Evidence of meeting #87 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was tiktok.
A recording is available from Parliament.
5:25 p.m.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Okay.
Your annual report notes that the Office of the Privacy Commissioner has developed various strategies to promote efficiency gains that include “exploring options for automation to help staff work more efficiently”. Have any of the office processes been automated?
5:25 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
We've not automated processes. I'm looking to my colleague, Mr. Maguire.
We've been looking at a first step in terms of systems efficiencies, in terms of risk management profiles, in terms of.... We've developed a tool to identify real risk of significant harm in the case of breaches, so that's an automated process. We're obviously carefully monitoring AI and generative AI.
We did make the decision that for the moment—because we are investigating ChatGPT and hoping to conclude that investigation in the coming months—we are not using that tool at the OPC for the moment, but we will be considering, obviously, appropriate uses of any tools that could assist us, again making sure that they are privacy compliant.
5:30 p.m.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
You've already stated that ChatGPT is at risk here and that you're studying it now. Considering that there are so many different versions of ChatGPT or other AIs like it, are you looking at any others?
5:30 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
For the moment, we are investigating OpenAI and ChatGPT, but again, when we do these investigations, we try.... If we identify lessons or principles, they can assist, hopefully, and can guide other organizations.
For instance, in the Home Depot decision, while we made our conclusion specific to Home Depot, this was a practice that was being used in the industry. When I made my report public, I called on other organizations, any organizations that would be using a similar practice of sharing information when Canadians asked for an email receipt instead of a printed receipt, and I said that this is against privacy law and it needs to stop. A number of organizations were identified as having that practice. We reached out to them, and a great many have stopped, if not all.
That is a systemic impact that we look to have as well, even if we're dealing with one specific case.
5:30 p.m.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
You mentioned working with Quebec and others. There's the Global Privacy Assembly. Can you maybe elaborate on how participating in those international bodies improves...?
5:30 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Certainly, and thank you for the question. We talked about that in the annual report.
There is a very strong active domestic—federal-provincial-territorial—Canadian community, but also internationally there are a number of groups. I've been very active with the G7 round table of data protection authorities. Data protection authorities are essentially privacy commissioners from the G7 countries. We meet annually. We met a year and a half ago in Bonn, Germany. This year we met in Tokyo. One of the key themes of that group has been that we need to have cross-border data flows to ensure that we can have strong international trade when data is travelling from jurisdiction to jurisdiction. How do you ensure that it's protected and safe?
There are number of tools—legislative tools, contractual programs and so on. We have discussions on that. AI has been a growing topic. Last June in Tokyo we issued a statement about our expectations. I think it was one of the first statements in which privacy commissioners set out our expectations for AI from a privacy perspective. We said, for one thing, that current laws apply. Privacy law applies. It's not a legal void. We already have protections and we are going to apply them. We stated our expectation that organizations have privacy by design, that they have privacy impact assessments when developing these tools, and that they do this.
It was a call to action. I was happy to see, in the industry department's voluntary code of practice for AI that was launched a couple of weeks ago, that the G7 declaration was highlighted, as was a reminder that the Privacy Act continues to be important.
5:30 p.m.
Conservative
The Chair Conservative John Brassard
That's wonderful.
Thank you, Mr. Dufresne. Thank you, Mr. Bains.
Now we go to Mr. Villemure for two and a half minutes.
5:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you, Mr. Chair.
I'd like to use my time to give notice of a motion.
Here it is:
That, pursuant to Standing Order 108(3)(h), the committee undertake a study of the RCMP’s decision not to pursue a criminal investigation into Prime Minister Justin Trudeau following the reprimand issued by the Conflict of Interest and Ethics Commissioner regarding his involvement in the SNC-Lavalin affair; that the committee devote three meetings to this study; that the committee request to appear, for one hour per witness: (a) the former Conflict of Interest and Ethics Commissioner, Mr. Mario Dion; (b) the Conflict of Interest and Ethics Commissioner, Mr. Konrad Winrich von Finckenstein; (c) the RCMP Commissioner, Mr. Michael Duheme; (d) Mr. Frédéric Pincince, International Investigations, Ontario Division; (e) representatives of the Royal Canadian Mounted Police in 2019 who may be involved; and, lastly, (f) the former advisor to the Prime Minister, Mr. Gerald Butts; that the committee report to the House; and that, pursuant to Standing Order 109, the committee request a comprehensive response from the government.
5:30 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Villemure.
You're placing a motion on notice. Is that correct?
5:30 p.m.
Conservative
The Chair Conservative John Brassard
I stopped the clock. You have two minutes and 26 seconds left.
Do you want to question the witnesses?
5:35 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you, Mr. Chair.
My apologies, Commissioner, for that interruption.
You mentioned something earlier that brought back a lot of memories. You said that information isn't necessarily public by virtue of being online.
I'd like you to explain that statement, because it's a concept I don't think everyone grasps.
5:35 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Absolutely.
Privacy laws apply to personal information, information that can identify us, because it has to be protected. That information can be used to draw a number of conclusions about us. The law sets out an exception: public information is not subject to certain obligations. Nevertheless, the exception has a very narrow definition. It has to be prescribed by regulation, and it's very limited.
Generally speaking, information that is online is public. Personal information, however, is still personal information. That means organizations are not allowed to use the information however they wish. They have to adhere to the applicable principles. That is the reason why we have investigated organizations that used excessive means to collect photos online to build facial recognition databases and, then, tried to sell them to police.
First, we conducted an investigation into the company Clearview AI, and we found that the database went way too far. There was no framework of restrictions, and the company did not set parameters with respect to necessity, proportionality and so forth.
Second, we conducted an investigation and tabled a special report to Parliament on the RCMP's use of the company at the time.
We found that the RCMP violated the act by using the company and failed to meet its own obligations. The RCMP has since stopped using the company and initiated the national technology onboarding program.
That is a very clear example of how information that appears online is still considered personal information.
5:35 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
That's a helpful clarification.
We learned a new word this week, spamouflage.
What concerns do you have around privacy and spamouflage?
5:35 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Giving people false information, using information that appears to be true but isn't to mislead Canadians is a worrisome practice. That's why generative AI is worrisome. The OECD surveyed G7 ministers and put out a report. The thing that worried them most about AI was disinformation. Privacy was third. That underscores how important it is to protect privacy overall and to guard against disinformation.
5:35 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
The OECD report is publicly available.
5:35 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Dufresne and Mr. Villemure.
We now go to Mr. Boulerice for two and a half minutes.
5:35 p.m.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Thank you, Mr. Chair.
Mr. Dufresne, at the end of our discussion in the previous round, you talked about how your office applies the principles of necessity and proportionality. In your last report on privacy during the pandemic, you point out that the current law isn't satisfactory because those principles are not adequately reflected.
Can you explain all that? How far apart are the principles you want to see in place and the current law?
5:35 p.m.
Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Yes, of course.
Under the Privacy Act, the public sector's obligations are less stringent than the private sector's. Departments are required to show that the information is used for purposes related to their respective mandates. For example, they have to show that they have a legal mandate to do X, so they can do it.
Some obligations are more specific, like those at issue in the Canada Post case. When an organization uses information indirectly, the obligation threshold is greater. It has to ask for permission. The first major consideration when a public organization uses information is whether the activity is relevant to its mandate.
We think it's important to impose the obligations of necessity and proportionality, in keeping with international principles and practices in the private sector. The idea is to consider what information the organization is collecting and for what purpose. It's a bit similar to how it works for charter human rights. Is the organization's purpose important enough? Will the measure achieve the purpose? Has the organization done everything possible to minimize the use of the information in achieving its purpose?
We underscored those principles in our report on the pandemic, and we apply them. While we realize they aren't binding, we apply them and use them to inform our recommendations. We've been able to draw some useful lessons. On the whole, the government adheres to the principles. Occasionally, we're of the view that there should have been more information on how the organization assessed the discarded options, but that, on balance, its decision was justifiable.
It's a standard that encourages decision-makers to ask questions about what they're doing and whether they are minimizing the risks. That's more or less what we are asking.
One of my major recommendations for Bill C‑27 is to require organizations to conduct audits and privacy impact assessments, or PIAs. It's about considering what the risks are and which measures can minimize them.
PIAs are good for privacy, and they're good for Canadians.
5:40 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Dufresne and Mr. Boulerice.
We have a few rounds. The next members will have turns of five minutes, starting with Ms. Gladu, followed by Mr. Kelloway.
Go ahead, Ms. Gladu. You have five minutes.
5:40 p.m.
Conservative
Marilyn Gladu Conservative Sarnia—Lambton, ON
Thank you, Chair.
Thank you, Mr. Dufresne and Mr. Maguire, for being here tonight.
I want to start off with how I'm very disappointed that Canada Post was taking people's private information and selling it to others. I'm even more disappointed that when you pointed it out and asked Canada Post to stop, they didn't really do anything until the issue went public, and now they're just reviewing it.
Is there no remedy from you or the federal government that could make Canada Post stop taking people's private information and selling it?