Mr. Speaker, I move that the first report of the Standing Committee on Access to Information, Privacy and Ethics, presented on Wednesday, February 2, 2022, be concurred in.
Last week, the committee tabled its report, which included a motion that was unanimously adopted by all committee members, including four Liberals, four Conservatives, one New Democrat and one Bloc Québécois member, me. I will read the motion for everyone to hear:
That the committee call upon the government to suspend the Public Health Agency of Canada's cellular data tender upon adoption of this motion, and that the tender shall not be re-offered until it the committee reports to the House that it is satisfied that the privacy of Canadians will not be affected, and that the committee report the adoption of this motion to the House at the earliest opportunity.
Let me repeat that this motion passed unanimously. This is important, because protecting Canadians' personal information and data is an issue that crosses partisan divides.
Last Tuesday, February 1, I walked across the floor of this House and handed the a letter asking him to comply with the motion adopted unanimously, I repeat, by the committee.
On Thursday, during question period here in the House, I twice asked the Minister of Health if he was prepared to suspend the RFP or at least comply with the motion put forward by the committee. Twice, the Minister of Health avoided responding.
A little later that day, I put the same question to him during his appearance before the Standing Committee on Access to Information, Privacy and Ethics, which met an hour later, and he once again avoided answering. As we all know, no answer is an answer.
On that occasion, the Minister of Health told us that the data he was using had been de-identified and was acceptable from a privacy protection point of view. When we asked him questions about where the data were from, things were less clear. The Minister of Health just repeated that the data were properly de-identified.
This morning, the Privacy Commissioner of Canada, Daniel Therrien, appeared before the committee. Members asked him if the Public Health Agency of Canada had consulted him. He said the agency informed him of its plans. The agency did not seek his advice; it informed him. The commissioner offered to provide advisory services to the Public Health Agency, but his services were not retained. As is the agency's prerogative, it chose to use external legal advice. It was the agency's choice not to get involved, but the commissioner did seem a little rankled this morning. Given that the Privacy Commissioner represents an institution created by the government, one might think his advice would be welcomed by government entities. Not in this case.
For the purposes of the discussion, let us look at the facts. In March 2020, a private contract was concluded between the Public Health Agency of Canada and Telus, more specifically with its Data for Good program, a part of the organization that manages Telus data and offers that data to such entities as the Government of Canada. A private contract was signed—without a tendering process to be clear—to obtain tracked data.
In 2020, 33 million cell phones were monitored. That represents 87% of Canadians' cell phones in this case. No one knew about it. This was done with a total lack of transparency. On December 17, 2021, the Public Health Agency of Canada issued a request for proposals to select a data tracking provider. That RFP was brought to our attention by the National Post and Radio-Canada between December 18 and 22, with both news outlets questioning the ethics of this endeavour.
We took the time to do our homework, do some reading and take a look at what was happening. On December 23, the Bloc Québécois issued a press release to express its concerns about the RFP to renew an existing three-year contract allowing the data to be used beyond the pandemic.
It is funny, because last week I asked Canada's Chief Public Health Officer, Dr. Theresa Tam, when the pandemic would end. She obviously did not have an answer. I also asked her who would decide when the pandemic was over. She also did not have an answer to that and was surprised by the question.
Given this lack of answers, we realized that the tender could allow the data to be used indefinitely, since no one knew when the pandemic would end. Obviously I am still concerned. I want to note that I have no preconceived notions on the matter, but I really wanted to continue with this work.
During the Christmas break, the Bloc Québécois members of the Standing Committee on Access to Information, Privacy and Ethics requested that a meeting be held, and our request was agreed to. In the new year, the committee met to evaluate the use of data and unanimously agreed to undertake a study. This study began last week with a view to determining whether there was a privacy breach. The and Dr. Tam appeared before the committee, and the study continued this morning with the appearance of the Privacy Commissioner of Canada, Daniel Therrien, and a renowned researcher in this field. The work will continue until April.
The committee also adopted a motion, which I read out earlier, calling for the suspension of the RFP until the committee can examine the situation. I should note that the RFP deadline was January 22. As soon as the committee began its study, this deadline was extended to February 2. After another meeting to determine the committee's future business, it was extended to February 4. Last week, the minister announced that the RFP deadline would be extended to February 18.
The health crisis was often invoked as as a reason the the RFP cannot be suspended, but Dr. Tam nevertheless told the committee that the delay had little effect on the information obtained from the data in question, since the data would be retrospectively looked at. She did not seem concerned about the possibility of suspending the RFP, and she was not against it. We therefore moved a motion to suspend the RFP and this motion was passed unanimously so that the committee could get to the bottom of this matter.
That brings us to the meetings with the minister. I remind members that the only response to the committee members' many questions was that the data had been de-identified. When members asked questions about where the data had been obtained and who had had access to it, the only answers we got were vague and evasive, which I find demonstrates the minister's lack of accountability.
There is an old saying in philosophy that what cannot be done directly cannot be done indirectly. If the data used by the Public Health Agency of Canada was de-identified, we had to wonder who had access to the data and what kinds of protocols were used, if any. The committee did not get an answer.
Dr. Tam said that the data being used would not be very useful and that it would not be the end of the world if the RFP were suspended while the study is carried out.
Privacy is basically a question of ethics. Ethics is essentially about trying to figure out what to do in difficult circumstances, what the right thing to do is, what to do when you do not have all the information and you are not quite sure where you stand. The precautionary principle applies, obviously.
In its hearings so far, the committee has noted that the government is avoiding the issue, as it would prefer not to deal with it.
Facts are facts. The motion, which was adopted unanimously, called for the RFP to be suspended while the committee conducts its study. Here I am in the House a week later, seeking the House's consent to implement the motion.
I might be a little naive on this subject, but it seems to me that governments should set an example. I know the interpreters hate it when I do this, but when we look at the Latin roots of the word “example”, it translates as “being able to do as I do”. In other words, the government should be able to do what all of us would do, namely make a reasonable decision.
Opaqueness, non-transparency, and layers of secrecy hiding behind every detail are the antithesis of transparency. The Privacy Commissioner told us this morning that there were best practices in this area. There is no reason to believe that they were violated. Beyond best practices, however, there was also transparency and the desire to do the right thing. These two aspects should have been demonstrated but are still missing here.
I have asked various experts, including the Privacy Commissioner, about this, and what really bothers me is that we all know it is impossible to obtain consent from 33 million people in this kind of situation. The government says this condition is fulfilled when people click on the “I agree” button, yet everyone knows as well as I do that it pretty much takes a master of laws degree to understand what we are actually agreeing to. It is also reasonable to believe that cellphone users did not consent to their data being used for purposes other than those required by the cellphone company to provide a service. It is impossible to conclude that presumed consent is the same as consent. Presumed consent is not consent.
This morning, the commissioner told us about the concept of “meaningful consent”. Meaningful consent is impossible to obtain. It may be impossible to obtain, but there is a spectrum between doing nothing and doing something impossible. All kinds of elements can be put into play so that at least things are out in the open. The government did not implement or put forward any of those elements.
What is the crux of this matter? When we talk about privacy, we expect that people will be able to provide information in good faith, believing in good faith that it will be used for the stated purposes. We are talking about trust. We are talking about a person's ability to trust their cellular service provider, let alone their government.
Properly defined, trust is the action of delegating one's future to someone else. When we delegate our future to the government, we expect it to act responsibly. We do not expect the government to potentially hide behind some obscure legal provision stating that, once the data is disaggregated, anonymized or any other such term that is incomprehensible to lay people, it can wash its hands of it. That is not right.
In such cases, opaqueness leads not to trust, but to distrust. Members know as well as I do that, in the end, distrust leads to defiance, the kind of defiance we can see outside Parliament.
I believe that the government is not being transparent, and that is the reason for our request. I believe that opacity reigns and that if we want to make sense of the government's actions, we have to be able to go further. Making sense of it means clearing the air, throwing light on the matter, but right now, we are lost in the fog.
Failing to suspend the RFP is to maintain all this opaqueness. Failing to suspend the RFP would be to perpetuate the mistake, or at the very least, the appearance of a mistake. Failing to suspend the RFP is, above all, to show contempt for the committee's work. Failing to suspend the RFP is to disregard the unanimity of the committee. The government cannot simply wash its hands of such a situation by ignoring questions or trying to do indirectly what it cannot do directly.
It was disturbing to hear the Privacy Commissioner say this morning that he was informed but not consulted. He did not provide his opinion. In fact, he is investigating the matter now.
It is troubling that one of the most powerful officers of Parliament is not being asked to contribute. On the contrary, he has been sidelined. I therefore ask hon. members to support the committee's motion.
Let me reveal another small detail. A member of the committee asked me the other day, when I moved the motion, whether it was meant to undermine this. The answer is obviously no. It is not to undermine anything. Are we asking to suspend the RFP forever? The answer is no, it is not forever either.
The RFP needs to be suspended until the committee can shed light on the situation and bring the matter out of obscurity. What we are asking for is not malicious. On the contrary, it is to allow the government to demonstrate its good faith, if necessary, or to correct the situation, if necessary.
Ultimately, I will ask my colleagues to please support the motion at the end of the debate.
Madam Speaker, I am grateful for the opportunity to rise in the House to talk about how the Government of Canada started using mobility data and the reasons why a request for proposal was issued.
Our government has seen that using health data to support an effective pandemic response has been a constant challenge. Stakeholders and experts have repeatedly stated that there is a data deficit needing to be filled to make evidence-based decisions in the public health system. They also state that public health data is “fragmented, outdated, not disaggregated, and not timely”. The lack of a common, coherent approach for our health data across the country is contributing to lagging health outcomes for people in Canada, escalating sector costs, expanding health inequities and slowing innovation in Canada's health sector.
The ethical use of mobility data is one element needed to address this problem. During this pandemic, our researchers and infectious disease modellers have used the aggregated data to track the existing spread of the virus and estimate where it is most likely to surge. This has helped to inform our policy and public health responses in a positive way. We as a government are not unique in using de-identified population-level mobility data for this purpose. Countries around the world, and even local governments in Canada, are using mobility data to help guide their response to the pandemic.
The mobility data that our government uses does not include any personal information. It cannot identify individuals and the data cannot be re-engineered to identify any person. I want to be clear: We do not ask for, nor do we receive, any personal information as part of the mobility data we use. We contract for commercially available data that is de-identified and aggregated only. With only de-identified data, we have absolutely no way of knowing or following the actions of individual Canadians.
When people turn on or use their mobile or cellular phone, their phone connects with the closest cellphone tower. When a cellphone is moved, the tower is connecting with it and that can change. Their phone will always look for the closest tower to connect with. Telecommunications companies, as part of their day-to-day business operations, manage and collect this information in order to monitor and maintain their services for their customers. Telecommunications companies also have the ability to take this private business information and remove the information that would connect a phone to a person or to a personal address. The cellular companies' data is stripped down to only the signal or a signal location when moving. There is no personal data included. The data has been de-identified.
These de-identification and aggregation steps protect the privacy of individual Canadians. Companies sell this de-identified data to governments, scientists and researchers to support research and knowledge of how policies, trends and environmental changes impact people. Similarly, some companies make data collected from smart phone applications commercially available. Once again, every effort is made to make sure that the data is de-identified and aggregated so that users cannot be identified.
Once again, I would like to stress that when we purchase this data, it is de-identified and aggregated. We do not ask for and do not accept personal mobility information. The data we receive is in the form of a report. It is a table with percentages and proportions for geographic areas over a time period of 24 hours or more. There is no way to trace this back to individuals.
The Public Health Agency of Canada purchases this data to better understand how people are reacting to public health measures and how population-level movements affect the spread of COVID-19. Mobility data is a complementary data source that works alongside health, case and epidemiological data to support situational awareness. For example, when we analyze mobility data and outbreak data together, the agency can see trends of higher or lower mobility that can help us to predict future COVID cases. This helps us to evaluate the effectiveness of public health measures.
The Public Health Agency of Canada generates reports and summaries from this data, and we share them with Canadians and with provincial and territorial governments to empower everyone to make the best possible decisions during this very trying time. The Government of Canada has been transparently publishing mobility information as part of the COVIDTrends web page since December 2020. The site has seen more than 1.7 million visits and is easily accessed through the popular WeatherCAN app.
COVIDTrends data gives Canadians information they need to best manage their personal lives during the pandemic. It also gives them the ability to know what is happening where they live with respect to COVID-19. The Public Health Agency of Canada has also made announcements about this work on social media, such as Facebook and Twitter, throughout the pandemic. Mobility data on the site shows changes in population movement from one week to the next in the selected area. This change in movement may help us understand the risks associated with COVID-19 transmission.
There are limitations to using this data, as it cannot determine if public health measures such as wearing a mask were followed while someone was moving. As I mentioned, the data, because it is completely de-identified, cannot consider population differences such as age, gender or income level.
Before I conclude, I want to take a minute to talk about the importance of privacy. The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under their control. We recognize that this is an essential element in maintaining public trust. The Public Health Agency of Canada requested data with no personal or identifying information. To further protect privacy, the agency also used a multibarrier approach with regard to the source of the data, along with the data pipeline, and prior to it being received. The Public Health Agency of Canada requires mobility data vendors to apply robust data and aggregation controls to ensure anonymity prior to them sending data so that the agency does not receive any identifying information. Any company selling data within Canada is subject to the Personal Information Protection and Electronic Documents Act, which is consent-based legislation.
In this day and age, we are creating data every time we use our smart phones. It is only natural for people to be concerned about who is accessing that data and what they are using it for.
I want to assure Canadians that the mobility data the Public Health Agency of Canada is using does not contain their personal information or any personal information. The agency cannot link the data to any individuals.
Mobility data is one of the many tools we are using to fill the data deficit that exists in Canada. It has helped us improve our response to COVID-19, saved the lives of Canadians and protected our health care system.
Madam Speaker, before I begin, I would like to thank my colleague from Trois‑Rivières for moving this motion in the House today.
Before the Standing Committee on Access to Information, Privacy and Ethics did its study, I texted my colleague to say I was looking forward to hearing what he had to say about this because he had a lot of experience and knew the subject matter well. I would like to thank him.
We are really seized with this issue, as Canadians have been, since it was first identified in the month of December that the RFP had been issued. The RFP was to continue a practice that many Canadians, in the distraction of a pandemic, had no idea was going on. It was that their mobility data was being collected, in this case by Telus, without their consent or implied consent, and was being utilized to determine a public health response to the COVID-19 crisis.
We have, for the last several days, been studying the impacts of this at the ethics committee. I will say that there have been some very serious concerns that have been brought up by the experts we have been hearing from, including the Privacy Commissioner. That is why this is such an issue as it relates to the motion that we are dealing with today. We have not gotten to the bottom of the fact of whether this data has been protected in the manner that would be the gold standard for protecting the privacy and security of the data of Canadians. This is why we are focused on this study. During a pandemic, with all of the distractions that are going on, it would be very easy for this information to be utilized in a way that does not protect the privacy of Canadians. The RFP was originally to be finalized by January 21. It got pushed back to February 4, and now it has been pushed back even further.
At committee, when we dealt with the motion that was presented by my Bloc colleague, there were very solid arguments made as to why this RFP should be pushed back. In fact, the entire committee voted 10 to nothing to push this RFP off until we completed this study, so that not only parliamentarians but Canadians can be assured that the information that was gathered was, in fact, protecting the privacy of Canadians.
We heard at committee from members of the Liberal Party that the came out in 2020 or 2021 and talked about this information being gathered. It is not an issue of whether the information was gathered. There are governments around the world using data and information to inform their response to the COVID-19 pandemic, but this one speaks to the fundamental tenet of democracy to make sure that we protect the privacy rights of Canadians. Parliamentarians wanted to get to the bottom of this to make sure that we were protecting those privacy rights.
The story came out in December that this RFP was being proposed to be extended, and not just in the way it was designed in the first place, which was really for a couple of months, where it was a sole-source contract that was given to, as we found out, Telus. It was going to be extended for up to another five years and collect even more mobility data to determine, as they said in the RFP, the public health response and to determine trends to deal with public health issues going forward.
It was disturbing not only that this was happening without really the knowledge of Canadians who were distracted during this pandemic, without the consent of Canadians to have their mobility data tracked, but that this was going to go on for another five years. That is why it is important that we get to the bottom of this issue to really be sure and determine whether that mobility data was being protected on behalf of Canadians.
My colleague from the Bloc was talking about his initial concern when he saw the RFP. I saw the RFP just a couple of days before Christmas because it was reported in Blacklock's, which, by the way, does great work digging into government contracts. I know that maybe the government does not like the work that it does, but it does great work digging into these contracts. I would hope that if Conservatives were in government, we would be held to the same account on these types of contracts.
I saw the story and we had discussions among ourselves. As we were heading to the Christmas break, it was awfully difficult, because Canadians were distracted by Christmas, to really push this issue. I determined, as the newly appointed critic for ethics and accountable government, that we were going to wait until after Christmas before we called an emergency meeting of the ethics committee.
We did, the meeting was granted and, subsequent to that, the study was supported by all members of the committee to make sure that it looked at not just the RFP but another part of this too, which was an update to privacy laws. We heard from the Privacy Commissioner this morning that there does need to be an enhancement of privacy laws. We heard from an expert from the University of Ottawa as well that, as this data is collected, an enhancement of those privacy laws is needed to protect the privacy of Canadians for this data, which can be very useful but comes with some significant pitfalls and risks as well.
The issue that we are really dealing with is how this information was de-identified and aggregated. The was at committee last week and if we were playing the de-identified and aggregated drinking game, we would have been drunk very quickly because that was all we heard from the minister. We did not get any evidence of how this information was de-identified and aggregated. All we got were assurances. Assurances are not enough for the committee. This is why we are asking today that this RFP be cancelled until we find out exactly what is going on.
We have requested that the telecom companies come in, particularly Telus, to discuss how this information is de-identified and what security measures and protocols are put in place to assure us, as MPs, and Canadians that their information and privacy is being protected. I am looking forward to hearing from the telecom companies, including Telus through its data for good program, how that is done. I am learning a lot about this, as members can imagine, but the information that they collect, as I understand it now, is definitely identifiable. The question that we have is what happens to that information when it is identified and what is the process to de-identify it.
I have heard from security experts and read reports from around the world. A New York Times report, whose reporters we have asked to come and speak to the ethics committee, talked about being one to two to four points of data away from having that information reidentified. It really is a fascinating subject, but, more importantly, it is important to find out and determine whether that information is being properly protected from the point that it is collected to the hands that it is being passed through.
We also found out in the course of our study, and it was the who wrote us a letter to tell us, no pun intended, just so I am clear, that there was a company that was consolidating all of this data and presenting that information to the government. The company is called BlueDot. My understanding is that it is coming to committee on Thursday and we are going to have a lot of interesting questions to ask.
As we can see, the information is being collected, de-identified, aggregated and passed on to other hands. If those security measures and protocols are not put in place, and again I am not an expert on this but I have been listening to experts, there is a real risk that information can be commercialized, monetized, reidentified and that personal identifiers and information from that data can be known. It is fairly simple to do.
Proposing, as the motion did, to suspend the RFP in my opinion is the right move to make until we find out more. I did not get any comfort from the presentation of the Privacy Commissioner when he appeared at committee today. If anything came out of that meeting today, it is that it really informs the need for us to do a deeper dive on this and suspend the RFP.
I pulled off some of the questions that were asked of the Privacy Commissioner, and if what the Privacy Commissioner said this morning does not concern the tin-foil hats on this side of the House, as the members of the government like to call us, or the conspiracy theorists, it should be worrisome to members of the government. I will read it into the record, because I think it is important for us to inform our decision in this debate as we vote on this motion when it does come to a vote. Daniel Therrien, who is the Privacy Commissioner of Canada, and the de facto standard by which privacy protection is utilized in this country, said today that:
In the case of PHAC's use of mobility data, we were informed of their intent to use data in a de-identified and aggregated way.
Okay, he was informed. He went on to say that:
We offered to review the technical means used to de-identify data and to provide advice, which PHAC declined.
PHAC declined the offer by the Privacy Commissioner of Canada to look at the methodology and to provide advice on how this data was being utilized or protected. He went on to say that:
The government relied on other experts to that end, which is their prerogative.
It is their prerogative, there is no question about it. My view, and I know the view of the members of our committee, because we spoke afterwards, is that regarding the de facto standard by which privacy legislation is defended and protected, the Privacy Commissioner of Canada should have at least been included in the process so that PHAC, which was accepting this data, and perhaps Telus and BlueDot would have known what proper privacy measures, protocols and security should have been put in place. It may cause a level of concern that his office was merely notified, “Oh, by the way, we're going to be doing this.” “Do you want any help?” “No, we don't want any help.” That is effectively what PHAC was telling the Privacy Commissioner.
I am not surprised that he also went on to say the following, given the reaction among Canadians and just how troubling this information is as it has become publicly known and people's attention has been given to it:
Now that we have received complaints alleging violations of privacy, we will turn our attention to the means chosen for de-identification and whether they were appropriate to safeguard against reidentification.
Since this is under investigation, he obviously was not able to provide us with intimate details of where that investigation lies at this point, but the Privacy Commissioner of Canada was not even notified. The government relied on other security experts and privacy experts. Who were they? I think that is a fair question. What qualifications do they have that are greater than the Privacy Commissioner of Canada's? It was really concerning.
The Privacy Commissioner went on to say, in this line of questioning from our committee, that, “This practice raises legitimate concerns by consumers, particularly when their personal information is used without their knowledge for purposes other than they expect.”
We have heard from members on the other side about the ways of all the different apps, but the difference between that and what we are talking about is that the users provide consent to those applications to use the tracking of their mobility. In the case that we are talking about today, which involves anywhere from 14 million to 33 million users, it would be a hard argument to suggest that every one of those users provided consent. In fact, the Privacy Commissioner said today that it would be impossible for 33 million users to provide consent so that collection of their data could be used for the purposes that PHAC was dealing with. The issue of meaningful consent becomes a critical component of this.
I received a letter from OpenMedia.org talking about the ethics committee looking into this issue. The company suggested three fundamental questions, which we are trying to get to the bottom of, that are extremely important in this case.
Number one: How did Telus obtain meaningful consent for the collection, use and disclosure of this mobility data? I spoke about the importance of that earlier. OpenMedia suggested that when Telus comes to the committee, it needs to answer questions such as whether an individual who agreed to the sharing of their mobility data understood this use by the Public Health Agency of Canada. I suggest it would be impossible for 33 million people or fewer to really understand that this was being used by the Public Health Agency of Canada.
The second most important question that needs to be asked is this. Does the consent that Telus relied upon extend to the context in which the Public Health Agency of Canada used this data? Privacy and consent, it says, are highly contextual. If we, as users, give limited permission to Telus to collect, use in a limited way, and disclose some of our mobility data, that cannot and should not be an open-ended carte blanche for Telus to be able to provide this data to other people, including the Public Health Agency of Canada.
The next is the most important question of all. I heard universally from security and privacy experts, not just here in Canada but around the world. They asked how exactly this data had been securely de-identified. There are really two issues here: first, de-identification and the risk associated with reidentifying this data; and second, user consent.
My office has received correspondence. We have heard from experts, and as I said earlier we heard from a University of Ottawa expert this morning, about the risks of de-identifying data. I want to read out what some of the security experts are saying in the context of this RFP, and why it is so important that the government hold off on it until we get the answers to the questions.
Dr. Ann Cavoukian, the former Ontario privacy commissioner, said that without a strong de-identification framework and without de-identification protocols one can reidentify this data. There is a whole collected literature on de-identification of data and the way to easily reidentify it. One has to go to great lengths to de-identify, and I am sure the government has not done this.
I go back to what we heard from the Privacy Commissioner today, who said that he was merely informed and not consulted, despite the fact that the last week said that the government were having biweekly meetings with the Privacy Commissioner on this issue. We found out this morning these were not related to the gathering of mobility data, but related to other things happening in the context of the pandemic response.
Dr. Cavoukian went on to say that the government should be the greatest concern. Its ability to usurp our information, to tell us what to do and expect us to accept that, in my view, is due to the fact that it is seeking greater control.
If we want to connect the dots, and look at some of the patterns created as a result of this pandemic, Canadians are becoming increasingly concerned, and I would say they are concerned at this point, about the expansive overreach by the government. It is using the pandemic to curtail the rights and freedoms of Canadians. We saw the government, at the beginning of the pandemic and through the initial build, try to seize control and get spending and taxing power without parliamentary approval. We have seen this and other sole-sourced contracts that have gone out throughout the course of the pandemic to who I would call well-connected Liberal insiders and friends.
I am not suggesting that in this case, but when one starts connecting the dots with this expansive overreach, we can see a pattern with the government. It is causing me great concern, as it is many Canadians.
Madam Speaker, I join the debate this afternoon in support of the concurrence motion moved by my hon. Bloc colleague from .
Our Standing Committee on Access to Information, Privacy and Ethics unanimously adopted this motion:
That the committee call upon the government to suspend the Public Health Agency of Canada's cellular data tender upon adoption of this motion, and that the tender shall not be re-offered until the committee reports to the House that it is satisfied that the privacy of Canadians will not be affected, and that the committee report the adoption of this motion to the House at the earliest opportunity.
When we are dealing with issues of privacy, I believe it is critical that parliamentarians have the opportunity to be clear on what is being collected, how it is being utilized and what safeguards are in place. Not doing this would be an abdication of our responsibilities as legislators.
I believe the government members of our committee were acting in good faith with our committee's request to suspend the procurement under this contract. With the news that the government had tendered a contract for the collection of mobility data as a part of its COVID-19 response, many Canadians were rightly concerned about the protections in place to protect their privacy. The fact that many people learned about this program from news articles sets off alarm bells, and even if the process was unintentional, it demonstrates a lack of government transparency.
To make matters worse, a PHAC spokesperson stated that the agency had consulted with the Office of the Privacy Commissioner before starting to collect mobility data, but the Office of the Privacy Commissioner stated that it was not consulted and had only been informed of the program in 2020. This discrepancy between “consulted” and “informed” is stark, and I believe it is prudent of the ethics committee to ask the government to press “pause” on any future requests for proposals for mobility data projects until parliamentarians have an opportunity to provide oversight.
Our committee has had an opportunity to hear from PHAC, departmental officials and the Privacy Commissioner, but it is very important that we have telecom industry representatives, and Telus in particular, appear before our committee to discuss how they are going to use our personal information and what steps they have taken to protect our privacy.
I look forward to these representatives appearing before our committee in the near future to explain how they obtain meaningful consent for the collection, use and disclosure of this mobility data; how the data is de-identified; and what the risk is of reidentification.
I think the study is also an opportunity to educate the public about the pervasiveness of the mobility data economy and, by updating our Canadian privacy laws, make meaningful progress towards reforming the actors that operate in this sector. I can only hope that this opportunity to bring Canada's law into the digital era and restore trust to Canadian citizens and consumers alike is not lost.
There has also been little discussion of PHAC's collection and use of data from these kinds of third parties, which tend to be advertising and data surveillance companies that consumers have no idea are collecting, repackaging and monetizing their personal information. The repurposing of Canadian cellular networks for things like pandemic mobility tracking without the knowledge of subscribers, though ostensibly with their consent vis-à-vis the largely unread terms of service, is a big deal.
The data that was provided to PHAC lacks demographic information and, as we have heard, provides crude assessments of population mobility. While the data might be of some value, there is still a question about whether or not Canadians are comfortable with their cellphone data being used in this way. I know many of my residents in Hamilton Centre have shared their deep concerns about the overall commodification of the tracking and sale of their personal information. This is not the only example of cellphone data being used for purposes that are wholly unrelated to the provision or management of cellular services. Cellphone companies themselves have developed surveillance tools, selling them on the basis that cellphones are trackable devices and warning customers who use their service that they should not expect cellphone privacy. In fact, I believe we heard that clearly from the government members of this debate this evening.
Given the massive amounts of cellphone data that are available through our cell towers, our cellphones and our cell service providers, the ability to track cellphones across time and space is completely unchecked.
Cellphone companies' refusal to encrypt important information about subscribers' locations has made it easier for cell sites and their owners to provide law enforcement authorities with cellphone data. Cellphone companies have made it possible for cellphones to be tracked even when they are turned off by means of cell-tower logs that track the cell numbers and locations of subscribers without their knowledge. By triangulating a cellphone user's geographical location, cell towers can enable the construction of a kind of cellphone user profile.
I think of the use by police of technologies such as stingrays and I cannot help but recall the revelations this past summer about major government overreach utilizing the private Israeli Pegasus spyware used to hack cellphones of journalists, activists and worldwide agencies through the NSO Group's spyware, which has been licensed by governments.
However, cellphone tracking capabilities are not the domain of only law enforcement or intelligence agencies; they can also be tracked by the cell tower owners, as we have discussed. This access could be used to determine where these phones go in the evening and leave cellphone providers with an ongoing level of pervasive tracking. This is problematic, because users are charged by cellphone providers based on their location data and where these phones spend their time. This is how they generate large amounts of their ad revenue.
Within the Canadian context, as is the case in the study for our Standing Committee on Ethics for which this concurrence debate has been called, cellphones are used to track cellphone users' and potentially citizens' mobilities for reasons having nothing whatsoever to do with their cellphone service provision.
The Privacy Commissioner was at the ethics committee earlier today. His brief stated that “this data sharing initiative is an example of the movement of data between the private and public sectors and demonstrates the need for both to be governed by common principles and rules. With these two sectors interacting ever more frequently it is imperative that they be held to similar standards. Ideally, our two federal privacy laws should also be updated concurrently.”
I agree, and I believe that Canadians all expect a certain level of privacy, especially when it comes to their cellphones. We need to take a closer look to see if our current laws and regulations are sufficient in our current age of big data. I plan to continue this work at the ethics committee to ensure that Canada has the gold standard for protecting people's data and their privacy.