Evidence of meeting #45 for Transport, Infrastructure and Communities in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Michael Riseborough  Director of Terminal Infrastructure, Greater Toronto Airports Authority
Hugo Grondin  Director of the Strategic Support Services Division, Information Technology Service, City of Québec
Teresa Scassa  Canada Research Chair in Information Law, University of Ottawa, As an Individual
Jennifer Schooling  Director, Centre for Smart Infrastructure and Construction, University of Cambridge, As an Individual
Sriram Narasimhan  Associate Professor, University of Waterloo, As an Individual

12:25 p.m.

Conservative

Alain Rayes Conservative Richmond—Arthabaska, QC

Thank you, Madam Chair.

My first question is for you, Ms. Scassa.

You pointed out a number of yellow flags and warnings as regards privacy issues.

Could you suggest some solutions since this is a real concern for all levels of government? We are caught in the middle. If we want to move forward, we need data, but how far would we be willing to go to protect that data?

What would you recommend to the committee so that it can move forward, not hold things up, and not stand in the way of progress?

12:25 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

It's a good question. If I were able to answer it in a nutshell, then we'd all be in great shape. Unfortunately, it's one of those very complicated problems.

I think there are a number of issues that I see coming up in this context repeatedly and that need to be addressed. Obviously, one of them is the whole private sector data protection puzzle. I think the standing committee on access to information is going to be looking at the Personal Information Protection and Electronic Documents Act. I think there are some significant issues with the capacity of that statute to deal with the collection of personal information by private sector actors in the big data era. One piece of the policy puzzle would be to look at that as something that really needs to be modernized and updated to address some of those challenges.

In the smart cities context, what I've seen now for quite a number of years is a growing conflict between the ways in which we've structured data protection: we have public sector legislation and we have private sector legislation, and then of course at the public sector level, you have provincial and you have federal.

I think this is increasingly challenging when you have projects that blend together both the public and the private, so that you have governments that are contracting with the private sector for services that are going to involve the collection and processing of this data. I gave you the example of the public transit smart card data, where perhaps you have a cash-strapped municipality interested in a lucrative offer they're receiving for their smart card data and so on. You have more and more issues in which the lines between public and private are not as clear as the legislation would make it seem and the norms that are established under the different statutes are not necessarily compatible, so they can be quite different. I think that's one area that requires some attention. How do you create a framework for this blended data protection context?

12:30 p.m.

Conservative

Alain Rayes Conservative Richmond—Arthabaska, QC

On my Apple phone, I have access to Facebook and Twitter. I truly believe that all these multinationals already have access to all my personal information. I do not honestly think it is protected. I think they have access to it somewhere on a server.

Is it reasonable to expect that, given a government structure which I would go so far as to describe as archaic as regards the evolution of society—and that includes all orders of government, regardless of political parties—it is possible to create legislation with regard to all this information and be confident that it is handled appropriately and safely by companies? In your view, would it be unrealistic to expect that?

12:30 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

We have to try nonetheless. I think it is essential that we try.

There are, however, other measures that governments can adopt. For instance, as I said earlier, governments buy information from the private sector. I am seeing this more and more. This is essentially big data from the private sector that can be used for analysis purposes. It is easier and less expensive to get this data from the private sector. It is often collected by companies that offer consumer applications. Consumers use those applications. The data is then collected and purchased and used by government.

That leads me to the following question. Should governments that wish to collect personal data and information from the private sector have minimum standards as to the privacy policies of those companies? Is it enough to simply buy personal data from any company? Does the government have standards regarding the purchase of that data? We can demand certain conditions to protect citizens.

12:30 p.m.

Conservative

Alain Rayes Conservative Richmond—Arthabaska, QC

Okay.

I just have a few seconds left so I will hand it over to a colleague. My next question was for another witness and might have taken some time.

Thank you very much.

12:30 p.m.

Liberal

The Chair Liberal Judy Sgro

Go ahead, Mr. Iacono.

12:30 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Thank you.

Dr. Scassa, I know that you have a privacy background, so I will address this question directly to you. As we can see, smart communities by their nature require the collection of substantial amounts of data from citizens. How should communities and technology providers address the privacy issue linked to the collection of vast amounts of data?

12:30 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

This is essentially the challenge. This is the challenge under private-sector data protection legislation as well. There have to be certain norms for the collection of personal information and for compliance with those norms.

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Can you give us an example?

12:35 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

In the smart cities context?

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

What's one example that you'd like to give?

12:35 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

If you mean an example of how a city or a government should go about ensuring.... I have already given the example of contracting for data in the hands of private sector companies. I do think it's important that governments set basic standards for any personal information they'll be acquiring from private sector companies or aggregated information that requires citizens to use apps. If you'll be collecting app data from certain types of apps, then maybe you should say that you will only purchase data from companies that set these basic standards in their policies.

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

According to you, then, who should own the data collected, and why?

12:35 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

I think there are a couple of questions there. Often where data is provided by app companies to governments for planning or other purposes, they retain ownership of the data. I think that's an interesting and significant issue for municipalities, for a number of reasons. Often they'll say that this is aggregate data that's been provided and it's not specific to individuals, so the impact on the individual comes in terms of what's happening to their personal information in relation to the private sector context.

In terms of ownership, that becomes interesting. Of course, if the app company retains ownership, then the government is restricted in terms of what it can do with that data, who it can share that data with, and in what circumstances.

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Irrespective of who will own this data, what safeguards should be instored in order to address the privacy issue and thus protect personal information? What are the three main safeguards that you think would be ideal to have some level of protection of personal information?

12:35 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

Where the government is collecting personal information directly, or where the government is collecting it through the private sector, I suppose, there needs to be a level of transparency in terms of the practices that are taking place so that people can understand what data is being collected and what purposes it's being put to. That principle is already there in the legislation, but I think its application certainly needs to be improved. I think we all feel that there isn't sufficient transparency. We don't know what's happening to our personal information. Greater transparency would be pretty high on my list. Obviously that's easy to say and much harder to do, in terms of just listing things, but I would say greater transparency.

I'm also extremely concerned about a porousness in the link between private sector data and government surveillance and monitoring of citizens. This is something that is becoming an increasing problem, that all of these masses of data collected by private sector companies are relatively easily accessible, under our current laws, by government agencies. I think that raises transparency issues and also raises surveillance issues.

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Finally, should we have some type of safeguard on the utility of the data—for example, a time frame on who can use it and for what purposes, for what objectives?

It will be very hard to control this data. There's so much being collected, just in our phone.

12:35 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

We could somewhat have control if we said that we were going to control the usage of it, or the usage of reusing the data that's been collected. For example, do we get the person's authorization to do so, or is it used with certain specific boundaries?

12:35 p.m.

Canada Research Chair in Information Law, University of Ottawa, As an Individual

Teresa Scassa

Purpose limitation is already in the legislation, but I agree that it's something that has become problematic in terms of its monitoring and enforcement. It is an important principle.

12:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Thank you.

I have a question for you, Dr. Schooling, with respect to smart communities. In your view, because of their reliance on digital technologies and the risk of cyber-attacks, how should cybersecurity concerns be addressed and what should be the role of our federal government in this regard?

12:35 p.m.

Director, Centre for Smart Infrastructure and Construction, University of Cambridge, As an Individual

Jennifer Schooling

Certainly in the U.K., the national government is taking a significant interest in this. My centre looks at things more from the position of the physical infrastructure rather than the sorts of personal private data the previous speaker was talking about, but even so, there are security implications in this. Some of the data we want could potentially come from people's mobile phones, such as travel data and that sort of thing. There's definitely a role for the federal government, and there's definitely a role for the standards organizations as well.

In the U.K., we are currently developing some standards around cybersecurity for smart cities. One of the reasons for this is that you really have to assume that someone will hack you at some point, and if you're using digital infrastructure to manage your critical physical infrastructure, that includes your water supply, your power supply, your transport systems, etc. A malicious hack into that could potentially derail very important and critical national infrastructure. You need to have systems that are appropriately secure from each other such that they can't interfere with each other but at the same time will allow the healthy and useful sharing of data. I think there's definitely a role for the federal government in making sure that is happening.

12:40 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Thank you.

12:40 p.m.

Liberal

The Chair Liberal Judy Sgro

Thank you very much.

Monsieur Aubin.

12:40 p.m.

NDP

Robert Aubin NDP Trois-Rivières, QC

Thank you, Madam Chair.

Welcome to our guests. Thank you for being here and sharing your expertise.

Ms. Scassa, you are being bombarded with questions since you are probably the first witness with whom we can really discuss privacy. I sensed your concerns about Canadian legislation in this area.

Can you compare our laws with those in other countries in this area? Is our country on par with others or are we definitely lagging behind?