I call this meeting to order.
This is meeting number 34 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics. I'd like to remind committee members and those who have joined us that today's meeting will be televised and will be made available on the House of Commons website.
For the first hour of our meeting today, pursuant to Standing Order 81(4), we are examining the main estimates 2021-22, votes 1 and 5 under the offices of the Information Commissioner and the Privacy Commissioner of Canada.
Today, some witnesses for the first hour will be joining us for the second hour. They will remain here for the second hour for what is technically our second meeting today. For our first hour, from the Office of the Privacy Commissioner of Canada, we have Daniel Therrien, who is the Privacy Commissioner of Canada; Brent Homan, who is the deputy commissioner of the compliance sector; Daniel Nadeau, who is the deputy commissioner of the corporate management sector; and Gregory Smolynec, who is the deputy commissioner of the policy and promotion sector. He wasn't here moments ago but may have joined us. If he hasn't yet, he will be joining us.
Commissioner, I'll turn it over to you for your opening statement.
Good morning, Mr. Chair and members of the committee.
I am pleased to meet with you for the next two hours to discuss our 2021–22 Main Estimates, our activities in general, and then the fundamental issue of facial recognition. All of this, of course, in a context where a very important bill, Bill , has been introduced in the House of Commons.
Last year was one of transition for many organizations, and our office was no exception. We quickly shifted to adapting our processes to continue serving Canadians during the pandemic.
It was also a year of transition on the budgetary and legislative fronts. Our office received a permanent increase of 15% in the 2019 federal budget to address the most urgent needs of the OPC pending legislative reform. This allowed our office to expand our policy and guidance functions, to enhance our advisory services for organizations and to address pressures resulting from new mandatory breach reporting requirements in the private sector.
We also received temporary funding to help us reduce a very large part of our investigative backlog of complaints older than a year. We met and even surpassed our target and reduced the overall backlog of complaints by 91%. We are very proud of that.
Over the past year, our work has included the publication of guidance on protecting privacy during a pandemic, as well as a contextual framework for government institutions to protect privacy in the context of COVID-19 initiatives. Consistent with this framework, we reviewed and advised the government on the COVID Alert app. Following a public consultation, we released key recommendations for regulating artificial intelligence.
We also completed our first breach records inspections report—again, this is about data leaks. In addition, we analyzed and provided recommendations on several legislative initiatives. This included a submission on the statutory review of the Access to Information Act, another submission on the modernization of the public sector Privacy Act, which was the subject of a consultation by the Department of Justice.
Finally, after a detailed analysis of Bill , we completed another brief. All these documents, with the exception of our brief on Bill C-11, are available on our website.
While the injection of funds in the 2019 budget helped us to reduce our backlog and to increase our capacity, there is still a very significant gap. Given the marked acceleration of digitization caused by the pandemic, we continue to struggle meeting the demand in guidance, guidelines and advisory work, and to assist our investigators to address complaints filed by concerned Canadians.
In the government's fall economic update, funds were allocated to support the implementation and enforcement of Bill . This is clearly a good thing. However, now that we know the extent of our new responsibilities under this legislation, we believe additional funding will be required.
Bill imposes several new responsibilities on the OPC, including the obligation to review codes of practice and certification programs and give advice to individual organizations on their privacy management programs. It should be noted that these are non-discretionary activities, meaning that every time an entity or organization seeks our advice or approval, we will be required to provide our considered opinion.
We welcome the opportunity to work with business. In recent years, I have restructured my office towards a greater proactive approach to guide and engage with organizations toward compliance with the law. We created two new directorates to engage proactively with private and public sector organizations, on a voluntary basis, on privacy risks of a high-impact nature. These activities have increased during the pandemic. Actually, they've been very popular.
As you know, another role we play is to investigate complaints alleging violations of the act. However, it is not our only role. In order to be an effective regulator, we must be able to be strategic in our enforcement and advisory activities, applying a risk-based approach.
As we explain more fully in our submission on Bill , we are concerned that with the non-discretionary nature of our responsibilities under that bill, we will not be able to both serve complainants and organizations and focus on harms to Canadians in general. The issue here is not primarily financial, although in our view additional resources will be required. The OPC should have the legal discretion to manage its caseload, respond to the requests of organizations and complaints of consumers in the most effective and efficient way possible, and reserve a portion of our time for activities we initiate, based on our assessment of risks for Canadians. Such discretion is enjoyed broadly by domestic and international regulatory partners, both within and outside the privacy protection sphere.
Another option to balance our various activities could be ensuring that the OPC's role of approving codes of practice and certification programs under the proposed Bill be conditional on the payment of a cost recovery fee to ensure that we have the capacity for that task as well as for our other priorities. No regulator, ultimately, has enough resources to handle all the requests it receives from citizens and regulated entities. It is important that my office have the flexibility to allocate resources in ways that will offer the most benefits for Canadians and adjust activities to address new and emerging trends.
In addition to changes brought by , proposals made by the Department of Justice in its recent consultation on modernizing the Privacy Act, the public sector act, would also see significant changes to our role in the public sector, of which we are largely supportive. This includes a new public education mandate, the power to issue guidance to government institutions, a role in issuing advance opinions and overseeing pilot projects, and greater discretion to publish compliance outcomes, among others. Justice's proposals also include an enhanced compliance role for our office, such as expanded proactive audit powers and a form of order-making. We have already begun to plan for these eventualities.
In closing, I would like to point out the fact that, as we look to the future, it will be important that modern privacy laws allow us to act as an effective regulator. Our office should also be provided with the financial resources necessary to implement these laws.
I look forward to working with Parliament on improving the legislative proposals to ensure our modern privacy laws adequately protect the privacy rights of Canadians, while promoting responsible innovation.
Thank you for your attention.
I welcome your questions.
As I mentioned in my statement.... First of all, I need to acknowledge that in the economic statement of last fall, I believe something in the order of $18 million annually was set aside in that quasi-budgetary document. However, this was not only for the OPC, but for all of the government institutions that will be called upon to implement Bill . We will have a share of it.
That amount was arrived at after consultation with our office before we saw Bill . Now that we see Bill C-11, we see, in particular, our role in approving codes of practice by industry and giving advice upon request to companies about their privacy programs. We did not know that when we gave our estimates to the government, but now that we do, increased funding will be required.
Beyond increased funding—and I'll repeat the point that I made in my statement—we are totally welcoming of the role given to us by Bill on codes and advice to companies. However, frankly, we cannot do that for each and every request that we will receive. It's why I think we want to engage with business in that regard. Some additional funds will be required, but we also need discretion to manage our workload and to continue what we have done until now, which is to offer our services but not have to answer each and every request. We deal with those that seem to raise the higher privacy risks, for instance.
This is in part about money and in part about discretion for us to say yes to most requests but no to others if our budget cannot accommodate this.
There is no shortage of topics that could be investigated. So we need to use our resources to investigate the topics that pose the most risk. For example, we started an investigation into the use of artificial intelligence in employment. This seemed to me to be a particularly important issue because of the serious risks it poses for job applicants.
The challenges lead us to make choices. For all departments, financial resources are not unlimited, and we are not asking for an unlimited budget either. It's normal that our financial capacities have limits. We try to allocate our activities based on a risk analysis. Among our activities are investigations, which we take the initiative on, as opposed to complaints. People come to us with complaints that we have to respond to. It's important to respond to them because, for them, we are a mechanism for access to justice for citizens. However, they will not necessarily be aware of the practices that are the most risky for privacy, hence the need to be able to start investigations ourselves. We need to be able to do both.
Furthermore, we also need to play a proactive role, for example, by providing advice to companies and government departments and issuing guidelines. Bill will give us an approval role in codes of practice and allow us to advise companies. All of this is great, but because of the accelerating digital revolution, we need more funding. We are in the process of quantitatively assessing our needs. Unfortunately, some requests will have to be denied because we can't do everything.
Our assessment of risk based on what we observe in various settings is what determines it. In this context, the current and future legislation, as part of Bill , requires us to investigate when complaints are referred to us.
Except in very rare cases, when a complaint is filed by an individual, the legislation requires us to investigate. This is a real constraint. Again, there are advantages to this system, particularly in terms of access to justice. We're an ombudsman with a relatively expedited process, one that is simpler than judicial tribunals.
I understand all of that, but the fact remains that it creates a real constraint because we have to investigate every complaint that comes in. We believe that, like other privacy regulators, we should have more flexibility. The question is what recourse there would be if the office were unable to investigate a complaint. One of the things Bill C-11 talks about is a private right of action before the courts.
These are sensitive issues, but having to investigate every complaint we receive is a real constraint.
Good morning, everyone, and welcome, Privacy Commissioner.
In my time today.... I know we're focusing on the main estimates, but what's crucial for me is that your office has the pertinent resources for you to effectively undertake your job and your mandate. That's what's important to me, so on that level those are my thoughts.
I want to move on to something in terms of.... I've read about and followed your office very closely since joining this committee late last year. We just listened to the study that Mr. Angus referred to. When it comes to meaningful consent, this document from May 2018 says:
Meaningful consent is an essential element of Canadian private sector privacy legislation. Under privacy laws, organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information. However, advances in technology and the use of lengthy, legalistic privacy policies have too often served to make the control—and personal autonomy—that should be enabled by consent nothing more than illusory. Consent should remain central, but it is necessary to breathe life into the ways in which it is obtained.
Can you comment on that introductory paragraph?
I read your March 25, 2021 speech, and I read the Clearview AI information put forward. I still can't believe it stated that “Canadian privacy laws do not apply to its activities because the company does not have a 'real and substantial connection' to Canada”, even though it collected three billion images of Canadians and came up with that data.
Can you elaborate on meaningful consent, and how we need to balance that between consumer objectives, business objectives and individual objectives?
Obviously, it's a very broad question. I will try to do justice to it in a few seconds or minutes.
Consent is a fundamental aspect of the current law, PIPEDA, and it will continue to have a central role under the CPPA under Bill , so there is a place for consent in privacy in 2021. There need to be some rules to make sure that when consent does work, it is obtained in a meaningful way. In my view, that means, in part, to ensure that the consumers who provide consent have a good idea of what they are consenting to, which is not obvious. That's where consent does work.
As I was saying in the documents you were referring to, given where we are with digital developments, there are many situations, a growing list of situations, where consent does not really work, particularly when you think of artificial intelligence, for instance, where the purpose of the technology is to use information for purposes other than that for which it was obtained. That's not really conducive to consent being an adequate means to protect privacy.
Given where we are in 2021, and the following years, there is a role for consent, but we also need to have laws that acknowledge that consent will not always work. Then we need to find an adequate means of protecting privacy absent consent. That's where the real difficulty, I think, lies in the discussion of these issues, particularly with Bill .
Bill has many more exceptions to consent, some appropriate, others too broad in our view. How do you protect privacy if consent is not the preferred means of protecting it? We propose a human rights approach to privacy protection. Other models are proposed, such as the fiduciary model that Mr. Angus was referring to.
The extremely difficult challenge ahead of Parliament in the next few months is to determine where consent does not work—and it does not always work—and what would be a good model to continue to protect privacy adequately absent consent.
I want to begin by saying that I am in complete agreement with my colleague, Mr. Sorbara, on the importance of getting Bill right, because it is about the rights of 38 million Canadians, and we all have that obligation.
Our committee previously brought forward a number of recommendations about the order-making powers of the Privacy Commissioner as well as the need to be able to levy huge fines. The vast majority of infringements on privacy we believe are accidental or without malice, but we do have some bad operators. We had Facebook say they didn't feel they had to follow Canadian law. We certainly see the same instance with Clearview AI, so the need to give you more tools was clear.
What concerns me, when I look at Bill , is this idea of creating this regulatory tribunal that these companies could then go to about a decision.
I'd like to ask you, number one, whether we have any example of this kind of regulatory tribunal that can override a privacy commissioner's decision in any other jurisdiction, and how you feel about it. You state you believe that this tribunal would encourage companies to choose a route of appeal rather than finding common ground with the Privacy Commissioner's decisions, and it would actually delay and obstruct justice for consumers and privacy rights.
Could you give your thoughts on this regulatory tribunal balloon that has been floated by the government?
I'm calling this meeting back to order.
For the second hour of this meeting, we're launching our study on facial recognition software and concerns related to it. Today we have the commissioner, who has agreed to remain here for an additional hour so that he can answer some questions as we launch into the investigation of this matter.
Thank you, Commissioner, for remaining with us.
We also have Mr. Homan, who is remaining with us as well, and Lara Ives, who is the executive director of the policy, research and parliamentary affairs directorate. Thank you so much for being here. Finally, we have Regan Morris, who is joining us as legal counsel.
Thank you as well for being here, Commissioner.
I'll turn it back to you for an opening statement to allow you to begin the discussion. Then we'll have questions for you.
Thank you again, Mr. Chair.
Facial recognition technology has become an extremely powerful tool that, as we saw in the case involving Clearview AI, can identify a person in a bank of billions of photos or even among thousands of protesters. If used responsibly and in appropriate situations, it can provide significant benefits to society.
In law enforcement, for example, it can enable police to solve crimes or find missing persons. However, it requires the collection of sensitive personal information that is unique to each individual and permanent in nature. Facial recognition technology can be extremely privacy invasive. In addition to promoting widespread surveillance, it can produce biased results and undermine other human rights.
The recent Clearview AI investigation, conducted jointly with my counterparts in three provinces, demonstrated how facial recognition technology can lead to mass surveillance and help treat billions of innocent people as potential suspects. Despite our findings that Clearview AI's activities violated Canadian privacy laws, the company refused to follow our recommendations, such as destroying the photos of Canadians.
In addition, our office is currently investigating the Royal Canadian Mounted Police, or RCMP, use of Clearview AI technology. This investigation is nearing completion. We are also working with our colleagues in all provinces and territories to develop a guidance document on the use of facial recognition by police forces. We expect to release a draft of this document for consultation in the coming weeks.
The Clearview case demonstrates how citizens are vulnerable to mass surveillance facilitated by the use of facial recognition technology. This is not the kind of society we want to live in. The freedom to live and develop free from surveillance is a fundamental human right. Individuals do not forgo their rights merely by participating in the world in ways that may reveal their face to others or enable their image to be captured on camera.
The right to privacy is a prior condition to the exercise of other rights in our society. Poorly regulated uses of facial recognition technology, therefore, not only pose serious risks to privacy rights but also impact the ability to exercise such other rights as freedom of expression and association, equality and democracy. We must ensure that our laws are up to par and that they impose limits to ensure respect for fundamental rights when this technology is used.
To effectively regulate facial recognition technologies, we need stronger protections in our privacy laws, including, among other things, a rights-based approach to privacy, meaningful accountability measures and stronger enforcement powers. The federal government recently introduced two proposals to modernize our privacy laws. These are important opportunities to better regulate the use of facial recognition and other new technologies.
Last November, the Department of Justice released a comprehensive and promising consultation paper that outlined numerous proposals to improve privacy legislation in the federal public sector. It proposes enhanced accountability requirements and measures aimed at providing meaningful oversight and quick and effective remedies. It also proposes a stronger collection threshold, which would require institutions to consider a number of factors to determine if the collection of personal information is “reasonably required” to achieve a specific purpose, such as ensuring that the expected benefits are balanced against the privacy intrusiveness, so that collection is fair, not arbitrary and proportionate in scope.
In the private sector, Bill would introduce the consumer privacy protection act. In my view, as I stated in the last hearing, that bill requires significant amendments to reduce the risks of facial recognition technology. The significant risks posed by facial recognition technology make it abundantly clear that the rights and values of citizens must be protected by a strong, rights-based legislative framework. The Department of Justice proposes adding a purpose clause to the Privacy Act that specifies that one of the key objectives of the legislation is “protecting individuals' human dignity, personal autonomy, and self-determination”, recognizing the broad scope of the right to privacy as a human right.
Conversely, Bill maintains that privacy and commercial interests are competing interests that must be balanced. In fact, compared with the current law in the private sector, PIPEDA, the bill gives more weight to commercial interests by adding new commercial factors to be considered in the balance without adding any reference to the lessons of the past 20 years on technology's disruption of rights.
Clearview was able to rely on the language of the current federal act, PIPEDA, to argue that its purposes were appropriate and the balance should favour the company's interests rather than privacy. Although we rejected these arguments in our decision, some legal commentators have suggested that our findings would be a way to circumvent PIPEDA's purpose clause by not giving sufficient weight to commercial interests. Even though we found that Clearview breached PIPEDA, a number of commentators, including the company but not limited to the company, are saying that we actually misapplied the current purpose clause.
If Bill were passed in its current form, Clearview and these commentators could still make these arguments, buttressed by a purpose clause that gives more weight to commercial factors. I urge you to make clear in Bill C-11 that where there is a conflict between commercial objectives and privacy protection, Canadians' privacy rights should prevail. Our submission analyzing this bill makes specific recommendations on the text that would achieve this goal.
Demonstrable accountability measures are another fundamental mechanism to protect Canadians from the risks posed by facial recognition. Obligations to protect privacy by design, conduct privacy impact assessments, and ensure traceability with respect to automated decision-making are key elements of a meaningful accountability framework. While most of these accountability measures are part of the Department of Justice's proposals for modernizing public sector law, they are all absent from Bill .
Efforts to regulate facial recognition technologies must also include robust compliance mechanisms that provide quick and effective remedies for individuals.
Our investigation into Clearview AI revealed that the organization had contravened two obligations under Canadian privacy law. On the one hand, it collected, used and disclosed biometric information without consent, and for an inappropriate purpose.
Remarkably—and shockingly—the new administrative penalty regime created by Bill would not apply to these and other important violations of the legislation. Such a penalty regime renders meaningless laws that are supposed to protect citizens.
I therefore urge you to amend the bill to remedy this fundamental flaw.
In conclusion, I would say that the nature of the risks posed by facial recognition technology calls for collective reflection on the limits of acceptable use of this technology. These limits should not be defined only by the risks associated with specific facial recognition initiatives, but by taking into account the aggregate social effects of all such initiatives over time.
In the face of ever-increasing technological capabilities to intrude on our private lives, we need to ask ourselves what are the expectations we should be setting now for the future of privacy protection.
I thank you again for your attention.
I welcome any questions you may have.
Thank you very much, Mr. Chair.
Monsieur Therrien, I want to thank you for your wisdom. With Bill coming down the pipe, it's so important that we lean one way versus the other way.
I know with facial recognition, when you first see it, it's so cool. We all heard about the issue with Cadillac Fairview, the shopping mall issue. Maybe we'll get to that today, but even sites like Facebook, they have these tag suggestions and they insert them as default settings. Theses sites are collecting our data, our faces, and many times people are totally unaware of it. That's where I want to start our conversation today.
I come from Oshawa. Oshawa is one of those communities that historically built cars and sent people back and forth across the border, things along those lines. I want to talk to you a little bit about the international utilization of facial recognition. I've heard that border efficiencies could be improved. I was wondering if you could comment on the opportunity, perhaps, for these opt-in, opt-out options if we're going back and forth across borders for business or as individuals.
Are there any international conversations about the right to delete and destroy information that may be gathered from Canadians as they cross borders into other countries?
Mr. Therrien, the more I listen to you, the more I realize that studying Bill is quite a chore. The privacy situation is really concerning. It's something that everyone is concerned about, here in Quebec at least, and I'm sure it's the same in the rest of Canada, if not the entire planet.
I'm a little concerned about what you're telling us with respect to Bill , which might not cover all the angles, some of which would be quite important. I note, among other things, your caveat about facial recognition data being immutable. Once we have that data, it will be there for life. I also note the issue of exchanges between countries, where we must be even more careful, because the protections are not the same in all countries. In this day and age, with more and more trade between countries, I guess you have to be more and more careful, and put more time and effort into it. Those are some of the concerns we have.
When Bill was being developed, did you intervene? Was the Conflict of Interest and Ethics Commissioner called in to advise the minister, and did he try to include the various safeguards that you feel are missing from the current version of the bill? Have you prepared a report or other document?
Mr. Therrien, when we first learned of the Clearview AI case, it seemed to be the worst possible scenario. Here we had this company that scraped millions of photos of Canadians without their consent—our kids' birthday parties, our backyard barbecues, us at work—and then created a database that they were selling to all manner of organizations.
They claim it was for police, but we know that individual police officers had it without oversight. We know that a billionaire, John Catsimatidis, used it to target his daughter's boyfriend. You launched an investigation. Clearview AI's attitude was “Too bad, so sad. You're just Canadians and we don't even feel obligated to follow the law.”
We had a new law, Bill , come in. My understanding, my gut feeling, was that Bill C-11 would fix these things so that we would have more powers and we'd be able to target these companies to make them respect the law. Are you telling us that under Bill the weight of support would actually go to rogue outliers like Clearview AI over the rights of citizens?
Are you saying that, on the monetary penalties we've been told about that would ensure compliance, a company like Clearview AI would be completely exempt from that? Is that what we're seeing under this new law?
Two main mechanisms are relevant to Clearview's situation under CPPA.
The first one is the purpose clause—proposed section 5—of the CPPA, which confirms the PIPEDA's approach to balance commercial interests with privacy considerations. That clause does not say that privacy is a human right. That clause adds a number of commercial factors compared to the current law. There would be a balancing exercise, with the likelihood of greater weight given to commercial factors than under the current PIPEDA. That's point one.
Point two is that assuming it would be inconsistent with the CPPA for Clearview to do what they did, there's an administrative penalty scheme under Bill and a criminal penalty scheme under Bill C-11. The administrative penalty scheme is limited to an extremely narrow slice of violations of the CPPA. These violations have to do with a form of consent with the understanding requirement that I referred to before—with whether Clearview had the right balance between commercial interests and human rights. All of that cannot be the subject of administrative penalties under the CPPA.
In order for penalties to apply, the office would have to first make a finding, which would take about two years. Secondly, they would make an order. The penalty would be excluded. The tribunal would sit in appeal of our order, assuming the company would still not comply with the order. If the company would not comply with an order several years after it has been made, then it would be the subject of criminal penalties and the criminal courts would be involved.
The process that leads to penalties is very protracted. We think it's something like seven years after the fact, as opposed to what should be happening, which is that we should be able to impose penalties—of course subject to court review for fairness considerations vis-à-vis companies. We think the delay would be roughly two years in that model compared with the model in Bill .
We've seen an example of this with Clearview AI. To socialize with friends and family, users innocently use social media with no idea that the information they provide, including their photos, may be collated by a company like Clearview AI, which uses the data for so-called police investigations or, as mentioned, to conduct private investigations of individuals.
You mentioned that the presence of surveillance cameras in some public places also poses a significant risk. I would add, again, that facial recognition can play an important role, particularly in providing security in relation to certain events. The use of facial recognition in public places is a sensitive matter, but I wouldn't say it should be banned altogether.
I strongly encourage you to ask other witnesses to come where they think the problems lie. For my part, I would answer that it is in several places. I don't think you can regulate the whole situation. You have to look at it from a values perspective, and that again brings me back to the question of anchoring legislation in a human rights framework. This is more apparent in the case of the Department of Justice proposals than in the case of Bill . Values are important. Respect for human rights is important. Second, there should be mechanisms to balance commercial interests and human rights, and these mechanisms should be better than those in Bill C-11. We will forward our recommendations to you in this regard.
I would add as a final point that right now our laws in Canada and in many countries—it's not the case everywhere—are said to be technology neutral. That means that the principles apply equally across the board, regardless of the type of technology, including biometrics and facial recognition. There are great advantages to this, and I am not suggesting that this aspect of our laws should be set aside. I think one of the things that you should be looking at is—and your question is very relevant to this—whether there is a need to circumscribe facial recognition activities. This would mean either prohibiting them or subjecting some of them to particularly strict regulation. In this regard, I refer you to a draft regulation on artificial intelligence, published in April by the European Commission. In it, certain prohibited practices are defined, including the use of live facial recognition in certain public places, except for exceptional cases, such as the investigation of major crimes or acts of terrorism.
This is a mixture of general principles about how to balance commercial or governmental interests and human rights on the one hand, and laws of general application on the other. In my view, we need to ask ourselves if there is a case to be made for some specific rules that would either prohibit or strictly regulate this technology; it presents particular risks, because biometric data is permanent.
Thank you, Mr. Therrien, for your testimony this morning. It was quite informative.
What I'm drawing from it is that there's a constant need of striking a balance between individual human rights, public confidence and economic growth. It's going to be quite a difficult task, because technology is forever evolving and it's going at a very fast pace. In my opinion, a restudy is more than warranted as we do not know when we will get Bill .
On the question of cross-border data, that's of interest to me because given the nature of cross-border data, as it flows, it adheres to international best practices and standards, which will be instrumental for ensuring Canadian competitiveness.
Is it correct to say—and I want to go back to that European notion you were talking about earlier—that the EU data protection regulation remains the international gold standard? How can Canada ensure equivalency with this regulation? That would be my first question.
Why is it in Canada's interests to retain the equivalency with the EU?
The government certainly cited the desirability of Canada maintaining adequacy status in the EU as one impetus for Bill . Indeed, maintaining adequacy is important. It allows data flows between Canada and the EU without specific mechanisms, like special contracts and the like.
Clearly, for Canada maintaining adequacy is helpful in order to maintain a freer flow of data between Canada and the EU. Beyond the EU, as I've said, we live in an interconnected world, and obviously, we have a neighbour to the south with whom we have very significant fundamental commercial relations, so data also needs to flow there.
I think that's all good, but we need to.... Hopefully, in the context of the review of Bill , we can look at ways to allow these data flows, but in a way that recognizes that when data leaves Canada, the risks are higher.
I'm not advocating for ways to prevent these data flows, but certainly, in the submission you will now be able to read, we make certain recommendations on how to enhance the protection of personal information when it does leave Canada, while still allowing that.
Mr. Therrien, one thing I thought was really profound in your findings against Clearview AI was that you said it would essentially subject the citizens of this country to a perpetual police lineup.
What we're talking about is not dystopian science fiction. We should know, as citizens, that when our children go to the mall, they aren't being photographed and put into a database; that racialized citizens are not being targeted on the streets where they walk; and that the right to go into a public place is a public right and we should not be profiled, targeted or put into some form of database for collection.
The Clearview AI case was a really good opportunity for Canada to get this right, because it was so egregious. What you're telling us is that the laws were written, in a way, to protect these outlier companies, ignoring the growing awareness that's happening internationally.
With Bill , if the government is refusing to make the necessary changes to put a human rights frame on the rights of privacy, and if it is going to insist on protecting the interests of corporations that may not have the best interests of our citizens at heart, would we be better off with the status quo than putting more weight on the side of companies and outliers like Clearview AI?
Colleagues, we will move to adjourn shortly, but I just want to inform colleagues that we have two witnesses for the upcoming meeting. This Friday, we have—I'm just reminding myself, so I don't get it wrong—the Information Commissioner as well as the Commissioner of Lobbying confirmed, each for one hour.
Commissioner, thank you so much for joining us on these two important meetings, first on estimates, and then, of course, as we launch into the study on facial recognition technologies. We certainly appreciate your willingness to come and to be prepared to answer questions on both of those issues, as well as the willingness of our additional witnesses.
Colleagues, there are a few minutes left before the bells end, but I want to adjourn this meeting to allow members to be prepared to vote and to be logged in when that happens.
Again, Commissioner, thanks so much.