Appearance before the Standing Committee on Transport, Infrastructure and Communities (TRAN) in relation to its study of Automated and Connected Vehicles in Canada
May 9, 2018
Opening Statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good morning Honourable Members.
I would like to thank the Committee for the invitation to appear before you today in the context of your study of automated and connected vehicles in Canada.
Types of Data in Autonomous and Connected Vehicles
Modern Cars are more than simply vehicles. They have become smartphones on wheels — mobile sensor networks, capable of gathering information about, and communicating with, their internal systems, other vehicles on the road, and local infrastructure. This information is not strictly about the car; it can be associated with the car’s driver and occupants, and used to expose patterns or make inferences about those people for a number of purposes not all related to the functioning of the vehicle or safe transportation. For instance, these vehicles collect information about driver habits and behaviour, biometric and health data, location data, personal contacts, schedules and communications, and entertainment content, which could be used for marketing, usage-based insurance, navigation, and so on.
Most of these data flows in the connected car are very complex and not transparent. Individuals are accustomed to simply getting in a car and driving, and may have little awareness about how the data captured by a connected car may be used in the background, let alone the implications of those uses, or of any options available to limit, disable or otherwise control them.
The benefits available to Canadians through the arrival of connected and autonomous cars may be significant. However, consumers’ trust in these technologies will only take hold when the appropriate balance is reached between information flow and privacy protection.
Meaningful Consent and Demonstrable Accountability
Over the past several years, my Office has set out to identify improvements to the current consent model under federal private-sector privacy law. What became clear to us throughout this work is that individuals want to retain the ability to make decisions about their data, and organizations still need to do a better job of explaining what they propose to do with the personal information they collect. In an attempt to improve this situation, we have updated our Guidelines for Online Consent, which now outline seven underlying principles for obtaining meaningful consent.
In the context of the connected car, there may be certain scenarios where it would be inappropriate for the driver to control how the information is used, for instance, when the data is necessary for road safety or proper functioning of the vehicle. However, many others should be subject to individual choice. In that respect, we think our guidelines for consent will be useful.
While we believe meaningful informed consent continues to have an important role in protecting privacy, it is also clear that the consent model is challenged in this new world of increasingly complex data flows and business models.
In these situations, as is clearly the case with the connected car, consent needs to be supported by other mechanisms, including industry codes of practice, Privacy by Design, and strong organizational accountability and respect for privacy rights.
Likewise, proactive enforcement is required to ensure independent review of compliance with these requirements and to hold organizations to account. The time has come for more modern privacy laws, which are urgently needed to protect us, as both citizens and consumers. I am calling for amendments to the law to allow my Office to go into an organization to independently confirm that the principles in our privacy laws are being respected – without necessarily suspecting a violation of the law. These are not extraordinary powers but rather authorities that have been exercised for a long time by other regulators.
This shift towards stronger accountability of organizations and more proactive enforcement of privacy laws is necessary to achieve truly meaningful privacy protection in a technologically complex world.
To conclude I would like to acknowledge the study by the Standing Senate Committee on Transportation and Communication on this very topic. I was encouraged by the Senate Committee’s report which gave significant weight to the privacy issues we raised during its study and made four privacy-focused recommendations. I note in particular its Recommendation #8, which reiterates my recommendation that the law be amended to empower my Office to proactively investigate and enforce industry compliance with PIPEDA,Footnote 1 as well as its Recommendation #10 to bring together relevant stakeholders to develop a coordinated framework for connected vehicles, with privacy protection as one of the key drivers.Footnote 2 I look forward to Government’s response to this report, and in playing a key role in future developments.
Engaging and informing consumers so that they can make reasonable choices, empowering the regulator, and setting in motion a coordinated approach to connected vehicles clearly resonates with how my Office envisions dealing with issues of consent and the privacy challenges associated with connected vehicles.
Thank you Mr. Chair and members of the Committee for the opportunity to present my views today. I look forward to your questions.
- Date modified: