Information & Ethics Committee on Feb. 7th, 2022

We received complaints at the very end of 2021, about two months ago. We referred questions to the appropriate departments a few weeks ago, but we're still waiting for their responses. I wish I could tell you that we will be able to conclude the investigation while your study is under way, but I don't think we possibly can.

As I told you, we still haven't received a response from the departments. I don't mean to imply that the responses are late. It's just the normal course of events. In the months following the completion of your study, we will be able to close the investigation.

In a formal investigation, if we had been consulted, we could have made conclusions based on information that, I would remind you, the government still hasn't provided to us. In addition, in an investigation, you have to hear from both the complainant and the respondents, which draws out the investigation.

As I mentioned earlier, we offered our advice, but the government decided to seek it elsewhere.

In this case, I'm going on the premise that consent has a role to play in protecting privacy, but it's unrealistic in today's modern world to expect that all commercial or government use of a customer's data should be subject to consent. That brings us to the concept of consent that is oftentimes implied.

In the event of implied consent, the legal principle is that properly de‑identified data, being something that is entirely possible to do, is simply not personal information under current public sector law. So the government can collect and use it as it sees fit, without having to protect privacy. This is entirely possible, even though we haven't yet reached a conclusion.

Therefore, the rule that seems to apply in this case is that, if properly de‑identified, data is not personal information and consent is not required.

That's one reason we recommend that, even if data is de‑identified, the law should be amended to remain subject to the Privacy Act, so that certain principles apply, even to de‑identified data.

No. People aren't fully aware of certain uses.

That essentially amounts to saying that cellphone users were unaware of the practice and therefore were unable to opt out. People can't withdraw consent when they don't know it's an option.

As I was saying, in my opinion, more steps should have been taken by Telus and the government to inform Canadians of how their data was being used.

The principle of transparency should definitely be included in the Privacy Act. There should be greater transparency.

I would say that in Europe, the laws are certainly more stringent. That said, we can provide you with a more detailed answer in writing, if you wish.

That's right.

As I said in my remarks, I don't think the ultimate solution is simply greater transparency and explicit consent, given that data is used in an extremely wide range of ways, sometimes for good reasons, sometimes for bad.

Therefore, you need objective criteria, covering things like legitimate commercial use and using data to serve the public good, that a regulatory agency would enforce. Consent is important, but a regulatory agency also needs to play a role in properly protecting Canadians, given the complexity of how their data is being used.