Information & Ethics Committee on Dec. 4th, 2023

One example might be just the terms and conditions on social media. We will agree to the harvesting of all kinds of data for whatever purposes because we want to use that app. Most of the studies show that what we're all undergoing is privacy fatigue, where we essentially know it's bad for us, but agree to it anyway. This is really paternalistic and this is the problem. Essentially, what we're saying is that people shouldn't be agreeing to this because they don't really understand what they're agreeing to. It's then being sold on to data brokers, which Dr. Caraway talked about, and then we lose control. We don't actually know what happens to the data.

California does a better job, with its law, of basically saying you need to be able to track that data and who it all goes to. If you rely on consent, you can withdraw that consent and know where that data goes. All those are avenues to data protection and privacy laws.

A lot of data is harvested by even the most prominent social companies. This is everyone from Facebook...I would include Google, Instagram and TikTok. They'll collect everything that you post—that's all of your personal data—and they'll also track all of your so-called transactional data and interaction data.

Facebook is successful because it's able to leverage your social connections at scale. Google is successful because it can leverage your purchasing intent at scale.

They can take this information, use it in a digital context, package it with almost zero marginal cost and then sell it to data brokers.

The Cambridge Analytica thing is a great example, because actually the initial data harvesting that happened didn't violate Facebook's terms at the time. They had a reciprocal data exchange agreement in place. It was only when the This Is Your Digital Life app shared it with Cambridge Analytica that the actual scandal happened, because that's how they—

Most of the provisions right now are the same old things that have been in PIPEDA since the year 2000, I suppose, which is why we're now revisiting it.

The thing we need right now is an enumerated right to privacy that's part of a legal test when you're thinking about an injunction or a fine.

Thank you, Mr. Chair.

My name is Matt Malone, and I am an assistant professor at Thompson Rivers University faculty of law in Kamloops. Today I am attending the meeting in a personal capacity.

I am going to use my opening remarks to share my thoughts using a case study, which is specifically regarding the selective ban of TikTok on government-issued devices that was announced in February 2023. As the committee might recall, that selective ban was accompanied by a statement about concerns relating to privacy and security.

These stated concerns do not explain several things. First of all, they do not explain why the government waited five months to act on the underlying intelligence brief that warned about TikTok's practices. Second, they do not explain why the government continues to buy advertising on TikTok itself. Finally, they do not explain why the government has ignored that TikTok is not the only app that retains user data in foreign jurisdictions and potentially shares it with foreign regimes.

As the Treasury Board Secretariat confirmed to me a couple of days before this hearing, none of the following apps are banned from download and use on government-issued devices: the Russian-affiliated VKontakte social media app, the Russian-affiliated Yandex app, and the Russian-affiliated Mail.ru app, as well as other social media apps, like Facebook, Instagram, Tinder, Snapchat, Bumble, Grindr, Truth Social, Gab and Discord, which was implicated in the 2022-23 Pentagon leaks and which Dr. Laidlaw noted does not have child safety protection measures in place.

As I recommended in a recent article—and as I'll take this opportunity to recommend again now to the President of the Treasury Board—I believe that a better privacy and security baseline would see the government ban all social media apps on government-issued devices, unless there is a strong business justification otherwise. It's crazy to me that the apps I just listed are not banned on government-issued devices. I also believe that the government should stop buying ads on all social media services.

Even with such bans in place, it is worth noting that federal privacy law places no meaningful constraints on data transfers to jurisdictions like Russia and China. An internal government brief that I obtained through the Access to Information Act notes that Bill C-27 and the proposed privacy legislation currently before Parliament avoided putting into that bill any new or European-style restrictions on the transfer of personal information across borders specifically out of deference to commercial interests. It's very telling that the privacy bill before Parliament is being stewarded by the industry portfolio in cabinet, not a portfolio in human rights, public safety or national security.

Like many social media apps, TikTok does deserve opprobrium for its privacy violations, data harvesting and narrative control practices, and for granting access to data despite assurances otherwise. Like other social media apps, it is a vector for online harm visited on young people. Its business model is focused on privacy-invasive, targeted advertising that exacerbates the mental health crisis affecting young people. The app's safety features for children are all easy to bypass.

Through various access to information requests, I have seen several internal briefings where Canadian government actors repeatedly identified these problems. I'm happy to talk about these.

However, it's important to note that the real culprit here is Canadian law, because it does not stop these practices for TikTok or any other social media service. As TikTok lobbyists appearing before this committee repeatedly underscored, TikTok's handling of Canadians' user data is governed by Canadian law. That's the problem. Canada's privacy laws fail to respect the rights and interests of individuals and collectives in the digital age. Enforcement is basically non-existent. At the federal level, the Office of the Privacy Commissioner has become skilled at making fanfare announcements about its investigations, but it is very slow at investigating, as I learned in my own complaint about the ArriveCAN app, which was ultimately sustained.

Law enforcement has struggled to adapt to the new digital landscape as well. The RCMP's national cybercrime and fraud reporting system, which this committee recently heard about in glowing terms as part of this study, is actually two years behind schedule and still in beta testing. Its website says that it accepts only 25 complaints per day nationwide.

To give members another illustrative example, as I learned in a recent access to information request, the RCMP's cybercrime investigative team has only eight employees in all of Alberta. Here in British Columbia, where there was a recent tragic sextortion case involving a young person that was carried out over social media, there are only four employees on the cybercrime investigation team for the entire province. There are none in Saskatchewan, Manitoba or any of the maritime provinces.

With privacy and data protection legislation that deprives citizens of meaningful protection, government funding priorities deeply out of alignment with stated values and actual needs, and gaps in law and policy that the government shows no urgency to fill, the federal government's policies and practices pose significant challenges to addressing the real types of harms that we are seeing perpetuated these days on social media.

To wrap up, I want to thank the committee for its unexpected invitation.

I also want to give a particular shout-out of appreciation to the MP for Mississauga—Erin Mills for her leadership on this very important issue. I've been very impressed with her work on this file.

I look forward to answering, to the best of my abilities, any questions that the committee members might have.

Thanks.

Thanks very much.

Thanks for the invitation to share our perspectives on this important issue.

Good evening. I'm Sam Andrey, and I'm the managing director of The Dais, a policy think tank at Toronto Metropolitan University. We work to develop the people and ideas that we need to advance an inclusive and innovative economy, education system and democracy for Canada.

I have my colleague Joe Masoodi here with me. Together with our former colleague Yuan Stevens, we published a report three years ago called “Home Ice Advantage”, which examined the subject before the committee today, the transborder data security of social media platforms. While a lot has changed in the last three years, the core challenge of inadequate protection for Canadians remains.

Social media platforms collect, transfer and store a wide variety of personal and sensitive information, including personal identifying information, private messages, location, financial information and biometric data. These platforms have been purposefully designed to keep individuals online and engaged to reap as much data about them as possible. Through the aggregation of this data, it is possible to create detailed profiles and inferences about individuals, including their political opinions, sexual orientation, religion, income, health, or details about their families. This is true of TikTok but also of most major online platforms.

Despite the significant risks to Canadians through the potential misuse of this data, there are currently inadequate protections over how Canadians' personal data is transferred and stored, particularly outside of Canada. This threatens Canadian sovereignty and the digital security and privacy of Canadians. Personal data can be accessed by national security and law enforcement agencies in countries without sufficient legal protections, such as China. I think it is also worth adding that technology companies can experience buyouts, mergers and bankruptcy that can change where and how personal data is stored and the privacy protection it receives. Finally, malicious actors can always take advantage of data with insufficient safeguards.

In our annual survey of online harms, we found that Canadians have very low trust in social media platforms, both to keep their data secure and to act in the best interests of the public, ranking well below other technology companies and other organizations of a variety of types. In fact, trust in TikTok, specifically, fell significantly last year, to last place. Only 7% of Canadians say that they have a high degree of trust in the platform, despite its rapid growth with nearly 30% of Canadians using the platform.

TikTok has been the subject of particular scrutiny, given its corporate structure. As was pointed out earlier in the committee, prior to 2019, TikTok's privacy policy was transparent in stating that it shares people's information “with any member or affiliate of [its] group” in China. This line was later updated to remove that specific location reference, but the sharing provision remains. That same provision is also in the privacy policy of WeChat, which is used by 6% of Canadians. As our colleague Mr. Malone has pointed out, it is true of many others.

Canada's current privacy law does not prohibit companies from transferring personal data to third parties or outside of Canada in this way. We think that there is an opportunity before parliamentarians to respond to these risks through the proposed Bill C-27. However, as it currently stands, Bill C-27 would, in some ways, allow for even easier data sharing to take place between corporate actors by eroding what limited consent provisions do exist. Proposed section 18 of the CPPA creates new, large carve-outs for companies to share data without either knowledge or consent through the inclusion of language like “business activities” and “legitimate interest”.

We don't think that it should be the exclusive responsibility of Canadians to educate and protect themselves online. We would propose that there be more precise requirements added to the bill to ensure that equivalent levels of protection are provided for data when it's transferred outside of Canada. We would also suggest requirements that near the EU's GDPR, to obtain explicit informed consent from Canadians for the transfer of their personal data to jurisdictions that do not provide equivalent levels of protection, providing information about both the specific countries involved and the specific data. While a lot of people have pointed out to this committee that there's consent fatigue, we, at least, think that transparency with respect to data transferred to countries outside of Canada is important.

We'll end by saying that Canadians overwhelmingly support such a change. A representative survey that we conducted found that 86% of Canadians support requirements to keep Canadians' data in Canada, with only 3% disagreeing.

Thanks for your time. We look forward to your questions.

I'm happy to jump in.

I believe one of the problems that Canada faces is that we're not a large power and we're stuck between approaches to privacy and data protection among large powers that are diametrically opposed. Failing to act soon will lock us into one of those approaches. The Europeans have adopted a more restrictive approach. Ever since the drafting, passage and implementation of the GDPR, we've seen an array of restrictive measures, which are leading to things like data localization, stricter requirements around data transfers, and a robust equivalency test.

The United States is taking a diametrically opposed approach with its regulatory framework, in which it has not updated its privacy legislation, and there's no uniform privacy legislation in the United States. At the same time the U.S. is doing that, it's exporting, through trade treaties and governance bodies worldwide, a view of data governance and privacy that locks in what Canada can do.

Discussions about data transfers have to take into consideration the fact that the Canada-United States-Mexico agreement has a prohibition on restricting cross-border dataflows, and it has other restrictions that are relevant as well. The CPTPP has similar restrictions.

One of the problems with Canada's failure to act is that we're getting locked into one of these approaches. Unfortunately, we show no urgency around acting. The Privacy Act, which regulates government conduct, hasn't been updated in over 40 years. PIPEDA is well in need of a meaningful update, not just tweaks. I personally don't believe that Bill C-27 is the appropriate way to do that.

I'll let the other panellists chime in.

I would add that I agree with the premise of your question, that we are falling behind in some respects, though I think we have, as Dr. Laidlaw put it, second-mover advantage to learn from some of the lessons and some of the flawed legislation or approaches that have been passed in allied jurisdictions.

On AI regulations specifically, I think Canada is moving quickly as relates to the rest of the world, which I think is a good thing, but, yes, I would say we need to move more quickly, and Bill C-27 is part of that.

When you look at the resources that are available, they're not meeting the demand. In 2018, when Public Safety went through a cybersecurity update and threw a lot of money at the RCMP to get more serious about online cybercrime, that was when the initial announcement was made about NC3, the national cybercrime coordination centre.

I wrote about this three years ago and said that we were already waiting a long time to get this rollout happening, but fast-forward three years, and that reporting system is two years behind schedule. If you visit the website right now, it will tell you that the system is still in beta testing and that it accepts only 25 cybercrime complaints a day for the entire country, which is really low. In a series of access to information requests regarding the number of resources that were devoted in terms of personnel, I discovered that there are several provinces that don't have any cybercrime investigators, which is a really shocking statistic. Here in B.C., the third-largest province in the country, we have only four full-time people on the cybercrime team.

I believe these tools need to be rolled out more rapidly. There should be more transparency around them, and legislation should be crafted around what we're seeing, because these tools allow us to understand what types of harms are being perpetuated. There are all kinds of analyses you can run based on the reporting data that comes in, and NC3 shows that more than half the reports that go to NC3 are about ransomware. It's really interesting that Canadian legislation ignores ransomware, which is the biggest cybercrime threat we're facing.

One thing that's interesting to take into consideration when we talk about Bill C-27 is also Bill C-26, which would regulate things like ransomware for critical industries.

I think there isn't enough money given to the RCMP in this area, frankly.