Okay.
Evidence of meeting #5 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was good.
A video is available from Parliament.
Evidence of meeting #5 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was good.
A video is available from Parliament.
11:30 a.m.
Conservative
11:30 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you.
Through you, Mr. Chair, to Mr. Therrien, I just want to introduce myself as the honourable member representing Hamilton Centre. I only have about six minutes, so I'm going to put some questions to you in a rather rapid way. I ask for your forgiveness if it seems as though I might move you along on a particular question to get to the next one.
I share the concern of members around the table about the discrepancies regarding what we heard in our February 3 meeting, last week, what the Public Health Agency of Canada presented, along with the minister, in terms of what the engagement was with your office. I've heard you now say that you were informed. I'll share with you that in the previous meetings there was the implication that there was a collaboration or a consultation.
I want to be clear on the difference between having your office be informed of something on an ongoing basis versus what it might look like if you were actually engaged in consulting with the department on matters of privacy. In a brief description, can you just lay out the difference between those two things?
11:30 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
When we are in engagement, whether with a public sector institution or a commercial organization, we receive detailed information about the information flows and the protections given to information, so as to be able to say not only that in principle privacy is respected, but that in fact we have actually looked “under the hood”—to use an expression—to ensure that indeed the personal information of Canadians has been protected.
Here, we did not have a chance to look under the hood.
11:30 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I will take it that it will likely be part of the ongoing investigations that you have, based on complaints, to look under the hood in terms of the framework that you put forward, which was explicit in terms of the need for technical and other means to be implemented to protect the information. Is that correct?
11:30 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Indeed, and the law, of course.... We'll look at our framework and the law.
11:30 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Can you be more explicit about your framework? Without getting into the deep technical weeds, are all ministries, all departments within the federal government, aware of your framework, given the very sensitive nature of this time during COVID and the sharing of information and the effects on privacy?
February 7th, 2022 / 11:30 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
The framework was distributed to all departments and we have certainly had discussions with several of them, so my sense is that indeed the framework is known within the federal government.
11:30 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Are other departments actively engaging you in a more one-to-one consultative process?
11:30 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
There are a number of departments, maybe not a majority, but Health Canada certainly.... The Public Health Agency is the agency that consults us the most during the pandemic. One would expect that. A number of other departments—
11:30 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Except for this. Just to be clear, when you offered to review their technical means to use de-identified data and provide advice, PHAC declined. Is that correct?
11:30 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes. They informed us of the program but declined our offer to look under the hood.
11:30 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I'm going to switch gears now. Something that I'm very interested in is your identification of the urgent need for law reform. I couldn't agree more. Rather than have this study be a giant fault-finding mission, my hope is that facts could be presented to this committee that will become part of the recommendations of this committee to ultimately reform the gap between...what you've identified as legitimate uses for commercial interests and social good.
In the remainder of this time, could you present to this committee some of the points of urgent law reform that you would be exploring and recommending, in a preliminary way?
11:35 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I would start with the fact that data, including personal data, is necessary for economic development, economic growth and for the social good. We're not saying that data should not be used. It is the way of the 21st century. It is the way of the future.
However, the fact that data can be used for good, of course, does not mean that it is always so. We have seen many cases over the years of data used against the interests of individuals. Think of Cambridge Analytica, for instance, and the link to democracy.
The framework needs to allow for flexibility and innovation in the use of data for legitimate commercial interests and the public good, but within a framework that protects privacy as a human right, enforced by a regulator who can audit or investigate to ensure that, in individual circumstances, the data indeed was used correctly or not, and when not, there should be consequential penalties for players, corporations, that have violated the law.
Essentially, that is the framework that we have.
11:35 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
You referenced Cambridge Analytica. That to me brings up Facebook. We look right now at Europe's restrictions on Meta's use of U.S. servers under a so-called “privacy shield”. Is there a need for us in Canada to have our own privacy shield as it relates to international servers?
11:35 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I would say simply this: not necessarily a privacy shield, but laws need to be interoperable between countries and within Canada.
11:35 a.m.
Conservative
The Chair Conservative Pat Kelly
With that, we go to the next round.
We will begin with five-minute slots, starting with Mr. Kurek.
11:35 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thank you very much, Commissioner. I appreciate your being here to join us today and share what I think are very valuable insights into this important subject. There seems to be a key metric here, the de-identified and aggregated data really being the capstone of what we're trying to get to the bottom of.
Commissioner, the minister this past week said that they had biweekly meetings with the Privacy Commissioner's office. I believe that's what the minister said. Did the subject of this data and what “de-identified” and “aggregated” actually meant come up during any of those meetings?
11:35 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
It is true that we have had meetings roughly every two weeks with the Public Health Agency on various measures related to COVID and their impact on privacy. In the period in question—it was in the early days of the pandemic, March and April 2020—there were a lot of subjects being discussed, including the COVID Alert app. We were informed of the particular program that you are currently reviewing on the basis that the government felt that it was obtaining anonymized and aggregated data. It's on that basis that we offered to provide advice. It was declined. We don't have a role to pre-authorize every government initiative, so we left it at that.
11:35 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
That you for that, Commissioner.
When it comes to de-identified and aggregated data, what are some of the risks associated with that? We have yet to hear or see exactly what that data looks like. Could you describe some of the risks that could be associated with that, and maybe provide a definition of what that means, especially in the context of something like this? We're talking about the data of what has been suggested—although there are varying accounts—to be 33 million mobility users' information.
11:35 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Data is de-identified because it was originally identifiable. We start with personal information. There's no question that a telco like Telus had information about its users' mobility data, because it is necessary for Telus to obtain that information in order to deliver the service that they offer to their clients. You start with what is clearly personal information about users of telecom services. De-identification means that you transform that personal information through technological means—which I'll ask my colleague Martyn Turcotte to describe, if we have the time—to reduce the risk that individuals will be identified.
What needs to be understood is that, even when data is properly de-identified, there is always a risk of re-identification through data matching, through all kinds of possibilities. That is why, given the risk of re-identification in every case, we are suggesting that it is not good policy under the current law to treat de-identified information outside the scope of the Privacy Act.