Evidence of meeting #87 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was tiktok.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Philippe Dufresne  Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Michael Maguire  Director, Personal Information Protection and Electronic Documents Act, Compliance Directorate, Offices of the Information and Privacy Commissioners of Canada

6 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I don't want to speculate as to what we would say, but we would consider appropriate advice to Canadians in a circumstance.

6 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

Thanks for your answers.

6 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Dufresne. Thank you, Mr. Barrett.

Ms. Khalid, you have six minutes. Go ahead, please.

6 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you very much, Mr. Chair.

Thank you to the witnesses for appearing today on double shift with two different issues. We really appreciate it.

I want to pick up on something you said with respect to your study and report based on children and TikTok.

How much of a distinction is there between privacy rights specifically for children and for the general public at large? Is there a significant overlap, or are there extra issues we deal with for children?

6 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

There are extra issues, in the sense that we will generally consider minors' information or children's information to be “sensitive information”. That brings with it greater obligations in terms of care and in terms of methods of consent.

We've issued guidance under current law about obtaining meaningful consent. We are expecting organizations to make it user-friendly and so on, but specifically with respect to children, there are circumstances in which they won't be able to give that consent. They may need a parent to do that if they're below a certain age. In our current guidance, although certain provinces might take different views, for us, if they're under13 years old, there's almost a presumption that you need that parental consent.

It certainly has to be considered in how you look at information. They will have different needs. They will have greater vulnerabilities. That is something that's recognized in the European legislation. It's proposed to be recognized in Bill C-27, which I certainly hope will happen.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

You talked about meaningful consent. What does that look like in the context of social media platforms that have so much access to Canadians' information?

October 25th, 2023 / 6:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Again, in terms of meaningful consent, Bill C-27 would make it stronger in terms of explicitly saying that this has to be provided in information that the person can understand. That's what we look at. This is very complex information. How are you giving those notices? Are you giving a notice that only an expert will understand?

Even if you're an expert, you may be reviewing this at the end of the day. You may be tired. You may be bombarded with so many things. Every time you go on a website, you get a cookie page or whatnot. We provide a number of tips in that guidance: Make it user-friendly. Make it not just a one-time thing. Make sure that you sometimes provide follow-ups. Make it as understandable as possible. In the context of children, make it appropriate to the child. Maybe there are opportunities for video or other ways.

The goal is to provide the information so that individuals can understand what's going on and to bring that same innovation.... We often talk about innovation requiring data, and that's true, but let's use innovation to protect data. That would assist in terms of the consent and the explainability.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

How does that protection of data play out when we see that a company like TikTok is storing data in the U.S., in Singapore, in Malaysia and not in Canada? How do we control the servers or the access to Canadian data when it's physically not present in Canada?

6:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Right. Well, the law will still apply if Canadians are affected. A number of factors will give us jurisdiction, even if the information itself may be stored elsewhere. We look at those factors, those links, and then we apply the law to the organization and to the treatment of the information at issue.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you.

When we had TikTok representatives here with us, David Lieber, who appeared at the last meeting, said the following:

We also have a biannual transparency report where we disclose [a] number of government requests that we receive from governments throughout the world....if we did receive a request from the Chinese government, we would certainly disclose it in our transparency report.

Have you looked at these transparency reports? What kinds of details do they provide? Are they actually transparent?

6:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

In preparing for this appearance, I was briefed on these types of reports. I think the question to be considered is about the extent of it. If you're pointing to a report to say that this report will give transparency, I would ask what the report is about. What will it report on? Will it report only on Canadian government requests? Will it report on governments all over the world? That's an important element to make sure of.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Especially with data not being stored physically in Canada, if there's a request made by X, Y, Z state or country to say, “Hey, TikTok, can you give us all the data on every 16-year-old girl who likes MAC lipstick?”, should TikTok have a duty to report to Canadian authorities the request for information by a country that is not Canada?

6:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

This is not something that we've investigated or turned our minds to. Generally, if we look at a matter on the protection of information, we'll look at the safeguards. We'll look at what the risks are. We'll look at what measures you're putting in place to protect that information. Based on that, we'll make our recommendations and our findings.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Do you find that companies like TikTok and other social media platforms would heed some of your recommendations? How do you anticipate that some of your recommendations would be applied within Canada in terms of privacy?

6:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

This is where the order-making power is an important element. Right now, we would make recommendations. It's up to them to decide if they're going to follow up. If there's order-making power, that can be enforced.

6:10 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Ms. Khalid.

It's now over to Mr. Villemure for six minutes.

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Chair.

Mr. Dufresne, how would you describe the platforms' appetite for protecting privacy?

6:10 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

What I can tell you is that the platforms attend privacy conferences. They are very involved, very aware and very interested when it comes to privacy issues.

My office examines what the platforms do and how they use the information. That's what our recommendations are based on. For example, we give platforms recommendations on data scraping, so the practice of collecting large amounts of data on the web. We let the platforms know that we expect more of them. We expect them to be more proactive, and to treat data scraping as though it were an invasion of privacy and to protect and handle the information accordingly. We are engaging with them. They've sent us feedback on our position, and we are engaged in a discussion.

As I mentioned earlier, we are involved in a court challenge against Facebook related to the use of information by Cambridge Analytica. We are also conducting investigations into ChatGPT and TikTok. The process exists. Intentions and statements aren't what interest us. What we care about is real results for Canadians.

René Villemure Bloc Trois-Rivières, QC

In other words, you care about everything that's said and done.

Would you say that, every time you manage to make some headway on privacy, the platforms look for ways around it or ways to go further in order to protect their business, which is basically selling people's data?

6:10 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I think we have to be aware that there is often an economic incentive to use information. It's normal, it's part of the economic system. States and regulatory bodies must therefore be able to create incentives in the other direction to protect information. I see two kinds of incentives. First, there's a positive incentive, which recognizes good behaviour and gives reputation-related rewards; but you also need a negative incentive, which uses legal constraint. We need laws that will tell these platforms and organizations that they have a proactive obligation to publish their privacy plan, that they have a proactive obligation to conduct audits, that they have a proactive obligation to minimize data use and explain it properly. If they don't, there can be audits, investigations, orders and fines. I think all this is necessary to have proper regulation.

René Villemure Bloc Trois-Rivières, QC

Is your power a sufficient deterrent to force platforms to follow your recommendations? We mentioned the power to issue orders, but do you lack other tools?

6:10 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

At the moment, I lack the power to issue orders and the ability to impose administrative monetary penalties. If an organization is raking in millions or tens of millions of dollars using data and there are no monetary penalties when a breach occurs, going in that direction becomes tempting. This must be avoided.

René Villemure Bloc Trois-Rivières, QC

For companies with billions of dollars in sales, I don't know what a deterrent fine would be.

We've heard about the 345-million euro fine imposed on TikTok in Europe, for multiple infringements. However, how effective is such a fine when the company has multi-billion dollar sales?

6:10 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

That's why the European model, which is the General Data Protection Regulation, the model in Quebec, which is Bill 25, and the model proposed in Bill C‑27 provide that it's going to be a maximum amount of $10 million, for example, or 3% of sales. I think that addresses the issue you raised.

If a company has significant sales, $10 million isn't a lot; setting a percentage addresses that.

René Villemure Bloc Trois-Rivières, QC

According to the European community, establishing a percentage works well.

What do you think about TikTok being banned in several countries around the world, including some European communities?