Last week, I appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics as part of its study on government services and privacy. The discussion touched on a wide range of issues, including outdated privacy rules and the policy complexity of smart cities. I concluded by noting:
“we need rules that foster public confidence in government services by ensuring there are adequate safeguards, transparency and reporting mechanisms to give the public the information it needs about the status of their data, and appropriate levels of access so that the benefits of government services can be maximized. That is not new. What is new is that this needs to happen in an environment of changing technologies, global information flows, and an increasingly blurry line between public and private in service delivery.”
My full opening remarks are posted below.
Appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics, January 29, 2019
Good afternoon. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law, and I am a member of the Centre for Law, Technology, and Society.
My areas of speciality include digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada’s External Advisory Board and I have been privileged to appear before multiple committees on privacy issues, including PIPEDA, Bill S-4, Bill C-13, the Privacy Act, and this committee’s review of social and media privacy.
I am also the chair of Waterfront Toronto’s Digital Strategy Advisory Panel, which is actively engaged in the smart city process in Toronto involving Sidewalk Labs.
As always, I appear in a personal capacity as an independent academic representing only my own views.
This committee’s study on government services and privacy provides an exceptional opportunity to tackle many of the challenges surrounding government services, privacy and technology today. Indeed, I believe that what makes this issue so compelling is that it represents the confluence of public sector privacy law, private sector privacy law, data governance, and emerging technologies.
The Sidewalk Labs issue is a case in point. While it is not about federal government services – it is a municipal project – the debates are fundamentally about the role of the private sector in the delivery of government services, the collection of public data, and the oversight or engagement of governments at all levels. For example, the applicable law to the project remains somewhat uncertain: is it PIPEDA? Provincial privacy law? Both? How do we grapple with new challenges when even determining the applicable law is not a straightforward issue?
My core message today is that looking at government services and privacy requires more than just a narrow examination of what the federal government is doing to deliver services, assessing the privacy implications, and identifying what rules or regulations could be amended or introduced to better facilitate services that meet the needs of Canadians and provide them with the privacy and security safeguards that they rightly expect.
I believe that the government services of tomorrow will engage a far more complex ecosystem that involves not just the conventional questions surrounding the suitability of the Privacy Act in the digital age. Rather, given the overlap between public and private, federal, provincial, and local, domestic and foreign, we need a more holistic assessment that recognizes that service delivery in the digital age necessarily implicates more than just one law.
Those services will involve questions about the sharing of information across government, the location of data storage, the transfer of information across borders, and the use of information by governments and the private sector for data analytics, artificial intelligence, and other uses.
In other words, we are talking about the Privacy Act, PIPEDA, trade agreements that feature data localization and data transfer rules, the GDPR, international treaties such as the forthcoming work at the WTO on e-commerce, community data trusts, open government policies, crown copyright, private sector standards, and emerging technologies.
It is a complex, challenging, and exciting space. I’d be happy to touch on any of these issues during questions, but in the interests of time, I will limit my slightly deeper dive to the Privacy Act, which as you know is the foundational statute for government collection and use of personal information.
There have been multiple studies and successive federal privacy commissioners who have tried to sound the alarm on the legislation that is viewed as outdated and inadequate. Canadians understandably expect that the privacy rules that govern the collection, use, and disclosure of their personal information by the federal government will meet the highest standards. For decades, we have failed to meet that standard. As pressure mounts for new uses of data collected by the federal government, the necessity of a law fit-for-purpose increases.
I’d like to point to three issues in particular with the federal rules governing privacy and their implications:
i. Reporting Power
The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act desperately needs to include a similar mandate for public education and research.
Moreover, the notion of limiting reporting to an annual report reflects a bygone era. In our current 24-hour, social media-driven news cycle, restrictions on the ability to disseminate information – particularly information that touches on the privacy of millions of Canadians – cannot be permitted to remain out of the public eye until an annual report can be tabled. Where the Commissioner deems it in the public interest, the Office must surely have the power to disclose in a timely manner.
ii. Limiting Collection
The committee has heard repeatedly that the Privacy Act falls woefully short in meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be the model, it instead requires less of itself than it does of the private sector. A key reform in my view is the limiting collection principle. A hallmark of private sector privacy law, the government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities.
This is particularly relevant with respect to emerging technologies and artificial intelligence. The Office of the Privacy Commissioner of Canada recently reported on the use of data analytics and AI in delivering certain programs. For example, it cited:
• the Immigration, Refugees and Citizenship Canada (IRCC) Temporary Resident Visa Predictive Analytics Pilot Project which uses predictive analytics and automated decision-making as part of the visa approval processes;
• the CBSA’s use of advanced analytics in its National Targeting Program to evaluate the passenger data of all air travelers arriving in Canada, as well as its planned expanded use of analytics in risk assessing individuals;
• the Canada Revenue Agency’s (CRA’s) increasing use of advanced analytics to sort, categorize and match taxpayer information against perceived indicators of risk of fraud and non-compliance.
These technologies offer great potential, but they may also encourage greater collection, sharing and linkage of data. This requires robust privacy impact assessments and considerations of the privacy cost-benefits.
iii. Data Breaches and Transparency
Breach disclosure legislation has become commonplace in the private sector privacy world and it has long been clear that similar disclosure requirements are needed within the Privacy Act. Despite its importance, it took more than a decade for Canada to pass and implement data breach rules for the private sector. As long as that took, we are still waiting for equivalent legislation at the federal government level.
As this committee knows, the data indicates that hundreds of thousands of Canadians have been affected by breaches of their private information. The rate of reporting these breaches remains low. If the public is to trust the safety and security of their personal information, there is a clear need for mandated breach disclosure rules within government.
Closely related to the issue of data breaches are broader rules and policies around transparency. In a sense, the policy objective is to foster public confidence in the collection, use, and disclosure of their information by adopting a transparent, open approach about policies, safeguards, and instances where we fall short.
Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports and they have been joined by some of Canada’s leading communications companies such as Rogers and Telus. Remarkably, there are still some holdouts – notably Bell – that do not release transparency reports.
However, these reports represent just one side of the picture. Public awareness of the world of requests and disclosures would be far more informed if government also released transparency reports. These need not implicate active investigations, but there is little reason that government not be subject to the same expectations on transparency as the private sector.
Ultimately, we need rules that foster public confidence in government services by ensuring there are adequate safeguards, transparency and reporting mechanisms to give the public the information it needs about the status of their data, and appropriate levels of access so that the benefits of government services can be maximized. That is not new. What is new is that this needs to happen in an environment of changing technologies, global information flows, and an increasingly blurry line between public and private in service delivery.
I look forward to your questions.