Appearance before the Senate Standing Committee on Legal and Constitutional Affairs on Bill S-203, An Act to restrict young persons’ online access to sexually explicit material
June 2, 2021
Opening Statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Thank you for the invitation to speak with you today. With me is Martyn Turcotte, Director of the Technology Analysis Directorate at the Office.
Protecting children in a digital environment is of the utmost importance. As you know, the UN Committee on the Rights of the Child has recently emphasized that the rights of every child must be respected, protected and fulfilled in the digital environment, and this includes the right to privacy. We support efforts to incorporate special consideration for children’s rights in the digital environment, including through implementing privacy safeguards that specifically address their interests.
Bill S-203, An Act to restrict young persons’ online access to sexually explicit material, raises a number of privacy-related issues primarily to do with the age-verification scheme and the protection of the personal information that is required to be collected to facilitate the process. It is on these issues that I will focus my remarks today.
Based on the current text of the Bill, the Governor in Council may make regulations prescribing the age-verification methods referred to in subsection 7(1). Because these methods have yet to be determined, I will provide you with a number of considerations.
This Committee has suggested encryption and the use of third parties specializing in age-verification services as a way to reduce risks of privacy violations. You have also discussed some challenges around the use of biometrics, in particular facial recognition technology.
Canada’s private-sector privacy law, PIPEDA, applies to private-sector companies implementing age-verification technologies in a commercial context.
Current digital age verification systems use diverse technologies, analytical methods, and safeguards. No two systems are identical: the design, implementation and potential for vulnerabilities may differ from one system to another. Moreover, the risks are constantly evolving. In our opinion, the key is to ensure that there are several lines of defense.
Regardless of the mechanism chosen, the user will ultimately be required to provide some amount of personal information. However, in any digital age verification system, the principle of data minimization should be applied to reduce data matching and surveillance of individuals. There should also be strict controls on access to user data.
It is also possible to use a system of tokens to substitute sensitive information with a random string of characters that have no value.
Encryption is a process used to ensure the privacy and security of data. When data is encrypted, it can be sent over the Internet and generally be stored without fear of its confidentiality being compromised. However, inappropriate, outdated encryption technology or flaws in its implementation can render it less effective or even useless. In this context, encryption is not a foolproof method to eliminate the risk of user re-identification.
On the other hand, the use of biometrics or facial recognition to verify or estimate a user's age raises unique privacy concerns. Biometric technologies are generally very intrusive. In addition, their effectiveness in accurately verifying age remains to be demonstrated.
Other methods of age verification that do not require the digital storage of personal information could also be considered. For example, an individual could have their government-issued ID card visually verified at a point-of-service location to have their age confirmed, and then receive a verified key or code that can be used online in a way that cannot be traced back to them.
The age-verification process will also apply to adults. In the absence of proper privacy measures, it could increase the risk of revealing adults’ private browsing habits.
The adoption of clear practices on how to verify the age of users will help reduce the risk of breaches, unauthorized use, or reputational harm.
Due to the nature of the risks associated with the collection and use of data needed for age verification, there must be clear requirements for privacy, including technical safeguards. It will be important that the chosen age-verification method be designed and implemented with sufficient privacy protections so that Canadians feel secure in providing their personal information.
With that, Mr. Turcotte and I welcome any questions you may have.