Per the notice of meeting this is meeting 133 of the Standing Committee on Access to Information, Privacy and Ethics. The study is on the privacy of digital government services.
Today we have with us somebody we've had several times before, Daniel Therrien, Privacy Commissioner of Canada. We also have Gregory Smolynec, deputy commissioner, policy and promotion sector, and Lara Ives, executive director, policy, research and parliamentary affairs directorate.
Before I go to Mr. Therrien, I want to go to Mr. Kent quickly.
Members of the committee, thank you for inviting me to provide my views in the context of your study of the privacy implications and potential legal barriers relating to the implementation of digital government services in Canada.
A good starting point for this study, given that it defines the government's approach, is the government data strategy roadmap, published in November 2018, which was shared with us late last year.
In that document, the government indicates:
Data have the power to enable the government to make better decisions, design better programs and deliver more effective services. But, for this to occur, we need to refresh our approach.
Today, individual departments and agencies generate and hold a vast, diverse and ever-expanding array of data. These data are often collected in ways, based on informal principles and practices, that make it difficult to share with other departments or Canadians. Their use is inconsistent across the government and their value sub-optimized in the decision-making process and in day-to-day operations.
We of course support the use of technology to improve government decision-making and service-delivery but, as mentioned in your mandate, this must be done while protecting Canadians' privacy. In that regard, it is important to remember that privacy is a fundamental human right and that it is also a prior condition to the exercise of other fundamental rights, such as freedom, equality and democracy.
The government's roadmap underlines the difficulty of sharing data across departments and attributes this either to informal principles and practices or, in other circumstances, to legal barriers. I understand that there is in fact an exercise within government to identify these legal barriers with a view to potentially eliminating those found inconsistent with the new approach that the government feels is required to extract value from data.
I would say that what is a legal barrier to some may be seen as a privacy safeguard by others. The terminology that the government or other interveners use in this debate is not neutral. Many of the presumed barriers are found in sections 4 to 8 of the current Privacy Act. Should these rules be re-examined with an eye to improved government services in a digital age? Certainly. Should some of these rules be amended? Probably.
But, as you go about your study, I would ask you to remember that, while adjustments may be desirable, any new legislation designed to facilitate digital government services must respect privacy as a fundamental human right. I can elaborate on this point in the question period, if you wish. In other words, modalities may change but the foundation must be solid and must respect the rights to privacy. The foundation must be underpinned by a strengthened privacy law. As you know, we made recommendations to that effect in 2016. I would add a new recommendation here: that the public sector adopt the concept of protecting privacy from the design stage.
I reviewed with interest the testimony before you by officials from Estonia at the launch of your study. While the Estonian model is often discussed for its technological architecture, I was struck by the fact that officials emphasized the greater importance, in their view, of attitudinal factors, including the need to overcome silos in state administration leading to reuse of personal information for purposes other than those for which it was collected.
This could be seen as validation of the view that our Privacy Act needs to be re-examined and that—quote, unquote—“legal barriers” should be eliminated. I would note, however, that in Estonia the elimination of silos did not lead to a borderless, horizontal management of personal data across government. Rather, in the Estonian model, reuse, or what we would call sharing of information, appears to be based on legislation that sets conditions generally consistent with internationally recognized fair information practice principles and with the GDPR, although I would encourage you to follow up with Estonia as to what these legal conditions actually are.
As to the technological aspects of the Estonian model, our understanding is that there is an absence of a centralized database. Rather, access is granted through the ability to link individual servers through encrypted pathways with access or reuse permitted for specific lawful purposes. This purpose-specific access by government agencies likely reduces the risk of profiling.
We understand that further privacy and security safeguards are attained through encryption and the use of blockchain. This is in line with one of our recommendations for revisions of the Privacy Act in 2016, namely, to create a legal obligation for government institutions to safeguard personal information.
I note that the Estonian model is based in part on a strong role for their data protection authority, which includes an explicit proactive role as well as powers to issue binding orders, apply for commencement of criminal proceedings and impose fines where data is processed in an unlawful manner or for violations of the requirements for managing or securing data. Similarly, the OPC should have a strong oversight and proactive role in line with our Privacy Act reform recommendations.
I'd like to conclude with some questions for you to consider as you take a deeper dive into the Estonian model or discuss its applications in a Canadian context.
First, we've heard officials say that the success of the system is based on strong trust, which requires strong safeguards. But no system, as you know, is totally safe. What mitigation measures are in place in Estonia when, and not if, there is a breach?
Second, Canada's data strategy road map posits that one of the valued propositions of a model such as Estonia's is the intelligence to be gathered from data analytics, but it is unclear to us how, given the segregated set-up of the data sets and the legislative regime in which it operates, providing for specific reuse for specific purposes, this could be accomplished. You may wish to explore this issue further.
Finally, we would suggest that obtaining clarity from Estonian officials on the legal conditions for reuse of data would help, because that's an important safeguard to ensure there is no overall profiling and what I refer to as borderless, horizontal data sharing.
Thank you for your attention. I'll be glad to answer your questions.
My first question is about the Estonian model and legal pathways.
When Michael Geist was before us, he said that technological measures put in place sound great, but we couldn't trust in those measures and we needed to revisit the Privacy Act. I take it you are of the same view.
Revisiting the Privacy Act and the clarity of pathways for sharing of information, I understand in Estonia, yes, they have a tell-us-once model, but you require specific statutory authorities for that reuse, so your point about our clarifying what the Estonian legislation says is important.
With respect to the Privacy Act, it's also your view, I suppose, that we should clarify the pathways of sharing information here in Canada as well.
It's good to see you again, Commissioner, and your partners today at the table.
Given the significant differences between the Estonian model and Canada today.... The digital identity in Estonia covers literally a person's entire lifetime, not just their health and tax information but their education.... It covers just about every aspect of their daily life.
From reading your remarks, you seem to see the first stage of digital government, should it come to Canada, as beginning at the federal government level alone. Is there any practicality in trying to get into those areas where there is a sharp divide and no overlap with provincial and municipal jurisdictions?
I'll put it in my terms.
I think the Estonian model is interesting in that the risk of digitized government services based on a common digital identifier, in the worst-case scenario, would be that the government, whether only the federal government or governments generally, would have a single profile of that individual. That is, of course, very difficult to reconcile with privacy.
One of the apparent virtues of the Estonian model is that the data is not centralized. It continues to reside in a large number of institutions, and there's a technological pathway with appropriate legal authority authorizing the information to be reused from one department to another. The decentralized aspect of the Estonian model, I think, at first blush, seems a positive feature that reduces what would otherwise be a risk.
You mentioned concerns that were expressed.
Mr. Therrien, it's always a pleasure to have you at our committee.
I want to follow up on your final statement about the question of trust and whether or not Canadians should be expected to trust a system such as this.
On my beat in this file over the years, I've seen that every year we have data breaches. Some are extremely significant data breaches, such as the loan information of a quarter million or more students, and recently, 80,000 individuals compromised through CRA.
In your work, is the number of breaches changing because technology is changing? Is it a standard...? Year in and year out, are we seeing some pretty significant, plus smaller, breaches? In terms of government departments, are you seeing much of a change?
I would not say that we're seeing significant improvement in these matters. It's a huge challenge to build that trust; there's no question.
I'll use an example, because I think it's telling on many levels. As you know, the government implemented a pay system called Phoenix that was criticized on a number of levels. We, the OPC, investigated the security and privacy safeguards that were in place, or not, with respect to the Phoenix system. One of the very concerning things we found during that investigation was that there was a deliberate decision by government officials not to put in place strong monitoring of who had access to personal information in the system, because it would be costly, would delay the system, and so on and so forth.
Directly to your question, I don't see many improvements. I would say it is absolutely essential that before these systems are implemented more broadly—to go back to attitudes—that government officials have an attitude of ensuring that safeguards are in place before the systems are implemented.
I thank you very much for that response. It leads me into where I was concerned.
I've been here 15 years. I see my colleagues on the other side and they're flush with the hope of new believers that we have finally come to the kingdom of salvation and government will work; whereas, over the years I've become a skeptic, an agnostic.
Some hon. members: Oh, oh!
Mr. Charlie Angus: I'm like the St. Thomas of government operations. I've sat on committee after committee where we were sure that bigger was better, that government always.... Whenever they were looking for who was going to get the contracts, they wanted to go as big as possible. Bigger was not better. Bigger was much more expensive. Bigger was always tied with deals, and the deputy ministers and who got the deals and who didn't.
Then we had Phoenix. I guess I would turn around to citizens in my riding and say, “Look at Phoenix. Do you trust?” In terms of the safeguards that need to be in place, would you not think it would be an extremely complex set of safeguards, that we would be able to assure Canadians that they can trust all their financial information, all their personal information, their life history with a department or a government that has, year in and year out, serious breaches in many and almost all of the serious, major departments?
Certainly, I know the people I deal with would prefer to have people actually answering phones if they had questions as opposed to getting their digital data quicker. We will always see them go with digital solutions as opposed to having people answer the phones.
I'm concerned about whether this is a one-way path or a two-way path. If I want to find my CRA information and I have a digital card, I can find that. It was suggested by one of my Liberal colleagues that it would be a great way for government to contact citizens.
To me, that's very concerning. If I am obligated to do everything online, if I have to give all this information online, there's the necessity, I think, of saying that this is so I can obtain services I want, but not necessarily for government to be able to contact me about what they want.
Do you see that if we have a two-way communication, it changes the nature of this, and the privacy rights of citizens become much more at risk from potential abuse?
Good afternoon, Mr. Therrien. It's always a pleasure to have you here. I think you're the witness who visits this committee the most so that's great.
You made a submission to ISED dated November 23. I read it through. It was very interesting. One thing you did write was, “It is not an exaggeration to say that the digitization of so much of our lives is reshaping humanity.” I would go even further that once that march towards technology has started, it's very difficult for anybody to stop it. Eventually it will succeed.
I know the model we have been using is Estonia, but if you look at Estonia right now, you see there are 1.3 million people, four million hectares of land, and half of it is forest, so broadband connectivity is not really a big issue there. When we look at Canada right now and the latest UN survey on leading countries in e-government development, we see that we rank 23rd, so eventually the world is moving in this direction.
You indicated in the notes I have read that privacy is a big concern for you. There has to be a point as to where we start from and what the objective is. The majority of countries, especially advanced countries, are moving towards more digitization of government. Let's leave Estonia aside for a second. Where do we start from?
I'm going to frame this in two ways. The one frame I had is because in Estonia you have two levels of government. In some cases, we have four levels of government. How do we protect privacy? As Mr. Angus said, people want to have security of their data, but different governments do different roles. It's not one government that's a repository. The provincial government deals with health. The federal government has the CRA. How do we protect the privacy of Canadians going through different levels of government? How do we make the system interoperable among different departments within one level of government?
I don't think I've said that Canadians are concerned with the use of technology.
I did not say that they distrust technology.
Studies consistently show that Canadians are concerned that their privacy is not being protected, in both the public and the private sectors, and that they do not have control over their information. That is not to say that they do not use technology or that they distrust it. It is rather that they believe that their privacy is not being sufficiently protected, by the public or the private sectors.
Services have to be digitized, but with the use of different means, legal, technological or whatever, to make completely sure that the information is secure.
Commissioner, this committee has tabled three reports with the government over the past year or so recommending in each of those reports that your powers be expanded, that you have order-making powers, that there be more serious and significant penalties for violations, that in terms of the act itself, the government consider the GDPR and upgrade, renovate, and stiffen Canadian privacy regulations from the very barely acceptable level we're at today.
Would you recommend that your office be a direct participant, a hand on the pen at the table, as the design of digital government is considered and written? In other words, do you think it's essential that the Privacy Commissioner be a key partner in any project going ahead, either in the early stages or certainly in later stages of digital government?
Good afternoon, Mr. Therrien.
Let me put something to you; I would like to know your opinion.
I am not criticizing the work we have done at all. I have thought for a long time that the committee has been doing valuable, excellent work. However, I want to suggest to you another way of looking at things.
We have been studying the protection of personal data for six or eight months. But I feel that we are spinning our wheels and getting nowhere, because we have not managed to define the problem we are trying to fix, by which I mean defining what personal information is. Let me explain.
People panic at the idea that a licence plate can be read, pretending that it is private. But all that plate can do is identify the vehicle on which it is mounted, not the person at the wheel. In the same way, an IP address does not reveal the identity of the person at the computer keyboard, just where the computer is located.
People gladly provide a lot of personal information. For example, you may remember when, in the first video clubs, we did not hesitate to provide our driving licence numbers so that we could rent movies.
The reason why I feel that we do not want to touch the problem of defining personal information is that most of the witnesses we have heard from for almost a year have replied that the best way to protect our personal information was not through technology, but through transparency. Companies understand that people are ready to give them almost any personal information but, in return, they have to commit to telling them what they are going to do with it. So that means that the range of the data that you are ready to provide to anyone at all is not defined. As a result, if we are not able to define the problem that we want to fix, it will be difficult to define the measures that we want to take. Why not just simply stop right there and prevent any data transactions? If someone wants to conduct such a transaction, they would have to communicate with you to find out how to manage the information that is being communicated. That is the first part of my question.
In law, I am afraid I must tell you that you are wrong when you suggest that IP addresses are not personal information. The Supreme Court decided otherwise in a judgment some years ago. Since an IP address can be linked to an individual, it is personal information that must be protected as such.
With licence plates, the issue is not quite the same. After all, 800 people do not drive my vehicle, just my wife and I. Perhaps that is personal information as well.
So personal information is defined. It is pretty simple; it is any information, including a number, that can be linked to an identifiable person. We can discuss it, but I am inclined not to accept your premise.
Is transparency part of the solution in protecting privacy? Yes, it is part of the solution but it is far from the entire solution. You can be transparent, but you can still damage someone's reputation. However, transparency is part of the solution.
This certainly is a complex question, and if we are having difficulty moving forward, it is because it is complex on a number of levels, including conceptual and technological. That is why, more recently, I have focused on privacy as a human right. So let's start with basic principles.
When I say that privacy is a fundamental right, it is a concept that should be recognized, not only in the law, but also by government bodies that, day after day, implement technological and other systems to collect data and to administer public programs, including by technology. That brings us back to the importance of protecting privacy from the design stage, a concept that we should always keep in mind. If we have a choice between providing a service in a way that endangers privacy and providing the same service differently, but just as effectively, in a way that protects privacy, the concept of protecting privacy from the design stage tells us that we should choose the latter option.
All these privacy issues may seem nebulous, but, in law, what constitutes personal information is quite clear. We have to keep in mind which aspects of privacy we want to protect, so that we make sure that it is protected in government activities and in legislation.
Thank you, Mr. Therrien.
We began a study much earlier in this Parliament on a data breach with Cambridge Analytica and Facebook. Since then, I sometimes feel we've become the parliamentary committee on Facebook. We followed them halfway around the world trying to get answers, and we're still being buffaloed, and I think we'll invite half the world to come here to meet with us again in Ottawa when it's a little warmer to maybe get some more answers from Facebook. But it seems we go week in, week out with new questions and seemingly a continual lack of accountability.
I want to ask you a specific question, though, whether or not you've looked into it. We had the explosive article in The New York Times about the privileges given to certain Facebook users, to be able to read the personal, private messages of Facebook users. They mentioned that RBC was one of them. We've heard from RBC. They said they never had those privileges, that they never did that. The Tyee is now reporting that Facebook has told them that RBC had the capacity to read, write and delete private messages of Facebook users who were using the banking app.
Have you looked into that? Do you think that requires follow-up? Should we take RBC's word for it? Should we, as a committee, be considering this as some of our unfinished business on the Facebook file?
Thank you, Mr. Chair, for your indulgence on my getting the last question. It's very important and interesting testimony.
I'd like to pick up on this idea of ownership and consent in the context of government. If I go on Air Canada, and they ask me for my email and cellphone number so they'll text me when my flight is delayed or anything, I have a choice to do that. However, there are things in government where you don't have a choice. You have to provide information. Your taxes are required. The idea of consent immediately has a different implication when something has to be provided.
In that context, how do you see consent, or even who owns that data? If I go to Air Canada, I can take my profile off. I have a choice. But with government, if there's a criminal record, you can't say you want to delete this or change that. The information no longer really belongs to the person.
Where does ownership and consent go when you're dealing with government?
In a tax context, there is information that CRA obtains directly from the taxpayer. It is possible that the CRA looks at social media and other environmental information to gather intelligence and may put all of this information towards artificial intelligence. It's important. Data analytics is a new reality and it has many advantages.
However, AI systems need to be implemented in a way such that the information that feeds the system is reliable and has been lawfully obtained, so that leads to certain consequences. If CRA looks at information on social media, and let's assume for a second that it is truly publicly available, that says nothing about the reliability of the information.
To answer your question, in an AI context, privacy by design ensures that AI is implemented in such a way that the information that feeds the system, first, has been lawfully obtained, second, is reliable, and third, does not discriminate on the basis of prohibited grounds of discrimination, but is based on objective factors of analysis.