and industry stakeholders. You go on to say that interoperable laws are in Canada's interest.

As we move forward as legislators, as you quite eloquently said, it's our responsibility at this committee, in the House of Commons and the Senate, to develop these new laws. What is the gold standard that we should be looking at for interoperability with other countries to ensure that our businesses and industries are competitive, while protecting the privacy rights of all Canadians?

4:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I hesitate to talk about the gold standard. Many people, when asked what the gold standard is, refer to the European Union's GDPR. It is certainly an excellent standard. There are similarities between our recommendations for law reform and the European GDPR. It is an excellent standard. Other countries have adopted similar laws—not exactly the same law.

I'm not advocating that Canada adopt a carbon copy of the GDPR, but there are elements of the GDPR that make a lot of sense, such as the rights basis, proactive audits and objective standards. By the way, the GDPR is sometimes, if not often, characterized as “prescriptive”, i.e., adopting rules that are too minute and get in the way of commercial operations. This is in contrast to Canada's laws, which are principles-based—PIPEDA being principles-based.

I think it is a misconception to talk of the rights-based law as a prescriptive law. A principles-based law is in Canada's interest. We need to have tech-neutral and industry-neutral laws in the technological sector. That makes a lot of sense. In the very same way, a rights-based law protects citizens with rules that are at the same level of generality as a principles-based law. Therefore, both principles-based law and rights-based law are equally adaptable and flexible to the digital world, which is a necessity with the digital world.

4:45 p.m.

Conservative

James Bezan Conservative Selkirk—Interlake—Eastman, MB

We have the digital world that we have to work in, and then you also have the standpoint of working within confederation. As we know, every province is ultimately responsible for the regulation of the majority of businesses and industries, including on the privacy side, as we just saw with the investigation that you did of Tim Hortons' app with the privacy commissioners of other provinces

Are there any laws coming down at the provincial level that we should also be looking at adapting, or should the federal government be leading and the provinces be adapting to the laws that we bring in? As you said, they should be principles-based to ensure that we continue to have innovation and aren't creating too much red tape that will hamstring our businesses here.

4:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

At this point, the most modern law is the Quebec law, which is also a rights-based law. Some say that it is too prescriptive in some regards, for instance, in how it deals with cross-border data transfers. It may be a legitimate criticism of that law, but there are many elements of the recent Quebec law that I think you should be considering.

I would say that Ontario, of course, has not adopted a new law, but has put out very detailed and thoughtful consultation papers on how it might regulate the private sector. That is also worthwhile. British Columbia had a parliamentary committee that issued a report along those lines. All three of these provincial jurisdictions are advocating for rights-based laws.

4:45 p.m.

Conservative

James Bezan Conservative Selkirk—Interlake—Eastman, MB

I appreciate that.

A final question I have—and I believe I am probably getting close to the end of my time, Madam Chair—is on the investigation of Tim Hortons that you did. Quickly, how can you make sure that all of the data they collected has been purged permanently from their databases?

Also, are you aware of any other investigations being conducted against other companies that have apps that track the mobility data of Canadians?

The Vice-Chair Liberal Iqra Khalid

That concludes your time, Mr. Bezan, but I'll ask Monsieur Therrien if he wants to answer briefly.

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have a commitment from Tim Hortons that they'll delete it. If we have reason to doubt that, we can ensure that through technological means.

At this point, no, there is no other investigation under our control on geolocation. We hope that the lessons of Tim Hortons will apply to other companies.

4:50 p.m.

Conservative

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Thank you.

The Vice-Chair Liberal Iqra Khalid

Thank you very much.

We'll now go to Ms. Saks for five minutes.

Go ahead, Ms. Saks.

Ya'ara Saks Liberal York Centre, ON

Thank you, Madam Chair

Thank you, Monsieur Therrien.

Monsieur Therrien, in our conversations with you in this room, we have talked about the notion of de-identified data in relation to PHAC. I have a few questions I want to ask in the time that we have, but could you just briefly provide an update on the investigation you conducted on the de-identified data in relation to PHAC?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's still ongoing.

Ya'ara Saks Liberal York Centre, ON

Okay, so there's no conclusion as of yet from it?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Ya'ara Saks Liberal York Centre, ON

That takes me into more of a general question of where we're at. Given that you expressed your support for innovation, but being mindful of its applicability in terms of privacy, and given that mobility data can improve everything from how we manage our public health to where businesses put their shops—and Google knows where I and all of us go grocery shopping weekly—and the associated privacy protections that are needed to support innovation, do you support establishing a standard for the de-identification of data? We heard here, for example, of privacy by design. Do you support a set of standards for that?

4:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, with the condition that technology will change. A standard that would be a good standard in 2022 might no longer be good in 2028. This would need to be reassessed with technology. There might be a technology that makes re-identification in 2028 much easier, for instance, so the standard would need to evolve. But, yes, the idea of having a standard is certainly appropriate.