Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the study of the breach of personal information involving Cambridge Analytica and Facebook
November 1, 2018
Opening Statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good afternoon, members of the Committee.
Thank you for the invitation to appear before you today.
With me today are Brent Homan, Deputy Commissioner, Compliance, Gregory Smolynec, Deputy Commissioner, Policy & Promotion, and Julia Barss, General Counsel to my Office.
Last week I attended the 40th International Conference of Data Protection and Privacy Commissioners in Brussels.
The conference confirmed what I explained in my last annual report: there is a crisis in the collection and processing of personal information online.
Even tech giants, attending the conference in person or through video, are recognizing that the status quo cannot continue.
Warnings from industry
Apple Chief Executive Tim Cook spoke of a “data industrial complex” and warned that: “Our own information, from the everyday to the deeply personal, is being weaponised against us with military efficiency.” He added: “This is surveillance.”
Facebook’s Mark Zuckerberg admitted his company committed a “serious breach of trust” in the Cambridge Analytica matter.
Both companies expressed support for a new US law, similar to Europe’s General Data Protection Regulation.
When the Tech Giants have become outspoken supporters of serious regulation, then you know that the ground has shifted and that we have reached a crisis point.
Your committee clearly senses this ground shift and has supported our recommendations for legislative change.
The government, however, has been slow to act, putting at continued risk the trust Canadians have in the digital economy, in our democratic processes and other fundamental values.
Let’s examine, for a moment, the impact of online platforms on privacy and the integrity of elections.
As Canadian Artificial Intelligence researcher, Yoshua Bengio recently said in Le Monde:
“Our data fuels systems that learn how to make us press buttons to buy products or choose a candidate. Organizations that master these systems can influence people against their own interest, with grave consequences for democracy and humanity.”
“… The only way to restore balance is to ensure that individuals are not left alone when interacting with businesses. What is the role of governments if not to protect individuals. Nothing prevents regulating against excess and the concentration of power in certain sectors.” [Free translation]
These are not uniquely Canadian threats, but global ones.
Aside from the misuse of personal information to influence elections, we have also seen hostile states interfering in elections by deliberately targeting personal data.
In the words of Giovanni Buttarelli, the EU Data Protection Supervisor: “Never before has democracy been so clearly dependent on the lawful and fair processing of personal data.”
Recent investigations in various countries have demonstrated that political parties are harvesting significant amounts of personal information on voters and adopting new and intrusive targeting techniques.
In July, the UK Information Commissioner released her interim report on Facebook/Cambridge Analytica which found very serious shortcomings in the way digital players are operating.
For example, despite significant privacy information and controls on Facebook, they found users were not told about political uses of their personal information.
The UK Commissioner also raised concerns about the availability and transparency of the controls offered to users over what ads and messages they receive.
Significantly, the UK office found that political parties are at the centre of these data collection and micro-targeting activities.
Coverage of privacy law in Canada
None of this is encouraging for voters; when we last polled Canadians on this issue, 92% wanted political parties to be subject to privacy law. That’s as close to unanimity that one can get in such polling.
In September, privacy commissioners from across Canada put forward a resolution calling on governments to ensure that political parties are subject to privacy law.
Academic experts, civil society and the Canadian public all agreed with this position; and so does the Chief Electoral Officer.
The government, on the other hand, maintains that while the application of privacy laws to political parties is an issue that deserves study, the next federal elections can take place without them.
Canadian political parties’ lack of oversight is unfortunately becoming an exception compared to other countries, and it leaves Canadian elections open to the misuse of personal information and manipulation.
The bottom line is that without proper data regulation, there are important risks to a fair electoral process; and this applies to the next federal election in Canada.
This brings me to updating you on our investigative actions.
As you are aware, my Office and the Office of the Information and Privacy Commissioner of British Columbia are currently investigating the allegations made about Facebook and Aggregate IQ, which were brought to light last spring.
This work is advancing; but we have not yet made our determinations. We continue to gather and analyse information.
Due to confidentiality obligations under the law, I am limited in what I can report. I can however offer the following:
Our investigation focuses on the access to personal information provided to third parties by Facebook – in particular, sharing “friends” information with app developers. This was a serious issue in 2009 and we flagged it to Facebook as a serious issue then, nearly a decade ago.
Since May, investigators have issued three separate extensive requests for information and received and reviewed several sets of representations from Facebook in response, and we’ve asked Facebook to detail its policies and procedures from 2013 onwards.
We’ve also sought detailed information about its safeguards and internal “app review” process, and adherence to commitments made to the OPC in 2009 and 2010.
Aggregate IQ investigation
Our investigation into AIQ focuses on whether it collected or used personal information without consent, or for purposes other than those identified or evident to individuals.
Since my last appearance, OPC investigators have issued additional requests for information, conducted a site visit, undertaken sworn interviews with both Mr. Massingham and Mr. Silvester, and have reviewed hundreds of internal records from AIQ, including from AIQ electronic devices.
In order to make our findings public as soon as possible, our plan is to complete the investigations and release the reports in phases. We are targeting end of this year for the first phase, with the second phase to be completed in the spring.
Privacy as a prerequisite
The time for industry and political party self-regulation is over. The government can delay no longer.
Absent comprehensive reform, Parliament should ensure the application of meaningful privacy laws to political parties.
It should also give my Office the same inspection and enforcement powers that most of Canada’s trading partners enjoy.
Individual privacy is not a right we simply trade-off for innovation, efficiency or commercial gain. No one has freely consented to having their personal information weaponized against them.
Similarly, we cannot allow Canadian democracy to be disrupted, nor can we permit our institutions to be undermined in a race to digitize everything and everyone, simply because technology makes this possible.
Technology must serve humankind, that is all individuals.
Without individuality and privacy, it is a philosophical and practical truism that we cannot have a public, democratic life; nor can we enjoy other fundamental rights we cherish, including autonomy, equality and freedom.
Without privacy, the social environment we have in Canada - democracy, political harmony and national independence – is also at real risk, including those posed by hostile states.
It is not an exaggeration to say that the digitization of so much of our lives is reshaping humanity.
If we are not careful, it will be reshaped in ways that do not accord with our most fundamental rights and values.
The human and democratic rights of Canadians, as well as our national interests, must be protected.
Finally, as to specifics, while there are several excellent elements in the EU’s GDPR, we should seek to develop an approach that reflects the Canadian context and values, including our close trading relationships within North America, with Europe and the Asia Pacific region.
A new Canadian law should reserve an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in the development of artificial intelligence.
The GDPR concept of legitimate interest may be considered in this regard.
Our law should probably continue to be principles based and technologically neutral, but it should also be rights based and drafted not as an industry code of conduct but as a statute that confers rights, while allowing for responsible innovation.
And it should empower a public authority to issue binding guidance on how to apply general principles in specific circumstances, so that the general principles receive practical application.
It should also allow different regulators to share information. Meaningful protection of consumers and citizens online must involve several regulators, and they must be able to better coordinate their work.
And it is absolutely imperative for privacy laws to be applied to Canadian political parties.
Thank you for your important work on this issue; I welcome your questions.
- Date modified: