Thank you, Mr. Chair.
Thank you for the invitation to address this committee on this important issue.
The use of mobility data and the reaction to it highlight some of the particular challenges of our digital and data society. It confirms that people are genuinely concerned about how their data are used, and it also shows that they struggle to keep abreast of the volume of collection, the multiple actors engaged in collection and processing, and the ways in which their data are shared with and used by others. In this context, consent alone is insufficient to protect individuals.
The situation also makes clear that data are collected and curated for purposes that go well beyond maintaining consumer or customer relationships. Data are the fuel of analytics, profiling and AI. Some of these uses are desirable and socially beneficial while others are harmful or deeply exploitative. The challenge is to facilitate the positive uses and to stop the harmful and exploitative ones.
The situation also illustrates how easily data now flow from the private sector to the public sector in Canada. Our current legal framework governs public and private sector uses of personal data separately. Our laws need to be better adapted to address the flow of data across sectors. Governments have always collected data and used it to inform decision-making. Today, they have access to some of the same tools for big data analytics and AI that the private sector has, and they have access to vast quantities of data to feed those analytics. We want governments to make informed decisions based on the best available data, but we also want to prevent excessive intrusions upon privacy.
Both PIPEDA and the Privacy Act must be modernized so they can provide appropriate rules and principles to govern the use of data in a transformed and transforming digital environment. The work of this committee on the mobility data issue could inform this modernization process.
As you've already heard from other witnesses, PIPEDA and the Privacy Act currently apply only to data about identifiable individuals. This circumstance creates an uncomfortable grey zone for de-identified data. The Privacy Commissioner must have some capacity to oversee the use of de-identified data, at the very least to ensure that reidentification does not take place. For example, the Province of Ontario addressed this issue in 2019 amendments to its public sector data protection law, amendments that defined de-identified information for the purposes of use by government, required the development of data standards for de-identified data and provided specific penalties for the reidentification of de-identified personal data. The discussion paper on the modernization of the Privacy Act speaks about the need for a new framework to facilitate the use of de-identified personal information by government, but we await a bill to know what form that might take.
The former Bill C-11, the bill to amend the Personal Information Protection and Electronic Documents Act, which died on the Order Paper last fall, specifically defined de-identified personal information. It also created exceptions to the requirements of knowledge and consent to enable organizations to de-identify personal information in their possession and to use or disclose it in some circumstances, also without knowledge and consent. It would have required de-identification measures proportional to the sensitivity of the information and would have prohibited the reidentification of de-identified personal information and imposed stiff penalties.
The former Bill C-11 would also have allowed private sector organizations to share de-identified data, without knowledge or consent, with certain entities, particularly government actors, for socially beneficial purposes. This provision would have applied to the specific situation before this committee right now. It would have permitted this kind of data sharing and without the knowledge or consent of the individuals whose data were de-identified and shared. The same provision, or a revised version of it, will likely be in the next bill to reform PIPEDA introduced into Parliament. When that happens, some important questions need to be considered. What is the scope of this provision? How should socially beneficial purposes be defined? What degree of transparency should be required on the part of organizations that share our de-identified information? How will private sector organizations' sharing of information with the government for socially beneficial purposes dovetail with any new obligations for the public sector? Should there be any prior review or approval of plans to acquire and/or use the data, and what degree of transparency is required?
I hope the work of this committee on the mobility data issue will help to inform these important discussions.
Thank you.