Evidence of meeting #5 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was good.
A video is available from Parliament.
11:40 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thank you very much, Commissioner.
I'm almost out of time, but I do want to ask one more quick question.
Was your office consulted on the tender that has been put on hold to continue this practice going forward, in what the explanation suggests is not only for the COVID-19 pandemic but possibly beyond that? Has your office been consulted and, if so, what does that look like?
11:40 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We were not consulted. We asked for information in late 2021 about this process and were given some information, but I would not say that this constituted a consultation. We were informed.
11:40 a.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thank you very much, Commissioner. I appreciate that.
11:40 a.m.
Conservative
11:40 a.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
Thank you very much.
I want to thank Mr. Therrien for joining us today and answering all these very important questions. I agree with my colleagues.
I want to go back to your opening statement when you were talking about transparency and consent. You wondered whether it was obvious to Canadians that their data was being used this way.
I believe it was as early as 2020 that there was a news release from the Prime Minister's Office about the fact that Public Health was going to start using de-identified mobility data to help with its fight against COVID-19. I wasn't part of the government at the time, but I certainly remember hearing about this happening. I remember the tweets regularly from our chief public health officer, Theresa Tam, talking about this data and what it meant. We knew, for example, if public health measures were being followed because the mobility data showed that people weren't moving as much, and then we could find trends because of the mobility data. I saw regularly information coming from the government about how this data was being used, and I didn't see any concern about it until the opposition brought it up a couple of months ago.
When you say that the government could have been more proactive in its communications about the use of mobility data, how exactly would you suggest that could have been done better?
11:40 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Transparency is tough. As I said in my opening remarks, the government has a COVIDTrends web page that does a fairly good job of explaining to Canadians that their mobility data is used. You don't need to go through a 60-page privacy policy to find that out, but in order to get to that page, you need to know that the program exists and that there is something called COVIDTrends. Once you're there, it does an okay job of transparency.
Beyond the web page, I think you're right to ask how the government can be proactive. It would be through communication strategies and news conferences that are given by PHAC and others, for instance, so that would be proactivity.
The bottom line for me is that I highly doubt that the majority of users of mobility services knew that their data was collected, despite the efforts made by the government.
Transparency is important, but it is not sufficient to ensure that data is properly regulated. That's why I said that in addition to transparency, in addition to consent, there needs to be an authority for the regulator, as we're doing now, to investigate a situation like this to ensure that privacy is protected.
11:45 a.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
Thank you.
When you say that most users didn't know that their data was being used in this way, what are you basing that on? Do you think people don't know that their data is being used, or that mobility data is being used?
11:45 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I think this is the case generally, that people do not have an awareness or a consciousness of the many ways in which their data is used. Hopefully a cellphone user would know that their data is collected by Telus and maybe by a few companies around Telus, but they would not know generally that their data is used for a program like this. I think that's pretty clear.
When we speak to Canadians, their premise is that their data is used for the purposes for which they provided it to the company or the department in question, and maybe a few around, but not for any and all purposes that we see nowadays. That's not the expectation of people. I think that's pretty clear.
11:45 a.m.
Conservative
11:45 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you, Mr. Chair.
Thank you, Commissioner, for your candour and the detail you provided.
I imagine that the Office of the Privacy Commissioner was created to maintain public trust in privacy. You spoke of trust in your remarks, and we all know that when trust is not there, mistrust sets in, and then eventually gives way to distrust.
Do you feel that these incidents—I don't want to use the word “scandals”—around privacy erode public trust in authorities, in general?
11:45 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes, and the government introduced legislation in the previous Parliament precisely to improve Canadians' confidence in how their data was being used.
11:45 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Well, as we've seen, the law was a bit lacking.
We were discussing the European regulations a little earlier. I believe you referred to the European Union's general data protection regulation.
11:45 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes.
11:45 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
What might we “import” from that regulation to our legislation?
February 7th, 2022 / 11:45 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I am going to somewhat reiterate the answer I gave earlier to Mr. Green. In our annual reports, we explained that in general terms.
I will go back to the trust part of your question. Consent and control are ways to ensure that Canadians have trust. However, I don't believe that Canadians or users in general around the world want to have to consent or not consent to the myriad uses of their data. Canadians want to be able to use modern technology with the assurance that their rights will not be violated. This depends in part on individual consent, but more importantly, it depends on Canadians being assured that someone is there to protect their interests. However, that individual must have the powers to do that.
11:45 a.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
So basically, Canadians need to be able to understand that and place their trust in you.
11:50 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes. On the one hand, they must exercise their consent and, on the other, they must place their trust in someone else.
11:50 a.m.
Conservative
11:50 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you.
There are some very interesting things here, particularly around the idea of a rights-based law.
It was noted in the opening remarks by Mr. Therrien that Justice Canada outlined a similar approach in its proposals for the Privacy Act modernization. He went on to state that some would prefer that de-identified information be removed from the reach of privacy laws. In Mr. Therrien's opinion, who would those people be who would seek to benefit from de-identified information being removed from the reach of privacy laws?
11:50 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Obviously, that would be people who want to innovate with as few limitations or restrictions as possible, like the idea that de-identified information would not be subject to privacy protection.
11:50 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Right off the bat, to be de-identified, at its source it has to be identified.
Could Mr. Therrien perhaps comment on whether or not there could have been...? Maybe that's too close to the investigation; I'll stay away from that.
He mentioned the idea of greater power to proactively audit the government and the private sector. I want him to reflect on that, expand on what that might look like and also perhaps add in this idea of defining what legitimate commercial interests are. I will share with you that I have a significant concern about the commodification of private information and the way it's used in big data.
11:50 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
On the question of proactive verifications, I'll say this. The idea is not to be a thorn in the side of governments or companies that want to innovate responsibly. The point is that data flows are so complex and business models are so complex that individual Canadians are not well placed when identifying violations of private [Technical difficulty—Editor] and that a body like the OPC is better placed, not to go after thousands of companies a year, but on a risk basis to, again, go under the hood in a number of places where we think there might be risks so that we can either reassure Canadians that the law has been respected or intervene and sanction companies that have not complied with the law, so that confidence in the system is enhanced.
