ETHI Committee Meeting

     I call this meeting to order.

    Welcome to meeting number 26 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

    Pursuant to Standing Order 111.1(1), the motion adopted by the committee on Thursday, June 9, 2022, the committee will commence consideration of the certificate of nomination of Philippe Dufresne to the position of Privacy Commissioner, referred to the committee on Wednesday, June 8, 2022.

    I would now like to welcome our witness and congratulate him on his nomination.

    I will turn the floor over to him, for up to five minutes, for an opening statement.

     Thank you, Mr. Chair and members of the committee.

    It's a great honour and privilege for me to appear before you today to discuss my qualifications and competencies to perform the important role of Privacy Commissioner of Canada.

    I will take this opportunity to thank you for all the work you do as parliamentarians in legislating, deliberating and holding the government to account.

    My professional life has been dedicated to the strengthening of Canada's public institutions and to the protection and promotion of the fundamental rights of Canadians.

    I have done this for 15 years in the human rights context at the Canadian Human Rights Commission. I have continued this work for the past 7 years in the context of administrative and constitutional law, in my capacity as law clerk and parliamentary counsel of the House of Commons and, if appointed, I would continue do so as Privacy Commissioner of Canada.

    Prior to my appointment as law clerk of the House in 2015, I was the Canadian Human Rights Commission’s senior general counsel, responsible for the commission's legal and operational activities pursuant to the Canadian Human Rights Act, the Employment Equity Act, as well as the Access to Information and Privacy Acts.

    I was lead counsel for the commission in the landmark first nations child welfare case before the Canadian Human Rights Tribunal, which led to the largest settlement of its kind in Canadian history. Prior to this, I was lead counsel in the House of Commons v. Vaid case before the Supreme Court of Canada, which remains the leading case on parliamentary privilege in Canadian law today.

    In addition to the Vaid case, I have appeared before the Supreme Court on 14 occasions in cases, raising issues such as the separation of powers, the impartiality of tribunals, the accommodation of persons with disabilities, freedom of expression, and the balancing of national security and human rights.

    My experience at the commission has a number of direct correlations with the role of Privacy Commissioner. It involved the promotion and protection of fundamental rights, and the investigation of complaints in an expeditious and procedurally fair manner. It required the appropriate balancing of fundamental rights with public interest considerations, and the ability to explain complex concepts in a plain language and accessible manner. It also involved working with the public and private sectors to find constructive solutions, building a culture of rights, considering international norms and comparators, and working with provincial counterparts.

    In my current role as the law clerk of the House, I am the chief legal officer of the House and I lead the office responsible for the provision of legal and legislative services to the House and its members.

    I have successfully defended the House’s privileges in the Boulerice v. Board of Internal Economy case, and led the legal team representing the Speaker of the House in the context of a judicial review application brought last year with respect to the House’s power to compel the production of documents.

    I have been tasked by multiple committees to interpret and apply privacy law principles, most recently in reviewing proposed redactions made to documents that were requested by committees as part of their studies.

    I have played a key role in the development of codes and policies to prevent harassment on the Hill and to ensure an inclusive and safe environment for members of Parliament and staff. I was proud to be the House administration's diversity and inclusion champion for the last five years.

    Throughout my career, I have always placed the utmost importance on public service and on giving back to my community and my profession.

    As such, I have served in various capacities in the Canadian Bar Association, including as president of the constitutional law section and executive board member of the Quebec Branch. I have also served as president of the International Commission of Jurists Canada, an institution that promotes judicial independence in Canada and internationally.

    I believe in the importance of education and mentoring, and have been a part-time professor in several law faculties and continue to serve as a judge in the Laskin bilingual administrative law mooting competition.

    In all my roles, I have been guided by the values of balance, impartiality, fairness, excellence, the rule of law, the public interest and respect for the democratic and legislative processes. Those are the values that, if appointed, I propose to bring to the Office of the Privacy Commissioner of Canada.

    For all these reasons, I believe that I would bring to the role of Privacy Commissioner a vast and unique array of experiences and knowledge, as well as the unwavering belief that Canadians' fundamental privacy rights require strong advocacy, protection, promotion and education on an ongoing basis.

    As Privacy Commissioner my vision would be privacy as a fundamental right, privacy in support of the public interest and of Canada's innovation and competitiveness, and privacy as an accelerator of Canadians' trust in their institutions and in the digital economy.

    In closing, I would like to take this opportunity to thank Daniel Therrien for his outstanding service and leadership these last 8 years.

    I have been impressed with all of the great work done by the OPC team during his mandate and, if appointed, I look forward to working with this dedicated group of committed professionals in protecting and promoting the privacy rights of Canadians.

    With that, I would happy to answer your questions.

     Thank you very much.

    To begin, we have Mr. Bezan for up to six minutes.

    Thank you, Mr. Chair.

    I want to congratulate Commissioner Dufresne on his appointment. You've always proven yourself to be a person of integrity who's highly professional. I'm looking forward to working with you in this new role.

    I want to go over some of the highlights of your time as law clerk at the House of Commons, specifically the work that you did with the Canada-China special committee that studied the Winnipeg lab leaks and the case of parliamentary privilege that you argued on behalf of Parliament.

    Can you talk about that in the context of the Privacy Act? Can you talk about that with regard to parliamentary privilege and the supremacy of Parliament, as well as the committees that you're before right now and the work that we do?

    I think the cases on parliamentary privilege and my work as law clerk have shown that courts have recognized, rightly, the fundamental role of Parliament, the fundamental role of the House and its committees, and the need for the House and committees to have the ability and the powers to do their work and to do so in cases covered by privilege in an autonomous way that's not going to be subject to review elsewhere. At the same time, I've always advocated to the House and committees that having this authority and this power is something that ought to be exercised responsibly, having regard for the public interest consideration and turning your mind to this.

    In the context of privacy, there are similar aspects there, where I firmly believe privacy to be a fundamental right and it has to be protected. At the same time, I don't see privacy as being opposed to the public interest or to innovation. You can have both—you need to have both—and, as commissioner, I would work towards that goal.

    As you know, the Public Health Agency of Canada president at the time, Iain Stewart, refused to table those documents and was called before the bar in the House of Commons to be admonished by the Speaker.

    Do you believe that was an appropriate and consistent way of dealing with that individual, as well as protecting the integrity of Parliament?

    The assessment of the appropriateness of House or House committee decisions I would leave to the House to make. What I've said to committees is that they have the authority and the House has the authority to request documents. When they don't receive those documents, the House has certain powers, including taking steps as it did in this case. However, it is up to the House and it's up to committees to decide.

    It's not going to always be appropriate, and that's what privilege recognizes: That it is a decision for the House to make.

    Because the government refused to hand over those documents and—

    I have a point of order, Mr. Chair.

    Make sure you stop the clock, please.

    Yes, the clock is stopped.

    Ms. Khalid, you have a point of order.

    I'm questioning the relevance of this line of questioning. Mr. Dufresne's here as the Privacy Commissioner. I'm not sure why we're questioning him with respect to his role as law clerk.

    That's precisely the purpose of the meeting. It's to review the CV and the professional background of the candidate. Yes, we always need to make sure that our questions are relevant, but I think that's the purpose of the meeting today.

    Go ahead.

    Thank you, Mr. Chair.

    Just before you turn on the clock, in rebuttal to that point of order, this committee is definitely on the issue of looking at the credentials, the experience and the background of a government appointee. That's the reason we're having this committee meeting under the Standing Orders and under—

    Thank you, Mr. Bezan. I've ruled on it. I think that will be enough.

    Your clock is running. Go ahead.

    I'll continue on, Mr. Chair.

    Going back to this, the government took the unprecedented move of refusing to hand over the documents and then, ultimately, threatened to take Parliament—the House of Commons—to the Supreme Court of Canada. As law clerk and parliamentary counsel of the House of Commons, you would have been in the position to make the argument in front of the Supreme Court.

    If it hadn't been for the election, would you have been in preparation for that? How would you have argued the case to protect the supremacy of Parliament?

     In representing the Speaker of the House in this matter, we did in fact file written submissions to the Federal Court. We took the position in that case that the House had the authority to do what it did, and that the authority had not been limited by the adoption of the Canada Evidence Act. That matter was discontinued following the dissolution of the House.

    That's where it went in terms of the court process.

    Although the House was dissolved at that time and that Parliament came to an end, do you believe that is still considered a breach of privilege of the Parliament of Canada and that this should still be dealt with down the road? Does it undermine the constitutional validity of the House of Commons?

    I think in this matter the House made its decision. A challenge was brought, and the House and Speaker made a ruling and filed legal representations in court setting out what I, as law clerk, took to be the proper legal view, which is that the House had the legal authority to do what it did and it had not been constrained by the Canada Evidence Act.

    Thank you.

    Commissioner, you and I were chatting before committee about the new technologies and about the work that this committee has already been undertaking in terms of mobility data, facial recognition and artificial intelligence. As you look ahead, how do you view your role as it relates to modernizing current legislation and regulations, keeping up with the changing times, and how that impacts Canadians' privacy?

    This is a very important time for privacy, which is one of the many reasons I was interested in being commissioner. There needs to be modernization of the two fundamental privacy laws: the Privacy Act and PIPEDA. Parliamentarians will have a role to play, the commissioner will have a role to play, and stakeholders and industry will as well, but this is a priority. As commissioner, I look forward to putting forward the values that I've set out here today in comments with respect to potential new legislation tabled in the House.

    Outreach is very important to me. I believe Canadians need more information about privacy. Commissioner Therrien did great work in that respect, and I look forward to continuing that. The report that this committee has issued on mobility is a good example of a document that can serve to educate and to explain those concepts that are complex but that touch literally everyone. This is something I would be working toward.

    Thank you.

    Mr. Fergus, you have up to six minutes.

    Thank you very much, Mr. Chair.

    I'd like to begin by congratulating Mr. Dufresne on his appointment and welcoming him.

    Mr. Dufresne, I have been following your career with great interest for several years. I must tell you that I cannot think of a better person to occupy this important, and even sensitive, position.

    Mr. Dufresne, I have a few questions to ask you.

    My colleague Mr. Bezan mentioned your previous career as a parliamentary counsel of the House of Commons. Personally, I would like to focus on your experience as senior general counsel of the Canadian Human Rights Commission.

    How does this role serve you as Privacy Commissioner?

    Thank you very much, Mr. Fergus.

    I think my role with the Canadian Human Rights Commission will serve me in good stead. It has trained me well, because there are many similarities between this mandate and that of the Privacy Commissioner.

    The Canadian Human Rights Commission deals with fundamental legislation. It deals with fundamental rights of Canadians, which must be protected and interpreted in a broad and rigorous manner. At the same time, we are talking about a law that must be interpreted in the real world, taking into account public interest considerations and consequences. We need to ensure that there is a better understanding of this legislation, both for Canadians and for industry and governments. It is a matter of using several tools to achieve the goal of protecting and promoting these fundamental rights. These tools can be education, interaction and prior agreements. They can also be policies or laws, complaint mechanisms, as well as legal decisions. There is a multitude of potential tools.

     At a time when technological change is having such an impact on our society, it is important to consider all of these tools and the proactive tools. I gained this experience at the Canadian Human Rights Commission where I dealt with pay equity cases, among others. These were cases that resulted in huge compensation awards for employees who had been discriminated against. It took a lot of time, and it required complaints. We saw this in the new Pay Equity Act, which is a more proactive model.

     I think this combination of proactive tools and complaint systems, all based on a law model, has similarities with my new role and will have trained me well. My experience pleading before the higher courts, including the Supreme Court, has served me well. This experience is useful in communicating complex concepts in a simple and accessible way for all Canadians.

    I'm going to continue in that vein.

    You mentioned that this role also exists to determine the privacy rights of individuals in relation to their government.

    When you got the call about your candidacy, I imagine you began to visualize your role in this position. What should be the scope of your responsibilities, not only for the privacy of Canadians in relation to their government, but also for the privacy of Canadians in relation to the private sector?

     Some say we live in an age where people's privacy is threatened by all the software, by all the private companies that examine and monetize all the personal data of individuals.

    How do you see your role in this aspect of privacy?

    Thank you for your question.

     It is a fundamental one. In one of my previous answers, I said that the right to privacy and privacy issues affect everyone. It affects younger people, older people, people who are fascinated by technology, and even those who are not. There is a lot of potential and innovation involved in this context. However, there are also risks.

     It is very important to have a privacy regime in place for private industry. As commissioner, my role would be first to be there to advise Parliament when the next modernization of the private sector privacy legislation comes before Parliament. It all starts with that legislation and the principles that flow from it to address the recommendations you made in your report.

    The Privacy Commissioner also plays the role of interlocutor with Canadians, and with private industry as well. It's very important that there be a legal regime and that there be incentives in the right direction. I think we also need to have discussions with the private industry representatives to find out their concerns and realities. It is important that the regime be both practical and easily accessible to Canadians so that they understand their privacy rights and their opt-out rights. It is also important to facilitate access for private industry so that they understand what they need to do. This role of the commissioner was intended whether it was to review codes of practice or to provide advice.

     I'm going to have to step in.

    I'm sorry. It's time to go to Monsieur Villemure.

    Go ahead, Monsieur Villemure.

    I would like to reassure my colleague Mr. Fergus: I will continue in the same vein as he did.

     Mr. Dufresne, I congratulate you on your appointment. Your curriculum vitae speaks for itself. We are pleased to have you here today.

    I would like to touch on a few points.

    Many Canadian citizens feel that they are under surveillance and that this surveillance undermines their trust in institutions. What is your opinion on this surveillance?

     As was mentioned before this committee, it is important that the regime does not focus exclusively on the notion of consent, that it does not completely leave it up to citizens to inform themselves about these provisions, which are often very complex, to understand them and to say "yes" or "no.”

     Canadians need to be reassured by a legal regime based on a fundamental right model. This regime needs to frame certain practices that should not be allowed even if there is consent and others that could be allowed without consent. There is also an element of transparency. Companies and government need to take proactive approaches and do privacy audits. We need to have what is called integrated privacy and better communication about these provisions. That way, Canadians will know what is really going on. Sometimes this concern is well founded, but it can also come from a lack of understanding of what is going on, which leads to doubts and suspicions.

    One of the themes that came out of your recent work on mobility was about communicating what was being done, what data was being collected, why it was being collected and how it was being used. There were a lot of concerns.

    The recent Tim Hortons investigation raised other concerns of this type.

    I think there's a lot of work to be done in terms of the legal regime, communication and education.

    Past events have shown us that companies are still creative and that starting a dialogue with them is a very good idea. However, there will always be things that are legal but not ethical.

    In such cases, how proactive do you intend to be in order to keep up with a market that is always in motion?

    I think we need to have ongoing exchanges with private industry, but also with citizens, interest groups, and the academic and parliamentary communities.

     As for what is legal but unethical, this raises very important questions. If it is legal and unethical, should it continue to be legal? Shouldn't the legal regime be regulating that?

     When I worked for the Canadian Human Rights Commission, I interacted with leaders who were acting in good faith and who absolutely wanted to do the right thing. However, they were faced with several legal obligations in this or that area. They had some flexibility, a framework. It was wishful thinking, but it was not legally binding. People set their priorities.

    In my opinion, you have to put the incentives in the right place. If all we do is say that this is wishful thinking or an ideal, it is unrealistic to think that companies will necessarily give priority to this rather than to legal obligations that have deadlines and consequences.

     So we need something that is clear.

     We recently presented a report on mobility. Commissioner Therrien told us that he had been consulted, but that he had not been involved in the study in question.

    The office of commissioner guarantees the citizen's trust in the government. What should we think when the government itself does not consult its own representative in such cases?

    In your discussions with Commissioner Therrien, he noted that he had offered his services, but that the government had chosen to use its own experts. I believe that Commissioner Therrien recognized that the government had the right to do that and that his office was not necessarily the only one with expertise.

     However, where it becomes important is in terms of this trust. The fact that internal advice was sought has raised suspicions. Will these opinions be as independent as the external ones? This is a role that the commissioner can play, and this was the subject of recommendations in your report. The commissioner can do proactive audits. So he could check that, discuss it with you and then validate what you are doing. I think that would be useful.

    Do you think that the fact that the commissioner was consulted but not involved was due to a lack of credibility on the part of the Office of the Commissioner? Or do you think that it was a prerogative or a right that the government chose to exercise?

    I hesitate to comment or to speculate on that, because I was not involved in this file in any way. That said, I think that, with regard to the consequences that were discussed before this committee, we heard several people tell you that it was preferable for the commissioner to play that role. You made recommendations in that regard.

    Since it is still a bit unclear to citizens, what could the Office of the Privacy Commissioner do with regard to privacy education?

    A recommendation has been made in this regard under the federal Privacy Act, which has a more explicit mandate on this subject and which already exists under the Personal Information Protection and Electronics Documents Act, for the private sector.

    There are a number of tools, but again, you have to be creative. The Office of the Privacy Commissioner publishes a lot of excellent material, but I think we could look at creating an educational model for high school students and younger students, not necessarily for experts or practitioners. I think the Commission d'accès à l'information du Québec has been working on that.

    Thank you very much.

     Thank you.

    Now we have Mr. Green for up to six minutes.

    Thank you very much, Mr. Chair.

    I'm going to begin by stating a bit of my disappointment with having Mr. Dufresne here today before us for this appointment, only insomuch as I didn't have a chance, in my very short time, to really pick his brain as the law clerk. He was obviously very capable and well respected around the table and now will be changing roles into this position.

     I first want to thank you for your incredible public service under that role. I had the very brief privilege to see you before the Emergencies Act review committee, in which you provided us sage advice with a duty of candour that I expect you will carry on in your role as commissioner.

    My friend Mr. Fergus referenced your time at the Human Rights Commission. I'm wondering if you can talk about this, because I heard you call it a “fundamental right”. Can you begin by expanding on why you believe privacy is a fundamental right for Canadians and how, as the commissioner, you would bring a rights-based approach to your work within the privacy commission?

    Thank you, Mr. Green, and thank you for your role in the emergencies committee as well. It was a privilege to appear before you in this capacity.

    I think that human rights and privacy rights are fundamental. Privacy rights have been recognized in the Universal Declaration of Human Rights at the same time as we had a major recognition of human rights. They deal with aspects that are of fundamental importance—and again, this was recognized, as far back as 1948—for individuals and have a need to be protected from actions of the state. That was the focus in the declaration. We see now in the context of privacy that it's not just vis-à-vis the state, but it's also vis-à-vis the market, and we've used the words “surveillance capitalism”.

    Privacy has been recognized. It has been recognized by the Supreme Court as being a fundamental value in a modern democratic state in the Dagg matter in talking about being grounded in physical and moral autonomy and the freedom to engage in one's thoughts, actions and decisions. I think that if this was true in 1948 and it was true in 1997 in the Dagg case, it's certainly true today, where we see even more potential for privacy and for information being shared, collected and obtained without individuals knowing.

    It is something that I would be—in my role should I become commissioner—advocating very strongly for. It has been done by the commissioner, Commissioner Therrien. I will certainly continue to do that, and I hope and like to think that I will bring credibility as a human rights practitioner in doing so.

    You referenced PIPEDA, the Personal Information Protection and Electronic Documents Act. Obviously, there's the Privacy Act as well. How do you see your role in providing advice to Parliament on those bills?

    I see the role in providing advice in appearing before this committee, in publishing opinions and recommendations, and in engaging with officials, with parliamentarians and with academia. I think one of the discussions that I've seen in the OPC is on greater outreach, perhaps broader outreach, with academia, with practitioners, with citizens, with industry and with the private and the public sectors.

     I see a very important role there, but certainly, deciding what will be in the modernized PIPEDA and the modernized Privacy Act is of course the prerogative of Parliament, so it will be for yourselves—this committee and ultimately the House—but as commissioner, I will certainly be doing everything to provide you with my best advice in the circumstances and in ensuring that the new bill that becomes law is rights based and makes sense for Canadians to trust and to participate in the digital economy and to have trust in their institutions.

     Moving forward, and I'm sure you've given this a lot of thought, what are going to be your main priorities during your tenure?

    My main priorities are going to ensure that Canadians can have better understanding and better protection. The private sector law has expectations that may come first. Certainly it did with Bill C-11. It would be a priority to ensure that Canadians can participate in the digital economy. Canada's market—

    Do you have more to comment on Bill C-11? I'm glad you brought that up, because it's certainly one that we seem to have gotten bogged down on. I'm wondering if you would share any perspectives on Bill C-11, the former one.

    A lot of the comments that have been made by the Commissioner to this committee in terms of looking at de-identified information, looking at a rights-based model, looking at increased powers for the Privacy Commissioner in terms of order-making powers, looking at penalties and the regime therefore, those are important things, as are looking at consent and calibrating to make sure consent is meaningful, looking at proportionality and necessity, and ensuring that certain purposes and certain uses are defined as either not being allowed or being allowed, without consent, but in appropriate cases.

    Those are opportunities, again. We have to align them with looking at the international sector, the GDPR, what's happening in Quebec with Bill 64, ensuring there's interoperability and ensuring that we can deal with the private and public sector in a way that's consistent. We've seen, in terms of your study on mobility, these public-private partnerships. We see that more and more, so how do you ensure there is more harmony, that the government can't contract out by using private sector firms and that it's the same protection everywhere?

    Thank you.

    Thank you.

    Mr. Williams, go ahead for up to five minutes.

    Thank you very much, Mr. Chair.

    Through you, and to echo the sentiments from the rest of our colleagues, it sounds like we have the right person in the role. Thank you very much for coming today.

    I wanted to get a bit more into the old Bill C-11. Privacy is obviously a lot harder to protect these days, because it is digital. You mentioned looking at consent, proportionality and the GDPR. Is there anything else you've seen in your work as a law clerk on the assessment of the old Bill C-11, and how effective it is? Do you see that modelling the GDPR from Europe at this point?

    Some of the concerns that were raised, and there have been lots of comments made by the OPC, including recently to this committee, not necessarily looking back to Bill C-11 but anticipating, in terms of the new iteration, what some of those elements should be. The first one being a rights-based framework, so making sure this is a regime that is not exclusively based on consent and that it recognizes privacy as a fundamental right. Dealing with de-identified information is very important, and ensuring there are prohibitions on reidentification, as well as calibrating to make sure it doesn't fall outside of the law. Dealing with automated decisions and artificial intelligence, all of these new things that weren't present.

    There were some discussions on Bill C-11 in terms of whether you needed a tribunal to review the commissioner's decisions in terms of penalties. The OPC took the position that it should not be and that it should be a final decision of the OPC, subject to a judicial review. This is going to be important to look at. I share the concerns in terms of delays, if you add layers of review that just make it longer before you have a final resolution. I share the concerns about the federal commissioner having perhaps less authority than provincial counterparts, but there were some other options that were raised in this discussion as to whether there could then be a direct appeal to the Federal Court of Appeal or a specialized tribunal.

    The key point is to ensure that the OPC is able to operate within that regime effectively. There have been discussions in terms of resources. There's a concern that was raised in terms of the new powers or responsibilities for the commissioner to verify codes of practice. The commissioner, I think rightly, raised the fact that, if that's the case, there may need to be some discretion in terms of where you focus that work because, otherwise, it can very quickly take a lot of your resources.

    This is something that I did at the Human Rights Commission. We adopted a public interest strategic litigation approach, where we would focus our key resources on the key cases that would have the biggest impact for Canadians, and that was very successful.

     That sounds great.

    I think the biggest criticism of Bill C-11 in the past has been its ability to stifle innovation as much as protect it. You said earlier to Mr. Bezan that privacy is not opposed to innovation and that we can have both. How do you think we can have both? What do you think is an appropriate balance of privacy and innovation?

    I would say it's for the same reason that I don't see human rights as being stifling of innovation or the public interest. These are things that can coexist. It requires collaboration. It may require better understanding and better communication, but I see it as coexisting in the sense that privacy rights that are strong, that are well known and that are practical are going to generate trust in Canadians to be participating in the digital economy.

    That's going to be good for industry. It's going to create trust and credibility for the Canadian economy and industry vis-à-vis counterparts in Europe and other markets. It's going to generally send the message that this is supportive of trade and commerce. I do not see those as being opposed.

    Thank you very much, sir.

    You did talk about the expansion of the role and about the role that you see the Office of the Privacy Commissioner playing in terms of the Privacy Act and PIPEDA. One of my main questions is this: Do these pieces of legislation need real teeth, strong and forceful penalties, to be effective?

    I did, and I think I was talking about incentives. I think incentives are important. In terms of the existence of these powers and these penalties, you hope not to use them, but I feel that the fact that they exist gives a greater impact in terms of the views and the positions that are expressed by the OPC. It gives greater incentives in terms of compliance and also in terms of delay. If what you have is a recommendation that then is considered and can be made into an order later on if there's an application to the court, this really adds time to the process. I think we are seeing a trend.

    This is the last question, sir. Do you believe your office should be the one enforcing these penalties?

    Well, that's up to—

    It will have to be a yes or no. We're out of time.

    Is that a yes or a no?

    That's up to Parliament, but I will act accordingly.

    Thank you.

    Ms. Khalid, you have up to five minutes.

    Thank you, Mr. Chair.

    Thank you, Monsieur Dufresne, for coming in today. We really appreciate your putting your name forward.

    Maybe I'll start by asking this. Has the experience of being a law clerk, sitting in Parliament and watching the proceedings happen put you in a unique role to understand and to.... Although you were more reactive in terms of the actions you had to take, in this role as the Privacy Commissioner, do you see yourself being more proactive on the issues that you've outlined as priorities? We hear that a lot of complaints come to the Privacy Commissioner's office. How would you manage resources to be more proactive, if that's the case?

    Thank you.

    For me, the role of Privacy Commissioner is a combination, in a way, of my experience as a human rights lawyer for the commission and as a counsellor for the House. I think there is an important role in understanding parliamentarians and understanding legislators and understanding laws. There's also the ability to work with multiple parties, with members from all parties with different interests, and to balance that and understand that.

    In terms of proactivity, I think as Privacy Commissioner I would be more proactive in terms of expressing views on what legislation should be. As law clerk, I would not typically do that. I would be focusing more in terms of the rights and privileges of parliamentarians. As commissioner, I would view the role, absolutely, as being proactive in terms of promoting, protecting and expressing views, and in terms of the complaints process, ensuring that it is used as effectively as possible—talking about strategic use, focusing on big cases, ensuring that the resources are used as well as they can be, and then ensuring that there is that discretion for the commissioner to have that greatest impact.

    That's not to say that individual cases are not important. They are. You have to focus on them, but there's a way of doing both.

    Thank you.

    We've talked a lot about privacy in the digital era. I think we would be remiss if we didn't also talk about the other side of that coin, and that is the era of disinformation. Do you see yourself as Privacy Commissioner having a role in kind of combatting that disinformation that is spread throughout not only the public but also the private sector?

     I do. I think it's incumbent on public officials. Certainly, I would see that for agents of Parliament. I saw the commission as being important to express views to correct the record if misstatements are being made.

    It's absolutely essential, of course, to be always fair with the facts. There is a lot of credibility that comes with such positions. I believe it should be used not only to make findings if there's a finding against the government, but if there's a finding to be made in favour of the government or industry, to highlight that something was done in the proper way and to show why. That is also part of generating trust to show that well.

    This is consistent with the idea of having proactive audits, in that they can bring reassurance. The goal is not to go in there and necessarily blame or find fault, but to go in, work collaboratively and find solutions. If there is fault to find, if there is resistance and if that ultimate complaint is needed, so be it.

    There's real opportunity, as well, to highlight when it is done properly. I think it is important for Canadians to hear that and to hear it from officials.

    Thank you.

    We are currently studying facial recognition technologies. We heard from a number of witnesses that a moratorium on the use of facial recognition technologies is necessary in order for the government to go forward and protect Canadians' privacy rights.

    I wonder what your views are on a moratorium and whether you think it's actually possible. Do you think that, as government, we'd be able to keep up with protecting the privacy of Canadians by way of a moratorium?

    I think there may be situations where it's appropriate.

    What's important is to have a regime and to have guidelines. I think that's what you've heard from Privacy Commissioner Therrien and others. A joint framework was issued on June 2, I believe that, until there is legislation, here's how it should be done in terms of proportionality, necessity, minimal intrusion and using it in appropriate cases. That is a good document. That is a good starting point in terms of how we deal with the situation now, but there is also a strong call for having a framework.

    Thank you very much.

    Thank you.

    Mr. Villemure, you have the floor for two and a half minutes.

    Thank you very much, Mr. Chair.

    Mr. Dufresne, a number of companies are asking for a legislation that would clearly establish what they can do. Other companies say that this would generate costs and prevent them from doing business.

     Our American neighbours have rather minimal privacy legislation, let's just say. What is your position on the ability of large companies to regulate themselves in this regard?

     The problem with self-regulation is that it is about incentives. In some areas, there are regulations and obligations. We have seen situations where there have been inappropriate use or problems with perception.

    I don't think that self-regulation will give you the confidence that comes with a law regime and that leads to more specific and clearer elements for Canadians.

    It's a complex issue and it's a reality that affects us all. We've all seen the examples of Tim Hortons, Facebook, and Clearview AI, which demonstrate that we need a regime in this regard.

    Thank you very much.

     I have very little time left and I'm going to ask another question.

     You talked a lot about trust. Trust is found, among other things, in compliance. Is it found strictly in compliance? More broadly, what do you call trust?

     Firstly, I think that trust comes from having a clear legal regime based on a law model. So Canadians know that this regime protects them and that the full responsibility to protect themselves in this new world is not delegated to them.

    Secondly, this confidence comes from the existence of mechanisms and bodies such as our office. These bodies provide citizens with a clear understanding of what they need to do and the assurance that they are protected in terms of the basics. They also know that companies know their obligations.

     We talk about the concept of privacy by design, we talk about creating that culture of privacy. When companies start to set up these programs in a transparent way, communicate their obligations with respect to complaints and meet their obligations with respect to proactive disclosure, that's when you approach a culture of privacy.

    Thank you very much.

     Thank you.

    Mr. Green, you have up to two and a half minutes.

    Thank you very much.

    You're going to be putting together a plan for your department. You're going to be taking steps to pick up wherever Mr. Therrien left off. In doing that planning, what do you see as your biggest challenges?

    Thank you.

    Of course, I very much look forward to meeting the team and speaking with all the colleagues.

    I've looked at the DPR. I think one thing that is top of mind is the fact that, with the extension order for the Privacy Act in July and the expansion of the mandate, there will be an influx of new cases. That is something I know the commissioner has asked for additional funding for. That's going to be something to follow up on.

    It has also been stated that, if the new PIPEDA is modelled on Bill C-11—hopefully with improvements based on a lot of the comments made—it, too, would require a doubling of resources, as I think Commissioner Therrien mentioned.

    These would be some of the immediate discussions I would have with the team.

    Specifically, in terms of order-making power and what kind of structure is needed, Commissioner Therrien talked about adjudicators and so on. Those are some of the elements, as well as making sure the office is prepared to advise Parliament when this bill comes in.

    What do you think about a longer-term horizon?

    The longer-term—

    With technology where it's at, and with how our legislation seems to get left in the dust whenever there is a new transformation, under Moore's law, what do you see as our long-term challenges for your—

    I think long-term challenges will focus on the digital innovations we're seeing, on making sure there is the legal framework and on making sure the OPC has the internal expertise to provide good advice on that, in terms of codes of conduct.

     There have been some discussions on de-identification and the prevention of reidentification. What is appropriate? How do you accept it, and what kinds of mechanisms do you need to put in place so de-identification is accepted as such? Are you minimizing the risk of reidentification? This is fundamentally important to ensure there is that framework.

    On artificial intelligence, more and more of these decisions are being made by algorithms using information, so how do you address that? There were some elements in the GDPR and Bill C-11 related to algorithmic transparency, understanding how those decisions are made and, ideally, being able to challenge those decisions. From a human rights standpoint, there were concerns raised about profiling, so how do you deal with this technology that is at an accelerating pace?

    I think this is one of the challenges. Technology is accelerating very quickly, and legal amendments not as quickly. We need to find ways.

    Thank you, Mr. Dufresne. We're quite a bit over time.

    Mr. Chair, he's as excited as I am.

    Yes.

    Do we have another round, Mr. Chair?

    I have Mrs. Gallant, followed by Ms. Hepfner. That will take us to the end of two full rounds. We do have additional time, if other members would like it. We may have time for another question, but my intention was to complete the second round. We'll see if we have a motion, at that point, on the issue of the nomination.

    With that, I'll now go to Mrs. Gallant.

    Thank you, Mr. Chair.

    Through you, often we find out about a breach in privacy after the fact, such as the metadata from people's phones that Health Canada purchased from cell carriers to justify the cruel and inhumane lockdowns we suffered through.

    Do you see, in your role as Privacy Commissioner, requiring the telecoms and web giants, for example, to obtain pre-approval from your office on metadata before implementing, using or selling the information?

    I think this was one of the recommendations in terms of either proactive audits or making sure, when you're dealing with this type of metadata or location-tracking—it was discussed in this committee in the context of the government, but also in terms of a third party—that individuals are aware. What is the information collected? Why is it going to be collected? What is the purpose? It would also be to constrain whoever it's going to be shared with, if anyone. There were concerns about keeping it even within government, or within a department if you're going to share with other departments. How do you proactively provide that information?

    I think that's one of the elements. Oftentimes, the information may be there, but the onus is on the individuals to do a lot of digging to find it. I think one of the themes that came out in your report—and I agree—is making it as user-friendly as possible. Make it simple, make it easy to opt out and make it easy to know what is happening.

     You don't believe, though, that it should receive your approval prior to being implemented, unless it has the easy opt-in and opt-out.

    I'm not sure that it would be necessarily realistic that the OPC, in every single case, provides approval, but there may be certain cases where it is required, so focusing on that.... The more serious it is, of course, I think the more important it will be to ensure that it is vetted, whether it be by OPC or otherwise.

    The user would still have the opportunity to use the app or the operating system, or whatever it is that the cellphone covers, if that's what they are signing up for. When they say opt out, they opt out of that aspect of it, but they can still have it, so they are not under any type of duress to sign up.

    We also have the case of the Tim Hortons app. Users were told that geolocation functions were only being accessed when they had the app open, but it was later learned that the app was collecting information even when it wasn't open.

    Do you see the role of the Privacy Commissioner as having anything, again, to pre-empt such an aspect? In particular with this one, nobody can cash in their points unless they download the app so they say, “Okay, I can't have my points unless I give them access to this information.”

    Right. Your last comment, Mrs. Gallant, highlights what was mentioned in this committee in the mobility study as being a culture of “I agree”. It's a culture of clicking “yes” to the policies, because you want to use the technology. I think this is part of making sure that Canadians can use and participate in this digital technology, but not at the cost of their privacy rights.

    In the Tim Hortons incident, what came out was that there was a concern in terms of the purposes. There was no legitimate need for all of this information. It was very intrusive in the sense that it kept doing it, even when the app was not in use, and it was doing it very frequently. There was a concern about the consent. Users had not been informed as to how extensive it was going to be, and they didn't understand that it would result in their location information being used in such an excessive way. There were also concerns about the contract clause with the provider being too flexible in terms of how they could use it and in terms of the privacy accountability regime.

    I think those are all areas where the Privacy Commissioner, with a proactive audit mandate, could have engaged and had discussions, saying, “Make sure that there is privacy by design here and make sure that there's a privacy impact assessment that's meaningful.”

    There's a role for the OPC. There's also a role for legislation in mandating these types of accountability processes.

    It would be the OPC or legislation that would need to be put in place to require all the apps that are already out there and, unbeknownst to us, collecting information or having information sold without our immediate knowledge....

    The OPC would be able to do certain things based on authorities that it are given under the act. I would start with the act to ensure that, if it is to require organizations to do such things, and if it is to allow the OPC to be auditing it, that would be the place to start.

    Thank you, Mrs. Gallant.

    Now, for what I think will be our last round, we have Ms. Hepfner for up to five minutes.

    Thank you very much, Chair.

    Through you, I would like to ask Mr. Dufresne what he thinks about the idea of the concept of a single digital identity. There's this idea that we could all have one Canadian national identity and we could have more control over our own information, but at the same time, some people are afraid that it would give the opportunity to have us tracked.

    Could you weigh in on that whole idea?

    Maybe I should have mentioned that in the answer to the earlier question from Mr. Green, I believe, on future issues to look at. This is a good example. I would want to learn more about the specific technical aspects of it.

    You had a discussion, I believe, with Mr. Therrien on that. It came through that there is potential in that. There's potential for it to be a very useful and very effective tool, perhaps more so than SIN numbers and other such things, but there are also risks in terms of privacy.

    This is an example where you would want to have a strong privacy impact assessment, ensuring how this is used, how safe it is and how the information is going to be contained. Again, it's reaching that public interest benefit for Canadians but not at the expense of privacy.

     Thank you.

    As a federal privacy commissioner, how do you expect that you would interact and work with privacy commissioners at the provincial level?

    I would expect and commit to work very collaboratively with those colleagues who do fundamentally important work, and there are some areas of parallel with PIPIDA. In certain provinces it will be the provincial legislation such as in Quebec, B.C. and Alberta. There's a strong need to collaborate with all of the provincial authorities, and we've seen it. There have been joint investigations whether for Clearview AI or the issue of Tim Hortons. These are good examples.

    It is very important not only for the exchange of expertise and knowledge but also in terms of the impact, so I would look forward to continuing that. I look forward to meeting all of them, hopefully, after the confirmation.

    Thank you.

    Earlier I tried to bring a motion to this committee that looked at the privacy of people working at home. There wasn't enough appetite on the opposition benches to move forward with that study, but there has been evidence that employers are increasingly surveilling employees at home.

    With this change in the way our society is functioning, how quickly could your office adapt to upcoming issues like the privacy of people working from home?

    I think it's important for the federal commissioner or provincial commissioners to be at the forefront of these types of issues. This is an example of something that's happening perhaps in the employment realm, so perhaps there are some provincial jurisdiction aspects to that, but it has an impact on privacy. For new technology, new benefits, again, what are the implications and how do we minimize the impacts on privacy?

    It may not be, depending on jurisdiction, the OPC that would be enforcing that, but I do see a role in terms of communicating and raising this issue. I think it's important to keep on top of these new, evolving technologies, and as part of my vision, I do see the OPC as being a centre of excellence for all things related to privacy.

    With one minute left, I just want to take you back to what I think I've understood. We've been talking, especially with the mobility data report, about informed consent, and what I think I'm getting from you today is that we move away from this idea of informed consent, take the onus off the user and put it on the legislation and the company.

    Is that what I understand? Because informed consent is so hard to properly get, maybe we don't put the onus on the user. We put the onus on the companies and the legislation.

    There's always going to be a place for consent, and when consent is needed it has to be meaningful. It has to be consent that is informed, and the individuals have to know what's happening and why and have the ability to opt out.

    There may be situations where consent is not appropriate and it should rather be something that is not permissible in terms of use, that it is not a legitimate use, so we need both. We need a regime that says there are certain no-go zones. There are certain things you can't do even with consent. There are certain things you have to consent to, and there may be things that you're not going to be consenting to because there is such a public interest, public health, or it's not possible to have that. It's a range.

    Thanks very much.

    All right. With that, I don't see anybody with other questions.

    Ms. Khalid, you would like the floor.

    Thank you, Chair.

    I do have a motion to move. I move:

    The motion is in order.

    (Motion agreed to)

    Some hon. members: Hear, hear!

     Thank you to nominee Dufresne for coming today.

    I will report this recommendation to the House as soon as I possibly can.

    With that, the meeting is adjourned.