Information & Ethics Committee on Oct. 25th, 2023

Good afternoon, Mr. Chair.

Good afternoon, members of the committee.

I am pleased to be here today to discuss my 2022‑23 Annual Report to Parliament, which highlights the important work that my office is doing to protect and promote the fundamental right to privacy in a time of unprecedented technological change.

It is encouraging to see this continued focus on the importance of privacy, as it impacts virtually all aspects of our lives.

Many of the public interest issues that you are seized with as parliamentarians—children's rights, online safety and cybersecurity, democratic rights, national security, equality rights, ethical corporate practices and the rule of law—all have privacy implications and, I would argue, all depend on strong privacy protections.

In this digital era, as you will see from some of the work and investigations my office has conducted this year, routine activities of daily life—for example, socializing online, using mobile apps, getting packages delivered or going to the checkout counter—can also raise privacy issues.

Since my appointment as Privacy Commissioner in June 2022, I've identified strategic priorities for my office that helped frame our work over the past year and that will guide the way ahead. These include addressing the privacy impacts of the fast-moving pace of technological advancements—especially in the world of artificial intelligence and generative AI—protecting children's privacy, and maximizing the OPC's impact in fully and effectively promoting and protecting the fundamental right to privacy.

To support these priorities, this past year we have engaged extensively with our domestic and international counterparts to identify and undertake collaborative opportunities.

We have also continued to advocate domestically for the modernization of Canada's privacy laws. I was honoured to appear before the Standing Committee on Industry and Technology last week in the context of their study of Bill C‑27, the digital charter implementation act, 2022, where I made 15 key recommendations needed to improve and strengthen the bill. I was pleased to see a number of them endorsed by Minister Champagne in the form of amendments that will be put forward to the committee, and I look forward to the work of Parliament in reviewing this important bill.

I will now turn to some of our compliance work from the last year.

We accepted 1,241 complaints under the Privacy Act, representing an increase of 37% over the previous year, and 454 under the Personal Information Protection and Electronic Documents Act, or PIPEDA, a 6% increase over the year before.

One of the public sector investigations highlighted in this year's report involved Canada Post's Smartmail marketing program. Our investigation revealed that Canada Post builds marketing lists with information gleaned from the envelopes and packages that it delivers to homes across Canada. It makes these lists available to advertisers for a fee. We found this contravened the Privacy Act, as it was done without the knowledge and consent of Canadians. We recommended that Canada Post stop its practice of using and disclosing personal information without first seeking authorization from Canadians. As a possible solution to remedy this matter, we recommended that Canada Post send a mail notice to Canadians to inform them of this practice and indicate an easy way for Canadians to opt out.

Until the tabling of my annual report, which made this decision public, Canada Post did not agree to implement this solution. After the report was made public, Canada Post issued a statement that it would review its policies. I expect Canada Post to comply with the Privacy Act and I look forward to hearing from them on the next steps to resolve this matter.

The report also highlights some of our private-sector investigations from last year, including our investigation of Home Depot's sharing of the personal information of customers who opted for an electronic receipt instead of the printed one at checkout with a social media company.

Home Depot has since stopped that practice and implemented my offices recommendations. This case underscored the importance of businesses obtaining meaningful consent to share customers' personal information.

Another important area of our work is addressing breaches in the public and private sectors.

We remain concerned about possible under-reporting of breach incidents in the public sector. The number of reported breaches fell by 36% to 298 last year, and only one of those reports involved a cyber-attack. This compares to 681 breach reports from the private sector, of which 278 were cyber-related.

We also engage in groundbreaking policy work, provide advice and guidance to organizations in both the public and private sectors on privacy matters of public interest and importance, and continue to provide advice to Parliament.

We know that privacy matters to Canadians more today than ever before and that they are concerned about the impact of technology on their privacy. Our latest survey of Canadians found that 93% have some level of concern about protecting their personal information and that half do not feel that they have enough information to understand the privacy implications of new technologies. This is why the work of my office to deliver concrete results that have meaningful impacts for Canadians and privacy in Canada is so important.

In closing, I would like to thank this committee for its work over the years, including the many reports and recommendations in the field of privacy. I cite them often. We certainly consider and consult them very often, and I know that Canadians do as well.

I look forward to continuing our efforts to ensure that privacy rights are respected and prioritized by government institutions and businesses alike, and to position Canada as a global leader on privacy.

I would now be happy to answer your questions.

We have issued some investigations. One involved Clearview AI, an organization that was scraping the images of Canadians online and creating what was described as almost a permanent lineup of facial identification. We found that this was a violation of the privacy legislation and made recommendations to the organization. The organization ultimately decided to depart Canada. That was a high-profile instance of a concern.

We are continuing to monitor the situation with international colleagues. We have recently issued a statement on data scraping, calling upon social media organizations to take steps to protect the information, to inform and to have some measures in place. We also highlighted some steps that individuals can take as well.

It is something that we are certainly focused on.

There are two things, Mr. Barrett.

In our statement dated August 24, 2023, we talked about some of the privacy risks in terms of data scraping. Some of them include targeted cyber-attacks, identity fraud, monitoring, profiling and surveilling of individuals, unauthorized political or intelligence-gathering purposes, or unwanted direct marketing or spam.

There are a number of risks, which is why we are calling on social media companies, and indeed all organizations, to respect privacy obligations. We set out a number of ways in terms of risk mitigation techniques that social media companies can and should take to protect that information from bad actors that would scrape the information.

We also, again, highlight some practices and advice to individuals, although it is not on individuals to protect themselves exclusively: The organizations have a duty, and there is advice that can be taken.

You made reference to TikTok. I initiated a commissioner-initiated complaint with respect to TikTok last year. We initiated this in February—this is a joint investigation—and I am moving forward with my provincial colleagues from Quebec, Alberta and British Columbia. We initiated that to look at the privacy practices. We are looking forward to completing this investigation, hopefully, by the end of March 2024.

Thank you very much, Ms. Fortier. I'm happy to see you in person as well.

We addressed this issue early in my term, because it's important that we make quality decisions, but how fast we make them is equally important. Decisions must be delivered within a reasonable timeframe. However, when too many requests are received, it takes longer to respond. We've therefore identified a need and obtained additional resources from Parliament. We're grateful for that.

We're looking at this issue from all angles. We're reviewing our internal processes to determine whether we can operate in a more agile way, whether we're adequately managing risk, whether we can use other technologies, and whether we can use incentives to encourage organizations to resolve disputes more rapidly, for example. I'm a big believer in voluntary dispute resolution.

To improve efficiency at the Office of the Commissioner, I've had a lot of discussions with industry and government representatives to understand the barriers and benefits. One thing I'd like to do is recognize the government's or industry's good work when it comes to privacy, not just their shortfalls, to encourage them to continue moving in the right direction.

There are many opportunities to improve efficiency at the Office of the Commissioner, but it certainly remains one of the main challenges. That's why our efficiency is one of my three strategic priorities, along with technology and protecting children's privacy.

We're really going to do everything we can to improve the way we operate. We've already started to see an improvement.

Yes, for the moment, privacy breaches in the public sector are reported in accordance with Treasury Board directives. There's a legal obligation in the private sector. We definitely have recommendations on the subject. I think it's useful to have binding legal obligations because that encourages organizations to take action. We need them in both the public and private sectors.

However, I also think it's a matter of understanding and communication. You have to understand the criterion for reporting privacy breaches. Sometimes organizations acting in good faith have a poor understanding of that criterion or else underestimate the risk of harm.

We saw this in some of our investigations this year. Some organizations indicated that they hadn't reported a privacy breach because they thought the risk of harm wasn't high enough. In some cases, we disagreed and determined that there had been a risk of financial harm, reputational harm or disclosure of sensitive information.

Consequently, we have some work to do to increase awareness, and we have to make sure we have the necessary tools for that purpose. However, we will continue working on this and encourage organizations to look into these issues. When they report breaches to us, we can offer them opinions and advice and work with them. That's really our objective.

We also work with citizens because we have to find solutions to protect the victims of those breaches.

One of the things I think about is how to communicate with citizens more effectively. What you've done in your riding with your seminars and discussions is very good, and it's a good step in the right direction.

We have to get to a point where Canadians understand what's happening, and we have to equip them to do that. Technology advances very quickly. You can see that with generative artificial intelligence, and other technologies will emerge. Sometimes Canadians may feel confused about it all because everything changes so quickly.

What can we do about it? Sometimes I hear people say it's too late to protect privacy because everything's moving too fast, and they give up. If there's one thing that I consider a concern, it's that.

I think it's important to tell people that we have to protect privacy, that it's possible to do so, that institutions can do it and that people can do it as well. Statutes will never be amended as quickly as technology evolves. The same is true of the regulations the government makes.

However, we need to pass legislation based on principles that can be applied to new technology. I'm a real believer in privacy risk assessments and in making them an obligation. I'm a true believer in transparency and in communicating more and more effectively with Canadians about what can be done with their information and how it will be used.

Consent provisions are often very hard to understand, even for experts. Consequently, people grow tired of it all. In the investigations I discuss in my report, whether they concern Canada Post, Home Depot or Tim Hortons, people are sometimes surprised by what's done with their information.

In our discussions with organizations, we asked them to be proactive and to make that information readily accessible. Sometimes their response is that their information is provided in the privacy policy on their website or at the post office. Then we tell them that they're asking Canadians to bear the burden of searching for that information when those organizations are in a better position to communicate it than they are.

I think we have to hold public discussions, be transparent and have obligations to be transparent.

The phenomenon you're describing has accelerated even more with artificial intelligence. We may think we know our personal information will be used by such and such an entity. However, do we really know what anyone can conclude about us based on that information? What inferences can be drawn? Sometimes postal codes or tastes in music, for example, can help someone deduce a person's sexual orientation, income level and so on. People don't know all that.

I recommended that Bill C‑27 provide for a transparency obligation so that, when people reached a decision with the help of artificial intelligence, they could request an explanation in every case. However, the current version of the bill provides that a general account may be provided only in cases that would have a significant impact on the individuals concerned. I recommended that part be deleted because, for the moment, I think it's better to encourage more transparency rather than less.

We have to try to find pleasant ways to explain this. One of my mandates is to try to acquire tools. We provide a lot of information on our website, and we try to explain it all as best we can, but I think we can do better.

We also have to talk about children, because I think the message has to be adapted to suit the audience.