In the interest of time, I will use a slightly truncated version of my speech. If you see me skipping paragraphs, it's to save time.
Thank you for the opportunity to speak with the Committee today.
Today I would like to address four subjects that have drawn Elections Canada's close attention and that relates to your study: foreign interference, the digital information environment, cybersecurity and privacy.
I am grateful for this opportunity to explain to the Committee what role Elections Canada is playing to preserve trust in our electoral process, and to outline where we are collaborating with others, on the understanding that no single solution and no agency working alone can address these threats.
Let me first start with the issue of foreign interference, which overlaps in part with the other topics that I have identified.
In Canada, recent concerns about foreign interference have been primarily around issues of foreign funding of third parties—entities that seek to influence the electoral debate without participating directly as parties or candidates.
Bill would significantly expand the third-party regime and include measures that aim to eliminate opportunities for foreign funds to be used in Canadian elections. This includes an anti-avoidance clause and a ban on the sale of advertising space to foreign entities.
As you are aware, foreign interference can take other forms, including disinformation campaigns and cyberattacks.
The expansion of the web and social media has transformed our information environment. Citizens are no longer simply struggling to determine who is a journalist; they are unlikely to know whether a given social media post or ad was sent by a bot or a human, or whether it is a genuine expression of belief or part of an influence campaign, domestic or foreign.
There is no simple solution to this, but elements of a response are emerging. Efforts to increase digital literacy are, in my view, a key element. It is reassuring to know that Canadians are increasingly cautious about what they see or read on social media. I would add that they generally trust the conventional media.
Bill would include a requirement for social media platforms to publish and preserve archives of election and partisan ads. This is a positive step that supports transparency and aids enforcement.
Bill would also clarify and expand existing provisions against some kinds of online impersonation, as well as false statements about candidates.
Elections Canada's specific and essential role is to ensure that Canadians have easy access to accurate information about the voting process, including information about where, when and how to register and to vote.
In preparation for the next election, we plan to launch a voter information campaign starting next spring. We will also be monitoring the social media environment throughout the election period, which will enable us to rapidly correct any inaccurate information about the voting process. And we will create an online repository of all of our public communications, so that citizens and journalists can verify whether information that appears to be coming from Elections Canada actually is. This is something that I have encouraged political parties to consider doing regarding their own communications, to have a central repository of their communications.
Together with the Commissioner of Canada Elections, we have also engaged representatives from social media platforms to better understand how they operate and to establish channels of communication to rapidly respond to incidents during the election.
A third area of concern is cybersecurity. While we continue to rely on hand-counted paper ballots, Elections Canada is increasingly delivering online services to voters, the candidates and the parties. One of my key responsibilities is to protect Elections Canada's digital assets, based on the advice and expertise of our federal security partners.
Over the last two years, we have made significant investments to renew our IT infrastructure and to improve our security posture and practices. As part of this effort, we are also providing security awareness training to staff at headquarters and to all 338 returning officers in the field.
Other participants in the electoral process, including media and parties, must also protect themselves against hacking. The Canadian Centre for Cyber Security offers excellent resources and advice to everyone. Some measures are inexpensive and can be quite effective. Other measures, however, may require considerable investments.
In this context, the committee may wish to consider the need in the future for parties to receive a special subsidy to help them upgrade and improve the security of their IT systems and explore ways in which such a subsidy could be fairly achieved. I recognize from my own investments at Elections Canada the cost of these investments. I believe it is a matter of public interest, not personal or private interest of the parties, to have the resources as the cost to ensure cybersecurity increases.
The last point I want to address is the issue of privacy. This committee has recommended that political parties be made subject to basic privacy rules and oversight by the Privacy Commissioner of Canada. This is a recommendation that I also support and have made in the context of Bill . I was disappointed that it was not accepted at committee.
Parties, as you know, increasingly rely on voter data to support fundraising and campaigning activities. This data may include, in addition to the information that we provide to parties and candidates, information about a person's political affiliation or support, volunteer activities, or other information that the party believes to be relevant to its purposes.
Bill is also silent on whether a party's policy should include a mechanism allowing Canadians to validate and correct any information that the parties hold on them. Of course, nothing prevents parties from doing so, or from taking other steps to reassure Canadians about the collection, use and protection of their information.
It has been observed that parties have much to gain in having robust privacy policies and practices, and I believe that to be the case. Above all, more importantly, I believe that electoral democracy has much to gain.
Mr. Chair, I would like to conclude by emphasizing the importance of the work undertaken by the committee. I would be happy to answer any questions the members may have.
Thank you, Mr. Chair, for this opportunity to participate in the committee's valuable examination of how to better protect the private data of Canadians.
I will spare you the introductions, to save a bit of time.
As the committee members know, the CRTC derives its mandate from various pieces of legislation. The Broadcasting Act authorizes the CRTC to regulate the industry in pursuit of specific objectives, including to encourage the creation and promotion of content made by Canadians and that reflects Canadians in all their facets.
Similarly, the Telecommunications Act assigns the CRTC the mandate to regulate the telecommunications industry in pursuit of particular goals. For instance, ensuring that Canadians in urban and rural areas have access to reliable, affordable and high-quality telecommunications services.
The Telecommunications Act also gives the CRTC the authority to regulate unsolicited telecommunications and to take enforcement action against non-compliant telemarketers.
For its part, Canada’s anti-spam legislation authorizes the CRTC to regulate specific types of electronic communications. These include the transmission of commercial electronic messages, the alteration of transmission data in electronic messages and the installation of programs on another person’s computer system.
Of course, the CRTC, like all other federal departments and agencies, abides by Canada’s Privacy Act.
Moreover, the Telecommunications Act requires that the telecommunications sector contribute to the protection of the privacy of individuals. The CRTC’s policies in this area are limited to the protection of confidential consumer information held by telecommunications service providers.
The CRTC appreciates the committee's work on digital platforms. Earlier this year, we published a report titled “Harnessing Change: The Future of Programming Distribution in Canada”. The report's perspective is informed by CRTC's mandate, of course. As such, much of the report focuses on the creation, distribution and promotion of Canadian audiovisual content.
In a digital age, users can now access a growing wealth of content and platforms. As a result, the traditional regulatory approach is less and less able to obtain the objectives set out in legislation such as the Broadcasting Act. To address this reality, the report suggests innovative approaches to policy and regulation, approaches that would engage digital platforms that provide audiovisual content to Canadians.
We proposed that three principles should guide any new approaches.
First, future policy approaches should not only focus on the production and promotion of high-quality content made by Canadians, but also on its discoverability.
Secondly, all players that benefit from participation in the broadcasting system should contribute in an appropriate and equitable manner. New policies and regulations must recognize that the social and cultural responsibilities that come with operating in Canada extend to digital platforms.
And finally, future legislation and regulation must be nimble and capable of easily adapting to ever-changing consumer behaviour and technologies.
The report also identifies some of the opportunities created by the evolution of digital technologies. For example, data on how people find, select and interact with content could inform how to develop and distribute content in ways that support Canada’s broader policy objectives.
That being said, we recognize that digital communications technologies pose particular risks to the protection of personal information. The report describes the problem as follows:
||The development of these online services has also given rise to new ways of misusing data—for example, to infringe on the privacy of Canadians—particularly when services collect data without users’ knowledge or informed consent. Data can also be used to misinform and manipulate through fake [news] or misleading news and information, affecting democratic processes, relationships with others and the way Canadians view the world.
The CRTC firmly believes that protecting the personal data of Canadians and preventing abuses must remain the overriding consideration. The legislative and regulatory frameworks that govern the protection of privacy and the use of personal data, however, are not part of CRTC's mandate on the broadcasting side.
We'll do our best to answer your questions.
Thank you, Mr. Chair and members of the committee. Thank you for the invitation to appear before you today.
Last week, I attended the 40th international conference of data protection and privacy commissioners, in Brussels. The conference confirmed what I had explained in my last annual report: There is a crisis in the collection and processing of personal information online. Even tech giants, attending the conference in person or through video, are recognizing that the status quo cannot continue.
Apple CEO Tim Cook spoke of “a data industrial complex” and warned that “[o]ur own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency”. He added, “This is surveillance.” Facebook's Mark Zuckerberg admitted that his company committed a serious breach of trust in the Cambridge Analytica matter. Both companies expressed support for a new U.S. law that would be similar to Europe's General Data Protection Regulation or GDPR.
When the tech giants have become outspoken supporters of serious regulation, then you know that the ground has shifted and we have reached a crisis point.
Your committee clearly senses this ground shift and has supported our recommendations for legislative change. The government, however, has been slow to act, thereby putting at continued risk the trust that Canadians have in the digital economy, in our democratic processes and in other fundamental values.
Let's examine, for a moment, the impact of online platforms on privacy and the integrity of elections.
As Canadian artificial intelligence researcher Yoshua Bengio recently said in Le Monde
||Our data fuels systems that learn how to make us press buttons to buy products or choose a candidate. Organizations that master these systems can influence people against their own interest, with grave consequences for democracy and humanity....The only way to restore balance is to ensure that individuals are not left alone when interacting with businesses. What is the role of governments if not to protect individuals. Nothing prevents regulating against excess and the concentration of power in certain sectors.
In my opinion, these are not uniquely Canadian threats, but global ones.
Aside from the misuse of personal information to influence elections, we have also seen hostile states interfering in elections by deliberately targeting personal data.
ln the words of Giovanni Buttarelli, the EU Data Protection Supervisor:
||Never before has democracy been so clearly dependent on the lawful and fair processing of personal data.
Recent investigations in various countries have demonstrated that political parties are harvesting significant amounts of personal information on voters and adopting new and intrusive targeting techniques.
ln July, the UK Information Commissioner released her interim report on Facebook/Cambridge Analytica which found very serious shortcomings in the way digital players are operating.
For example, despite significant privacy information and controls on Facebook, they found users were not told about political uses of their personal information.
The UK Commissioner also raised concerns about the availability and transparency of the controls offered to users over what ads and messages they receive.
Significantly, the UK office found that political parties are at the centre of these data collection and micro-targeting activities. These activities would not take place without political parties.
None of this is encouraging for voters; when we last polled Canadians on this issue, 92% wanted political parties to be subject to privacy law. That's as close to unanimity that one can get in such polling.
ln September, privacy commissioners from across Canada put forward a resolution calling on governments to ensure that political parties are subject to privacy law.
Academic experts, civil society and the Canadian public all agreed with this position; and so does the Chief Electoral Officer.
The government, on the other hand, maintains that while the application of privacy laws to political parties is an issue that deserves study, the next federal elections can take place without them.
Canadian political parties' lack of oversight is unfortunately becoming an exception compared to other countries, and it leaves Canadian elections open to the misuse of personal information and manipulation.
The bottom line is that without proper data regulation, there are important risks to a fair electoral process; and this applies to the next federal election in Canada.
This brings me to updating you on our investigative action. I will be quick here, because I'm conscious of time.
As you are aware, we are proceeding—with our colleagues in British Columbia—with an investigation of Facebook and AggregateIQ. The work is advancing well, but we have not yet made our determinations. We continue to gather and analyze information.
For obvious reasons, I'm limited in what I can report due to confidentiality obligations under PIPEDA. I will remind you that we are investigating, among other things, the access to personal information provided to third parties by Facebook, in particular sharing friends' information with app developers. This was an issue we raised with Facebook in 2009. Since May, we've had many extensive requests for information. We received submissions from Facebook, and we will engage in another round of discussions very shortly.
Our investigation of AIQ focuses on whether it collected or used personal information without consent, or for purposes other than those identified or evident to individuals. Since my last appearance, OPC investigators have issued additional requests for information. They've conducted a site visit. They've undertaken sworn interviews with both Mr. Massingham and Mr. Silvester, and they have reviewed hundreds of internal records from AIQ, including AIQ electronic devices.
In order to make our conclusions public as soon as possible, our plan is to proceed in two phases: one at the end of this calendar year—next month—and a second phase in the spring.
The time for industry and political party self-regulation is over. The government can delay no longer. Absent comprehensive reform, Parliament should ensure the application of meaningful privacy laws to political parties. It should also give my office the same inspection and enforcement powers that most of Canada's trading partners enjoy.
Individual privacy is not a right we simply trade off for innovation, efficiency or commercial gain. No one has freely consented to having their personal information weaponized against them, to use Tim Cook's term. Similarly, we cannot allow Canadian democracy to be disrupted, nor can we permit our institutions to be undermined in a race to digitize everything and everyone simply because technology makes this possible.
Here, we go to the heart of the issue. Technology must serve humankind—that is, all individuals. Without individuality and privacy, it is a philosophical and practical truism that we cannot have a public democratic life, nor can we enjoy other fundamental rights we cherish, including equality, autonomy and freedom. Privacy is the prior condition for the enjoyment of other rights, including democratic rights. Without privacy, the social environment we have in Canada—democracy, political harmony and national independence— is also at real risk, including risks posed by hostile states.
As to the specifics of the legislative amendments that, in my view, might be required, while there are several excellent elements in the GDPR of the European Union, we should seek to develop an approach that reflects the Canadian context and values, including our close trading relationships within North America, with Europe, and with the Asia-Pacific region. A new Canadian law should reserve an important place for meaningful consent. It should also consider other ways to protect privacy where consent may not work, for instance in the development of artificial intelligence. The GDPR concept of legitimate interest may be considered in that regard.
Our law should probably continue to be principles-based and technologically neutral. It should also be rights-based, and drafted not as an industry code of conduct, but as a statute that confers rights while allowing for responsible innovation. It should empower a public authority—it could be my office or another public authority—to issue binding guidance on how to apply general principles in specific circumstances, so that the general principles do not remain pious wishes but receive practical application.
A new law should also allow different regulators to share information.
Thank you, Commissioner, for appearing before us again today.
Earlier this year, we learned in our study of the scandal with Cambridge Analytica, Facebook and AggregateIQ—as you did in your investigation, and as did the Privacy Commissioner of B.C. and the Privacy Commissioner of the United Kingdom—that millions of pieces of personal data, including that of hundreds of thousands, perhaps more, Canadians, was improperly harvested from Facebook, handled by a number of bodies, and moved back and forth in the digital world across national borders, and we have no assurance that this original improperly harvested data, this mass of data, has been destroyed.
We learned just in the last few weeks that your former Ontario counterpart, Ann Cavoukian, resigned from a Google sibling in Toronto, Sidewalk Labs, because Google could not assure her that highly personal data within Toronto could be effectively de-identified, which Google said was their objective.
Just in the last few days, a Conservative Order Paper question was responded to by the Liberal government regarding recent hacks of the Canadian government: 800 pages, representing perhaps 10,000 hacks or improper access to various government departments and agencies' websites.
This week we learned that you have launched an investigation into Stats Canada's demand or request to Canadian financial institutions for deeply personal information on at least 500,000 Canadians without their knowledge or consent—again, I know that consent is a major concern of yours—to develop a new institutional personal information bank. The claim here by Statistics Canada is that it would be anonymized.
Certainly, after seeing Cambridge Analytica, Facebook and AggregateIQ, and after hearing the very legitimate concerns of a well-recognized authority like Ann Cavoukian over the impossibility or the unlikelihood of de-identification being achieved, I'm also deeply skeptical about Statistics Canada's ability to guarantee that all of the information they're harvesting will be anonymized.
I know you've just begun your investigation, but is consent a paramount consideration in situations like this? Could we have your comments, please?
Good afternoon, Mr. Therrien.
We understand that you're seeking better oversight, better control and greater powers. I'm frankly not opposed to the idea. I think we need to keep an eye on what's going on. However, I don't get the impression we're seeing what needs to be changed or controlled. It's fine to want better control and the resources you need in taking more radical action to address a problem, but first you have to define that problem. I'm not sure we've properly done that. I think we've been spreading ourselves a bit too thin for some time now. I'm going to outline a scenario for you, and then I'd like you to comment on it.
Companies request information from a client. The client provides it, starting with his name. The number of details that are then requested vary from one company to the next. As my colleague said, if, as a client, I fail to provide a minimum amount of information, I won't have access to services. I also can't do much about criminal behaviour from the outside. If I'm hacked, that's not necessarily attributable to bad faith or inappropriate policies. You can always fall victim to some internal or external deficiency, and there are some things I can't control. However, when I register for a service, I expect to receive most of what the supplier is willing to provide me. So that's a relationship between two parties.
I don't think the problem is to determine what information I provide. We're told that, for reasons of transparency, we need to know what businesses do with that information. However, if they start telling us what they do, that is to say, exactly what they were previously doing without our knowledge, that won't change their professional practices much. We won't be any further ahead even if they're very transparent.
The issue isn't to determine what's going on. The problem we have to address, and which may goad us into finding better ways of proceeding, is that we lose all control of the situation when a third party enters a transaction.
Rather than try to control everything that happens, wouldn't it be preferable to establish in actual fact that the information provided to a service provider—and that includes a person's name—is private and must not be communicated, regardless of what type of information it is? So, if I do business with a third party and it wants to use my information to send me ads, so be it, but my personal information would never be disclosed to others, even if I provided it.
Should we focus on transactions involving a third party? In your efforts, you could cooperate with the Competition Bureau, for example.