Evidence of meeting #91 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
4:45 p.m.
Liberal
4:45 p.m.
Liberal
Iqwinder Gaheer Liberal Mississauga—Malton, ON
Thank you, Chair.
I just want to say thank you to the witnesses for appearing before the committee and for their useful testimony.
My questions are playing off what Mr. Vis said. I wanted to talk about socially beneficial purpose as well. My questions are for Mr. Kardash.
We know that according to proposed section 39 of the consumer privacy protection act, an organization has the right to disclose to certain entities de-identified personal information without the knowledge or the consent of the individual if the disclosure is made for a socially beneficial purpose. That is defined in the bill. It means “related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.”
Do you think that this definition of “socially beneficial purpose” is enough to protect the privacy interests of Canadians, in addition to the fact that this is already de-identified information, which, as you said in your opening testimony, is already a pretty high bar? It's an exacting standard.
4:45 p.m.
Partner, Canadian Anonymization Network
This provision was the subject of extensive discussion in CANON's consultations. In our brief, which was submitted to INDU, you'll see some specific provisions we are suggesting to enhance privacy protection with respect to the personal information that would be subject to these disclosures. Éloïse Gratton mentioned elements of these.
We indicated, in addition to personal information being de-identified, notification to the Office of the Privacy Commissioner of Canada and entering into a specific agreement that binds the recipient. Then we added—in order to ensure we stay temporal with this and current—that the organization must comply with any other prescribed requirement. It gives the government an opportunity to reassess and then introduce regulations to further add even more requirements for perhaps the recipients of the data or the disclosing entity.
We think disclosure for socially beneficial purposes is excellent, because of the good. It's “data for good”. However, we strongly believe, and we've made specific recommendations to this end, that there should be additional privacy protections implemented with respect to that provision in order to help strike this balance.
4:45 p.m.
Liberal
Iqwinder Gaheer Liberal Mississauga—Malton, ON
When I hear that testimony.... You said you have already identified that it's a pretty high standard, an exacting standard. You actually want to lower that bar for information that's de-identified and that can also serve a socially beneficial purpose.
Do you feel that strikes a balance already, or would you go even further?
4:45 p.m.
Partner, Canadian Anonymization Network
Our sense—again, this is based on extensive consultations—is that, as the bill is drafted, and taking into account that you can't look at any exception to consent in a vacuum, all of those disclosures are subject to many statutory provisions in the act, if you are relying on an exception to consent to disclosure. However, with respect to this provision, we believe it would strike the necessary balance if you enhance the privacy protections with our suggested amendments, together with—as mentioned by other witnesses in today's hearing—a prescribed requirement for additional protections over time being introduced by the government, if it feels it's necessary to do so.
“Data for good” is something that could be extraordinarily helpful. There's a wealth of unknown benefits to all Canadians. When we saw this provision initially, there was broad-based support. However, we fully recognize some of the concerns, and we address them with our suggested revisions. We think that with our suggested revisions, it's a good balance.
4:50 p.m.
Liberal
Iqwinder Gaheer Liberal Mississauga—Malton, ON
Thank you. I support your proposals. I just wanted the testimony to come out.
My other question is regarding disclosure of personal information without the knowledge or consent of the individual, if it's made for a business activity.
That definition is also given, where “(a) a reasonable person would expect the collection or use for such an activity” and “(b) the personal information is not collected or used for the purpose of influencing the individual's behaviour”.
What do you think about this definition and how it's being narrowed?
4:50 p.m.
Partner, Canadian Anonymization Network
I welcome others to comment.
My sense is that the government did an excellent job articulating some circumstances in which it's expected organizations would be using the data. These are not particularly controversial types of uses. Again, it's just exception to consent. It doesn't mean you're not subject to all the other requirements that are applicable in the circumstances. I think that's something often overlooked in the discussion.
Our careful review of that is.... Those were welcomed, and the government did an excellent job with them.
4:50 p.m.
Liberal
4:50 p.m.
Conservative
Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC
Thank you, Mr. Chair.
I also thank the witnesses.
Mr. Therrien, you were the Privacy Commissioner when former bill C‑11 was tabled. You had proposed amendments and stated that the bill was a step backwards from what existed at the time.
Your successor proposed 15 amendments, which you say you agree with. However, the government only retained five of them. Of the 10 it did not keep, which ones do you think should fundamentally be included in the current bill?
4:50 p.m.
Lawyer and Former Privacy Commissioner of Canada, As an Individual
The recommendations are all important, and I presented others in my brief, particularly on the issue of proactive audits. If I had to pick just one, I'd choose the obligation to carry out a risk assessment, which I think should become a legal requirement.
There's also another point, which is less often discussed. In the current bill, organizations would have very wide latitude in defining the purposes for which they can use personal information. As I did when I was commissioner, Commissioner Dufresne recommended that the purposes for which information can be used be explicit and precise. These words are important. At present, companies can define these purposes pretty much as they please. Forcing them to define these purposes a little more narrowly would be one way of ensuring a better balance. Moreover, such a provision would be in line with European legislation.
4:50 p.m.
Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, CPC
Earlier, Mr. Fraser said that, in his view, the tribunal should be an independent body of the commissioner's office, not an internal body managed or promoted by the commissioner under the law. What is the fundamental difference? I understand there are two visions in relation to this: Mr. Fraser wants the tribunal to be completely separate from the commissioner's office, but I think you're suggesting that the tribunal should be an internal body of it.
If we give broad powers to the commissioner so that he's both judge and party, promoting the right to privacy, and also deciding disputes under the bill, isn't there a risk that he'll be put in a conflict of interest situation?
4:55 p.m.
Lawyer and Former Privacy Commissioner of Canada, As an Individual
It's a possibility, but I wouldn't call it a risk. It's a possibility that the law routinely provides for, incidentally. There are a large number of administrative tribunals that are capable of conducting investigations and providing advice as well as having adjudicative powers. Obviously, these powers must be kept separate within the organization. The same would be true if the Office of the Privacy Commissioner of Canada had these powers without a tribunal. The decision, for example an order made by the Office of the Privacy Commissioner, must be subject to judicial review to ensure that it has been fair to business. Often, this kind of potential conflict is handled smoothly by administrative tribunals.
4:55 p.m.
Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, CPC
Mr. Fraser, do you have anything to add?
October 24th, 2023 / 4:55 p.m.
Partner, McInnes Cooper, As an Individual
Certainly I agree that it's two different models. We also have, for example, a human rights commission and a human rights tribunal, a competition commissioner and a competition tribunal. There are other scenarios in Canada in which that particular model is applicable. There is the possibility for conflicts, and one would have to have controls and procedural safeguards within the Office of the Privacy Commissioner of Canada to make sure that those conflicts did not arise.
Given the stakes that this legislation presents, with multi-million-dollar penalties, even multi-billion-dollar penalties when you look at percentage of a company's global turnover, it raises the requirement for additional procedural safeguards. You can think of it as a scenario in which a police officer can write a ticket, and you could pay the ticket and plead guilty and go on your way, or you can dispute it, and the police officer has the burden of proving in front of an impartial decision-maker whether or not the facts alleged in that ticket are borne out. That would be the model that I would advocate.
Otherwise, maybe we can split the difference, and when it comes to anything that has a significant penalty over a certain threshold, it would require those additional safeguards. Those are going to be important.
I would also note that we're seeing more and more multi-jurisdictional investigations taking place simultaneously, so organizations are going to be subject to multiple penalties in multiple places arising from the exact same investigation. The fine threshold in Quebec is similar to the fine threshold here. You could find those to be doubly levelled, which again, at least to me, raises the stakes higher.
4:55 p.m.
Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, CPC
Mr. Therrien, I don't want you to quarrel, but what do you think of his answer?
4:55 p.m.
Lawyer and Former Privacy Commissioner of Canada, As an Individual
It's obvious that the penalties provided for in the law are extremely significant. This is also the case in Europe and other countries, as well as in Quebec with Bill 25. In all these models, without exception, the court of first instance, the equivalent of the privacy commissioner's office, is able to make these rulings.
As I was saying to Mr. Masse, if the federal office doesn't have the same tools as its counterparts, it risks creating significant complexities in joint investigations with other jurisdictions.
4:55 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you very much.
I'll now turn the floor over to MP Van Bynen.
4:55 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
I am wondering if this legislation reflects the current state that we're in. For example, if we were 10 years back, with the legislation we're proposing now, would we be in a different situation? I'm thinking of Facebook, ChatGPT and social media.
Anyone who doesn't think their privacy already has an intrusion doesn't have a cellphone or a social media account. How can we change that, or is the intent to control that? How can we best do that?
I'll start with Mr. Fraser.
4:55 p.m.
Partner, McInnes Cooper, As an Individual
I guess I would start with wondering whether you think that we should have a world without Facebook, ChatGPT and things like that.
In my view, this legislation takes what we have existing in PIPEDA and largely, as I said, turns it up to 11, so it puts a greater requirement of diligence on the part of organizations in order to, for example, justify their decision-making, document risks and do those sorts of things, and then it has those substantial penalties.
Had this been implemented 10 years ago, I'm not sure that the universe would be all that different, because I think it's still based on the 10 principles from the Canadian Standards Association's code for the protection of personal information, which are very Canadian principles with respect to privacy.
I am very curious to hear from Mr. Therrien in terms of how he thinks it would have been different had he entered office with the CPPA at his disposal.
5 p.m.
Lawyer and Former Privacy Commissioner of Canada, As an Individual
I think that the CPPA brings us much closer to where we ought to be in 2023. With the new implementation of artificial intelligence, part 2 of Bill C-27 is an attempt to align Canada's legislation to that new technology.
There's no perfect solution in all of these situations. There are people who think that the artificial intelligence act is so skeletal as to be meaningless, and there's some merit to this. I think it's okay for where we are today.
One virtue of the legislation before you is that it continues with the consent model in many circumstances in which consent can possibly be given, but it also recognizes that there are important limits to the consent model, such as legitimate interests and socially beneficial purposes, but I think the missing piece is that these additional flexibilities that reflect the current use of technology have to be implemented within a rights protection framework.
Although the minister's latest amendments bring us a bit closer, we are still quite a way from where we ought to be, and that is why I recommended that proposed sections 12 and 94 on penalties, particularly on penalties, are important, because what's the value of having a recognition of privacy as a fundamental right if there is no penalty when you breach that principle?
5 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Do you think that what we're introducing now is going to change the behaviour and uses of data currently in the hands of some of these organizations?
5 p.m.
Lawyer and Former Privacy Commissioner of Canada, As an Individual
I hope, with time, with not only penalties but including penalties, that it starts with companies acting responsibly and regulators working with businesses to ensure that the law is being implemented. There are advisory roles to the OPC that are important, but penalties should also be there so that the right set of incentives will be there for behaviour to change.
5 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
This comes back to your suggestion that there should be proactive audits by the Privacy Commissioner to ensure that whatever additional responsibilities are being created through this legislation are being adhered to.