Information & Ethics Committee on Feb. 10th, 2022

Thank you very much, Chair.

I'm very pleased to be able to speak to you today because I was so concerned with the complete lack of transparency on the part of PHAC, the Public Health Agency of Canada.

Transparency is critical on the part of government agencies, of course. They report to individual citizens, and there was no transparency associated with PHAC accessing—I think they said it was 33 million—Canadians' cellphone data. I found it so disturbing.

I have to read one thing to you, which really resonated to me. MP René Villemure said that PHAC was using the data “without telling anybody”. That, to me, is appalling. You don't just operate by yourself as a government agency, accessing people's very sensitive mobile data.

They didn't consult with the Privacy Commissioner of Canada, Commissioner Daniel Therrien. Commissioner Therrien said, “I do not think anyone would seriously argue that most users knew how their data would be used.” Did the government inform users that their mobility data would be used for public health purposes?

The question of transparency and notice to individuals, to the public, of how information is being used on sensitive data such as mobility data is critical. On mobility data, when you track it, you know where people have been, who they've been associating with, their movements, etc.

I know you might say, “Well, but the data was de-identified—no problem.” There are always problems. It's not a 100% solution, de-identifying data, as you know—phishing, hacking, ransomware.... This is huge. There are brilliant hackers who gain access to so much personal information, and the fact that no one was aware within the government that this was happening, and the total lack of transparency and notice, that's what concerned me enormously. I would say, privacy is all about control. It's about personal control relating to the use and disclosure of your personal information, and location mobile data, this is very sensitive. Nobody knew this was happening, and that's what I find so alarming, and that's why I'm focusing on the lack of transparency.

I want to suggest to you that it is high time for us to upgrade our privacy laws. PIPEDA, the federal private sector legislation, came in during the early 2000s. Our Privacy Act for the public sector came in during the 1980s. These are old statutes. We need to upgrade them and make them reflect what's taking place today in terms of the massive gaining of access to personal data and tracking the data and all kinds of implications and conclusions that could be made on the basis of that, without any notice being provided whatsoever. The public is not aware of the fact that this is taking place.

The fact that the government did this without consulting the Privacy Commissioner of Canada.... They'll say, “Oh, well, we told them.” I know what the commissioner said. The commissioner said, “They informed us”, but there was no consultation in terms of gaining input on whether this was appropriate or not.

Having served as a privacy commissioner for many years in Ontario, I'll say that it's absolutely critical to connect with the Privacy Commissioner and his team, where they can look “under the hood”, so to speak. I always say, “Trust, but verify.” These days, I don't even say “trust”. You need to look under the hood of the data-gathering practices and you need to make the public aware of what's taking place.

This kind of openness and transparency is absolutely critical.

I'll end my remarks by emphasizing that these things can't be done quietly behind the scenes. No, the government has to be open and transparent, consult with people such as the Privacy Commissioner, and provide notice.

Thank you very much.

Thank you, Mr. Chair.

Thank you for the invitation to address this committee on this important issue.

The use of mobility data and the reaction to it highlights some of the particular challenges of our digital and data society. It confirms that people are genuinely concerned about how their data are used, and it also shows that they struggle to keep abreast of the volume of collection, the multiple actors engaged in collection and processing, and the ways in which their data are shared with and used by others. In this context, consent alone is insufficient to protect individuals.

The situation also makes clear that data are collected and curated for purposes that go well beyond maintaining consumer or customer relationships. Data are the fuel of analytics, profiling and AI. Some of these uses are desirable and socially beneficial while others are harmful or deeply exploitative. The challenge is to facilitate the positive uses and to stop the harmful and exploitative ones.

The situation also illustrates how easily data now flow from the private sector to the public sector in Canada. Our current legal framework governs public and private sector uses of personal data separately. Our laws need to be better adapted to address the flow of data across sectors. Governments have always collected data and used it to inform decision-making. Today, they have access to some of the same tools for big data analytics and AI that the private sector has, and they have access to vast quantities of data to feed those analytics. We want governments to make informed decisions based on the best available data, but we also want to prevent excessive intrusions upon privacy.

Both PIPEDA and the Privacy Act must be modernized so they can provide appropriate rules and principles to govern the use of data in a transformed and transforming digital environment. The work of this committee on the mobility data issue could inform this modernization process.

As you've already heard from other witnesses, PIPEDA and the Privacy Act currently apply only to data about identifiable individuals. This circumstance creates an uncomfortable grey zone for de-identified data. The Privacy Commissioner must have some capacity to oversee the use of de-identified data, at the very least to ensure that reidentification does not take place. For example, the Province of Ontario addressed this issue in 2019 amendments to its public sector data protection law, amendments that defined de-identified information for the purposes of use by government, required the development of data standards for de-identified data and provided specific penalties for the reidentification of de-identified personal data. The discussion paper on the modernization of the Privacy Act speaks about the need for a new framework to facilitate the use of de-identified personal information by government, but we await a bill to know what form that might take.

The former bill C-11, the bill to amend the Personal Information Protection and Electronic Documents Act, which died on the Order Paper last fall, specifically defined de-identified personal information. It also created exceptions to the requirements of knowledge and consent to enable organizations to de-identify personal information in their possession and to use or disclose it in some circumstances, also without knowledge and consent. It would have required de-identification measures proportional to the sensitivity of the information and would have prohibited the reidentification of de-identified personal information and imposed stiff penalties.

The former bill C-11 would also have allowed private sector organizations to share de-identified data, without knowledge or consent, with certain entities, particularly government actors, for socially beneficial purposes. This provision would have applied to the specific situation before this committee right now. It would have permitted this kind of data sharing and without the knowledge or consent of the individuals whose data were de-identified and shared. The same provision, or a revised version of it, will likely be in the next bill to reform PIPEDA introduced into Parliament. When that happens, some important questions need to be considered. What is the scope of this provision? How should socially beneficial purposes be defined? What degree of transparency should be required on the part of organizations that share our de-identified information? How will private sector organizations' sharing of information with the government for socially beneficial purposes dovetail with any new obligations for the public sector? Should there be any prior review or approval of plans to acquire and/or use the data, and what degree of transparency is required?

I hope the work of this committee on the mobility data issue will help to inform these important discussions.

Thank you.

I personally am a very strong believer in exercising control and allowing individuals to exercise control over the uses of their data. Traditionally, this has been linked with identifiable data. It has your name, address and other identifiers linked to it. Then, of course, you should be able to exercise total control.

There are means by which the data can be strongly de-identified, as has taken place here. Then our laws, the way they exist right now, no longer apply, because if data is considered to be de-identified, they no longer fall under privacy laws. That's one of the reasons I believe we need to upgrade our laws and reflect that in this day and age, even if you have strongly de-identified data—there are very strong ways of de-identifying data, and I'm not going to suggest otherwise—the risk of reidentification still exists.

I would like us also to explore other means of de-identification. For example, there are now new forms of de-identification that tend to have an extremely low risk of reidentification. This is called “synthetic” data, and this is now growing and being used.

What I'm urging is that people need to be able to retain control of their data, and especially with mobility data, which is so sensitive. I think if anyone had been asked...which PHAC did not do. If anyone had asked or given notice to the 33 million Canadians whose information and mobility data they gained access to whether they would have consented to that—no way, in my view. I think it would have been highly unlikely.

So I think we need to upgrade.

I want to be clear that they did go to great lengths to strongly de-identify the data and then use it in aggregate form. That does minimize the risk of reidentification. I don't want to suggest otherwise. I'm just saying that with mobility data—your cellphone, which lives with you and basically goes everywhere with you—there is such sensitivity associated with that and all the locations you go and who you may associate with, if the data were able to be reidentified and connections made on the part of the government, I think that would be extremely troubling.

So at the very least, the government should have provided notice to the public saying, “This is what we're doing. Here's why we're doing it. We want to track your movements in this COVID pandemic world.” Is that a sufficient reason? Would people have felt the return was sufficient? We have to have some debate about these issues. PHAC can't just decide to do that, as the MP said, without telling anybody. That's what I objected to the most—the total lack of transparency.

What you just told me I find very concerning, quite frankly. I understand the general data would appear very general and you couldn't get anything, but you just referred to data that was much more specific. That concerns me enormously.

That's why I want federal Privacy Commissioner Daniel Therrien to be looking under the hood at all of this. Why was he not consulted as opposed to just being informed? That's completely unacceptable. The minute you get into anything that is more potentially identifiable or detailed, as you were just describing, sir, that's when all the concerns arise. We can't have that.

I don't have any direct knowledge of particular data standards that were used with respect to de-identifying the mobility data in question.

If legislation is going to extend to de-identified data, which it should, it should certainly extend to addressing or identifying what standards should apply, what de-identification standards should apply—

I think it's part of the overall data ecosystem, as some people refer to it, in which we find ourselves. It's that movement that I spoke about between private and public sectors, the flows of data from private sector to public sector.

There's a tremendous amount of mobility data being collected by all kinds of actors in the private sector. At the beginning of the pandemic and throughout the pandemic, companies like Google and Fitbit were publishing their analytics based on people's mobility data, analytics for Canadian cities and Canadian areas. This mobility data about us is collected by many different private sector actors and there are commercial applications for these data. As we can see in this example, government can be applying for that data.

I think that's why it's important that we need to think about modernizing both our private sector and our public sector data protection laws. We need to think about the way in which data flows from the private sector to the public sector and is then used by the public sector.

I think, in particular, that flow between public and private has been one that hasn't really been well considered in legislation in the past. Certainly the collection in the private sector context of these enormous quantities of data, and not just location data, but very fine-grained data about all of our activities, is a real issue.

With due respect, I don't call that transparency. I know Commissioner Therrien very well. He did not say his office was consulted on this, not at all. Being informed of something is very different from being consulted on something. You go to people to consult them, because they have expertise in an area.

As he said, he would have looked under the hood. It's essential to examine how information is being de-identified, aggregated and used for a variety of different purposes. Things can go wrong in a million different places. He may have also said, “I think we need to notify the public. I wasn't aware of any of this, as a member of the public, until I read the stories about it that broke out, all relating to the complaints associated with this, and the fact that John Brassard and others were saying nobody knows anything about this. It hasn't gone to the ethics committee. It was, in my view, not transparent.”

If you know what website to go to, and look underneath, you can find something. That's not transparency. In my view, you have to push it out, tell people, and tell the public what you're doing with their information and their mobility data. I'm not going to suggest there was transparency here.