Evidence of meeting #24 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was laws.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It was not the dream of certain companies or departments to be investigated by the Privacy Commissioner, and I understand that. In the case of the mobility data, the government used experts. It was not legally required to consult us on the details.

To my mind, the basic issue is that citizens do not have the information they need. In any event, the rules governing the use of technology and information are so complex and the contracts are so complicated that we cannot expect that the normal and usual course of action for a consumer with a potential problem would be to lodge a complaint with my office.

That leads us to proactive audits. In my opinion, proactive audits would be very helpful in restoring trust in government and companies as to the use of mobility data. They are already conducted in other countries, and even in some Canadian provinces. They would allow the commissioner's office to verify compliance, or in other words to guarantee citizens that their data is being used correctly. From time to time, the commissioner's office could conduct specific audits to ensure that, in a given sector or company, the information that the company or department says it is using in accordance with the law is indeed being used that way.

Ultimately, what the government did was legal under the current act. In my opinion, however, it did not inspire a great deal of confidence in citizens and consumers. The commissioner's office needs the tools to conduct these proactive audits. They should not be broad or seek to examine all commercial or government activities. Rather, they should evaluate the risk and the environment to ensure that certain practices that might be problematic for the public are subject to investigation. In addition, the concerns would have to be confirmed, in which case the commissioner's office could recommend or, better yet, order changes, or confirm that everything was done correctly. That would inspire public trust.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Indeed. As you know, the RCMP obtained licenses from Clearview AI. Allow me to quote your report of February 2, 2021:

In addition, we have determined that Clearview has collected, used and disclosed personal information of individuals in Canada for inappropriate purposes that cannot be justified by obtaining consent.

Can we say that the RCMP was negligent or in violation in its use of facial recognition technologies?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would not say negligent. I have pointed instead to public-private partnerships. The government and its institutions are increasingly calling upon private companies that have developed technologies—which is normal—to help government carry out its programs. In this case, it was the RCMP.

It is normal for a federal government institution to call upon the private sector, but in so doing it must not be able to use data that it could not collect itself. Violations of laws cannot be subcontracted to the private sector.

In this case, the company clearly violated the law applicable to the private sector, that is PIPEDA, or the Personal Information Protection and Electronic Documents Act. The RCMP called upon this company, which violated the law.

In our opinion, a reasonable interpretation of the law for the public sector, which governs the RCMP, is that it should have verified the legality of the company's practices, which it hired by contract. This applies to the RCMP, but equally to all government departments.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Quite right.

Thank you, Mr. Chair.

4:20 p.m.

Conservative

The Chair Conservative Pat Kelly

We now have Ms. Collins for six minutes.

Laurel Collins NDP Victoria, BC

Thank you, Mr. Chair.

I also want to thank Mr. Therrien for all the work he's done. I remember the Harper government's Bill C-51 in 2015. I so appreciated your criticism and commitment to upholding Canadians' privacy rights. That has been ongoing. Thank you for your service.

In your departmental plan, you indicated that your office is reviewing potential structural and operational changes. Can you describe what changes you're considering and what impact they might have?

4:20 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll be glad to do that.

As I recall, Bill C-11 was tabled in the fall of 2020. The government has announced that a successor will be tabled in 2022, perhaps before the summer.

I thought it was important that the OPC start thinking about how it would be organized to inherit new responsibilities that the earlier Bill C-11 would have given the OPC. We don't know what the new bill will say, but there's a chance, of course, that it will have many elements of Bill C-11. The idea is to get ahead of the curve and think about how we would exercise these responsibilities, so we're not caught off guard if the transition period after the adoption of the bill is shorter than we would hope.

Among the responsibilities that Bill C-11 would have given the OPC—and we think it's likely this will continue to be the case—is order-making. It would be subject to appeal before a tribunal, which we think is unnecessary...but still order-making. That would require, we think, the setting up of an adjudication branch of arbiters or adjudicators. Right now, we have investigators who make recommendations, but with new legislation that has order-making powers, we would likely need to have adjudicators somewhat distant from investigators to ensure the fairness of processes.

That is one area we looked at.

The bill also provided for a review function of the code of practice.

We have looked at all the new authorities Bill C-11 would have given the OPC, and we have given some thought to how we would exercise these responsibilities.

Laurel Collins NDP Victoria, BC

Thank you so much.

You also mentioned that, in July, foreign nationals abroad are going to have the same rights as Canadians in terms of their ability to request access to personal information.

Can you explain how the extension order will impact the operations of your office, and how much of an increase in complaints you expect to receive as a result?

I will then have some questions about budgets.

4:20 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll start by explaining what the current law is.

The Privacy Act gives Canadian citizens the right to access personal information about themselves held by the government. That right does not exist for foreign nationals, except when they proceed through Canadian agents—

Laurel Collins NDP Victoria, BC

Just because we're quite short on time—we have about a minute—do you want to...?

4:20 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

To cut this short, the government expects that there will be a very significant volume of access requests by foreign nationals, some of them immigrants interested in their immigration status, and proportionally there will be an increase of complaints with the OPC. We think there will be an important resource demand for the OPC. We have made a request to the government, which has not been denied. It's under consideration. We think it's really important to receive funding for this activity.

Laurel Collins NDP Victoria, BC

You have stated that you communicated your need for increased funding to the government, yet no new funding was provided.

4:25 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Laurel Collins NDP Victoria, BC

Did the government provide a response to why they refused to increase the funding to your office? Do you feel that the federal government is responsive to the needs of your office?

4:25 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

For the extension order, there has not been a refusal. The request is still being studied.

Laurel Collins NDP Victoria, BC

And overall?

4:25 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Overall, I think the issue is that we're going to inherit many new responsibilities, first under this order and then under new laws in the private sector or public sector. That's why we think we need to increase our resources significantly, probably to double them. When you look at other data protection authorities, that's generally the trend.

We have had some budget increases by the government, but definitely, with new responsibilities, we will need significant new funding.

Laurel Collins NDP Victoria, BC

You briefly mentioned backlogs and that you had the bridge funding. Do you expect that there will be continued complaint backlogs going forward?

4:25 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

At this point, we're in a situation where unless we're provided further funding, yes, we expect the backlogs to grow. But I'm an optimist, and with new laws and a new extension order, I certainly hope there will be some funding that will help ensure that we can deal with these complaints in a timely manner.

Laurel Collins NDP Victoria, BC

Thank you.

4:25 p.m.

Conservative

The Chair Conservative Pat Kelly

Thank you.

Mr. Williams, you have up to five minutes.

4:25 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you, Mr. Chair.

Mr. Therrien, thank you. I'll join the rest of the committee in thanking you for your service, sir.

You made a great statement in the text of your remarkts that it is “neither realistic nor reasonable to ask individuals to consent to all possible uses of their data in today’s complex information economy”, and you specifically mentioned AI. You also said, “While disruptive technologies have undeniable benefits, they must not be permitted to disrupt the duty of a democratic government to maintain its capacity to protect the fundamental rights and values of its citizens.”

We're going to start with a case study just to kind of go through this. What I'd like to do is to try to relate this to changes that we need to make to Bill C-11, whenever it comes back to us. Yesterday you made a statement regarding mass surveillance of Canadians through the Tim Hortons app. Canadians who downloaded this popular app learned that their movements were being tracked every few minutes. You rightly pointed out that this kind of tracking can reveal to the company where people live, work and go to school, even where they may take medical appointments.

When it comes to Bill C-11, what changes do we need to see so that this doesn't happen further to Canadians?

4:25 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll speak in some detail, but I would refer you to the key recommendations for a new private sector law that accompanied a letter I sent to this committee further to its study on data mobility. There are two or three pages of specific recommendations. I'll just point to the ones most relevant to your question.

When consent is appropriate—it's not always appropriate, but when consent is appropriate—it is very important that it be meaningful. Bill C-11 would have removed from the law the requirement in the current law that consumers need to have the knowledge and understanding necessary for consent to be meaningful. I think knowledge and understanding, which was not in Bill C‑11, needs to be reintroduced in the law.

Bill C-11 also allowed companies to define purposes for which they would collect information almost unfettered. Other laws provide parameters. Companies can only collect information for purposes that are “specified, explicit, and legitimate”. That allows the regulator to then determine whether the purposes defined by a company were indeed specific, explicit and legitimate.

Another important factor is accountability. We think that accountability in Bill C-11 was defined to broadly. It is important that corporate accountability be defined by an objective standard, i.e., adopting procedures to comply with a law. Bill C‑11 simply said that so long as companies adopt procedures, that's a demonstration of accountability. That is too subjective. The law needs to set out objective standards such as accountability means and procedures to comply with the law.

In broad terms, the law should not refer to subjective standards defined by companies or departments. The law should define objective standards that are knowable by citizens and companies. Companies would know and would have certainty through objective standards. These objective standards could be examined by the regulator to determine whether indeed the company was accountable in such a way as to comply with the law or whether there was sufficient consent based on knowledge and understanding by the consumer.

4:30 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you very much. That's very helpful before we move forward on trying to make that work for Canadians and for Canadian companies.

Just to go back to Tim Hortons right now, as a result of your intervention, did they end up stopping the tracking they were doing?

4:30 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The Tim Hortons application did indeed track their users' movements every few minutes of every day. I think that shows, among other things, that the current law—in part because it does not have penalties and in part because it does not define accountability as I've suggested—allows companies to use technology because it exists, because it may be helpful or useful, and eventually to collect information even though they may not have a direct use for it.

Before companies engage in the use of these technologies, they should be required by law to properly assess the privacy risks of that activity and they should only collect information to the extent that it is proportionate to the uses of their commercial objectives.