Evidence of meeting #122 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was sensitive.
A video is available from Parliament.
11:55 a.m.
Liberal
11:55 a.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Thank you very much.
I agree that this has been a good discussion all around.
I think we may have to back it up a bit. When we look at the difference between personal information and sensitive information, the difference with sensitive information is that the potential harm or discrimination is greater. What we're doing is ensuring that there's an extra layer of protection when we're looking at these examples.
I'm one of the members who disagree with not having financial data on there. I think there's a higher degree of identity theft and fraud. It's the same with a driver's licence. Increasingly, through and through, we're seeing that Canadians are under threat of having their identity stolen. As technology gets better and we see Canadians using more apps and more technology, they're finding their privacy is under threat. I think listing these items as sensitive, especially when we see increased vulnerability from Canadians, is really important.
Mr. Schaan, where are we using “sensitive” in this bill as a whole? When we're talking about sensitive information, where are we using it generally?
11:55 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I'll start, and then I'll turn to Mr. Chhabra.
As Mr. Chhabra noted, “sensitive” comes up in a number of places in the bill, the most important of which notes what you can't rely on as a use of information if the information is deemed sensitive, which is the example he just went through with Mr. Vis. We've cited a two-part test, essentially, for things like implied consent, and you can't rely on implied consent if the information is deemed sensitive, which means that it requires express consent.
Just to go back to last week's discussion, that's not to suggest that things like your driver's licence number or your personal information of a financial nature have zero protections. They have considerable protections, and by allowing, through guidance-making powers, the OPC to opine on these issues, you can get to effective oversight of that information without necessarily suggesting that in every instance, they require express consent, which is the most important part of what happens when you deem something sensitive.
I'll turn to Mr. Chhabra just to lay out again where “sensitive” comes up in the bill.
Noon
Conservative
Ryan Williams Conservative Bay of Quinte, ON
I'm sorry, but I'd like one more piece of context, Mr. Chhabra, when you're answering.
We use the word “generally” when we're identifying what's sensitive. Would the legalese for “generally” not imply that it's requiring an offer of acceptance or consideration without putting too much emphasis...? Are there ways that “generally”, used in this context, also allows a bit more flexibility?
Noon
Director General, Strategy and Innovation Policy Sector, Department of Industry
I would agree that the way it's formulated is intended to rely on the context-based assessment that would be undertaken. When you say something would “generally” be considered sensitive, you're giving an indication of direction. You're setting a policy framework parameter that allows for interpretation to occur effectively.
What is being contemplated before the committee now is to lock in a definition of “sensitivity” in the definitions section and then attempt to rely on it meaning generally sensitive. That becomes a law that is full of ambiguity and is very difficult to interpret and apply. It's not what the OPC has asked for, which is to have a context-specific determination with an indication, potentially, of some areas that could be considered sensitive.
To your earlier question on sensitive information, it's referenced 17 times in the act. I'm happy to reference each, if that would be helpful.
Noon
Conservative
Ryan Williams Conservative Bay of Quinte, ON
It's not in the definition, but it is implied that this has a greater potential for harm and discrimination against individuals. We've looked at this whole bill from the outset, and it's not yet in the purpose statement that privacy is a fundamental right.
We're looking around the corner, and I'm looking to add an amendment. I'm going to add one piece that isn't in here that I think is really important, given where technology is going to be in the next 10 years or so, which is on location data. When we look at that piece of information, location data is everything we have on our phones, our watches and our cars that identifies who we are and where we are.
Going backwards on that, when we look at financial data, it is also evolving. We have open banking in front of the government right now. We've been pushing for that. Open banking is about ensuring that customers have control of their financial data with their consent. That's very much the wording of what we've listed. Customers then have control of that.
If it's not sensitive data, then what are we doing with consent and how we're giving it? I think it's a form of control for Canadians and for people that, when we're looking at privacy as a fundamental right, it is listed most of the time that on your consent, you can move your information somewhere. If your data is being recorded and tracked, it has to be with your consent. To me, that, by its very nature, when it comes to harm or discrimination, is sensitive. Further along in the bill—because we're only on the definitions side of this—we can take that context and debate how that's used or what's going to happen. However, I don't think we should be taking that out of what we deem to be sensitive.
If we go to the potential for harm or discrimination, obviously we're looking at an extra layer of protection for security PIAs, but I think we're really, as a committee, just defining information that is exceedingly being used in identity theft, fraud, stigmatization and discrimination. I think all we're doing is listing that as something we want to protect, and I think what we've been trying to identify are those things.
Mr. Chair, I'm going to talk about it first, but I'd like to add paragraph (i), which would be location data. I'll note why that's important really quickly.
Location data is considered sensitive for several reasons. We have personal security and safety. Location data can reveal where a person lives, works and frequently travels—
Noon
Liberal
Noon
Conservative
Ryan Williams Conservative Bay of Quinte, ON
I don't think we have a chair for the point of order.
We can take a recess, Mr. Chair. What is the soup today?
Noon
Liberal
The Chair Liberal Joël Lightbound
I was inspired by Mr. Perkins.
Mr. Turnbull, go ahead on the point of order.
Noon
Liberal
Ryan Turnbull Liberal Whitby, ON
I just wanted to check whether you can introduce an amendment to a subamendment. I don't think you can. I think Mr. Williams is sub-subamending something, which is not procedurally correct.
12:05 p.m.
Liberal
The Chair Liberal Joël Lightbound
That is correct, Mr. Turnbull; you can't amend a subamendment. We are now debating a subamendment.
Mr. Williams, perhaps, should this subamendment by Mr. Garon be passed, you can amend the amended amendment.
12:05 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Yes, okay. Then I will summarize it.
I'm not making the amendment now, but in relation to my argument about sensitive data, location data is certainly an addition. Going back to my original argument on this, I think when it comes to what we're looking at for consent, this is not the section in which to debate that. I think we're debating what is sensitive data, what can be used for potential harm or discrimination and what needs an extra layer of protection. Certainly, I think the items that have been listed are all part of that, and I believe that Mr. Garon's subamendment is a good one.
12:05 p.m.
Liberal
May 6th, 2024 / 12:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
I think it's important to note we're at an impasse. There's a philosophical argument here more than a technical one with regard to the bill. For me, the use of data in the system that financial institutions currently employ is inefficient for the economy. It is certainly to the disadvantage of the consumer, and that's one of the things I'm looking to change with this bill.
I joked about automobiles when Mr. Williams mentioned some of the location issues that he referenced. He's actually very astute in saying that, because the value of automobiles in the future will be as much about gathering information as it will be about producing, manufacturing and distributing them back into society. It's going to be about the value of the consumer, who needs to have some choice.
This rights a social injustice and an economic dependence model we have when it comes to financial institutions. That basically puts consumers and small and medium-sized businesses at a disadvantage in our economy. It's pretty abhorrent that some of the information gathered right now by credit card companies is routinely distributed and sold to give a financial institution leverage to use against its own customers.
What I want to see this amendment do, from where I'm standing at this point in time, is strengthen the path forward so people have a calculated ability to use their information to quantify that, even economically if they want, by consent. I think some of the fear coming out of this is that if you do anything on your phone, you're going to be crippled, because we've gone ahead with this type of amendment. However, it can be quantified so that if you, for example, want to sell or give access to your information in an empowerment model, it can be for reduced fees and costs or for financial incentives, which could be granted to you through the changed system of information.
I don't really have a question at this point in time. I'm not sure how far the government wants to go down this road if they don't have support from other parties for their particular position. I understand where it comes from. I understand some of the arguments that have been made. It really comes down to a determination of how long they want to prolong this bill and prolong this process, because I'm not moving off the spot. It's of definite benefit to the social and working class to have empowerment models for their financial information and otherwise. It's up to businesses to come forward with a model that works for them. It comes at the expense of having better supports for the consumers and supporting their customers.
Where we go at this point, I'm not sure. I think there's a philosophical impasse at the moment, and we can continue to have more questions and comments. However, I would like to see the privacy component of this bill move quickly. At the same time, I'm looking for a philosophical change. That's where the NDP is at this moment. We're using the leverage we have at this point in time as an opportunity to turn the financial institutions back to where they should have been historically, which is serving customers. Information is everything in this day and age, so taking more opportunities to leverage it for the working class is what we should be doing, because the fees, the costs and the financial way this country has been endorsing these policies are very inefficient for productivity.
I'll conclude with that because it's very important to understand that our money management and information systems are very much tied at the hip. Why would we undermine consumers or individuals being able to exercise their rights? That would be a mistake.
12:10 p.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Thank you, Mr. Chair.
Many things have been said about this amendment.
First, the government doesn't want it. The government doesn't want our extremely sensitive financial data, which can be stolen and used, subjected to a fairly high level of consent.
It's deplorable. I can't repeat it enough. We don't know who the minister consulted before tabling Bill C‑27, which ended up generating a ton of amendments because it was poorly drafted in the first place.
We don't even know which banks, which financial institutions, which insurance companies or which private interest groups were consulted. Perhaps consumer groups were involved. We don't know. However, clearly, if we're to again believe the advocates of this bill, we seem to be hearing from people in the industry.
My subamendment has been worded to include the contextual component. When we say that “the individual generally has a high expectation of privacy”, this implies that the Privacy Commissioner can incorporate the contextual component. There's absolutely no ambiguity here.
In Quebec, Law 25 provides some protection for financial data. However, we would like to remind the government that most financial institutions are federally regulated.
Mr. Chair, I would like to share the following quote from a Supreme Court ruling: “… I agree with the Privacy Commissioner that financial information is generally extremely sensitive.” I repeat: “… I agree with the Privacy Commissioner that financial information is generally extremely sensitive.”
This ruling is found in the Trang case. The Supreme Court recognizes that, in some circumstances and business relationships, a certain amount of consent is implied and the courts have leeway when it comes to interpreting that consent.
My subamendment doesn't say that financial information is always sensitive. Nevertheless, generally speaking, that's what it says for cases where the circumstances point to a high expectation. This fully aligns with the Supreme Court ruling in the Trang case. The subamendment was written with this in mind.
I also really want to emphasize that I share my colleague Mr. Masse's view that not including financial information would mean a step backwards from current law.
Once again, we stand by our position.
I also want to quickly address the comments made by my colleague, Mr. Williams.
We're saying that sensitive information isn't limited to the information on the list. Geolocation data is an example of information that could be considered sensitive, if the individual generally has a high expectation of privacy in this area and if the information is read in context.
This shows the importance of providing a certain amount of leeway given that five‑year reviews don't always take place after five years. In some cases, they take place after 8, 10 or 12 years.
I think that the amendment should be passed.
Lastly, consent fatigue must be taken into account. We're told that people will become tired of having to consent to the use of their information. Given this sociological phenomenon, we should refrain from including a person's financial information in their sensitive information.
I have no doubt about the scientific training of the officials here today. However, I took the liberty of consulting the scientific literature to find out about consent fatigue. That's what I read.
I understand that people may ultimately become tired of having to give their consent when alerts pop up every five seconds on their Apple watch—like my colleague Mr. Turnbull's watch—each time a bank wants to use their personal information.
However, apart from the office of the Minister of Innovation, Science and Industry, the fact remains that no one is currently talking to us about consent fatigue.
People are afraid that their data will be stolen and used.
People are afraid of being located. We know that devices, especially cell phones, contain a great deal of information. People talk to us about it. However, I have never heard anyone ask me to be careful that we don't wear them out when we legislate to protect their personal information. That has never happened to me. I don't accept that argument.
12:15 p.m.
Liberal
12:15 p.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
I'm hearing out all my colleagues here, but I really feel like this is going to have a negative impact. The officials have said to us numerous times when I've asked them questions that this subamendment deems everything on that list, even though you can add to the list, as sensitive, and therefore requires express consent every time the data is collected, used or disclosed. Just imagine the impact that might have.
This is not to argue against the points that have been made. Ideologically, yes, I agree. All of the information is important information that needs to be protected and should come with some pretty stringent requirements. That's part of the construction of this bill, as I understand it. That doesn't mean that every single piece of personal data should be deemed sensitive. I know that's a bit of an overstatement, but I think we've argued numerous times that this list includes things that are not in the EU's GDPR.
I have the EU's GDPR right here. I'll give you the very specific information that's included in it. I'm surprised that members are arguing that this list is included in the GDPR. It's not, as far as I can tell. When I type in what personal data is considered sensitive in the EU's GDPR, it lists this:
...personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation....
That's it.
I also understand, from asking officials, that the list that's here.... We have paragraphs (f), (g) and (h), and Mr. Williams wants to add (i), which is location data, if we ever get to that point. I would argue that this list would put us out of alignment with both the EU and Quebec's Law 25.
Can I clarify that, Mr. Schaan, and get you to state that again? Is it the case that we would be out of alignment if we had all of paragraphs (f), (g) and (h)? If they're included successfully and this subamendment gets passed, that will put us out of alignment. In other words, Canada would have a law that is more stringent than Quebec when it comes to deeming personal information sensitive. Is that correct?
12:15 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
By the drafting of the list currently and including these broad concepts, yes, it would extend well beyond what is currently deemed sensitive under both Quebec's law and the GDPR.
12:15 p.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
Would this harm commerce in the country? Would this have a really harmful impact on the general flow of commerce? We walk into grocery stores. We buy things. We use our Interac cards all over the place.
What impact would this have on the average Canadian? I think it would have a pretty significant impact.
12:15 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I'll let my colleagues weigh in as well.
The value chain for the processing of financial information in particular is a multi-stage value chain. It involves multiple players outside the initial collector because there are people in the value chain for financial services who do very different things.
There's the initial piece about the payment, transaction and point of sale, which potentially collects the initial information. It then needs to continue along the value chain to ultimately allow the funds to come out of your bank account and get paid to the people who are supposed to receive them. By suggesting that this is generally sensitive information, it will require express consent, which means that you need to expressly consent for every single step along that value chain, because each one of those things is considered a disclosure. At minimum, that upends a significant number of current business processes, but it will create a significant amount of responsibility for the individual to allow for the movement of their financial data and allow for the continued fulfillment of their economic needs.
I'll turn to the team to see if they want to add anything.
12:20 p.m.
Director General, Strategy and Innovation Policy Sector, Department of Industry
Just briefly, to echo what Mr. Schaan said and amplify it a bit, you can think about this in terms of the impacts that it will have on commerce on a day-to-day basis. You can also think about it in the context of interoperability of systems. A big discussion at this committee over several different meetings was about the degree to which Canadian businesses are incentivized, the degree to which the competition framework drives innovation and the delivery of new and effective services, and the degree to which our systems are able to attract investment.
I believe committee members this morning referenced open banking or consumer-driven banking, which is an ecosystem that relies entirely on data-driven innovation to create new competitors and to shake up the legacy system. In that context, having a different rule set or approach to the sensitivity of information could have an impact on the degree of investment attraction and the new services and offerings that are developed and put on the market. Again, an important piece to consider is whether there's actually a significant enough value-add from adding financial data to outweigh those other considerations.
12:20 p.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
Is this what the OPC asked for? It sounds to me like the Privacy Commissioner is not asking for this particular approach. The Privacy Commissioner wants some categories of sensitive information to be identified, but wants to be able to use discretion and consider context in identifying how sensitive certain personal information is. Is that not correct? What would the Privacy Commissioner say about this particular subamendment if he were here today?
12:20 p.m.
Liberal
The Chair Liberal Joël Lightbound
Before we get to an answer, Mr. Turnbull, I'd appreciate it, colleagues, if you waited until the end of the meeting to have discussions, or you can ask for the chair to suspend the meeting. Out of respect, please, I ask everyone to listen to the discussion we're having. It's an important one.
Go ahead, Mr. Schaan.
12:20 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The commissioner indicated in previous fora that he believes it's important that we have a definition of “sensitive”, that it list the categories that are likely to be sensitive and that it include context for collection, use or disclosure to allow for context to be laid out through his guidance. The categories that he's listed do not include those that are currently in paragraphs (f) through (i).
I'll turn to my colleagues to further confirm that.