Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A video is available from Parliament.

Also speaking

Gregory Smolynec  Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle  Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster  Chief Information Security Officer, Toronto Dominion Bank

4:30 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Do you have information indicating that, right now, for instance, the facial data captured by my phone has been transferred to some database? Does that happen, in your view?

4:30 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

No, not as far as your personal cell phone goes. Other investigations, however, are concerned with data obtained through visual recognition.

4:30 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

You're referring to devices located near doors and other systems.

4:30 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

4:30 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I see.

Are Canada's current laws robust enough to deal with organizations or individuals that misuse people's personal information?

4:30 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

As Mr. Therrien, the commissioner, has already said, reforms are needed to bring Canada's privacy laws up to date in both the public and private sectors. It's definitely time for reforms.

4:30 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

You mentioned in your opening statement how quickly technology is changing right now. Do you think our laws and your office are keeping pace with all of that change or are we behind?

4:30 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Legislatively speaking, we are definitely behind. The priority, in our view, is bringing our laws up to date and adopting measures to ensure privacy protection is at the heart of our laws.

4:30 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you.

4:30 p.m.

Liberal

The Chair Liberal John McKay

You can give your 20 seconds to Mr. Motz in the next round.

Mr. Dubé, please, for six minutes.

4:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

I'd like to thank all the witnesses for being here today.

To our witnesses, with respect, just quickly before I get to my questions, I did have an opportunity to send my colleagues a notice of motion. I understand that I'm not within the 48-hour delay, but I did want to take an opportunity with my time to read the motion and explain in 30 seconds or less its rationale. It reads:

That, pursuant to Standing Order 108(2), the Committee invite the Minister of Public Safety and Emergency Preparedness to appear, no later than Friday, June 21, 2019, to respond to and take questions on the 2018 Public Report on the Terrorism Threat to Canada tabled in Parliament on Tuesday, December 11, 2018.

Quickly, for the benefit of colleagues, the rationale is that we've heard from communities named in this report that there is a concern about what impact that can have. I think that when we see some of the terrorist activities being committed here and abroad against faith groups and other communities, it's become pretty clear that there needs to be a rethinking of how these groups are identified in these reports and a better understanding of the thought process behind them.

I understand that it's based on information from our national security services, but at the same time, the government is the one responsible for tabling it in the House. We're looking to have a dialogue with the minister on that issue given the concerns that have been raised. Among others, they include the Sikh community. At the appropriate time, I will move the motion forward for debate and, hopefully, for approval.

That said, thank you for indulging me. I was just taking advantage of the opportunity.

I have a few questions for you.

We often hear about the Internet of things. You mentioned that, oftentimes, businesses aren't aware of all the data they hold or that, conversely, they are aware but keep it anyway even when the data aren't pertinent.

My question ties in with some of the questions that were asked earlier.

When people download apps on their phone and give their consent, rarely do they realize how much access to the data on their phones they are agreeing to share in exchange for the app. In terms of repercussions, how does that tie in with the issue we are studying? When people use banking applications or fingerprint identification to access their account from their phone, for example, what is the impact of using their phone in that way?

4:35 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

You raise a very relevant point. It ties in with public education. Even for people who are familiar with information technology, all sorts of details are not apparent or clear. Our office and the government, as a whole, should conduct public awareness campaigns to educate people about the potential loss of their personal information in different circumstances.

4:35 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

A public education scenario we often hear about involves government regulatory requirements related to vehicles. For example, if a particular model is under recall because of a safety defect, manufacturers go to great lengths to inform customers, advertising in the media, making phone calls, sending emails and even using snail mail.

Do you think manufacturers should be required to do more to inform customers about cell phone operating system updates? Unless they pay attention to the right websites or subscribe to sites like Gizmodo, customers rarely know the reason for an iOS update on their cell phone, for instance.

4:35 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

It has to do with consent. If an individual is abreast of changes, new software, new techniques and such, and a major change is made, the company in question absolutely has to obtain the individual's express consent again. Whenever changes are made to the technology, the company must contact consumers to notify them of the change and its effects.

4:35 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

I have two more questions for you.

If a data breach occurs or information is disclosed, are the mechanisms in place under the current requirements adequate, for instance, in terms of fines?

My next question follows up on what you said earlier. Should more resources be allocated to the Office of the Privacy Commissioner so that it can keep pace with technological changes? Perhaps that's something we could take into account in our study.

4:35 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Yes, definitely.

The commissioner and the commissioner's office do not have sufficient authority to deal with the challenges emerging as far as business and society in general are concerned. Not only are legislative improvements needed, but also, the commissioner needs to be empowered to impose penalties and fines, for example.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé.

Mr. Picard, you have six minutes.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I will give my time to Ms. Dabrusin.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Ms. Dabrusin, go ahead for six minutes.

4:40 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Thank you.

My first question is about moneylenders, because we've been talking about financial institutions and banks. I am hoping you can clarify whether there are differences in the rules applying to moneylending institutions. I know, for example, that OSFI covers banks but not moneylending institutions. Are there differences, and does that give you any cause for concern, from a privacy perspective, when we're looking at cybersecurity as an issue?

4:40 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Our office does have a mandate to look at federally regulated institutions like our banks. The office does have an oversight role with respect to banks, as well, and the protection of privacy in banks.

I would add that the banking world is changing. We have the potential for open banking internationally, and coming to Canada, too, which will change business models and the way personal information and data flow among financial institutions. This is also extraordinarily consequential with lots of implications.

The bottom line is that the standards, regulations and laws have to be adapted for this evolution, which is both technological and also in business models. They have to be in place before major changes take place.

4:40 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Fair enough about the open banking, but I'm talking about the places that are on corners. I don't want to give any names specifically, to be picking on any names, but I'm talking about the places used by people who don't really have bank accounts and who are bringing in a cheque and getting their money back at whatever the interest rate is. These are not banks, then, so they fall outside of those regulations. I'm wondering if you have any comment on that with regard to privacy issues.

4:40 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

The general context is that these businesses are covered by our private sector law, or provincial laws that are substantially similar. They are subject to the law, but I have nothing to offer to the committee specifically about these particular institutions.

4:40 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

They don't fall within your purview. Do you review them, as well?

4:40 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Yes, we do in those instances where the provincial laws are not substantially similar.