Evidence of meeting #6 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was use.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Ann Cavoukian  Executive Director, Global Privacy and Security by Design, As an Individual
Teresa Scassa  Canada Research Chair in Information Law and Policy, Faculty of Law, Common Law Section, University of Ottawa, As an Individual
Martin French  Associate Professor, Department of Sociology and Anthropology, Concordia University, As an Individual
Daniel Weinstock  Full Professor, Department of Philosophy, McGill University, As an Individual

3:45 p.m.

Conservative

The Chair Conservative Pat Kelly

I call this meeting to order.

Welcome to meeting number six of the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

We're starting late because of votes. I'm going to dispense with parts of the regular preamble. I think members are familiar with how we operate.

Pursuant to Standing Order 108(3)(h) and the motion adopted by the committee on Thursday, January 13, the committee commenced its study on the collection and use of mobility data by the Government of Canada.

Today, I would like to welcome our witnesses in this first panel. Our witnesses attend as individuals.

We have witnesses Ann Cavoukian, executive director, Global Privacy and Security by Design; and Teresa Scassa, Canada research chair in information law and policy, Faculty of Law, Common Law Section, University of Ottawa.

We will get right into the opening statements from our witnesses, which will be for five minutes each at the absolute maximum, please.

We'll begin with Dr. Cavoukian.

Dr. Ann Cavoukian Executive Director, Global Privacy and Security by Design, As an Individual

Thank you very much, Chair.

I'm very pleased to be able to speak to you today because I was so concerned with the complete lack of transparency on the part of PHAC, the Public Health Agency of Canada.

Transparency is critical on the part of government agencies, of course. They report to individual citizens, and there was no transparency associated with PHAC accessing—I think they said it was 33 million—Canadians' cellphone data. I found it so disturbing.

I have to read one thing to you, which really resonated to me. MP René Villemure said that PHAC was using the data “without telling anybody”. That, to me, is appalling. You don't just operate by yourself as a government agency, accessing people's very sensitive mobile data.

They didn't consult with the Privacy Commissioner of Canada, Commissioner Daniel Therrien. Commissioner Therrien said, “I do not think anyone would seriously argue that most users knew how their data would be used.” Did the government inform users that their mobility data would be used for public health purposes?

The question of transparency and notice to individuals, to the public, of how information is being used on sensitive data such as mobility data is critical. On mobility data, when you track it, you know where people have been, who they've been associating with, their movements, etc.

I know you might say, “Well, but the data was de-identified—no problem.” There are always problems. It's not a 100% solution, de-identifying data, as you know—phishing, hacking, ransomware.... This is huge. There are brilliant hackers who gain access to so much personal information, and the fact that no one was aware within the government that this was happening, and the total lack of transparency and notice, that's what concerned me enormously. I would say, privacy is all about control. It's about personal control relating to the use and disclosure of your personal information, and location mobile data, this is very sensitive. Nobody knew this was happening, and that's what I find so alarming, and that's why I'm focusing on the lack of transparency.

I want to suggest to you that it is high time for us to upgrade our privacy laws. PIPEDA, the federal private sector legislation, came in during the early 2000s. Our Privacy Act for the public sector came in during the 1980s. These are old statutes. We need to upgrade them and make them reflect what's taking place today in terms of the massive gaining of access to personal data and tracking the data and all kinds of implications and conclusions that could be made on the basis of that, without any notice being provided whatsoever. The public is not aware of the fact that this is taking place.

The fact that the government did this without consulting the Privacy Commissioner of Canada.... They'll say, “Oh, well, we told them.” I know what the commissioner said. The commissioner said, “They informed us”, but there was no consultation in terms of gaining input on whether this was appropriate or not.

Having served as a privacy commissioner for many years in Ontario, I'll say that it's absolutely critical to connect with the Privacy Commissioner and his team, where they can look “under the hood”, so to speak. I always say, “Trust, but verify.” These days, I don't even say “trust”. You need to look under the hood of the data-gathering practices and you need to make the public aware of what's taking place.

3:45 p.m.

Conservative

The Chair Conservative Pat Kelly

You have one minute left.

3:45 p.m.

Executive Director, Global Privacy and Security by Design, As an Individual

Dr. Ann Cavoukian

This kind of openness and transparency is absolutely critical.

I'll end my remarks by emphasizing that these things can't be done quietly behind the scenes. No, the government has to be open and transparent, consult with people such as the Privacy Commissioner, and provide notice.

Thank you very much.

3:45 p.m.

Conservative

The Chair Conservative Pat Kelly

Thank you.

For up to five minutes, Dr. Scassa, go ahead, please.

Dr. Teresa Scassa Canada Research Chair in Information Law and Policy, Faculty of Law, Common Law Section, University of Ottawa, As an Individual

Thank you, Mr. Chair.

Thank you for the invitation to address this committee on this important issue.

The use of mobility data and the reaction to it highlights some of the particular challenges of our digital and data society. It confirms that people are genuinely concerned about how their data are used, and it also shows that they struggle to keep abreast of the volume of collection, the multiple actors engaged in collection and processing, and the ways in which their data are shared with and used by others. In this context, consent alone is insufficient to protect individuals.

The situation also makes clear that data are collected and curated for purposes that go well beyond maintaining consumer or customer relationships. Data are the fuel of analytics, profiling and AI. Some of these uses are desirable and socially beneficial while others are harmful or deeply exploitative. The challenge is to facilitate the positive uses and to stop the harmful and exploitative ones.

The situation also illustrates how easily data now flow from the private sector to the public sector in Canada. Our current legal framework governs public and private sector uses of personal data separately. Our laws need to be better adapted to address the flow of data across sectors. Governments have always collected data and used it to inform decision-making. Today, they have access to some of the same tools for big data analytics and AI that the private sector has, and they have access to vast quantities of data to feed those analytics. We want governments to make informed decisions based on the best available data, but we also want to prevent excessive intrusions upon privacy.

Both PIPEDA and the Privacy Act must be modernized so they can provide appropriate rules and principles to govern the use of data in a transformed and transforming digital environment. The work of this committee on the mobility data issue could inform this modernization process.

As you've already heard from other witnesses, PIPEDA and the Privacy Act currently apply only to data about identifiable individuals. This circumstance creates an uncomfortable grey zone for de-identified data. The Privacy Commissioner must have some capacity to oversee the use of de-identified data, at the very least to ensure that reidentification does not take place. For example, the Province of Ontario addressed this issue in 2019 amendments to its public sector data protection law, amendments that defined de-identified information for the purposes of use by government, required the development of data standards for de-identified data and provided specific penalties for the reidentification of de-identified personal data. The discussion paper on the modernization of the Privacy Act speaks about the need for a new framework to facilitate the use of de-identified personal information by government, but we await a bill to know what form that might take.

The former bill C-11, the bill to amend the Personal Information Protection and Electronic Documents Act, which died on the Order Paper last fall, specifically defined de-identified personal information. It also created exceptions to the requirements of knowledge and consent to enable organizations to de-identify personal information in their possession and to use or disclose it in some circumstances, also without knowledge and consent. It would have required de-identification measures proportional to the sensitivity of the information and would have prohibited the reidentification of de-identified personal information and imposed stiff penalties.

The former bill C-11 would also have allowed private sector organizations to share de-identified data, without knowledge or consent, with certain entities, particularly government actors, for socially beneficial purposes. This provision would have applied to the specific situation before this committee right now. It would have permitted this kind of data sharing and without the knowledge or consent of the individuals whose data were de-identified and shared. The same provision, or a revised version of it, will likely be in the next bill to reform PIPEDA introduced into Parliament. When that happens, some important questions need to be considered. What is the scope of this provision? How should socially beneficial purposes be defined? What degree of transparency should be required on the part of organizations that share our de-identified information? How will private sector organizations' sharing of information with the government for socially beneficial purposes dovetail with any new obligations for the public sector? Should there be any prior review or approval of plans to acquire and/or use the data, and what degree of transparency is required?

I hope the work of this committee on the mobility data issue will help to inform these important discussions.

Thank you.

3:50 p.m.

Conservative

The Chair Conservative Pat Kelly

Thank you.

We go to the first questioner in the six-minute rounds.

Mr. Kurek, you have six minutes.

3:50 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much, Mr. Chair.

I appreciate both of the witnesses joining us here at the committee today and giving your opening statements. It's been very helpful that you've been able to share your expertise.

Dr. Cavoukian, you mentioned in your opening statement that privacy is about control. Certainly, we heard from the Privacy Commissioner about the lack of consultation and it appears to be the lack of control metric frameworks in place regarding the data that PHAC would have received. Can you speak more about the need for that control within a framework to ensure that data is protected?

3:55 p.m.

Executive Director, Global Privacy and Security by Design, As an Individual

Dr. Ann Cavoukian

I personally am a very strong believer in exercising control and allowing individuals to exercise control over the uses of their data. Traditionally, this has been linked with identifiable data. It has your name, address and other identifiers linked to it. Then, of course, you should be able to exercise total control.

There are means by which the data can be strongly de-identified, as has taken place here. Then our laws, the way they exist right now, no longer apply, because if data is considered to be de-identified, they no longer fall under privacy laws. That's one of the reasons I believe we need to upgrade our laws and reflect that in this day and age, even if you have strongly de-identified data—there are very strong ways of de-identifying data, and I'm not going to suggest otherwise—the risk of reidentification still exists.

I would like us also to explore other means of de-identification. For example, there are now new forms of de-identification that tend to have an extremely low risk of reidentification. This is called “synthetic” data, and this is now growing and being used.

What I'm urging is that people need to be able to retain control of their data, and especially with mobility data, which is so sensitive. I think if anyone had been asked...which PHAC did not do. If anyone had asked or given notice to the 33 million Canadians whose information and mobility data they gained access to whether they would have consented to that—no way, in my view. I think it would have been highly unlikely.

So I think we need to upgrade.

3:55 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much for that.

You started, I think, to answer the second question I had. It regards the ability to reidentify anonymized and aggregated data. Now, in terms of the government's response thus far, the minister a number of weeks ago said not to worry; it's anonymized and aggregated; just trust us.

Can you speak to some of the concerns that exist around reidentifying some of that data?

3:55 p.m.

Executive Director, Global Privacy and Security by Design, As an Individual

Dr. Ann Cavoukian

I want to be clear that they did go to great lengths to strongly de-identify the data and then use it in aggregate form. That does minimize the risk of reidentification. I don't want to suggest otherwise. I'm just saying that with mobility data—your cellphone, which lives with you and basically goes everywhere with you—there is such sensitivity associated with that and all the locations you go and who you may associate with, if the data were able to be reidentified and connections made on the part of the government, I think that would be extremely troubling.

So at the very least, the government should have provided notice to the public saying, “This is what we're doing. Here's why we're doing it. We want to track your movements in this COVID pandemic world.” Is that a sufficient reason? Would people have felt the return was sufficient? We have to have some debate about these issues. PHAC can't just decide to do that, as the MP said, without telling anybody. That's what I objected to the most—the total lack of transparency.

3:55 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

I appreciate that. Thank you.

Part of the concern I have had is that I've seen a copy of a slide deck provided to the government by the company BlueDot. The information in that slide deck was very, very general and aggregated. But in the appendix, it spoke of very, very detailed information that BlueDot was receiving. Are you confident that the information that has been provided to public health...?

It seems to be more detailed than what that slide deck entailed, but we don't know exactly was meant by anonymized and aggregated. Are you confident that it has respected Canadians' privacy?

3:55 p.m.

Executive Director, Global Privacy and Security by Design, As an Individual

Dr. Ann Cavoukian

What you just told me I find very concerning, quite frankly. I understand the general data would appear very general and you couldn't get anything, but you just referred to data that was much more specific. That concerns me enormously.

That's why I want federal Privacy Commissioner Daniel Therrien to be looking under the hood at all of this. Why was he not consulted as opposed to just being informed? That's completely unacceptable. The minute you get into anything that is more potentially identifiable or detailed, as you were just describing, sir, that's when all the concerns arise. We can't have that.

4 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much, Doctor.

I have one quick question for Dr. Scassa.

You mentioned that there must be standards for de-identified data. Are you confident that those standards exist within the information that's been provided for the government with the data that was used?

4 p.m.

Conservative

The Chair Conservative Pat Kelly

You have 10 seconds, please.

4 p.m.

Canada Research Chair in Information Law and Policy, Faculty of Law, Common Law Section, University of Ottawa, As an Individual

Dr. Teresa Scassa

I don't have any direct knowledge of particular data standards that were used with respect to de-identifying the mobility data in question.

If legislation is going to extend to de-identified data, which it should, it should certainly extend to addressing or identifying what standards should apply, what de-identification standards should apply—

4 p.m.

Conservative

The Chair Conservative Pat Kelly

[Inaudible—Editor] with further questions.

I'm going to have to go to Ms. Hepfner now for six minutes.

4 p.m.

Liberal

Lisa Hepfner Liberal Hamilton Mountain, ON

Thanks very much, and thank you to the witnesses for joining us today on this very important issue.

I do want to come back to you, Ms. Scassa.

Last month you did a news interview. You spoke about how many of the stories around this mobility data issue focused on the government processing of the data rather than the fact that it's actually private companies that collect and sell location data.

Can you elaborate on why that's an important distinction?

4 p.m.

Canada Research Chair in Information Law and Policy, Faculty of Law, Common Law Section, University of Ottawa, As an Individual

Dr. Teresa Scassa

I think it's part of the overall data ecosystem, as some people refer to it, in which we find ourselves. It's that movement that I spoke about between private and public sectors, the flows of data from private sector to public sector.

There's a tremendous amount of mobility data being collected by all kinds of actors in the private sector. At the beginning of the pandemic and throughout the pandemic, companies like Google and Fitbit were publishing their analytics based on people's mobility data, analytics for Canadian cities and Canadian areas. This mobility data about us is collected by many different private sector actors and there are commercial applications for these data. As we can see in this example, government can be applying for that data.

I think that's why it's important that we need to think about modernizing both our private sector and our public sector data protection laws. We need to think about the way in which data flows from the private sector to the public sector and is then used by the public sector.

I think, in particular, that flow between public and private has been one that hasn't really been well considered in legislation in the past. Certainly the collection in the private sector context of these enormous quantities of data, and not just location data, but very fine-grained data about all of our activities, is a real issue.

4 p.m.

Liberal

Lisa Hepfner Liberal Hamilton Mountain, ON

Thank you very much.

I'd like to go back to you, Ann Cavoukian, to address a couple of things that you talked about in your opening statement.

First of all, there is no 33 million. That's a false number that keeps getting circulated. I just want to make that clear. Telus does not have 33 million customers. There's a lot of misinformation that's circulating—

4 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Point of order. Tel—

4 p.m.

Conservative

The Chair Conservative Pat Kelly

What is your point of order?

First state what is outside of usual practice or rule, and state your point of order.

Thank you.

Go ahead Ms. Hepfner.

4 p.m.

Liberal

Lisa Hepfner Liberal Hamilton Mountain, ON

Thank you. I appreciate that.

You were concerned about the lack of transparency. That was your point. Actually what we heard from the Privacy Commissioner when he came to speak to this committee was that he agreed the Prime Minister did put out a news release when the government started accessing mobility data from private collectors.

There is a public website where people at any time can check to see how this data is being used to inform the pandemic response. The chief public health officer, Dr. Theresa Tam, was regularly putting out messages on social media and in many other ways to show how this data is being used. I wasn't in government at the time but I knew this was happening.

The Privacy Commissioner, when I asked him, couldn't answer how the government could have been more transparent in this process. I'm wondering if maybe you can give us some suggestions about how the process could have been even more transparent than it already was.

4:05 p.m.

Executive Director, Global Privacy and Security by Design, As an Individual

Dr. Ann Cavoukian

With due respect, I don't call that transparency. I know Commissioner Therrien very well. He did not say his office was consulted on this, not at all. Being informed of something is very different from being consulted on something. You go to people to consult them, because they have expertise in an area.

As he said, he would have looked under the hood. It's essential to examine how information is being de-identified, aggregated and used for a variety of different purposes. Things can go wrong in a million different places. He may have also said, “I think we need to notify the public. I wasn't aware of any of this, as a member of the public, until I read the stories about it that broke out, all relating to the complaints associated with this, and the fact that John Brassard and others were saying nobody knows anything about this. It hasn't gone to the ethics committee. It was, in my view, not transparent.”

If you know what website to go to, and look underneath, you can find something. That's not transparency. In my view, you have to push it out, tell people, and tell the public what you're doing with their information and their mobility data. I'm not going to suggest there was transparency here.

Lisa Hepfner Liberal Hamilton Mountain, ON

Back to Ms. Scassa, can you talk about something else the Privacy Commissioner brought up, that it may not be realistic or reasonable to get meaningful consent in every instance, and yet mobility data is very useful in a public health response?

Can you comment on whether you see the usefulness of mobility data, and should governments have use of this data that has already been collected to respond to something like a pandemic?