Industry Committee on Oct. 24th, 2023

I think that proposed section 15 on consent does need to be amended, and I speak to this in the document that I left with you.

On the concept of “legitimate interest”, I would give the following advice. This is a concept that exists in European law, which is considered to be the gold standard internationally. I think it is possible to have a “legitimate interest” type of exception to consent, provided that the sum total of proposed sections 2, 5, 12 and 94 actually do protect privacy as a fundamental right. There's no inconsistency between “legitimate interest” and considering privacy as a fundamental right.

Yes, we have a problem.

I think the bill is acceptable in that it really seeks to balance privacy protection and the interests of organizations that collect personal information for legitimate purposes. That said, the bill doesn't go as far as Europe's regulation, which is clearly more robust in a number of ways.

I should probably start by clarifying that statement.

One of the underlying principles of privacy is that individuals retain control over their personal information. That idea goes back to the early 1970s, before the Internet came along. Things have obviously changed since then. Today, we are dealing with huge amounts of information and complex business models, not to mention partnerships. On top of that, privacy policies are very long, complex and detailed to ensure that individuals have all the information. However, they don't take the time to read all that information because it's so complex and burdensome.

Keeping that in mind, I think it's worthwhile to try to reduce the need for consent and to focus on situations that require the individual's consent, while introducing other legal grounds for protecting the individual, a bit like what Europe did with the GDPR. In that respect, with the exceptions to consent, I think the bill is definitely a step in the right direction.

Clearly, other safeguards are needed. For instance, in order for the legitimate interest exception to apply, the company has to document why it considers the collection or use of the information acceptable and carry out a risk assessment. There are safeguards. Companies have to do a bit more work to make sure that they are protecting individuals' right, and they are subject to penalties. Companies want to be compliant and good corporate citizens, of course, but they also want to avoid penalties. With the penalties, which are in line with what we see in Europe, the bill provides that incentive.

Are you talking about security?

There aren't that many changes, in the sense that the article dealing with protection and adequate security measures will still be technology-neutral. We're referring to current standards. As lawyers practising in this field, we will often rely on decisions handed down by privacy commissioners, who will cite the type of measures that were expected to be in place at the time, in the context and according to the given technology. I think it's right to keep that flexibility, to make sure we're relying on the security standards of the day, which are constantly evolving.

At the moment, clause 39 introduces an exception, but it goes in one direction only. Private sector companies can share information without restriction, but with public sector bodies. In my submission, I point this out and say that there should be protections in place, even if they are public sector bodies. My reasoning is that if it's good for the public sector, maybe it's also acceptable between private sector companies.

Obviously, there have to be security measures. For example, in Quebec, there may be exchanges in certain cases. You have to do a privacy risk assessment first, and then you have to file an agreement that has to include certain clauses. In my opinion, there's a way to strike a balance.

However, I think excluding private sector companies from the application of clause 39 here is shooting ourselves in the foot. Private sector companies have a lot of resources, ideas and data. Why deprive ourselves of this if we want to favour innovation?

As I told you, there could be a privacy impact assessment. Risks would be identified and how to reduce them. Organizations wishing to exchange data could be required to provide this assessment to the Office of the Privacy Commissioner of Canada, allowing oversight of projects where data is exchanged. These organizations could also be required to enter into contracts that include minimum requirements for the implementation of security measures.

If we notify the commissioner, assess the risks, provide contractual clauses and ensure that data is properly secured and de‑identified in certain situations, I think we could strike an acceptable balance.

The Quebec and federal provisions are certainly similar. Those in Quebec are probably a little more stringent in some respects and include additional requirements, such as profiling in section 8.1 of the Quebec law, as well as the need to perform risk factor assessments before transferring data outside Quebec.

The analysis you mention is therefore certainly acceptable: if we compare the new Quebec requirements with the provisions of Bill C‑27, there is no doubt in my mind that Quebec would pass the test.