Information & Ethics Committee on Feb. 28th, 2022

Thank you very much, Chair.

Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in internet and e-commerce law, and I'm a member of the Centre for Law, Technology and Society. I appear in a personal capacity, representing only my own views.

I'd like to thank the committee for the invitation to appear on this issue, which represents an exceptionally thorny privacy challenge. I recognize that some of your witnesses have brought differing perspectives on the legality and ethics of this collection and use of mobile data.

From my perspective, I'd like to start by noting three things. First, ensuring that the data was aggregated and de-identified was a textbook approach to how many organizations have addressed their privacy obligations—namely, by de-identifying data and placing it outside the scope of personally identifiable information that falls within the law. Second, the potential use of the data in the midst of a global pandemic may well be beneficial. Third, it does not appear that there's a violation of the law, because the data itself was aggregated and de-identified. The public notice may not have been seen by many, but that, too, is not uncommon.

I think this creates a genuine privacy quandary. The activities were arguably legal, and the notice met the low legal standard. Telus, I think, is widely viewed as seeking to go beyond even the strict statutory requirements, and the project itself had the potential for public health benefits.

Now, there could have been improvements. The Privacy Commissioner of Canada, I think, should have been more actively engaged in the process, the public notification should have been more prominent, and there should have been opportunities—and should still be opportunities—for opting out, but I'm not entirely convinced that these steps would have changed very much.

The OPC would surely have pushed for more prominent notification and some assurances on the de-identification of the data, but it seems likely that the project would still have continued. Similarly, better notices would have benefited the few Canadians who paid attention, but I think we can recognize that it's a fiction to suggest that there are millions actively monitoring privacy policies or similar web pages for possible amendments. Yet, despite all of these factors, something doesn't sit right with many Canadians.

I believe the foundational problem that the incident highlights is that our laws are no longer fit for purpose and are in dire need of reform. It's not that I think we need laws that would ban or prohibit this activity. Again, most recognize the potential benefits. Rather, we need laws that provide greater assurances that our information is protected and will not be misused, that policies are transparent and that consent is informed. That doesn't come from baking in broad exceptions under the law that permit the activity because the law doesn't apply. Instead, it means updating our laws so that they contemplate these kinds of activities and provide a legal and regulatory road map for how to implement them in a privacy-protected manner. The need for reform applies to both the Privacy Act and PIPEDA.

With respect to the Privacy Act, there have been multiple studies and successive privacy commissioners who have sounded the alarm on legislation that is viewed as outdated and inadequate. Canadians rightly expect that the privacy rules that govern the collection, use and disclosure of their personal information by the federal government will meet the highest standards. For decades, we've failed to meet that standard.

The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act needs to include a similar mandate for public education and research.

With respect to PIPEDA, I would need far more than five minutes to identify all of the potential reforms. Simply put, the issue has inexplicably been placed on the back burner. Despite claims that it was a priority, the former Bill C-11 was introduced in November 2020 and there was seemingly no effort to even bring it to committee. The bill attracted some criticism, but this isn't rocket science. If Canada is looking for a modernized privacy law and wishes to meet international standards, the starting point is the European Union's GDPR.

Notwithstanding some of the recent scare tactics from groups such as the Canadian Marketing Association, the reality is that GDPR is widely recognized as the standard. Global multinationals are familiar with its obligations. There are innovative rules that seek to address the emerging digital challenges, and there are tough enforcement powers and penalties. There's room to tweak the rules for Canada, but we should not let the perfect be the enemy of the good.

Modernized privacy rules are not some theoretical exercise. As this recent event demonstrates, failing to implement those rules leaves Canada in a difficult position, with potential conflicting rules at the provincial level, compliance strategies that may still undermine public trust, and policy implementation choices that fail to maximize the benefits that can come from better data—

Thank you, Mr. Chair.

First of all, let me introduce myself. I was the speaker of the National Assembly of Quebec for six and a half years and a parliamentarian for 25 years. I often lecture about ethics. I have written numerous texts and I have worked with institutes of ethics, particularly the one at the Université Laval. I am active in the Mouvement démocratie nouvelle, which is principally, but not exclusively, focussed on the reform of the voting system. I have been its president for some years.

To get tothe crux of the issue, we know that the Public Health Agency of Canada contracted Telus to collect personal cellphone data from millions of Canadians without their knowledge or consent.

There appeared to be no transparency in the operation, which theMinister of Health defended nevertheless. We also know that the Privacy Commissioner of Canada—we found this out very recently—had been informed about the government's intentions, but was kept at a distance from the process. The consequence is that basically three problems became clear.

First, in terms of ethics, the whole thing was done in secret. So the operation was hidden from view and Canadians were not told that the operation was happening.

Second, when the Privacy Commissioner of Canada showed up, he was basically kept at a distance. By keeping the Privacy Commissioner of Canada at a distance, the government made it impossible for one of the mechanisms in the act, namely the Office of the Privacy Commissioner of Canada, to play its role. Not only did the government keep at a distance the agency responsible for overseeing the way in which political leaders handle the protection of privacy, but it also acted in secrecy and made no apologies for doing so.

Third, the issue was normalized. When certain things were revealed and votes were held on the matter in the House of Commons, members who had passed the motion at committee ended up on the government side.

What is the consequence? When there is no transparency, when the behaviour does not use the mechanisms provided for in the act to protect Canadians and their privacy, their trust in the political institutions and in their political leaders, their elected representatives, is undermined.

Each year, there are surveys on the level of trust that Canadians have in their political leaders. Unfortunately, for years, all the political science studies tell us that the level of trust is very low. Each time something else happens, or there is another kerfuffle—a Toronto newspaper made this one public—that runs counter to the way in which leaders should behave, the public's trust does not go up, it goes down or it stagnates.

We need to recognize that trust is the basic building block of democracy. A democracy cannot work if the public does not have a minimum level of trust in their elected representatives, their political leaders.

These days, we can easily see how a dictatorship works. You don't need any involvement from Parliament. One man decides to send a part of the world into war, and there we are at war. Conversely, in a democracy, mechanisms exist. Mechanisms are a social contract between the public and its political leaders. The contract is built on trust, which is why democracies, like the parliaments in Ottawa, Quebec City and anywhere else, have provided themselves with mechanisms, codes of ethics and codes of conduct to safeguard that level of trust.

For example, the National Assembly of Quebec has a code of ethics and a code of conduct. One of the points in that code deals with the strength of one's word. I could have chosen others but that is one example.

Let me go back to this situation, this affair. As the previous witness said, it's not really the end of the world. It's not the scandal of the century in terms of affronts to privacy. But it is one factor in a number of factors that end up combining with a whole bunch of factors that, over the years, undermine the public's trust.

When we don't consider that to be important, when we normalize an event like this—

Oh, my time is up all ready!

So I will wait for the questions, Mr. Chair, but I feel that I have said what had to be said.

That's a great question. I think the starting point is the question of whether data can ever be reidentified. Can you put humpty dumpty back together again? I think that's one of the really exceptional challenges in this area. We see it play out on a lot of different issues.

From what I've seen in the testimony, certainly coming from the provider's perspective in terms of their responses and what they tried to do, it does sound like there was a genuine effort to try to ensure that it would not be identifiable, with various guardrails. I think it does come to the question that Mr. Charbonneau raised, the question of trust. If you don't have effective frameworks, if you don't have full transparency associated with this, if it's simply buried at the bottom of a web page that no one is going to take a look at, it's natural that people are going to raise these kinds of questions.

From the outset, the minister asked to be trusted. For political leaders to be trusted, they must behave in a trustworthy manner. When a government ignores the main body that Parliament has created to protect the privacy of Canadians, when the Privacy Commissioner is not involved and is kept at a distance, how can we completely trust this government or one of its ministers?

Once again, this is not the scandal of the century, but it is one of a number of scandals—some much more serious than others—that undermine people's trust. If the government is asking to be trusted, our answer must be that it must deserve that trust and that it must act legally and transparently.

Why was this operation done in secret? Why not clearly tell the public exactly what was going to be done, why it was going to be done and what the result was going to be?

One must not justify one's behaviour retroactively. One must be transparent from the outset, put one's cards on the table and use the protection mechanisms that guarantee—

I think—

No. If it had acted transparently, we wouldn't be here today.

I think it's hard to say that it has been fully transparent given the limited disclosure and the fact that the Privacy Commissioner wasn't more actively engaged. It's quite clear that this could have been done far better.

I'd start by saying that keeping that door open is something that we see both companies and perhaps governments trying to do in terms of potential multi-use of data down the road. That's partially where these problems really start to arise. I think that you can make a credible case in some circumstances, but trying to leave full flexibility down the road starts to really tear at the public trust that we've just been hearing about.

If you have effective legal rules in place, then that simply isn't an option, because what you have to do when you have powerful legal rules in place is justify the use, and you try to circumscribe some of those uses so that they're more clear-cut and the consent itself is only valid for those narrow groups of uses, as opposed to essentially opening the door to alternative uses down the road as issues potentially arise.

No, that was really the point that I wanted to drive home with my opening statement. I think that at the moment both the Privacy Act and PIPEDA simply are not fit for purpose.