Thank you very much, Chair.
Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in internet and e-commerce law, and I'm a member of the Centre for Law, Technology and Society. I appear in a personal capacity, representing only my own views.
I'd like to thank the committee for the invitation to appear on this issue, which represents an exceptionally thorny privacy challenge. I recognize that some of your witnesses have brought differing perspectives on the legality and ethics of this collection and use of mobile data.
From my perspective, I'd like to start by noting three things. First, ensuring that the data was aggregated and de-identified was a textbook approach to how many organizations have addressed their privacy obligations—namely, by de-identifying data and placing it outside the scope of personally identifiable information that falls within the law. Second, the potential use of the data in the midst of a global pandemic may well be beneficial. Third, it does not appear that there's a violation of the law, because the data itself was aggregated and de-identified. The public notice may not have been seen by many, but that, too, is not uncommon.
I think this creates a genuine privacy quandary. The activities were arguably legal, and the notice met the low legal standard. Telus, I think, is widely viewed as seeking to go beyond even the strict statutory requirements, and the project itself had the potential for public health benefits.
Now, there could have been improvements. The Privacy Commissioner of Canada, I think, should have been more actively engaged in the process, the public notification should have been more prominent, and there should have been opportunities—and should still be opportunities—for opting out, but I'm not entirely convinced that these steps would have changed very much.
The OPC would surely have pushed for more prominent notification and some assurances on the de-identification of the data, but it seems likely that the project would still have continued. Similarly, better notices would have benefited the few Canadians who paid attention, but I think we can recognize that it's a fiction to suggest that there are millions actively monitoring privacy policies or similar web pages for possible amendments. Yet, despite all of these factors, something doesn't sit right with many Canadians.
I believe the foundational problem that the incident highlights is that our laws are no longer fit for purpose and are in dire need of reform. It's not that I think we need laws that would ban or prohibit this activity. Again, most recognize the potential benefits. Rather, we need laws that provide greater assurances that our information is protected and will not be misused, that policies are transparent and that consent is informed. That doesn't come from baking in broad exceptions under the law that permit the activity because the law doesn't apply. Instead, it means updating our laws so that they contemplate these kinds of activities and provide a legal and regulatory road map for how to implement them in a privacy-protected manner. The need for reform applies to both the Privacy Act and PIPEDA.
With respect to the Privacy Act, there have been multiple studies and successive privacy commissioners who have sounded the alarm on legislation that is viewed as outdated and inadequate. Canadians rightly expect that the privacy rules that govern the collection, use and disclosure of their personal information by the federal government will meet the highest standards. For decades, we've failed to meet that standard.
The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act needs to include a similar mandate for public education and research.
With respect to PIPEDA, I would need far more than five minutes to identify all of the potential reforms. Simply put, the issue has inexplicably been placed on the back burner. Despite claims that it was a priority, the former Bill C-11 was introduced in November 2020 and there was seemingly no effort to even bring it to committee. The bill attracted some criticism, but this isn't rocket science. If Canada is looking for a modernized privacy law and wishes to meet international standards, the starting point is the European Union's GDPR.
Notwithstanding some of the recent scare tactics from groups such as the Canadian Marketing Association, the reality is that GDPR is widely recognized as the standard. Global multinationals are familiar with its obligations. There are innovative rules that seek to address the emerging digital challenges, and there are tough enforcement powers and penalties. There's room to tweak the rules for Canada, but we should not let the perfect be the enemy of the good.
Modernized privacy rules are not some theoretical exercise. As this recent event demonstrates, failing to implement those rules leaves Canada in a difficult position, with potential conflicting rules at the provincial level, compliance strategies that may still undermine public trust, and policy implementation choices that fail to maximize the benefits that can come from better data—