Information & Ethics Committee on Feb. 28th, 2022

I'll take a slight detour just to note that the Privacy Act, the part in terms of the obligations that the federal government has with respect to privacy, should not be overlooked at all. If anything, there's a core element there when we talk about the increasing desire for government, and some would say the need for government, to have more data in order to make better data-driven decisions, which may necessarily implicate data collection issues. In the case of the Privacy Act, that is even older in terms of when it was drafted and the failure to update it.

Thank you for that opportunity.

I'll note that I've had the pleasure of appearing before this committee through multiple Parliaments. This committee has issued multiple studies on this question and made recommendations. There isn't a lot to rewrite here. It's one of these issues that just never seem to rise to the level of actual legislation.

Among the things we could do, I mentioned off the top the ability of the Privacy Commissioner to play a more proactive role in terms of public education and research about the relationship Canadians have with their governments in terms of the data that gets collected. We could also strengthen protections—for example, limitations on the data that government collects, so information is only collected where it is strictly necessary for its programs or activities. That hearkens back to one of the earlier questions of keeping the door open to other kinds of uses. There's a need to ensure that in fact it's the opposite: not only that we carefully circumscribe what gets collected, but that we identify that right from the very beginning.

In terms of breach disclosure-related issues, there is a need to ensure that if the data that is collected is put at risk—and we have had incidents in the past—the individual users themselves are adequately informed. Privacy impact assessments are necessary to ensure...and embed those within the law where some of these new programs are launched.

Then, when we think about this kind of issue in particular, which really opens the door to these large datasets, we need to think about the interaction that the federal government may have with private sector participants, because this represents a relatively new situation. It used to be the government might collect the data itself. Now we have, effectively, platforms or intermediaries that may be collecting some of that data and making it accessible to government. We need to establish effective precautions and safeguards in that regard. Was appropriate consent obtained? Is it de-identified? Have you worked with the Privacy Commissioner to ensure that's the case? Even if it was de-identified, what level of consent was obtained, as in this kind of case? Those are some of the things we could be, and I think should be, thinking about with respect to the Privacy Act.

In terms of PIPEDA reform, the way I would do it, to be totally candid, is to sit there with the GDPR text on the one hand, look at PIPEDA on the other, and then add in the bill that comes forward and engage in a benchmarking exercise to see where we stand. That's not to suggest that there can't be Canadian-specific reforms; I think there unquestionably can be. However, it is universally acknowledged that....

An easy one, of course, is the enforcement side of things. We don't have strong penalties. Our federal commissioner doesn't even have order-making power. That puts the federal commissioner in a position unlike almost any other privacy or data commissioner anywhere in the world in terms of not having the necessary tools to ensure effective compliance.

Then—

Privacy laws are designed to be context-specific. They ought to be, and should be, adaptable to those kinds of situations.

In a situation where there are heightened concerns—let's say in a global pandemic or a war—some of the choices that get made and the balance that gets struck may well be different from those in other situations, which may be more mundane and don't raise those issues. The same, of course, is true depending on the sensitivity of the information. If we're dealing with sensitive health or financial information, the kinds of safeguards we'd expect may be different from questions about where I might have gone for lunch yesterday.

I think that the law itself is able to account for these different kinds of circumstances. The problem is that, if you don't have effective enforcement of those rules and you haven't modernized some of the consent-related provisions and the like, you're working with a very weak hand in terms of ensuring you have effective protections.

I think it depends a little bit on the kind of data. It's an interesting question to pose: Can you opt out? Well, you can opt out, certainly, or you ought to have the right, I would say, to opt out of a program like this.

It doesn't seem to me that.... This is useful information, to be sure, and I think you can make a compelling case that it's valuable to have that sort of information, this kind of data. You see it play out in a number of different places. There's a lot of talk about waste water, for example, and trying to measure COVID-19 levels that way, as well.

We are anxious to get more data. The ability to opt out in those circumstances would seem to be appropriate. There might be circumstances, though, where the dependence of public health does require certain kinds of disclosures. We get that, of course, when we go into certain places and are required to disclose our vaccination status. That strikes me as entirely reasonable.

It seems to me that there are differences, depending on the circumstances in which this might be used and the data that's involved.

Let me emphasize once again that we have the Office of the Privacy Commissioner. Basically, the goal of that institution is to help political leaders and the public to see things clearly and, potentially, to find compromises or to assess risks for the public. It's impossible for everyone in Canada's population to provide an opinion. We have to have one entity representing the public and responsible for monitoring and protecting privacy—

…and determining how the government is behaving.

Sure. I can try.

I would start by noting that my read of the commissioner's response was that he felt that his office should have been more actively engaged in this process, so I recognize it—

Fair enough. In terms of public transparency, I think your point highlights how this issue is often addressed by organizations, whether in the government or in the private sector, which is to say, “Hey, it was all there. All you had to do was go out and find it.” Most people don't know what BlueDot is. Even if they did, they still wouldn't necessarily know where the data was coming from or how it was collected down the line. So the need for full public education on this in terms of how that data would be collected in the first place, and then made more broadly available, is really important.

I was actively involved, for example, in the COVID Alert app discussions and was part of one of the studies that fed into that. There was a recognition that because you needed the public to actively install that, there needed to be a significant education program so that they would both trust it and understand it. You need to do the same kind of thing in this context where that kind of data is being collected—

I'm just going to respond that in fairness, I don't think my response is shifting over to consent. I think my point with respect to COVID Alert and my point here is that if you want people to trust in these programs, you need to explain in as many forums as possible and as clearly as possible what data is collected and what's being used. That happened with COVID Alert. I'd argue that it did not happen in this context.