Good morning, and hello from Manchester.
Thank you, Chair and committee, for the invitation to appear before you today.
I'm the Information Commissioner of the United Kingdom. I regulate data protection and freedom of information as well as a host of other personal information-related legislation.
I'm pleased to have the opportunity to speak to you today about the work of my office in investigating the use of personal data for political campaigning purposes.
I've watched some of the earlier sessions of your inquiry with great interest, and based on that, I need to set out something clearly at the outset.
In the U.K. and across the EU, information about individuals' political opinions is considered a particularly sensitive category of personal data to which additional safeguards under data protection law are applied. What that means, therefore, is that political parties and campaigns are subject to a combination of data protection, direct marketing, and electoral law when engaging in processing of data for electoral purposes with oversight by my office and the electoral commission. This has always been the case since data protection legislation was first introduced more than two decades ago, and it's simply accepted as a cultural norm.
These rules are there to ensure free and fair elections, and they do not undermine democratic engagement in the U.K. Instead, political parties have to engage with voters in a manner consistent with that law. Recognizing the special place of political parties in a democratic society, they've been given special status under U.K. data protection law to allow parties to carry out their campaigning activity.
In my complaint-handling role, I consider complaints from individuals against political parties when they think that their data has been misused. The number of complaints has never been particularly high. Other than a spike at election time, political parties have not, in the main, been a sector generating a high proportion of complaints. My office has maintained an ongoing dialogue with parties, meeting with them regularly and issuing bespoke guidance on how they can comply with the law when they are campaigning.
However, the EU referendum in the U.K. in June 2016 was an unusual exercise by British norms. Instead of being fought by established political parties, the referendum was led by campaign groups that were, in some cases, fuzzily constituted coalitions of like-minded bodies. The U.K. law on data protection is written to take account of political parties, but in a country where few referendums take place, the law has less to say about non-party campaign groups. This is made, considering potential breaches of the law during the referendum campaign, more challenging for my office.
We were concerned about some of the campaigning practices that we heard about and the provenance of the personal data used by campaign groups to target individuals. That's why in May 2017, I announced a formal investigation into the use of data analytics for political purposes. The original goal of the investigation was to pull back the curtain on how personal information was used in modern political campaigns.
At its heart, data protection law requires organizations to process data fairly and transparently, but rapid social and technological developments in the use of big data means that there's limited knowledge of or transparency around data processing techniques, including analysis, algorithms, data matching, and profiling to micro-target consumers and voters.
I think these techniques are attractive to political parties in campaigns as it enables them to target individual voters with messages in keeping with their political interests and values, but this isn't a new game played by different rules. The law continues to apply whether campaigning is conducted offline or online.
My investigation now involves over 30 organizations, including political parties and campaigns, data companies, and social media platforms. Among those organizations is AggregateIQ, which was used by a number of U.K. campaign groups, a company that this committee has already heard from.
What we didn't expect at the outset of our investigation was to be looking at the what, when, how, why, who of a reported 87 million Facebook profiles alleged to have been mined by an academic and passed on to a U.K. political consultancy working on the U.S. 2016 election and other political campaigns, plus multiple other lines of inquiry that I can't talk about at this time. This naturally raised concerns both in the U.K. and abroad and officers of Facebook and Cambridge Analytica have been called to account in various national parliaments.
I'm sure you understand that I can't speak about the particulars of an active investigation. The investigation is progressing at pace. Enforcement activity is ongoing, so it wouldn't be appropriate for me to comment further.
What I can say, though, is a number of organizations have freely co-operated with our investigation. They've answered our questions and they've engaged with us. But others have attempted to undermine the inquiry by failing to provide comprehensive answers to our questions, refusing to co-operate altogether, or challenging the process. In these situations we've been forced to use our statutory powers to make formal demands for information.
Some of my lines of inquiry are more developed than others, but an update on the entire investigation will be provided in a report issued by my office in the coming weeks. Whilst my colleague, Commissioner Therrien, is conducting his own investigation into Facebook, there are areas of joint interest that cut across both of our investigations. As Commissioner Therrien noted, the ICO and the OPC have a co-operative relationship and we can share information if it's necessary for our investigative purposes in the public interest.
When I think about your committee's work, I can see two distinct lines of inquiry: first, the immediate concern of Facebook, AggregateIQ, and others and whether existing laws in Canada have been broken, and then a second longer-term line of inquiry, a wider consideration of public expectations of the use of their data in the political context and whether the law needs to be changed. This inquiry is rightly looking not just at data protection law but also at other areas, such as electoral law, to see how these issues can be addressed.
I mentioned my report to be published in the coming weeks. I will be making findings as to whether individuals' rights were infringed, but I'll also be making policy recommendations on how the U.K. government and others could address the failings that I've uncovered, including greater transparency in political campaigning. While every jurisdiction is different, there may be some relevant lessons that could be read across into the Canadian context.
To put my cards on the table, and I say that against a backdrop of fully recognizing the public interest of political parties being able to communicate with voters, which is of course a cornerstone of democratic engagement, I believe that the use of individuals' data by political parties needs to be addressed in Canadian law. Canadians should be able to bring a complaint to an independent regulator.
The law that we have in the U.K. is built on sound foundations and principles and doesn't unnecessarily fetter the democratic process. In the U.K.'s data protection law, political parties have a legal justification for processing the personal data of individuals when carried out for electoral purposes.
My office is only part of the oversight picture in the U.K. The U.K.'s Electoral Commission is responsible for overseeing elections and political spending. Where there is crossover, my office can work with the Electoral Commission or decide which body should take the lead.
This is not to say that everything about the U.K.'s data protection regime is perfect. I said the system works for political parties, and it largely does. The Brexit referendum was a different beast, as I noted earlier. Non-traditional campaign groups either unfamiliar or unconcerned with data protection law may have crossed that line into unlawful activity, and I think the temporary nature of those groups has made pursuing them for the failures of data protection law more challenging.
The U.K. law already equips me with recourse to criminal sanction if a notice from my office goes unanswered. This means that even if a campaign group or an organization winds itself up, I can still have recourse to pursue individual former officers of that group. This might seem like a lot of powers for one body to hold, but as a regulator, I'm answerable to Parliament and I must be able to justify how I go about using my regulatory tools. I think the ICO has always been a proportionate and responsible regulator, and never more so than in the context of political campaigning where we are acutely aware of the inherent public interest in democratic engagement. This approach will continue under the GDPR and the new U.K. data protection bill when it's enacted.
The manipulation of voters via micro-targeting risks undermining our democratic model, and isn't that a major concern for all of us?
Thank you very much. I look forward to answering any questions you may have.
Good morning, Chair, and thank you very much to the committee for the invitation to appear this morning, particularly alongside—it's a great pleasure—my colleague Commissioner Denham from the U.K. In fact, only a few short weeks ago, I was in the U.K. assisting Commissioner Denham with the investigation to which she made reference.
It wasn't long after my return to British Columbia that I was conferring with Commissioner Therrien at the Office of the Privacy Commissioner of Canada agreeing to jointly conduct an investigation into Facebook and the B.C. company, AggregateIQ, a company with which this committee is very familiar. That investigation continues. Of course, I'm not at liberty to disclose much about it until our work is complete in that regard.
What I would like to do this morning is pick up on themes referenced by Commissioner Denham that relate to the broad aspects of your committee's mandate. I'm referring to seeking out legislative remedies that will help assure Canadians of the privacy of their data and the integrity of our democratic and electoral processes.
Beyond investigating companies like Facebook and Cambridge Analytica, which are critical inquiries to be sure, it is also important for Canada's political parties themselves to take some measures for restoring confidence in the democratic processes in our country. I would invite you, as my colleague Commissioner Therrien has, to subject yourselves to accountability measures regarding the way in which you collect and use the information of Canadian voters.
A question worth pondering, I think, is whether the Cambridge Analytica scandal would have happened were it not for the increasing demands on political parties to gather and analyze personal data in the hopes of understanding it and using it to persuade voters. Democracy requires the citizenry to have trust and confidence in the political process, and a significant element of that process concerns how political parties collect and use the personal information that belongs to Canadians.
Parliament and some provincial legislators have created offices that oversee the collection and use of personal information by private and public bodies. Curiously, that oversight, with few exceptions, does not apply to political parties. British Columbia is an exception. B.C.'s Personal Information Protection Act, or PIPA, applies to all organizations in B.C. It is substantially similar to PIPEDA and for that reason generally supplants PIPEDA's authority in my province.
Political parties in my province have been subject to PIPA since its enactment in 2004. In the 14 years that have since passed, I can assure you that democracy has continued to thrive unimpeded in British Columbia. We have not heard concerns or suggestions that laws protecting the personal information of voters restricts the ability of political parties or candidates to engage voters.
Political parties in B.C. can and do collect personal information about voters, but they do so under the same reasonable legal responsibilities and obligations that apply to other organizations.
PIPA also gives citizens the legal right to request and correct the personal information that political parties collect from them and to register a complaint if necessary. These complaints are adjudicated by my office. A citizen's right to exert control over their personal information is a fundamental principle of privacy law. It is a principle strengthened by the EU's general data protection regulation, which Commissioner Denham just made reference to, and which comes into effect in Europe in just a few days.
You may be interested to know that my office is now undertaking a broad investigation of how the elected parties in our legislature collect and use voters' personal information. Those parties, I would note, have fully co-operated with our office's investigation. I expect that the investigation will result in recommendations and guidance that will help parties improve their privacy practices.
Of course, I know that recent proposed amendments to the Canada Elections Act will require political parties to adopt a policy to protect personal information and to provide it to the Chief Electoral Officer. These proposals are only a minimal step forward. They attempt to address the principle of transparency, but that is only one element of a proper data protection regime.
The proposed amendments do not require parties to respond to a voter's request for the information the party holds about them, nor does it allow a voter the right to ask a party to correct inaccurate information about them. Perhaps most important, there is no provision for an impartial third party to hear and determine a voter complaint. These basic legal standards have been a part of British Columbia law for years and are the norm in many western democracies. There should be nothing for political parties to fear in any of these legal obligations. In fact, implementation will do nothing but enhance the confidence of citizens in their democratic institutions.
With that, Mr. Chair, we are happy to take any questions you may have.
Mr. Chair, and members of the committee, thank you for the invitation to appear today. It's a pleasure to be speaking with you again about these important topics.
I'd also like to acknowledge that today is a particularly emotional day for Parliament. I had the good luck to spend time with Gord Brown both on and off the Hill, and I know he will be missed.
Google works hard to provide choice, transparency, control, and security for our users, and we appreciate the opportunity to tell you about how we protect Canadians and our billions of users around the world. I thought it might be a helpful context for this conversation to quickly touch on Google's presence in Canada.
For a company that is just 20 years old, we have some deep Canadian roots. Sixteen years ago, Google selected Canada as the location of its first international office. Since then, we have steadily grown to over a thousand employees in Canada, with over 600 programmers and AI researchers in Montreal, Waterloo, and Toronto. Our mission is to organize the world's information and make it universally accessible and useful. Google services provide real benefits to Canadians, whether it's Search, Maps, Translate, Gmail, Android, Cloud, or our hardware devices, our products help people get answers, organize their information, and stay connected.
Our advertising products help Canadian businesses connect with customers around the globe, and our search tools help Canadians find information, answers, and even jobs. Just a few weeks ago, we rolled out new ways for Canadians to find jobs using Google Search.
As you may know, Google has invested significantly in Canada's burgeoning artificial intelligence ecosystem, not only through the funding of organizations like MILA in Montreal and Vector in Toronto, but also by establishing research labs that have helped Canada attract and retain world-leading talent.
Our engineers work on significant products like Gmail, the Chrome browser, and Cloud, products used by billions of people around the world. We have a Canadian team developing safe browsing technology that prevents malware attacks and phishing scams, keeping the open web safe and secure.
This brings me to how Google has long thought about privacy and security. Google has been investing in tools and teams over the past five years to provide users with industry-leading transparency, choice, and security regarding their data. We offer tools such as My Account, Security Checkup, Privacy Checkup, Takeout, Google Play Protect, and more, all with the aim of protecting users' data, allowing users to make easy and informed privacy decisions, and affording users the opportunity to easily take their data with them to other platforms.
In 2015, we launched My Account, or myaccount.google.com, which provides Canadian users with quick access to a centralized, easy-to-use tool to help manage their privacy and security. This is used extensively. There were over two billion visits globally to this tool in 2017, including tens of millions by Canadians. While we continue to promote the use of this tool, it's clear that awareness is growing and that Canadians are using it to make informed choices.
Google promotes Privacy Checkup to users on a recurring basis so we can help our users keep their privacy choices up to date as their use of Google services changes over time. Users can see the types of data Google collects, review what personal information they're sharing, and adjust the types of ads they would like Google to show them. In addition, we have a tool called Security Checkup which helps users understand what devices and apps are accessing their data.
On our Google-licensed Android platforms, we've developed Google Play Protect, which monitors devices for potentially malicious apps. We design our products and implement product policies that prioritize user privacy. It's part of our commitment to ensuring our users understand how we use data to improve their experience with Google products and services. It's hard to keep data private if it's not secure, which is part of the reason we have built such a strong security team at Google. It's also why we have not only focused on the security of Google and our services, but have helped the entire Internet industry bolster security through our leadership with projects like Safe Browsing, HTTPS Everywhere, email encryption in transit, and our leadership on promoting two-factor authentication security keys.
We know that our users are people. They are family members, friends, and neighbours. Some are relying on our products to build their company, and they're non-profit. Others just need help finding a product, an address, or opening hours, but every one of them is putting their trust in us, and we recognize the enormous value of the trust Canadians put in us.
Thank you again for the opportunity to be here today, and I look forward to answering your questions.
Mr. Chairman, and committee members, I have closely followed your committee because I believe Canadians are facing the most important public policy issue of our time: data governance.
Canada's innovators know that data flows have transformed commerce and made data the most valuable asset in today's data-driven economy. Businesses use data to create as well as access new markets and to interact globally with both customers and suppliers. Control over data and networks allows dominant firms to hinder competition and extract monopoly rents from their customers and to deceive consumers via their data collection strategies. Vast troves of data are collected and controlled by foreign unregulated digital infrastructures. This is why the Council of Canadian Innovators called on our governments to design a national data strategy to ensure that cross-border data and information flows serve the interests of Canada's economy.
A national data strategy should codify explicit treatment of competition in the data sections of free trade agreements, including the right to competitive access to data flowing through large data platforms that have de facto utility status. If Canada doesn't create adequate data residency, localization, and routing laws that protect Canadians, then our data is subject to foreign laws, making Canada a client state.
While the Facebook scandals instigated the recent set of testimonies before this committee, I urge you to arm yourself with the facts about the data-driven economy, which is completely different from the knowledge-based economy that proceeded it and the production-based economy of the 20th century.
Intangible commodified data does not function the same way as tangible goods. The data-driven economy gets its value from harvesting, identification, commodification, and then use of data flows.
What we have heard from companies such as Facebook, including at this committee, is an inaccurate picture of what is happening. The Cambridge Analytica and Facebook scandal is not a privacy breach, nor is it a corporate governance issue. It's not even a trust issue. It's a business model issue based on exploiting current gaps in Canada data governance laws.
Facebook and Google are companies built exclusively on the principle of mass surveillance. Their revenues come from collecting and selling all sorts of personal data, in some instances without a moral conscience. For example, in Australia, Facebook was caught selling access to suicidal and vulnerable children.
Surveillance capitalism is the most powerful market force today, which is why the six most valuable companies are all data driven. Their unique dynamics require a made-for-Canada strategic and sovereign policy approach, because data and intellectual property are now key determinants of prosperity, well-being, security, and values.
Data underpins all aspects of our lives, as you can see from the illustration I gave you as a framework. As an intangible asset, data has critical non-commercial effects. With this in mind, I make the following recommendation: implement GDPR-like provisions for Canada. GDPR offers valuable lessons and a point of departure for Canada's legislators and regulators. It is a universally acknowledged advance in privacy protection and control of data.
European policy-makers recognize that whoever controls the data controls who and what interacts with that data, today and into the future. This is why they ensured that EU citizens own and control their data. Similarly, Canadians should own and control their data. Canadians need to be formally empowered in this new type of economy, because it affects our entire lives. For our democracy, security, and economy, Canadian citizens, not unaccountable multinational tech giants, need to control the data that we and our institutions generate.
By focusing only on individual privacy, Canadians can find themselves plugging just one of many holes, which is, in effect, plugging nothing. We need a horizontal lens to legislation and policies. Privacy and digital public and private services aren't opposing forces. For example, Estonia shows that better data governance leads to increased privacy in digital services.
Economists consistently show that the data-driven economy is unfolding at a speed that outpaces the creation of evidence-based policy-making. I urge you to work with Canadian innovators and experts who understand open technologies, data sciences, competition, standard-setting, strategic regulations, trade agreements, algorithm ethics, IP, and data governance.
We need them to help craft detailed policies that are technical in nature. By working with experts, we can advance our country and ensure Canada doesn't miss participating in the data-driven economy, like it missed prospering in the knowledge-based economy over the past 20 years.
On a personal level, as a Canadian, I am deeply worried about the effect mass surveillance-driven companies have on both Canadian society and individual Canadians. Personal information has already been used as a potent tool to manipulate individuals, social relationships, and autonomy. Any data collected can be reprocessed, used, and analyzed in the future, in ways that are unanticipated at the time of collection. This has major implications for our freedom and democracy.
I am concerned that without the design and implementation of a national data strategy, our politicians are moving ahead with initiatives with foreign companies that are in the business of mass surveillance. Some of these companies have a proven track record of using data for manipulative purposes. Unfortunately, history offers sobering lessons about societies that practise mass surveillance.
It is the role of liberal democratic government to enhance liberty by protecting the private sphere. The private sphere is what makes us free people. There is no individual consent to, or opting out of, a city or a society that practises mass surveillance, and this is the path Canada is currently on. Therefore, in addition to putting in place appropriate economic incentive structures and regulatory frameworks, I also urge you and fellow elected officials to act boldly to preserve our liberal democratic values, to promote the public interest, and to assert our national sovereignty.
I thank you for considering my recommendations and for the opportunity to present here today.
My question is for Mr. McKay.
On Tuesday, Google announced that it will soon be possible to use artificial intelligence to converse on the phone in our place. That means that my Google virtual assistant will be able to make a hair appointment for me and record it in my personal agenda. I will simply have to ask it to do so.
What worries me about this is that, if it is possible to find information about a third party and enter it in someone's personal agenda, those same robots could ask a multitude of questions to 100,000 people. Do you like blue, for example. The robots could ask seven, eight, nine, ten, eleven or twelve questions, and then analyze the answers.
In terms of data, we are now in the wild west. It is changing so quickly. Companies like Google and Facebook can get personal information about people. After that, there will be a void. They will be able to do anything they want with the data, data that people voluntarily gave them.
With these tools, Google's strategy is to sell services and to give services to the public. How will you protect the data you can record? Can you use this kind of robot to get data that you will then resell to third parties later on?
Based on the core principles, no. The aspects that I'm zoning in on are, one, that you have personal ownership of your data and personal control over it, that you have awareness of what they're doing, and that you have what's called the right to delete and the right for portability.
The second thing, which we haven't had much discussion on, which is a very central part of the GDPR and this was a tremendous tug-of-war between Brussels and Washington over many years, is this element of safe harbour in routing. It is important to understand that no matter what we regulate in Canada, I've been told by experts that something akin to 80% and 90% of our data is routed through the U.S. Even if I sent you an email across this table, it's routing outside. It's called a boomerang effect. You have to understand that, per U.S. law, Canadian data has no rights whatsoever in the United States. You have no right to privacy; you have no right to anything. What the EU also did was manage the routing so that it never left the jurisdiction of what they prescribed as appropriate treatment of that data.
The GDPR is nuanced. It was the subject of many years of debate, from many perspectives. Using GDPR-like approaches is a minimum we should take in Canada, and then look at other forms of activities, such as the economic development opportunities for primary industries that Mr. McKay talked about, and many other aspects that we could extend beyond that.
It's also very important to remember, although it's not the purview of this committee, that in parallel the EU did a sustained set of studies and plans on competition behaviour for what's called the inherent asymmetry of data, where the big get bigger. If you want to promote economic advancement and prosperity, you also have to look at the competitive structures of that.
Competition and GDPR dance in harmony through pretty much a decade of work.