SoVote

Decentralized Democracy

House Hansard - 25

44th Parl. 1st Sess.
February 7, 2022 11:00AM
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard (Barrie—Innisfil, CPC)
  • Feb/7/22 2:33:44 p.m.
  • Watch
Mr. Speaker, January job numbers came out and they were really bad. They show 200,000 Canadian jobs gone, higher unemployment and an inflation rate that is out of control. This has turned into a disaster, and Canadians are paying the price. Will the minister finally admit that her plan is not working and come up with a plan that includes dealing with the costs of gas, home heating, groceries and life becoming unaffordable for Canadian families and seniors?
79 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard (Barrie—Innisfil, CPC)
  • Feb/7/22 2:34:55 p.m.
  • Watch
Mr. Speaker, it is cold comfort for Canadians who are losing their jobs and seeing the prices of everything go up. Prices are skyrocketing, yet the Liberals keep pretending that everything is fine. Let us be clear: Things are not fine. Canadians are struggling and it is getting almost impossible for many families to put gas in their cars, to put food on their tables or to heat their homes. Will the minister own up to her mistakes and apologize to the 200,000 Canadians who saw their jobs disappear last month?
92 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard (Barrie—Innisfil, CPC)
  • Feb/7/22 4:08:01 p.m.
  • Watch
Madam Speaker, there are a couple of issues we are dealing with here today, not the least of which is the request to put off the RFP. However, the real challenge is in this de-identified data being collected by telecom companies and the transfer of that information. It may be that when the Public Health Agency of Canada gets that information, it is aggregated and de-identified, but the challenge exists when those companies collect that data. There is another challenge with this, and that is the consent of the users. There was no consent given by users to allow the telecom companies to collect this data. It is a challenge that we heard from the Privacy Commissioner this morning. There is a real risk to de-identifying this data. Given that consent was not given, we have to get to the bottom of what security measures and what protocols were put in place to ensure this data was protected. Does the parliamentary secretary not see that as a concern, and not see it as a reason to hold off on the RFP until the ethics committee does its work and can be assured that the privacy of Canadians was protected?
202 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard
  • Feb/7/22 4:14:47 p.m.
  • Watch
Madam Speaker, I seek guidance from you on whether accusing a member of Parliament of being a conspiracy theorist is unparliamentary language.
22 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard (Barrie—Innisfil, CPC)
  • Feb/7/22 4:18:52 p.m.
  • Watch
Madam Speaker, before I begin, I would like to thank my colleague from Trois‑Rivières for moving this motion in the House today. Before the Standing Committee on Access to Information, Privacy and Ethics did its study, I texted my colleague to say I was looking forward to hearing what he had to say about this because he had a lot of experience and knew the subject matter well. I would like to thank him. We are really seized with this issue, as Canadians have been, since it was first identified in the month of December that the RFP had been issued. The RFP was to continue a practice that many Canadians, in the distraction of a pandemic, had no idea was going on. It was that their mobility data was being collected, in this case by Telus, without their consent or implied consent, and was being utilized to determine a public health response to the COVID-19 crisis. We have, for the last several days, been studying the impacts of this at the ethics committee. I will say that there have been some very serious concerns that have been brought up by the experts we have been hearing from, including the Privacy Commissioner. That is why this is such an issue as it relates to the motion that we are dealing with today. We have not gotten to the bottom of the fact of whether this data has been protected in the manner that would be the gold standard for protecting the privacy and security of the data of Canadians. This is why we are focused on this study. During a pandemic, with all of the distractions that are going on, it would be very easy for this information to be utilized in a way that does not protect the privacy of Canadians. The RFP was originally to be finalized by January 21. It got pushed back to February 4, and now it has been pushed back even further. At committee, when we dealt with the motion that was presented by my Bloc colleague, there were very solid arguments made as to why this RFP should be pushed back. In fact, the entire committee voted 10 to nothing to push this RFP off until we completed this study, so that not only parliamentarians but Canadians can be assured that the information that was gathered was, in fact, protecting the privacy of Canadians. We heard at committee from members of the Liberal Party that the Prime Minister came out in 2020 or 2021 and talked about this information being gathered. It is not an issue of whether the information was gathered. There are governments around the world using data and information to inform their response to the COVID-19 pandemic, but this one speaks to the fundamental tenet of democracy to make sure that we protect the privacy rights of Canadians. Parliamentarians wanted to get to the bottom of this to make sure that we were protecting those privacy rights. The story came out in December that this RFP was being proposed to be extended, and not just in the way it was designed in the first place, which was really for a couple of months, where it was a sole-source contract that was given to, as we found out, Telus. It was going to be extended for up to another five years and collect even more mobility data to determine, as they said in the RFP, the public health response and to determine trends to deal with public health issues going forward. It was disturbing not only that this was happening without really the knowledge of Canadians who were distracted during this pandemic, without the consent of Canadians to have their mobility data tracked, but that this was going to go on for another five years. That is why it is important that we get to the bottom of this issue to really be sure and determine whether that mobility data was being protected on behalf of Canadians. My colleague from the Bloc was talking about his initial concern when he saw the RFP. I saw the RFP just a couple of days before Christmas because it was reported in Blacklock's, which, by the way, does great work digging into government contracts. I know that maybe the government does not like the work that it does, but it does great work digging into these contracts. I would hope that if Conservatives were in government, we would be held to the same account on these types of contracts. I saw the story and we had discussions among ourselves. As we were heading to the Christmas break, it was awfully difficult, because Canadians were distracted by Christmas, to really push this issue. I determined, as the newly appointed critic for ethics and accountable government, that we were going to wait until after Christmas before we called an emergency meeting of the ethics committee. We did, the meeting was granted and, subsequent to that, the study was supported by all members of the committee to make sure that it looked at not just the RFP but another part of this too, which was an update to privacy laws. We heard from the Privacy Commissioner this morning that there does need to be an enhancement of privacy laws. We heard from an expert from the University of Ottawa as well that, as this data is collected, an enhancement of those privacy laws is needed to protect the privacy of Canadians for this data, which can be very useful but comes with some significant pitfalls and risks as well. The issue that we are really dealing with is how this information was de-identified and aggregated. The minister was at committee last week and if we were playing the de-identified and aggregated drinking game, we would have been drunk very quickly because that was all we heard from the minister. We did not get any evidence of how this information was de-identified and aggregated. All we got were assurances. Assurances are not enough for the committee. This is why we are asking today that this RFP be cancelled until we find out exactly what is going on. We have requested that the telecom companies come in, particularly Telus, to discuss how this information is de-identified and what security measures and protocols are put in place to assure us, as MPs, and Canadians that their information and privacy is being protected. I am looking forward to hearing from the telecom companies, including Telus through its data for good program, how that is done. I am learning a lot about this, as members can imagine, but the information that they collect, as I understand it now, is definitely identifiable. The question that we have is what happens to that information when it is identified and what is the process to de-identify it. I have heard from security experts and read reports from around the world. A New York Times report, whose reporters we have asked to come and speak to the ethics committee, talked about being one to two to four points of data away from having that information reidentified. It really is a fascinating subject, but, more importantly, it is important to find out and determine whether that information is being properly protected from the point that it is collected to the hands that it is being passed through. We also found out in the course of our study, and it was the parliamentary secretary who wrote us a letter to tell us, no pun intended, just so I am clear, that there was a company that was consolidating all of this data and presenting that information to the government. The company is called BlueDot. My understanding is that it is coming to committee on Thursday and we are going to have a lot of interesting questions to ask. As we can see, the information is being collected, de-identified, aggregated and passed on to other hands. If those security measures and protocols are not put in place, and again I am not an expert on this but I have been listening to experts, there is a real risk that information can be commercialized, monetized, reidentified and that personal identifiers and information from that data can be known. It is fairly simple to do. Proposing, as the motion did, to suspend the RFP in my opinion is the right move to make until we find out more. I did not get any comfort from the presentation of the Privacy Commissioner when he appeared at committee today. If anything came out of that meeting today, it is that it really informs the need for us to do a deeper dive on this and suspend the RFP. I pulled off some of the questions that were asked of the Privacy Commissioner, and if what the Privacy Commissioner said this morning does not concern the tin-foil hats on this side of the House, as the members of the government like to call us, or the conspiracy theorists, it should be worrisome to members of the government. I will read it into the record, because I think it is important for us to inform our decision in this debate as we vote on this motion when it does come to a vote. Daniel Therrien, who is the Privacy Commissioner of Canada, and the de facto standard by which privacy protection is utilized in this country, said today that: In the case of PHAC's use of mobility data, we were informed of their intent to use data in a de-identified and aggregated way. Okay, he was informed. He went on to say that: We offered to review the technical means used to de-identify data and to provide advice, which PHAC declined. PHAC declined the offer by the Privacy Commissioner of Canada to look at the methodology and to provide advice on how this data was being utilized or protected. He went on to say that: The government relied on other experts to that end, which is their prerogative. It is their prerogative, there is no question about it. My view, and I know the view of the members of our committee, because we spoke afterwards, is that regarding the de facto standard by which privacy legislation is defended and protected, the Privacy Commissioner of Canada should have at least been included in the process so that PHAC, which was accepting this data, and perhaps Telus and BlueDot would have known what proper privacy measures, protocols and security should have been put in place. It may cause a level of concern that his office was merely notified, “Oh, by the way, we're going to be doing this.” “Do you want any help?” “No, we don't want any help.” That is effectively what PHAC was telling the Privacy Commissioner. I am not surprised that he also went on to say the following, given the reaction among Canadians and just how troubling this information is as it has become publicly known and people's attention has been given to it: Now that we have received complaints alleging violations of privacy, we will turn our attention to the means chosen for de-identification and whether they were appropriate to safeguard against reidentification. Since this is under investigation, he obviously was not able to provide us with intimate details of where that investigation lies at this point, but the Privacy Commissioner of Canada was not even notified. The government relied on other security experts and privacy experts. Who were they? I think that is a fair question. What qualifications do they have that are greater than the Privacy Commissioner of Canada's? It was really concerning. The Privacy Commissioner went on to say, in this line of questioning from our committee, that, “This practice raises legitimate concerns by consumers, particularly when their personal information is used without their knowledge for purposes other than they expect.” We have heard from members on the other side about the ways of all the different apps, but the difference between that and what we are talking about is that the users provide consent to those applications to use the tracking of their mobility. In the case that we are talking about today, which involves anywhere from 14 million to 33 million users, it would be a hard argument to suggest that every one of those users provided consent. In fact, the Privacy Commissioner said today that it would be impossible for 33 million users to provide consent so that collection of their data could be used for the purposes that PHAC was dealing with. The issue of meaningful consent becomes a critical component of this. I received a letter from OpenMedia.org talking about the ethics committee looking into this issue. The company suggested three fundamental questions, which we are trying to get to the bottom of, that are extremely important in this case. Number one: How did Telus obtain meaningful consent for the collection, use and disclosure of this mobility data? I spoke about the importance of that earlier. OpenMedia suggested that when Telus comes to the committee, it needs to answer questions such as whether an individual who agreed to the sharing of their mobility data understood this use by the Public Health Agency of Canada. I suggest it would be impossible for 33 million people or fewer to really understand that this was being used by the Public Health Agency of Canada. The second most important question that needs to be asked is this. Does the consent that Telus relied upon extend to the context in which the Public Health Agency of Canada used this data? Privacy and consent, it says, are highly contextual. If we, as users, give limited permission to Telus to collect, use in a limited way, and disclose some of our mobility data, that cannot and should not be an open-ended carte blanche for Telus to be able to provide this data to other people, including the Public Health Agency of Canada. The next is the most important question of all. I heard universally from security and privacy experts, not just here in Canada but around the world. They asked how exactly this data had been securely de-identified. There are really two issues here: first, de-identification and the risk associated with reidentifying this data; and second, user consent. My office has received correspondence. We have heard from experts, and as I said earlier we heard from a University of Ottawa expert this morning, about the risks of de-identifying data. I want to read out what some of the security experts are saying in the context of this RFP, and why it is so important that the government hold off on it until we get the answers to the questions. Dr. Ann Cavoukian, the former Ontario privacy commissioner, said that without a strong de-identification framework and without de-identification protocols one can reidentify this data. There is a whole collected literature on de-identification of data and the way to easily reidentify it. One has to go to great lengths to de-identify, and I am sure the government has not done this. I go back to what we heard from the Privacy Commissioner today, who said that he was merely informed and not consulted, despite the fact that the Minister of Health last week said that the government were having biweekly meetings with the Privacy Commissioner on this issue. We found out this morning these were not related to the gathering of mobility data, but related to other things happening in the context of the pandemic response. Dr. Cavoukian went on to say that the government should be the greatest concern. Its ability to usurp our information, to tell us what to do and expect us to accept that, in my view, is due to the fact that it is seeking greater control. If we want to connect the dots, and look at some of the patterns created as a result of this pandemic, Canadians are becoming increasingly concerned, and I would say they are concerned at this point, about the expansive overreach by the government. It is using the pandemic to curtail the rights and freedoms of Canadians. We saw the government, at the beginning of the pandemic and through the initial build, try to seize control and get spending and taxing power without parliamentary approval. We have seen this and other sole-sourced contracts that have gone out throughout the course of the pandemic to who I would call well-connected Liberal insiders and friends. I am not suggesting that in this case, but when one starts connecting the dots with this expansive overreach, we can see a pattern with the government. It is causing me great concern, as it is many Canadians.
2831 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard
  • Feb/7/22 4:40:05 p.m.
  • Watch
Madam Speaker, I cannot speak to that because we are simply not at the point of understanding how this data was collected, whether it was properly de-identified, what the risks of reidentification are, and why the Privacy Commissioner was not involved in the process and providing guidance to PHAC. The Privacy Commissioner would have provided guidance to Telus as well. I have trouble understanding the actual risk, in the collection of this data, to the privacy rights of Canadians. The reason I am troubled by that is because there are other programs in place that the Public Health Agency of Canada could have utilized if it wanted to determine public health response, or even the future of public health response. It has access to data within its public health networks, provincially, territorially and municipally. It has hospitalization data. It could have used other government resources without risk to the privacy protections of Canadians by using this as a means, especially without enhanced privacy laws.
165 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard
  • Feb/7/22 4:42:15 p.m.
  • Watch
Madam Speaker, my colleague posed a very important question. We heard members at committee say that the Prime Minister made people aware this was going on and that the government was transparent about it, but it really boils down to the issue of consent. It can be as transparent as it wants, but the bottom line is that if users and Telus customers did not provide their consent for this information to be utilized in the manner in which PHAC did, that calls into question not an issue of transparency, but an issue of whether I am confident in my privacy rights being protected at a time when I should be consenting to that information. We heard from the Privacy Commissioner that there may be other circumstances that allow for privacy to be determined, but we have to increase those privacy laws. We have to enhance privacy laws in order to protect for the purposes that PHAC determined.
158 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard
  • Feb/7/22 4:44:09 p.m.
  • Watch
Madam Speaker, I want to thank my hon. colleague for her kind words. Everybody was saying that this new position as opposition House leader is like drinking water from a fire hose, and as a former firefighter, I never drank water out of a firehose in the way I am today. It has been quite a day. It is an important question, because what we want to be focusing on is not just how the data was collected and what security protocols and privacy protections were put in place; we also, as a committee, determined that we need to move forward, and the Privacy Commissioner was a very important part of this process this morning about enhancing privacy laws. In fact, at the beginning of this pandemic, the Privacy Commissioner wrote to the government and said that in the context of a pandemic, we not only have to make sure that our privacy laws are upgraded, for lack of a better term, but also that there has to be that enhancement in protecting privacy. I am looking forward to the report of the committee, because I think we can present some forward-looking things to the government so that it can enhance those privacy laws in what is becoming an increasingly important part of data collection to determine health responses, but we have to be assured that privacy rights are upheld in the context of that information being gathered.
239 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard
  • Feb/7/22 4:46:50 p.m.
  • Watch
Madam Speaker, I believe the information and the data that are collected do have to be destroyed, but I need assurance and members of the committee need assurance—and this is why we are here today—that the data is being collected in an appropriate manner, a secure manner, with proper security protocols in place, but more importantly, that the information is protected. I would not go so far as to say that it needs to be destroyed. Without looking at that, we have to step back and ask if this was done in a proper manner with proper securities and protocols in place to protect the privacy of Canadians. In the context of the vaccine passports, I have seen the same studies and reports as the hon. member has, and the Privacy Commissioner was quite clear in his statements that this information must be destroyed. We have to make sure that it is not commercialized, not monetized, and, more importantly, that it is not de-identified in a manner that offends the privacy rights of Canadians, which are a fundamental tenet of democracy.
186 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 25 - Feb/7/22
Mr. John Brassard
  • Feb/7/22 4:49:03 p.m.
  • Watch
Madam Speaker, it certainly is unbelievable. They informed him, but they did not utilize his expertise in guiding them on how to properly do this. On the issue of the parliamentary secretary, he is full of bluster. He stands up and he criticizes us, and we accept that. We know where it is coming from.
55 words
All Topics
  • Hear!
  • Rabble!
  • star_border