Information & Ethics Committee on Nov. 20th, 2023

Evidence of meeting #92 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

Use of Social Media Platforms for Data Harvesting and Unethical or Illicit Sharing of Personal Information with Foreign Entities
Committee Business

MPs speaking

John Brassard
Michael Barrett
Pam Damoff
René Villemure
Matthew Green
Jacques Gourde
Parm Bains
Damien Kurek
Mike Kelloway
Ali Ehsassi

Also speaking

Cherie Henderson  Assistant Director, Requirements, Canadian Security Intelligence Service
Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Peter Madou  Director General, Intelligence Assessments, Canadian Security Intelligence Service
Sharon Polsky  President, Privacy and Access Council of Canada

5:40 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

There are places, well-funded organizations, that promote education, but it's a drop in the bucket. I think it's a matter of public policy to require.... I realize this is not a federal jurisdiction thing, but I'm sure the federal government could have some influence, perhaps, with its provincial and territorial colleagues, to say, “Include this in the mandatory curriculum, from pre-kindergarten.”

5:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

I know that's my time.

I used to be on the public safety committee, and digital literacy is something that we've asked for many times in terms of getting it into the schools.

Thanks for being generous with your time, Chair.

5:40 p.m.

Conservative

The Chair Conservative John Brassard

I'm probably the most generous guy you'll ever meet.

5:40 p.m.

Some hon. members

Oh, oh!

5:40 p.m.

Conservative

The Chair Conservative John Brassard

What are you laughing at? Just look up my profile on Facebook.

Mr. Villemure for two and a half minutes.

5:40 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you to our very generous chair.

Ms. Polsky, earlier, my colleague Matthew Green and you were discussing improvements needed to ensure people aren't trapped and without recourse once they give their consent. In my opinion, many elements of that discussion are extremely interesting. Could you tell us more?

5:40 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I've lost the interpretation.

5:40 p.m.

Conservative

The Chair Conservative John Brassard

We've lost interpretation, Mr. Villemure.

Ms. Polsky, make sure you're on the right channel. You want English.

5:40 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I'm on English, but it faded away. I couldn't hear the translation for the entire question.

5:40 p.m.

Conservative

The Chair Conservative John Brassard

Okay.

Mr. Villemure, I paused the clock on your time. You may ask your question again. We'll make sure that Ms. Polsky is able to understand it. Please start over.

5:45 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you very much, Mr. Chair.

Ms. Polsky, you were talking with my colleague Mr. Green, who will speak after me. You both listed solutions to prevent people from being trapped without any recourse on the issue of consent. I'd like you to speak more about possible solutions, which I find quite interesting.

November 20th, 2023 / 5:45 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

One of the things we see in existing Canadian and foreign legislation is consent that has no granularity. You have to consent to the organization collecting information from you and about you. It'll be shared with its business partners and affiliates. You don't know who those are, where in the world they are or what they're going to do with it.

Bill C-27 maintains the status quo, except it's going to have to be in simple, non-legalese English. It doesn't change anything. It's not granular. We need granularity.

Actually, the Quebec government has a new piece of legislation that was enacted about a year ago. The consent portion of it came into effect in September this year. It is better. It's not what it needs to be. It still gives the organizations the reins.

We need to turn it around so that the organizations are compelled to comply with legislation and be rated on their compliance by an independent organization that creates a publicly available index, if you will. We can then all go to this index and determine whether or not we want to deal with an organization based on its compliance with the legislation. It is then up to us to give our consent.

5:45 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

I'm going to use my final 10 seconds to summarize your opinion that we need privacy legislation similar to the Sarbanes‑Oxley act, a driver for this kind of activity. I'm very interested in the connection to this legislation. Could you clarify your thoughts on the matter or send us documents in writing?

5:45 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I'd be happy to send more information. I'm working with colleagues who are developing an international standard and a facility to do just what I've been describing. It turns it around, puts us in the driver's seat and compels organizations to comply with legislation.

That's important, considering there are still a lot of them in Canada that have yet to comply fully or at all with PIPEDA, 20 years later.

5:45 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Villemure and Ms. Polsky.

Mr. Green, you have two minutes and 52 seconds. Go ahead, sir.

5:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

I appreciate the reverse onus. I agree. However, if compliance is an issue, why have this rating mechanism that you've imagined, instead of just hard regulation and hard compliance that would have some kind of teeth, with fines that meet a disincentive or, worse, with criminal culpability?

5:45 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Go at it with both prongs, so that the organizations have to comply. Think of it as what Ralph Nader did long ago with the auto industry. Some people called it public shaming.

If you don't know how an organization is complying, whether it's complying or to what extent it's complying, you're in the dark.

5:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

I would agree.

5:45 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Make it so that it has to publicly fess up.

5:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

You mentioned that Bill C-27 is the status quo, and I appreciate that. It's basically making them use plain English, but it's still putting the onus on the person rather than the corporation.

Will more legislation be needed to properly regulate social media platforms, in your opinion?

5:45 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I think there are an awful lot of laws already on our books that address the societal problems and the human nature problems that we see online and in social media. I don't know that having more laws—certainly, not more bad laws—is going to improve anything, so the answer is no.

Look at what we already have and enforce that.

5:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Then you think that what we have is sufficient.

5:45 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

If the people in a position to enforce had the authority to enforce the laws, yes. Now we have people who have the responsibility, but not enough authority or funding.

5:50 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

To be clear, increasing the authority for oversight over these platforms, with teeth that include a reverse onus on the corporation, as well as regulation and/or public shaming, would be your recommendation to provide better oversight for social media platforms.

5:50 p.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Yes, but I would challenge you on your reference to “a reverse onus on the corporation”. No, it's an obligation they already face under legislation. Make them comply.