Information & Ethics Committee on June 2nd, 2022

Digital ID, like all technologies, can be helpful and privacy protective or harmful to privacy depending on how it is designed. It is certainly conceivable that digital ID could enhance the verification process and the authentication process, allowing citizens to have access to services.

It is certainly conceivable that digital ID would be better from a privacy perspective than SIN numbers and the antiquated ways we have to identify ourselves currently. It all depends on how the technology would be designed. It is certainly possible that digital ID would lead to the data being available to many players or actors, corporate or governmental, that should not have access to all of this data, but it doesn't have to be designed that way. It could be designed in a way that provides authentication, which is the first part, and then controls correctly who in a department or who in a company has access to what information because they have a legitimate need for it.

Yes. I think digital ID is certainly an issue that has the potential to enhance access to services in a privacy-protected way. It's important to design it properly. It's entirely an issue worthy of consideration.

Estonia is often referred to, but it is a very small country with a very small population. It is a model, and if need be, my office could provide other examples, if you wish.

Sure.

Statistics Canada is a good example leading to my answer to Ms. Saks, namely that the principal amendment to make to the public sector law is to have a standard of necessity and proportionality limiting the collection of information by government institutions.

Statistics Canada had laudable objectives of better understanding certain problems of the poor's access to programs, so it went about getting extremely detailed—actually line-by-line—financial reports of banks and financial institutions to better understand citizens in order to give them access to better services. In our view, this very pervasive look at financial records was not proportional and necessary. We did not say that the objective was not laudable and legitimate, but there was just too much information obtained by this government institution. We have since worked with Statistics Canada and are still working with them to improve their systems, but I think the main lesson is that it is crucial that the standard of necessary proportionality be incorporated in a future public sector law.

I've actually started a number of activities during my term for the OPC to not only investigate violations after the fact but also to give advice to companies and departments as they design programs to ensure that those programs comply with the law.

We've already started quite a few engagement activities with government departments, and they are more and more popular among government departments. I would encourage the new commissioner to continue on that path. It is unquestionably much better to think about privacy protection—it's the privacy by design concept—early in the development of a program or initiative than at the end, obviously. We have started discussions, and we would encourage further discussions.

By the way, these discussions will hopefully provide better knowledge of privacy principles on the government side. On our side, it provides a better grounding of operational realities within which our privacy principles are to be implemented. It's a good and useful two-way conversation to have. I'm not saying it's always that meaningful and useful, but that could be one improvement to be made. We should continue these engagements to ensure that there's a true dialogue between the regulated entities that engage with us, and to be really conscious and aware of the context within which departments operate.

For Canadians, “Stay alert.” My overall thought is that given the complexity of new technologies and business models, I'm not expecting people to read 50-page privacy polices to protect their privacy. That's why a regulator is not a panacea, but it is really fundamental and essential. It will not solve the problem by itself, but it is really important that citizens have an expert body like the OPC to look after them, have their backs, and protect them.

Yes, there are certain measures that can be taken, but there is a very important limit nowadays to how people can actually protect their privacy.

I think the level of understanding and knowledge about the issue of privacy among the population is better now than it was eight years ago. That's one of the things I'm quite proud of. I don't claim that people are experts in privacy, far from it, but privacy used to be seen as an issue for experts, for technologists or for people who are maybe not quite on earth. Now we see that privacy is connected to the exercise of fundamental rights: democracy, in the case of Cambridge Analytica, surveillance, in the case of Clearview AI and Tim Hortons, etc.

Privacy is important, and I think people understand it better. It's a bit confusing, but people have a better understanding. It may bring some behavioural changes in the population. I hope it will especially lead to people putting more pressure on elected officials to pass the laws needed to protect them.

I don't think any consumer is asking for the right to have more privacy policies to read in order to be able to give consent. I believe that citizens want to participate in the digital economy and receive digital services from government in a secure manner, knowing that laws have been passed to protect them and that public bodies have been appointed to ensure that their rights are respected.

I think the biggest challenge is the appeal of new technologies. They can be very helpful and useful to society and to companies. Some companies have become extremely profitable. They provide very helpful services, but because new technologies are appealing and cheap to use, we forget that they also create harms. It is essential that the laws and how they are applied continue to facilitate responsible innovation, but reintroduce the idea that it should not be the wild west, that the Internet is not an unregulated place. It needs to be properly regulated, but it needs to be regulated in a way where, again, the rights we have acquired over the years, if not centuries, like privacy, are not set aside because technology is so easy, appealing and profitable.