Information & Ethics Committee on Feb. 10th, 2022

I don't think we can make any assumptions that there was a presumption of consent, not at all. I know consent is difficult. I agree that doing this on a large scale can be extremely difficult. I understand all of that. However, at the very least, provide notice, meaning you publicize. You are the government. You're PHAC. You publicize that you're doing this.

At the very least, you go to the Privacy Commissioner, you alert him, and ask for his input and assistance in making sure the public is aware of what's taking place. You alert him that it's being strongly de-identified and aggregated, and therefore the commissioner feels it's appropriate, something like that. You don't do it quietly, in my view. I think that's big mistake.

I totally agree with you. This grows distrust. There's already such fleeting trust anyway. Trust of government is diminishing on a daily basis, and this just leads to the further erosion of trust. I'm very concerned about that. Certainly, one would say you should be able to trust your government. I don't believe we're in a position to do that right now.

It's a very good question, sir. It baffles my mind. I honestly have no idea. When I served as commissioner in Ontario, I was always consulted. If I hadn't been consulted, especially on something like this, I would have been extremely concerned, because that's my business—to get under the hood and look at what's taking place.

I cannot imagine why the government—PHAC—did not consult properly with the Privacy Commissioner of Canada, Daniel Therrien, who is an excellent commissioner in this role. It makes no sense to me.

I hesitate to put a number on it, sir, only because I would probably give it the lowest number and I don't want to be unfair. I haven't examined everything.

This contributes to the erosion of trust enormously. There is already so much distrust out there. Let's leave it at that.

I must admit that this was staggering to me. I had not seen anything on this scale with such a large number of individuals' mobility data being accessed without any notice to the individuals. Forget about consent, but just notice.... It's about public awareness, so that someone would know what was taking place.

When you take this to the Privacy Commissioner.... Had they consulted, the commissioner would also examine the benefit of engaging in this kind of access to the data versus what the results would be. They track people's movements. What is the benefit of that? I don't know. I say that as a question. None of this is open.

They have such strong privacy laws. The GDPR—the general data protection regulation—came into place in 2018. It is one of the strongest laws that exist. I was delighted that it includes my “privacy by design”, which strengthens it even more, builds privacy and embeds it into the code of your operations. I don't think they could have done this.

That's an interesting question. I'm going to give a different example of the Clearview AI situation. You had a private sector company that created a facial recognition database based on scraped data that was then used by the RCMP. The Privacy Commissioner has already said that you can't have a legitimate use by a government actor of data that was collected illegitimately. That relationship is always interesting and it's an important one.

One of the challenges is that, on the one hand, you want to facilitate the use of data for socially beneficial purposes. The private sector is collecting vast quantities of data. There are legitimate questions in some cases about the quality of the consent, the quality of the collection practices and the kinds of data that are collected. In this case, we're looking at mobility data, which are very sensitive, but there are lots of other very sensitive data as well.

It becomes really important to think about that massive amount of data that's being collected under all sorts of privacy policies, which we don't have the time or even the skills to read and understand completely, that may become a product that is then sold to government, as well as to other actors, for their analytics. Right there, if there are flaws in that collection and it is sold, you carry over those flaws and those issues into the subsequent uses of those data.

That relationship is tremendously important.

I see your question and it's an interesting one. If the government is engaging in that kind of surveillance and there are certain rules that the government has to follow, specifically with respect to their collection of that data, and here it's being sourced from the private sector, it does fall under a different set of rules now. It's de-identified and so on, and it doesn't have the same weight or impact that surveillance data would, or the same implementations necessarily as surveillance data would have, depending on how it's used in the context. However, it's also data that the government doesn't really have the capacity to collect in that fine-grain and detailed way.

Again, the privacy issues are very important, but the ability of governments to use the best available data to make important public policy decisions is also important. The trick is finding that appropriate balance between the two.

Mr. Chair, the gold standard that is usually the reference point would be the GDPR in Europe and the rules that have been put in place there, with the proviso that there's no way to copy what's in the GDPR and transplant it to the Canadian context. Every country has its own particular context. It's not a question of saying, “Well, that's the one that we need to have”, but the GDPR sets an excellent standard.