Evidence of meeting #91 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

David Fraser  Partner, McInnes Cooper, As an Individual
Éloïse Gratton  Partner and National Leader, Privacy and Data Protection, BLG, As an Individual
Daniel Therrien  Lawyer and Former Privacy Commissioner of Canada, As an Individual
Adam Kardash  Partner, Canadian Anonymization Network
Khaled El Emam  Professor, Canadian Anonymization Network

4:10 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

I was telling Mr. Perkins that clause 15 of Bill C‑27 will probably need to be amended. Section 6.1 of the current act sets out certain requirements for consent to be considered valid, including the notion that the person giving consent must be able to understand the purposes and consequences of disclosing the information. This terminology does not exist in Bill C‑27 and I believe it would be much better to retain the current wording.

4:10 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

In a conference I heard you speak at recently, one of the things you talked about was personal information as a raw material, whether it's public or personal. I think it's worth thinking about this question in committee. Does information that is posted on Facebook, for example a photo, really become public?

4:15 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

In common parlance, when people post personal information on a social media platform and allow certain other people to see it, one might think that this information becomes public. Importantly in this context, one might also think that companies and commercial organizations could use this information as public, rather than personal, information. However, the current law provides that this information remains personal and cannot be used by companies, except in accordance with the law.

I think this is a good aspect of the current law, and the fact that nothing in the current text of Bill C‑27 changes this is a good thing.

4:15 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you.

4:15 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you, Mr. Lemire.

Mr. Masse, you have the floor.

4:15 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

Maybe I'll start with the witnesses who are online.

I'd like to get everybody's position on the tribunal—whether you're in favour or opposed, and a couple of thoughts on that. I'll have to share the time with everybody, but we'll start with our online witnesses, because they often get missed.

Please, who wants to go first? Pick yourselves.

4:15 p.m.

Partner and National Leader, Privacy and Data Protection, BLG, As an Individual

Éloïse Gratton

I'll start, if that's okay.

The Privacy Commissioner's office has been working so far as an ombudsman model, and it also has an advisory branch. That's quite useful.

This means that when there's an investigation, there's a conversation. There's a dialogue. In some cases, businesses can go knocking on their door and say: “Hey, what do you think about this business model? We want your input.” I'm just concerned that if there's a tribunal, will that relationship potentially be impacted? I guess that's concern number one.

My other concern is the fact that a lot of these privacy principles are quite flexible, and we need that in our privacy law. On the notion of consent, sometimes it's expressed and sometimes it's implied. It's subject to the reasonable expectation of the individual. Security measures have to be adequate in light of the content. There is so much in grey zones and uncertainty. Now it's in the law. It's no longer principles. Adding the tribunal is just perhaps a layer of risk for businesses that have to navigate with a lot of grey zones in the law.

4:15 p.m.

NDP

Brian Masse NDP Windsor West, ON

I have only about four minutes or so left. If we could share, that would be great.

4:15 p.m.

Professor, Canadian Anonymization Network

Dr. Khaled El Emam

I'll just add one quick point: Reducing uncertainty is always beneficial. To the extent that any additional requirements increase uncertainty or add additional hoops for organizations to know what they have to do, it generally results, in some places, in paralysis or important decisions not being made.

4:15 p.m.

NDP

Brian Masse NDP Windsor West, ON

Mr. Fraser is next. I'm going across the board here.

October 24th, 2023 / 4:15 p.m.

Partner, McInnes Cooper, As an Individual

David Fraser

Starting with the assumption of having order-making powers and penalties, we do need to have an independent decision-maker, in my view. That could be the tribunal or that could be the Federal Court.

I don't see why it couldn't be the Federal Court. I'm concerned that standing up a tribunal is actually going to delay the implementation of this legislation, because it's going to take a number of years simply to hire the staff, rent the photocopiers and all of those other things.

4:15 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Fraser.

Next is Mr. Therrien.

4:15 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

I will try to be brief.

The goal of these provisions should provide quick and effective remedies for citizens. In no other jurisdiction that I know of is there a tribunal such as that proposed in this legislation. In all other privacy jurisdictions, the original decision-maker, including with the power to make orders and set fines, is the data protection authority that is the equivalent of the Office of the Privacy Commissioner.

I hear concerns about the difficulty for the OPC to work with different roles. That is not a problem in other jurisdictions. It is well known in law that it is possible for an administrative tribunal to have investigative, advisory and adjudicative functions. This needs to be managed and it can be managed. There is no problem there.

I think the tribunal will create delays and will simply be duplicative of the expert work of the Office of the Privacy Commissioner. Again, there is no precedent internationally for this.

4:20 p.m.

NDP

Brian Masse NDP Windsor West, ON

Mr. Kardash, I don't know if I have time.

You can take it from my next round, Mr. Chair. I would like to hear him.

Thank you.

4:20 p.m.

Partner, Canadian Anonymization Network

Adam Kardash

I personally am fully in favour of the tribunal.

I think it's important to start the conversation with looking at the sheer quantum of the potential penalties for contravention of the act, which, comparatively speaking with any other statutory framework, is a mess. With larger corporations, it's hundreds of millions of dollars.

As Mr. Fraser mentioned in his opening remarks, it's absolutely imperative in a circumstance when you're introducing a regime with that level of penalty, which could be potentially impactful for businesses in every constituency here, that you just have a procedural fairness piece on that and that everyone agrees with that. This will add to that procedural fairness piece and it will allow for, in my view, an appropriate articulation of whatever the penalty is or should be in a particular circumstance.

4:20 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you.

Thank you, Mr. Chair.

Thank you to the witnesses.

4:20 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much.

I will now turn to Mr. Williams for five minutes.

4:20 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you, Mr. Chair.

Mr. Kardash, I'll start with you.

I know it's all in here, but can you explain, in one sentence for each, what the definition of “de-identify” is and what the definition of “anonymize” is?

4:20 p.m.

Partner, Canadian Anonymization Network

Adam Kardash

It's a good question. These are technical terms, and they often cause confusion.

CANON was established to help demystify this terminology, because that ambiguity creates uncertainty and uncertainty creates reticence risk. It's an issue.

Simply put, de-identifying data is the removal of direct identifiers. The language is quite elegant within current language in the CPPA. When you remove direct identifiers, you still have indirect identifiers. In other words, the data is still potentially identifiable. De-identified data is still regulated by the statutory framework.

Anonymized data, which was the subject of my opening remarks, has a more exact definition that sets the standard for the application of the statute. I think it's really important to go through, given how technical these terms are. The current definition talks about irreversible and permanent modification in accordance with generally accepted best practices to ensure that an individual cannot be identified from the information, directly or indirectly.

Our view and the view supported by our extensive consultations and jurisdictional analysis, etc., is that it doesn't work. You need the contextual piece of the reasonably foreseeable risk in the circumstances, which is embedded in Law 25 and which is embedded in PHIPA. You'll see in the briefs that we provide you with these other regimes.

Anonymized data means there's no foreseeable risk, in the circumstances, to identify the individual.

4:20 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

If I understand you correctly, you've stated that you can use de-identified information as long as it complies with clause 74 of the bill, as you've noted here. Is that correct?

4:20 p.m.

Partner, Canadian Anonymization Network

Adam Kardash

Yes, the essence is.... It's even broader than that. I think it's important to note that de-identified information is subject to all the protections within the statute.

Yes, there has to be a recognition of how you de-identify. I think you're referring to clause 74 with proportionality, and it has to be brought in. That's right.

4:20 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

The reason I say that is there is a case study we can use. Mr. Therrien knows well about this.

In the holiday season of 2021, Telus was selling data to the Public Health Agency of Canada. Canadians who went out during a lockdown to visit the pharmacy or went to the grocery store were tracked, and that data was sold to the Canadian government.

We did then talk about this in the ethics committee.

Mr. Therrien, you were very succinct in your comments. There were two parts to this. There was not implied consent. You noted, “While there is reference to 'data for good' programs somewhere in the Telus privacy policies, while the government does make an effort to inform citizens...I do not think anyone would seriously argue that most users knew how their data would be used.”

I'm trying to back this up. My real question is, does this act, with your amendments, fix that situation?

I'm going to ask Mr. Kardash that first.

Mr. Therrien, the question for you afterwards would be this: Does this act go far enough to address the consent model we're looking for if this were to ever happen again?

Mr. Kardash, I'll start with you.

4:20 p.m.

Partner, Canadian Anonymization Network

Adam Kardash

The requirements for consent in the regime apply to personal information. It could be de-identified data, which is just the removal of direct identifiers. They don't apply to personal information where, as the statute is currently drafted, it's “reasonably foreseeable”.

The Office of the Privacy Commissioner of Canada did an excellent job in that investigation. I know it well; I acted in that investigation. In their careful analysis, they determined that the data that was received by the Public Health Agency of Canada was not identifiable in the context of the disclosures that took place. Therefore, if the data was not identifiable, it's not personal information. If it's not personal information, it wouldn't be subject to the consent requirements or to the statutory regime.

Our surgical amendments make no difference to that. In fact, it reflects the current law, etc.

Again, I can't overstate the exceptionally high standard for what is personal information right now. You have to look contextually at the circumstances and you have to look at the technical methods for de-identifying, which are wrapped in administrative controls, security controls and physical controls. That suite of controls was implemented on top of some very sophisticated methods to ensure that the Public Health Agency of Canada, as determined by the Office of the Privacy Commissioner of Canada, did not receive any identifiable data.

4:25 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you.

I want to allow some time for Mr. Therrien.

Sorry; I only have a couple seconds left.

4:25 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

I would agree in large part with Mr. Kardash.

When I was commissioner and we were seized with this matter, we had not seen the measures taken by companies to anonymize the information. In short, de-identified information is still personal information and requires consent.

Do the consent provisions need to be improved in the CPPA? Yes, they do, but that's in the scenario of de-identified information. If the information is truly anonymized, it is no longer personal. It is no longer at risk and can be shared more freely.