
ETHI Committee Meeting


Standing Committee on Access to Information, Privacy and Ethics



Monday, June 21, 2021

[Recorded by Electronic Apparatus]



     Colleagues, I'm calling to order this meeting.
    This is the 41st meeting of the House of Commons Standing Committee on Access to Information, Privacy and Ethics. Today, we are considering the certificate of nomination for Daniel Therrien as the Privacy Commissioner, pursuant to the standing orders that provide for that. As you know, Mr. Therrien's term has been extended for a further year.
    I'd like to remind members that today's meeting is televised and will be available via the House of Commons website.
    Commissioner, thank you so much for joining us. I believe you have some opening remarks to begin the meeting, and then we'll have some questions for you.
    We'll turn it over to you, Commissioner.
    Thank you very much, Mr. Chair and members of the committee, for having me today.


     I have not prepared an opening statement, but I will say a few words as an introduction.
     First, I would like to say that I am honoured that parliamentarians have placed their trust in me and that they have renewed my mandate for the coming year. I will try to be worthy of that trust.


    This will be an important year of transition for privacy law in Canada and for the Office of the Privacy Commissioner. What I intend to do in the next year, obviously, will be to continue to comment on—


    A point of order, Mr. Chair.
    [Technical difficulty—Editor]
     Unfortunately, there is no interpretation.


    Recognizing the point of order, we'll verify that our interpretation is available.
    Can we have a test?
    Commissioner, if you will continue, I'm hopeful it was just a minor technicality. We'll let you continue.
    As I was saying, this will be an important year of transition for privacy law in Canada, and for—
    I do apologize, Commissioner, I'm going to be speaking here. Can members indicate to me whether they hear the translation of my voice into French? Is it currently being translated?
    There, I think Madame Gaudreau now has translation. I'm getting a thumbs-up.
    I do apologize, Commissioner. We'll turn back to you. I believe the issue has been resolved.
     Thank you very much.
    The next year will be an important year of transition for privacy law in Canada and for the Office of the Privacy Commissioner. I intend, during the next year, to continue to comment on legislative proposals that are being made, or may be made, both in private sector privacy law and possibly in public sector privacy law. Indeed, there was a consultation paper published by the Department of Justice in the fall of 2020 that outlined a good plan to reform the public sector Privacy Act. Therefore, first and foremost, I intend in the next year to continue to provide comment and advice to parliamentarians on the legislative proposals.
    In addition, although we don't yet have, of course, the precise content of these laws that will eventually be enforced in the private and public sector, we were starting to have a good idea of some of the new roles that the Office of the Privacy Commissioner might have under reformed laws. Although this is early days, what I intend to do in the next year, given the fact that I know the Office of the Privacy Commissioner a little bit, is to prepare the office to inherit these new responsibilities. By that, I mean the order-making authority that is found in Bill C-11 and that is also mentioned in the justice department's consultation paper for the Privacy Act.
    What does that mean in terms of structure and the OPC? How separate should adjudicators be from investigators? I ask this because we currently do not have adjudicators making [Technical difficulty—Editor]? What should be the profile and competency profile of adjudicators once we inherit these responsibilities, if we do?
    I'll mention one other element in terms of organizational structure. Bill C-11 speaks to a greater role for the OPC in engaging with stakeholders. We have already in the past engaged with stakeholders on many policy documents. I'm thinking of the consent guidelines that we published a few years ago. I'm thinking of the proposals we made for artificial intelligence more recently. We're not foreign to the idea of consulting stakeholders before publishing important documents, but Bill C-11 certainly sends the signal that there should be more of that, and we welcome that. We want to give some thought in the next year to how we will proceed to engage with stakeholders once new legislation is enforced.
    Beyond legislative reform, I'll mention very briefly, as you know, that we published a special report a week or two ago on the issue of facial recognition, which includes draft guidance for the police. We intend to engage with the police, and also civil society and other stakeholders, on that document. In the next year, we hope to be able to finalize it jointly with our provincial colleagues, because this is obviously a very important privacy issue.



     Let me stop here.
     I will try to answer your questions.


    Commissioner, thanks so much. You are no stranger to our committee. Thank you for always being willing to attend our meetings. We sure appreciate your being here today.
    We're going to turn to Mr. Barrett for the first number of questions.
    Thank you, Commissioner, for joining us this morning.
    This morning, the government announced that the ArriveCAN app will be used to verify the validity of foreign vaccine records and for Canadians and permanent residents to upload domestic vaccine records as well.
    Were you consulted in the process that produced the decision by the government to use the ArriveCAN app for travellers to upload their medical information?
     We have not seen the precise details that you mentioned this morning, but there have been a number of conversations with the government—and particularly health authorities, obviously—on how proof of vaccination could be required at the border for returning Canadians or people seeking to enter the country.
    We have been consulted by the government on these general notions. We have not yet heard the precise details, but there will be a meeting later this week, where we will hear more formally from health officials and will be able to provide more precise [Technical difficulty—Editor]
    Can you tell us what privacy concerns are raised when Canadians' medical records and information are being transmitted and uploaded as a condition of post-re-entry regulations?
    The first point, of course, is that it is exceptional that either the public or private sector would require proof of vaccination or of medical status before providing a service, but these are not normal times. The pandemic is an exceptional situation, so we have issued, along with our provincial colleagues, certain guidelines or parameters as to when governments or private sector organizations may require the presentation of this proof of vaccination.
    The first principle is that there should be authority in law for this. I think there will be authority in law for border officials to require some proof of vaccination or at least health status before travellers can enter the country. That's the first point—legal authority.
    Then there are issues about the protection of that information. It's one thing to upload it in a government app such as ArriveCAN, but we need to look at the security safeguards around that application. We have not yet done that. There also need to be rules for disclosure of that information. I think it's legitimate for the government to see that information for the precise purpose of allowing a person to enter its territory, but then there need to be rules around limiting further disclosures for other purposes, and that too, we need to look at in greater detail.
    That would be my response in general, but I would refer you and the government and the private sector to the parameters we issued along with our provincial colleagues a few weeks ago.


    You said these are exceptional times, and so exceptional measures may be undertaken. Would you acknowledge that these types of travel documents do encroach on civil liberties?
    They do. It is not normal, again, that organizations, public or private, would require proof of a health status or vaccination status. There have been exceptions. School children, for instance, need to provide proof of vaccination in order to enrol in school. In travel situations, there have been exceptions as well, but the rule is that this is confidential health information that should not be required except for very precise purposes.
    Would you say that it is essential, or would it be your advice, in the development of the implementation of these measures that they be specifically sunsetted, with criteria that would require their use to be discontinued, and that measures be established for the destruction of the information that was collected?
    Furthermore, just because I have less than a minute for your reply, I would also ask this. Does the PEI Pass, as an example for interprovincial travel—we're not talking about international travel—present the same concerns that the ArriveCAN app does?
    In a word, yes. It should be time-limited because it is an exceptional measure, and it should only last when required for the specific purpose of dealing with the pandemic.
     And on the provincial programs as well, should they—
    It's similar. Certainly in terms of the characteristic, they should be time limited, absolutely, and the same general rules would apply.
    Thank you, Mr. Barrett.
    Ms. Lattanzio, we'll turn to you for the next round of questions.
    Thank you, Monsieur Therrien, for being with us once again today.
    Some of my questions are with regard to the possible enactment of Bill C-11, which would significantly increase the power of your office in terms of the fines that you can recommend be levied and your ability to certify the data protection codes of practice of companies or organizations as compliant. I understand that you're concerned about a new panel that would in fact levy the fines you recommend and that would be appealable, but given that you have been calling for stronger enforcement laws for years, isn't Bill C-11 a positive step in that direction?
    Bill C-11 includes the authority to make orders and, as you say, to recommend fines. Is it a step in the right direction? I think the overall goal should be to ensure that Canadian consumers have access to quick and effective remedies when their privacy rights are breached or violated, and as we tried to explain in our submission, in most cases we think that the imposition of administrative penalties would result, on average, seven years after the violation has occurred. Is that a step forward?
    Personally, I don't think so, particularly when the list of violations that can result in fines is extremely limited, contrary to the laws of other countries, and excludes the most central provisions in privacy law, which are obtaining consent meaningfully and for organizations to be accountable in the way they handle information. The extreme narrowness of the scope for offences and violations and the extremely long period leading to the potential imposition of a fine makes me say that this needs to be reconsidered completely.


    What would be your recommendation?
    First of all, it would be that most if not all contraventions of the law should be eligible—let's put it that way—for administrative penalties, as is the situation in most other countries that have penalties. There are modalities that we can discuss if we have time, but the rule should be such that essentially all violations lead to fines if the proper authority determines that the law has been violated.
    In terms of who decides between the OPC and the appeal tribunal that is proposed in Bill C-11, it is certainly possible for Parliament to create an appeals tribunal, but in privacy matters this would be, to our knowledge, exceptional. We do not know of any other jurisdiction that has such a tribunal, which is not to say that I am not concerned, obviously, about the fairness of the process under which companies would have to pay fines. If the OPC had that authority and there were no administrative appeal as proposed, the courts could intervene and control the legality and fairness of the process undertaken by the OPC. That system of the privacy regulator being authorized to impose fines subject to judicial review by the judicial courts is the normal structure in privacy laws, and we would recommend that it be adopted.
     Would you not say that our fines are among the highest in the world? That would be a subsequent question I have for you.
    More importantly, I would also like to ask you the following question. You've called for Bill C-11 to be grounded as a law in human rights. Should Parliament wish to amend it to do this, how can it best do so without infringing on provincial jurisdiction and the risk of constitutional challenges?
    In the submission that we presented to your committee about a month ago, we addressed that important issue. We recommend the addition of preamble and purpose clauses in a new law that would firmly ground the federal legislation in trade and commerce. This could be done by having explicit language in a preamble or purpose clause to indicate that the purpose of the federal private sector law—Bill C-11 at this point—is to ensure viable and sustainable digital commerce by protecting privacy.
    That would set the purpose of the federal law squarely in the jurisdiction that Parliament has under trade and commerce. Once that is done, then Parliament can legislate to protect privacy in the best way that it feels should be part of that law. If Parliament so decides, that could include, without infringing on provincial jurisdiction, a rights-based law.


    Is there any aspect of your reappointment we have not covered and that you wish to bring to the attention of this committee?
    No. I think my task for the next year would be to continue to comment on legislation and try to prepare the OPC for what comes next.
    If you—
    Thank you, Ms. Lattanzio.
    I apologize, but your time is up.
    Thank you.
    There will be other rounds.
    We'll turn to Madame Gaudreau for six minutes.


    Thank you, Mr. Chair.
     Mr. Therrien, let's continue in French. I have a few comments to start with.
     First, I would like to thank you for your impartiality and to congratulate you on your role as commissioner. We need your input to do our work. I am very grateful for that.
     I am also grateful for your co‑operation with our counterparts in other provinces, for going to see what is going on elsewhere and also for seeking to understand legislation in other countries.
     In 2019, I did hear your request about fundamental reform. As a committee, we clearly had to adjust.
     However, I am very concerned. Yes, [Technical difficulty—Editor] in the first part of the session, my motion had been clear that we need to stop checking people's social security numbers and make sure that we use other means to check identity. Many private companies are already doing this.
     We didn't get to see Bill C‑11 go through, but how would that bill have contributed to your desire for reform? At the same time, how do you see the coming months, as your precious time is running out in the coming year?
     Those are the first questions I want to ask you.
    With respect to Bill C‑11, I would refer you to the brief we submitted a month ago.
     The current Personal Information Protection and Electronic Documents Act (PIPEDA) is essentially an act that originally incorporated into federal legislation an industry code of practice that was created a little over 20 years ago. So the current wording of PIPEDA is very much a repeat of that code. A code of practice is a code that is intended to improve business practices, but it is not written like a law. Bill C-11 is certainly a step forward. The structure of the bill is adequate, in terms of its content, to raise the appropriate questions.
     That being said, we clearly have a lot of concerns about the content and the answers that the bill gives to those questions.
     For example, what should the rules be on consent? What should the rules be on corporate responsibility? What should the powers of the commissioner's office be?
     The starting point of the structure of the act is good, but a lot of work remains to be done. Looking at it broadly, I would say that the work before you, and before us, is to protect the right to privacy as a human right, as it should be. That's my view.
     Beyond that, we need to find the right methods to help Canada ensure that data, including personal data, can be used in the public interest while protecting privacy. I think that's the overall goal. Public authorities have a responsibility to ensure that, in the 21st century, laws are drafted in such a way that we, as a society, can enjoy the benefits of the digital age, but in a way that protects privacy. That's how—


    With respect to Bill C‑11, my understanding is that we cannot be against motherhood and apple pie, because steps need to be taken. Clearly, we, as legislators, should quickly put forward the reform. We see reports from other countries that have moved forward, and we are a little behind. What I understand is that, regardless of current events or partisanship, if we are concerned about fundamental rights, we should make this a priority.
     There is also the issue of facial recognition, the data and images that are used. I am very concerned as an individual, but also as a legislator. When I'm asked about what we have done to properly protect people, I'm a little embarrassed.
     Do you agree?
     I certainly agree that it is urgent to better regulate the issue, both in terms of human rights and in terms of having a solid framework regulating the use of data in order to protect privacy. It is urgent.
    Since this is the last year of your mandate, what would you like to leave behind? What is your greatest wish as commissioner?
    Ideally, I would like to see new legislation in the private and public sector.
     I would like, at least, to see proposed legislation, in both sectors, that gives a clear indication that, in the near future, Canada will be moving to adopt rules that achieve the objectives I have just stated, namely the protection of rights and an assurance that data is used in a responsible manner.
     If no new legislation is adopted, there should at least be clear proposals to that effect that can be adopted and implemented right away.
    Thank you, Mr. Therrien.
     We will see each other again soon.


     Thank you, Madame Gaudreau.
    We're going to turn to Mr. Angus for six minutes.
    Thank you so much, Mr. Therrien, for joining us again.
    In early 2020, I wrote to you requesting an investigation into Clearview AI, the facial recognition technology, on whether or not they had breached Canadian law. Your finding was that “What Clearview does is mass surveillance illegal.”
    Throughout that time, the RCMP made a number of false statements to the public about their use of Clearview AI, and I asked you to investigate whether or not the RCMP had been using this illegal technology. Your office reached out to the RCMP, and they said they weren't. Is that correct?
    Initially they said they were not, and later they acknowledged that in some parts of the organization they did.
    Okay. They changed their tune when the Clearview AI client list was hacked and made public. I'm concerned that Canada's top police force lied to an officer of Parliament and had to come clean because their client list was hacked and we knew the RCMP was using that technology.
    Does it concern you they were misrepresenting their use of Clearview AI to you?
    That's an issue we gave some consideration to when we were writing our report of finding. We did not conclude, actually, that they had misrepresented the situation. They told us at first that they were not using the technology. Ultimately they essentially said that because they did not have the systems in place to ensure that the use of new technologies was reported higher up in the hierarchy, when they found out that the technology was used in part by some individual officers to test it and in part by a group of people concerned with child disappearances, then they told us that, indeed, they were using the technology.
    These are the facts, I think, as well as they can be summarized.


    I guess what concerns me is that it doesn't seem as though it was just a few individuals. There were five RCMP divisions, plus national headquarters, where the technology was being used, and there were also 17 unpaid trial licences in various detachments. When they were asked why they used this, they said they used it only in child exploitation cases, but those represented only 6% of the uses. Again, I find that troubling. Of course, we want to help children and to help in cases of child exploitation, but what were the other 94% of the searches being used for? Didn't they keep track? Were they not able to explain that to you?
    They did not and they were not, and the only finding was that the RCMP was using technology that we found violated privacy. That was the first main conclusion. The second was that the RCMP did not appropriately account for and assess—importantly assess—new technologies that its officers were using. The second part is what will be the main focus of our engagement with the RCMP in the next few months.
    In the RCMP documents on Project Wide Awake, they have a [Technical difficulty—Editor] their officers, “You have zero privacy anyway, get over it.” It suggests to me a disregard for the law. As well, the RCMP took the position that they weren't responsible for the fact that Clearview AI, as a private sector partner, broke the law. If they were using it, it wasn't their problem. You stated, “In our view, a government institution simply cannot collect personal information from a third party agent if that third party's collection was unlawful in the first place.” That would seem to me to be a pretty clear reading of what Canadian law should be, and yet they seem to think they weren't obligated.
    We have this new law, Bill C-11, which is supposed to clarify the uses of technology, but Minister Bill Blair, when I asked him about this, said they were certainly looking to give the police tools to use. Are you concerned that Bill C-11 would allow the RCMP to ignore these basic principles of privacy law and would allow them to contract with third party operators like Clearview AI?
     I would answer with respect to the two relevant clauses.
    In terms of the RCMP, to the extent that the principle that we outlined, i.e., that a federal department or institution should not rely on information that was obtained illegally by a third party partner, if that's not clear and the RCMP argue that it is not clear, then what needs to be changed is the public sector Privacy Act. That's point number one.
    In terms of the particular use of the Clearview technology, Clearview also was, and I think still is, arguing that its database was created to assist the police and other institutions in law enforcement against crime. The company sees that as a legitimate purpose. There's no question that to develop some tools to assist the police to enforce the law is legitimate, but neither the police nor the private sector can or should do anything they like, regardless of privacy protection. That's point number two.
    In our submission on Bill C-11, we ask that Parliament does make clear, with a technology like Clearview, which in our view constituted mass surveillance, that the law be extremely explicit, and that this is contrary to private sector privacy law as well.


    Thank you, Mr. Angus.
    We're going to turn to Mr. Carrie now, for the next five minutes.
    Thank you, Mr. Chair.
    Mr. Therrien, I want to thank you for a number of things.
    First of all, thank you for accepting an extension of your term. I think your institutionalized knowledge right now is extremely important. One of the things I'm getting a lot of emails about is trust—Canadians trusting the government. I think some of it's warranted, and some of it may not be warranted. I see you as somebody who is standing up for Canadian privacy rights. You mentioned privacy as a human right. Constituents of mine are concerned about that.
    I would like to address a couple of those concerns with you now.
    Mr. Barrett brought up the vaccination passport and whatever that's going to be in Canada. I was a little disturbed to hear that though you've been consulted, you really haven't been brought in on whatever it will turn out to be. There are meetings later in the week, you said, but the government is already making announcements on it today.
    I'm going to be doing a survey in Oshawa on it, because I'm getting emails from some people who think the idea of some type of a vaccine passport is reasonable and sensible. Others say it's a bad precedent and are concerned about civil liberties and their privacy. With the whole thing about censorship and Bill C-10, people seem to be concerned.
    Do you have some advice about what we could put in place to make sure that we talk about the Canadians who do have privacy issues or perhaps religious, health or conscience issues as we move forward with this type of vaccine passport?
    There are a number of considerations that are relevant.
    The first one is whether there is authority for this. I think there likely is.
    With Mr. Barrett, I discussed a number of other issues, including the fact that this exceptional measure should be time-limited. That's an important consideration.
    You mentioned religious or other rights that might explain why someone has not been vaccinated. That certainly needs to be one of the considerations. The “vaccine passport”—let's call it that—or proof of vaccination in ArriveCAN can probably be used as the rule. It should accommodate exceptions, particularly exceptions founded on the exercise of fundamental rights like freedom of religion. There need to be exceptions.
    The last thing I would say is that the use of a measure like this—which again is exceptional and does impact civil rights—needs to be based on good science. There needs to be good evidence that vaccination actually protects people who would be in contact with a vaccinated person. It's entirely conceivable that such evidence exists, but we have not been shown it yet. That's another consideration.
    I will leave it at that.
     Thank you very much.
    It seems to be an era where we have censorship, and different opinions on YouTube and things like that. I'm hearing from all different sides. As I said earlier on, I really appreciate that you, with your record and your institutional knowledge, are standing up for Canadians' civil liberties.
    One thing I've had brought to my attention is a concern about precedent, particularly with regard to interprovincial passes. Mr. Barrett brought up PEI Pass in this regard. It was brought to my attention that Canadians apparently have the right to travel within our own country, but there seems to be a movement in some provinces toward some restrictions on that.
    Do you have any red flags or concerns about freedom of movement within our country domestically, as opposed to internationally? I know that internationally we don't have control over what other countries do, but we do have control internally—interprovincially.


    Health issues are certainly within provincial jurisdiction, and provinces have the jurisdiction to legislate to protect the health of their citizens. Canada, federally, has the authority to protect the health of its citizens when people try to cross the international border.
    There is a role for provincial governments and legislatures to regulate in that area, but subject to the same considerations, it is exceptional. It does affect civil rights. It should be science based and time limited.
    All federal or provincial governments should have in mind that if these proofs of vaccinations are required given the exceptional times that we're in, then in addition to being time limited, let's narrow the scope of these exceptional measures as much as possible, because there is a risk that what is accepted as possible under normal circumstances will become normal afterwards. It is a concern.
    Thank you, Mr. Carrie.
    We'll return to Mr. Dong now for five minutes.
    Thank you very much, Chair.
    I too would like to congratulate the commissioner for the extension of his appointment.
    It's good to see you again here at the committee.
    I've been listening carefully, especially when my opposition colleagues brought up the concerns around the vaccine passport being announced. The fact is, it's a measure to better protect Canadians at the border itself.
    Naturally I would think that it has a time limit that is sensitive to the pandemic. In fact, the emergency response, if I'm not mistaken, has a timeline on it. As this is part of the emergency measures, I think there's a time limit to it.
    However, I take your advice to heart and I'll bring this up with my colleagues. I encourage all members to survey their constituents on their feedback on this measure, as I will do in my constituency.
    One of the things that I've been hearing in my constituency is that people are really frustrated by the increase of online and phone scams, especially during the pandemic. People are really worried that these continued attempts on their privacy will result in someday an intrusion into their private information, or even their identity.
    Does your office do any work with the Canada Anti-Fraud Centre in an effort to address these concerns? They're actually looking at parliamentarians and federal offices to help in this situation.
    We do some, perhaps less than we should or could.
    Certainly our role with respect to attempts by ill-intentioned people to access personal information of Canadians mostly has to do with ensuring that government and the private sector have the right security measures in place to protect against these attempts. However, when the level of the attempt reaches a criminal law level, we certainly refer individuals to the authorities, including the fraud centre.
     The fact that they've been around for a long time and there's been an increase in the number of attempts tells me that they are having reasonable success at it, which is a really terrible thing for the public. We've resourced broader and wider public education in terms of prevention, but do you have any advice on what additional measures we collectively should recommend that the government do to combat this phenomenon?


    It's a multi-faceted issue. It requires action by a number of actors. Not that long ago, there was an important impetus for advice to individual consumers: Be careful; do not put too much information on the Internet; use strong passwords.
    That's all very true. People should be prudent. They should use rigorous passwords. However, I think it would be wrong to put too much responsibility on individual consumers in protecting their data.
    An important part of the solution, I think, clearly lies in ensuring that government departments and private sector entities have the right security safeguards to protect their consumers or citizens from these attempts. We have seen many, many privacy breaches in the past years in Canada and elsewhere. I can think of Desjardins being a recent case in point, and other companies, which suggests that although companies, particularly large companies, take measures to protect information, it is not the priority that it should be.
    My final point is that in order for companies to pay sufficient attention to this, having a law that provides for significant penalties, so that companies that profit from personal information protect it as they should, is part of the solution too.
    Thank you. I hope to hear from you beyond the public education aspect to solve this problem.
    Thank you, Mr. Dong.
    Madame Gaudreau, we'll turn back to you.


    Good afternoon again, Commissioner.
     It is good to hear about reform and the intention to reframe offences that are difficult to tolerate.
     Even before I was elected, there had been many reports looking specifically at the models found in European countries.
     I have already heard you say that people have little confidence in what is being done to protect their identity. I am concerned about that. I have given myself the challenge and the mandate to come up with legislation to prevent this, and I hope that we will all work on it. It is not right that private companies have protection models with biometrics, voice recognition, and so on, while the government is faced with so much ongoing fraud.
     People keep calling my office, and that worries me. So I'm really glad to see that your concern and your recommendations are actually going to move forward.
     With another year in your role, do you plan to do a knowledge transfer in the next Parliament?
     I know you have a great team. However, the question must be asked. Do you have a window of opportunity to ensure that your successor has everything they need so that we don't waste any time and can do our job properly?
    As you say, my team is extremely talented and knowledgeable about privacy issues.
     I inherited a group that was already excellent when I took office. I hope to leave my successor with a group that is just as good. As for a transfer of knowledge to a successor, plenty of people in Canada are already very knowledgeable about privacy issues. I'm not sure it's a matter of transferring knowledge from one person to another as such.
     I think my role over the next year will be to continue to make comments that I hope will be helpful not only in terms of the principles—remember that privacy is a human right—but also in terms of how to articulate those concepts in a way that protects citizens and allows the use of data for public purposes or even private, but still legitimate, purposes. I think that's what my role will be in the coming year.
     It will then be up to the government and Parliament to find—


    However, you agree that, when we receive hundreds of calls from victims of fraud, our position and the decisions we have made are not appropriate to ensure that these people are protected from identity theft.
    Could I ask one last question, Mr. Chair?


     No. I do apologize, Madame Gaudreau. I was on mute there. I was going to cut you off before—it's a very short round—so I do apologize.
    Mr. Angus, we'll turn to you for the next two and a half minutes.
    Thank you, Chair.
    We've all dreamed of the lockdowns ending and being able to get back to our lives. One thing that has become clear, though, with the border reopening and people starting to try to recover is what we're going to do on the issue of people who don't get vaccinated. I've talked to many small businesses who have been frustrated throughout the lockdown with militant anti-maskers. Militant anti-maskers are pretty easy to spot, because they're not wearing a mask. Militant anti-vaxxers are a different story. I've talked with labour lawyers who are starting to talk about what they're going to do in workplaces. A Broadway show, Springsteen on Broadway, is already limiting who can attend by the type of vaccinations they have.
    The need to get on this very quickly, I think, is the issue of the day. I'd like to know what stage your negotiations are at with the government in terms of discussions about how we're going to identify a vaccine passport, what that would look like, and how we can make sure that this is done right so that we can protect the public, and protect theatres and musical events that reopen, but also not overly infringe on privacy rights. Have you been actively engaged in these discussions with government?
    On the use of the proof of vaccination at the border, I think we'll be able to come up with a solution that works and that is privacy sensitive and protected.
    You raise the issue of people who refuse to be vaccinated and the position that puts private companies or employers in. The discussions that we've been involved in are largely with our provincial colleagues, our provincial commissioners of privacy, to develop the guidance that we issued a month or so ago. I think the nub of the issue you're raising with respect to the private sector is that all of these issues are issues of public health. Our federal private sector law is such that private companies can decide to have certain data collection practices provided they meet certain criteria, but I am uncomfortable, to say the least, I would say, with the fact that measures that are intended to enhance public health would be left to private companies, in part because they don't have any expertise in public health matters and in part because the absence of rules will make it difficult for these companies to decide what to do.
     Well that's my concern. What is your role? This is a public health issue, so how do we keep it within the realm of public policy-making?


    The statement that we have issued with our provincial colleagues makes clear that it is desirable that the best solution would be for governments, federal and provincial, to set rules. The law is such that governments could decide to give a role for private companies, but my advice certainly is that governments, federal and provincial, should take this on and regulate for public health purposes. They have the expertise. They should regulate.
    Thanks so much.
    We'll turn to Monsieur Gourde, for the next five minutes.


    Thank you very much, Mr. Chair.
    My thanks also go to Commissioner Therrien. I join my colleagues in congratulating him for his seven years of service to our country. Congratulations. It has certainly gone by very quickly.
     You have seen the challenges evolve or change over those seven years. Earlier, you talked about what we should be looking out for in the future.
     Can you give us a little review of what has happened in seven years? How do you see the next 10 years?
    How many hours do we have to answer that question?
    You have four minutes left.
    At the beginning of my mandate, there was a lot of emphasis on public and national security issues, and on measures that followed the events of September 11.
     The Snowden phenomenon highlighted certain government practices. It's not all perfect, but we have made progress on those issues. Legislation has been passed to raise the bar on which departments [Technical difficulty—Editor] for national security purposes. Most importantly, independent oversight bodies have been established and are now in place within the public service and within Parliament. As I mentioned, not everything is perfect, but significant progress has been made.
     In recent years, with Facebook, Cambridge Analytica and all the rest, there has been a lot of focus on what some call surveillance capitalism, where companies collect, process and disclose a lot of information about their consumers to provide services, but also to make money, of course. That is where we are at now, which is why it is extremely important that these issues be properly regulated through Bill C‑11 or its successor.
     I have to say that recently we are seeing more and more public‑private partnerships. Clearview AI and the RCMP are just one example among many. This leads me to suggest that you think seriously about the relationship between the public sector and the private sector in terms of sharing personal information, and the idea of the same legislation governing both sectors, which we think would be extremely desirable. If two laws are used, it would be best if they had very similar principles, because data has no geographic borders and no boundaries between the public and private sectors. It is important that similar rules govern both sectors.
     I would add that, to maintain the confidence of the public and consumers, it is essential that [Technical difficulty—Editor] result in penalties that are proportionate to the magnitude of the impact of the privacy breach on privacy. Order powers and consequent fines are therefore crucial. The reason for recommending substantial fines is not to be punitive. Rather, it is to ensure that the consequences for people whose privacy has been breached are proportionate to the consequences for the companies involved, so that, over time, imposing such a regime will result in governments, departments and companies properly protecting the personal information of the public and consumers.


    Thank you, Mr. Therrien.
     Mr. Chair, do I have any time left?


     You have about 30 seconds if you'd like it.


    Then I'm done.
     Thank you, Mr. Chair.


    Thank you, Monsieur Gourde.
    Mrs. Shanahan, we'll turn to you now for the final questions.


    I saw that Mr. Therrien might have something to add.


    I'm sorry. I do apologize.


    I'll be brief. It's about the concept of privacy as a human right.
     The issues we are talking about are extremely complex from a technical point of view, as everyone agrees. Despite the complexity of the technology and the privacy rules, it is clear to me that the goal should be for our Canadian values to be reflected in our laws. One of those values is to treat privacy as a fundamental right, and that is an important principle no matter how complex the technology is. If our goal is to ensure that our values in privacy or other areas are reflected in our laws on digital, I think we can't go wrong.
    Thank you, Mr. Therrien. I will continue along those lines.
     It's true that it's a principle that we all understand, but how do we implement it? It's very technical. As my colleagues have already mentioned, we are really in the wild west. Our committee has learned things in the last few months that we didn't think were possible, and we have to make decisions about them.
    In your view, is it possible to come up with legislation that respects this principle but has clear and specific regulations, especially if it includes fines?
    For more details, let me refer you to my submission.
     Generally speaking, I would say that the principles can be clear and unambiguous, but not the rules. I agree with many of the speakers who speak favourably of the importance of having principle‑based privacy laws, such as the principle of corporate social responsibility. That principle needs to be defined broadly. Since technology is constantly and exponentially changing, I think it would be wishful thinking to believe that it is possible to have very precise, clear and permanent rules.
     I agree that we must aim at the principle of transposing our values into our legislation. You are clearly asking the right question in asking how to do this in practice. There is a need for general principles, defined flexibly enough to accommodate the evolution of technology, but not so specific as to be detrimental to it, with the aim of both protecting privacy and allowing the use of data for the benefit of society.
    That's excellent.
     Thank you again for your dedication, Mr. Therrien. We needed your expertise and we are glad you are staying on for another year.
     I know my colleague Mr. Sorbara has a question for you.


    Thank you to my honourable colleague, MP Shanahan. It's very kind of you to share your time.
    Mr. Therrien, again, congratulations on your reappointment for a year. It is actually a real learning experience for me to listen to you and to read the articles and pronouncements that you put out. This is a subject matter that's only growing in ever-increasing importance with this digital world that we continue to adopt at a very fast pace.
    The one question I did have, Mr. Therrien, is about ensuring that Canada is competitive in the way we look at our privacy and interact in certain aspects with the Competition Bureau, that is, balancing it with the Competition Bureau of Canada's competitiveness and then keeping privacy in check. I know that it's a sort of holistic question, but it's just so important that we get that balance correct, versus what the Europeans are doing and have done, and versus what our neighbours to the south have done and are doing. Can you comment on that, please?


     Yes. We think that for Canada to be competitive—and the government underlined this in Bill C-11, and I would completely agree.... We have a confidence problem, a trust problem. Consistently Canadians, at the level of 90% or so, have expressed their concerns that privacy is not currently respected. They continue to use the Internet, because frankly you cannot live outside of the digital world in 2021. However, they still have important concerns, so we have a trust issue.
    In order to deal with the trust issue, you need to have laws that enhance trust. That means ensuring that with regard to privacy laws, rights and values, consumers and citizens see that the legislation is apt to protect rights and values and produces proportional consequences, penalties, if these rights and values are not respected.
    The law should provide for flexibility for companies to use data for legitimate commercial purposes, and our submissions I think go in that vein. There is no opposition really between privacy protection and economic development or innovation. As far as our relationship with the Competition Bureau and other regulators is concerned, it's extremely important that digital regulators are able to co-operate and share information so as to have an effective regulatory framework across all sectors. We have a good relationship with the Competition Bureau.
    Thank you, Mr. Sorbara.
    Commissioner, we want to thank you for coming today. We appreciate your work, your continued effort to protect the privacy of Canadians and ensure that parliamentarians and Canadians are aware and informed of concerns that you and your office bring. We believe that to be an important service to Canadians. We look forward to continuing to work with you over the next year and look forward to where that takes us.
    Commissioner, we know that the House has already approved your extension, so today we don't need to do that. We just thought it was important for committee members to follow our usual practice, which is to consider where you will head, and the relationship between the committee and you over the duration of your appointment.
    We don't have anything further to add in terms of process. The House has already approved your appointment. We concur with that. I think I speak on behalf of all committee members in thanking you for your service and commending you for continuing to do what you have done so well over the last number of years.


    Thank you.


    Again, thanks so much for being flexible in terms of time. We apologize for any confusion that brought.
    Ms. Shanahan, I see your hand is raised. Is that specifically....? I was just going to thank the commissioner and allow him to leave the committee.
    Thank you, Commissioner, on behalf of all committee members.
    Ms. Shanahan, I believe your hand is raised. I suspect it has to do with committee business.
    We will turn now to Ms. Shanahan.
     Thank you, Chair.
    I thank you and the clerk for inviting the Privacy Commissioner today. I know that it was on short notice. Clearly, everybody's agendas are quite full in these last few days. I don't know what's on the agenda there now, but I want to say publicly just how much the members on our side appreciate the work that the clerk, the analysts, the interpreters and, of course, our IT people have done in making sure that this committee could operate to the fullest during this really extraordinary period, and especially that this committee was able to bring to fruition two reports. I know we were joking about it before the committee started, but there have been two fulsome reports. One was on the pandemic spending and the other was on the Pornhub issue, which I know is an issue that many of my constituents have spoken to me about.
    Again, my thanks to everyone, and to fellow members of the committee here, it really has been quite an education and quite an adventure to be working together in all the different modalities that we had to go through.
    On that note, I move that we adjourn this meeting.


    That puts us in a spot. That's a non-debatable motion. I'm taking the chair's prerogative to not engage in debate but simply to say on behalf of all committees, I believe we concur with Ms. Shanahan's sentiments in thanking the clerk, the analysts, the interpreters and all members.
     It's a non-debatable motion, so we'll move to the vote with regard to adjournment.
    Madam Clerk, will you go through the roll call?
    Thank you, Mr. Chair.
    (Motion agreed to: yeas 10; nays 0)


    Thank you, committee members. I look forward to seeing you over the next number of months, but we don't have any formal meetings planned—at least nothing that we're aware of at this point. Therefore, I want to thank you all for your diligence in your work and wish you all a good summer.
    The meeting is adjourned.