Evidence of meeting #92 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

Also speaking

Cherie Henderson  Assistant Director, Requirements, Canadian Security Intelligence Service
Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Peter Madou  Director General, Intelligence Assessments, Canadian Security Intelligence Service
Sharon Polsky  President, Privacy and Access Council of Canada

5:15 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

As lawmakers, one thing you could do is not enact Bill C-27, because that's not going to make it better; it's going to make it worse.

What can we do? Is PIPEDA a comfort? No, it is not, because it's not sufficient, as Jennifer Stoddart said when she was in the final days of her role as commissioner. It could use some more teeth. How many years ago was that? It still needs some more teeth. Sure, Canadian organizations are responsible for the proper collection, use, disclosure and all the rest of it under PIPEDA, but when the information goes offshore, they lose control of it. We as Canadians have no recourse when our information is in a foreign nation and goes into the wind, or when we see things that breach our privacy, whether from Equifax, Meta, Google or any other organization.

One commission or another somewhere in the world hammers them with a multi-million dollar fine or hundreds of millions of dollars as a fine. They put it in their financial report as a line item, and it reduces their tax liability—that's sweet, on to the next. That's all. It's lunch money to them. It's to the company, not an individual.

Ali Ehsassi Liberal Willowdale, ON

Thank you for that.

Something else we should be very much concerned about is ransomware. Could you talk about the intersectionality between these social apps and the information that's obtained and then leveraged against consumers?

5:15 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I think that ransomware, like so many problems we have online, is a reflection of society. It is the same type of crime that was committed before the Internet. The Internet is a tool that allows the perpetrators to commit these crimes in greater numbers, with greater efficiency and cost efficiency from their side, with greater returns. That's terrific, but it's no different. It's really no different.

The problem is education, again. You can have the best technology, the greatest security, but if somebody doesn't have the courage to question the boss or to call up the president and say, “Excuse me, ma'am, but did you actually send this?” or if they don't have the curiosity or the skepticism, especially nowadays, to question what is presented in their email—and I'm sure they act in good faith—and if they click the wrong thing, that opens the entire organization up to ransomware and to problems.

The organization can recover, but what about all the individuals whose personal information has now been compromised? In the case of Equifax, there were 146 million Americans, and the payout, the negotiated settlement, the fine.... I remember Kevin Mitnick, when he was still alive, on LinkedIn showing the cheque he got for $5.42. That was supposed to help him recover. In Canada, the Canadians who were affected got one or two years of credit monitoring that was administered through Equifax's American organization.

Ali Ehsassi Liberal Willowdale, ON

My last question is this: Given that you probably have had the opportunity to look at various jurisdictions, what jurisdiction would you say does the best job of ensuring that privacy rights are protected?

5:20 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

At this point, I would say it's the EU, because of the GDPR and because, at the very last minute, they put the brakes on a piece of legislation that would have required, basically, encryption to be broken to facilitate the ability of the police to find the predators. The police do that now without the encryption back doors.

5:20 p.m.

The Chair Conservative John Brassard

Thank you, Ms. Polsky and Mr. Ehsassi.

Mr. Villemure is next.

Do you have your earpiece in, Ms. Polsky?

5:20 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I do.

Thank you.

5:20 p.m.

The Chair Conservative John Brassard

That's wonderful.

Mr. Villemure, you have six minutes.

René Villemure Bloc Trois-Rivières, QC

Thank you very much, Mr. Chair.

I too want to wish my colleague Mr. Kurek a happy birthday.

Good day, Ms. Polsky. It's a pleasure to have you here.

How would you describe the behaviour of social media platforms in terms of privacy protection?

November 20th, 2023 / 5:20 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I would say they are self-interested, because they are for-profit organizations. They do what they have to in order to improve their bottom line and to provide the greatest return possible to their investors and shareholders.

René Villemure Bloc Trois-Rivières, QC

Are they all the same, or are there some that are better than others?

5:20 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I think there are some that are better. They do take a greater interest in individuals' privacy. I could name the Tor Project, Signal, and Proton. These are the three that come to mind. They're not particularly social media platforms, but they are certainly communications tools that don't take any information, any metadata, anything. They don't keep it. That provides much greater security. As well, their encryption technology is much stronger.

René Villemure Bloc Trois-Rivières, QC

In terms of privacy protection, social media platforms are all the same, meaning they aren't very good. Is that correct?

5:20 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

That's a very difficult one, because each one of them has its own interests at heart. They collect the information and provide advertisers with the opportunity to reach our eyeballs. I don't know that any of them is really interested in our privacy.

René Villemure Bloc Trois-Rivières, QC

On that subject, could you comment on surveillance capitalization and tell us what a committee such as ours can do to counter its impact?

5:20 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

“Surveillance capitalism”, the term that Shoshana Zuboff coined, is a wonderful term. We could also call it “surveillance economy”, because nowadays much of our economy is based on surveillance in one way or another, whether we realize it or not.

What can be done? Before a drug is allowed to be sold in Canada, before a vehicle is allowed to be sold and licensed in Canada, and a lot of other products, they have to be tested by an independent Canadian authority to make sure they are fit for purpose and safe. I think the same thing has to apply to the technology we all use every day, which is now being sold by self-interested corporations. That all fosters the surveillance economy.

The only way of pulling back from having our information used continuously as fodder for surveillance.... Spin doctors say, “Well, everybody is okay with it because they keep giving their information”, despite the fact that we have very little option or no way of opting out. It's up to our government to regulate it, despite the objections of big tech.

René Villemure Bloc Trois-Rivières, QC

You said earlier that, despite the efforts expended on C‑27, it did nothing to protect us from those kinds of invasions of privacy, is that not correct?

5:25 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Well, I think it's a step backwards from what we now have in PIPEDA. First of all, the first word is “consumer”—the consumer privacy protection act—labelling us all as consumers. We are commodities, with our information to be commoditized.

It provides a private right of action once we complain to the commissioner, who is—like most of them—chronically underfunded. Once they finally get around to assigning the file, investigating, deciding and determining, it will go to a new tribunal, which I expect will have to at least review this, if not provide a fulsome re-investigation. If the tribunal agrees with the commissioner that a fine is in order, then the offending company has the right to take it to court.

How many years will that take? Once they have exhausted their legal recourse, you and I get to advance our private right of action. We then pay another lawyer and go through another 7-10 years.

René Villemure Bloc Trois-Rivières, QC

So it isn't very useful.

You mentioned earlier that merely going to a website, before even clicking on the consent form, constituted data. Could you tell us a bit more about that?

5:25 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Yes, this is a feature that.... I've found that in a lot of organizations, the people who create the websites don't talk to the people in the privacy office, shall we say. It's the old story that we'll put in all of these wonderful tools that can collect information, and it's really neat to say, “Hey, we can maybe do something with it in the future”, without knowing—because of lack of education—that they are overcollecting. The way it works is similar to a cookie. Before you even see the website you have called up, the fact that you are there has already been transmitted to Facebook and data brokers.

5:25 p.m.

The Chair Conservative John Brassard

Thank you, Mr. Villemure and Ms. Polsky.

Next, we have Mr. Green, for six minutes.

Go ahead, please.

Matthew Green NDP Hamilton Centre, ON

Thank you.

I certainly appreciate your quite right analysis of the consumer as the commodity. I think this absolutely underscores most of what we're talking about here.

Were you here during the previous panel? If you were, you would have noted that in my lines of questioning I brought up quite frequently the notion that there isn't one bogeyman in this scenario, but in fact all platforms are engaged in this type of surveillance capitalism. Whether or not a foreign state actor has direct access via ByteDance, or another dictatorial regime purchases it as the highest bidder from another, fundamentally there isn't really a difference. They have the data.

Would you agree with that analysis?

5:25 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Absolutely. Our information is being sold, traded and bid on in real time. We don't know it and we can't say, no, don't do that, because we have no idea who is bidding on our information. We don't have a direct relationship with them. We have no recourse. Our information is gone.

Matthew Green NDP Hamilton Centre, ON

On that, I want to talk about the recourse. You mentioned the teeth that you would like to see in legislation.

With specificity, could you just take a moment and reflect on the types of teeth you would like to see in a proposed legislation that would deal with privacy in a more fulsome way?

5:25 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I can give you a very quick example.

The way companies now are fined, but not the individuals, is meaningless. By contrast, after the Enron scandal, 20 to 25 years ago, the United States passed the SOX legislation. The complete name is the Sarbanes-Oxley Act of 2002. It said very simply that the person at the head of the organization is responsible for everything in the financial statement. If things go sideways, they personally face multi-million dollar fines and jail time. Companies around the world, including Canada, scrambled to make sure that they were SOX-compliant. We need the same thing.