Industry Committee on Oct. 24th, 2023

Evidence of meeting #91 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

Bill C-27

MPs speaking

Also speaking

David Fraser Partner, McInnes Cooper, As an Individual

Éloïse Gratton Partner and National Leader, Privacy and Data Protection, BLG, As an Individual

Daniel Therrien Lawyer and Former Privacy Commissioner of Canada, As an Individual

Adam Kardash Partner, Canadian Anonymization Network

Khaled El Emam Professor, Canadian Anonymization Network

5 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

In brief, my point there is that it is extremely difficult, if not impossible, for individual consumers to understand how their data is used. It is even difficult for the regulator to understand how data is used.

How will violations be identified if we rely mostly on individual consumers to make complaints? There are provisions, I know, for commissioner-initiated complaints, but the model we have is premised mostly on the basis that individual consumers will complain.

In many situations, they don't know there's a violation. Proactive audits exist in other jurisdictions I've mentioned in my document, whereby the regulator can audit the practices of a company, not because there is belief that there's been a violation already but simply to reassure consumers that this new practice actually does comply with the law and therefore, yes, you can have confidence that it is privacy-protected, or no, it is not, and then the company will have to amend its practices.

I think proactivity is extremely important.

5:05 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Thank you.

5:05 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much, Mr. Van Bynen.

Mr. Lemire, the floor is yours.

5:05 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you, Mr. Chair.

Mr. Therrien, I would like to talk about subsection 4(a) and the right of children to exercise their own recourses, without a parent or a guardian. Should we consider going further on children's rights by recognizing the UN Convention on the Rights of the Child? Should children be given the right to exercise recourses and to be heard, either directly or through representatives, in any proceedings that concerns them?

5:05 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

Part of the reason I am recommending that section 12 be amended to take into account the best interests of the child is because of the Convention on the Rights of the Child.

However, I am not an expert in Canadian constitutional law when it comes to the division of powers. What rights should a child have under the various proceedings? Is this something that can be done in federal legislation or is it more within the purview of provincial legislation? I wouldn't comment on that.

5:05 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Would anyone like to comment?

Ms. Gratton, do you want to comment?

5:05 p.m.

Partner and National Leader, Privacy and Data Protection, BLG, As an Individual

Éloïse Gratton

The discussion has evolved. What was your question?

5:05 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

In the context of the Convention on the Rights of the Child, should children be given the right to have access to recourses and complaint procedures and the right to be heard, particularly if they have experienced abuse or harmful situations?

5:05 p.m.

Partner and National Leader, Privacy and Data Protection, BLG, As an Individual

Éloïse Gratton

Mr. Therrien is reluctant to speak because this involves the division of powers. Many of these issues fall under provincial jurisdiction. In Quebec, for example, the Civil Code governs the rights of the child.

I don't think those laws need to go beyond dealing with consent and protecting the data of children held by private sector organizations. That's really what these laws are designed to protect.

A little earlier, we talked about the age of consent. The bill could be more specific in some respects about the type of consent of the child, depending on their age. In Quebec, that distinction is made, but, again, in the rest of the world, it often varies. There is the age of majority and there are young children. Between the two, there are young people between the ages of 13 and 18 or 19, the age of majority.

In Quebec, the age of consent has been set at 14. This creates a lot of operational problems for organizations that want to put safeguards and measures in place to protect children. We should just keep that in mind.

5:05 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you very much.

5:05 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you.

Mr. Masse, go ahead.

5:05 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

I want to touch on something we don't get a lot of questions on from this side, but I think it's important for you, Mr. Therrien, to highlight this.

For a political party, privacy laws apply in several jurisdictions, including Europe, British Columbia and now Quebec. The same should be true federally.

I would like you to expand on that point. It's something we don't seem to get a lot of questions on from this side of the table, but I think it is important to consider that potential.

5:05 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

Again, interoperability was mentioned previously. There are laws in many other jurisdictions in Europe and within Canada—there's British Columbia and now Quebec—that provide that privacy laws actually do apply to political parties. That is a recognition of the fact that information held by political parties is almost always sensitive information. It goes to the political views of political parties, and under privacy law, sensitive information is normally entitled to greater protection.

Right now we have no protection federally, except what political parties choose to put in their own privacy policies without any legal requirements, so I think it would be a very good thing for political parties to be subject to privacy laws.

For instance, with the CPPA, it could be possible to add a provision that would extend the CPPA to political parties, recognizing the sensitive nature of that information.

5:10 p.m.

NDP

Brian Masse NDP Windsor West, ON

That's great.

Mr. Kardash, you have whatever time is left.

5:10 p.m.

Partner, Canadian Anonymization Network

Adam Kardash

I'll be brief.

My view—and we've thought about this quite carefully—is that there is no public policy rationale for the political parties' processing of personal information not to be subject to a privacy legislative regime. The only question that I think is open is what the appropriate instrument would be and whether that would that go into the CPPA. I think there's some validity to the proposition that it might be a separate instrument. My personal view is that it was something that was missing in Bill C-27. It could have been in there.

Right now, if you compare the privacy protections that are set out in Bill C-27 under the CPPA to the current protections afforded to individuals in respect to the processing of personal information by political parties, you see that they're not even in the same universe. You would just have to post a privacy statement. There's no security breach notification requirement. There are no access rights and no consent rules. It goes on and on. There are no rights of express redress. There's no independent ombudsman who would oversee and take complaints, investigate, etc.

I think this is something that is incredibly important and I'm very thankful to you, Mr. Masse, for bringing that up.

5:10 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you.

Thank you, Mr. Chair.

5:10 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you, Mr. Masse.

I'll now turn the floor over to Mr. Perkins.

5:10 p.m.

Conservative

Rick Perkins Conservative South Shore—St. Margarets, NS

Thank you, Mr. Chair.

This has been very interesting testimony.

Mr. Therrien, I'd like to follow up on MP Vis's initial questions on the issue of minors. The only place in the bill where “minor” is mentioned is in the “Interpretation” section at the beginning.

It doesn't define a minor, and I think a lot of us are in agreement that this bill should define the age of a minor, but it also says in this act that “the personal information of minors is considered to be sensitive information”. For the life of me, when I look through this act, I don't see any definition of “sensitive information”.

5:10 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

Indeed, the concept of sensitive information is currently undefined under the current law and would be under the proposed law. That normally leads to what is called the “contextual application” of what is sensitive: It's what kind of information is at play. Is it financial? Does it concern children or health? That would be generally sensitive information under “Interpretation”, but there's no definition in the law itself.

Is it a flaw that there is no definition? At the end of the day, the definition will always be contextual. I think it is possible, though, to have a definition that would be non-exhaustive and refer to certain factors—financial, health, children, etc.—as factors that would be defined is normally sensitive information, leaving an out clause, a residual clause, for what is not defined. I think that would be an improvement.

5:10 p.m.

Conservative

Rick Perkins Conservative South Shore—St. Margarets, NS

As a person who has spent most of his career as a marketer, I love data, and I would go to the edge as much as possible with what I was aware of and what I could do with that data, but I'll tell you that this bill and those aspects would make me nervous. I just don't see, as a marketer, any guidelines that help me to figure that out, and I suspect that most marketers would push the envelope, as they do, and might end up in trouble for their company. I appreciate that there should be more definition.

I'd like to go back to my earlier question.

Mr. Therrien, proposed subsection 15(5) outlines that “implied consent” is okay. Personally, I don't think implied consent is ever okay. Do you see it as an issue in this bill that implied consent is allowed?

5:10 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

Implied consent is certainly open to broad interpretation and is sometimes abused, but it is a concept that exists under most, if not all, privacy laws that I know of. It is a recognition of the fact that in today's technological environment, you cannot realistically ask people to consent explicitly to every use of information that will be made.

On the issue of what amendments to make to the consent regime, I would maintain my recommendation to align the language of proposed section 15—not subsection (5), but another provision—to the current section 6.1 of PIPEDA.

5:15 p.m.

Conservative

Rick Perkins Conservative South Shore—St. Margarets, NS

The problem with the proposed subsection 15(5), which also ties to proposed subsection15(6), which also ties to proposed subsection 18(1) and proposed subsection 18(2), is that the implied consent is allowed on a wide variety of things, including “any other prescribed activity”— whatever that is. It leaves it wide open.

Earlier in the bill, in the consent section, it says that if express consent is required and if there is a new provision or a new use of that person's data, the express consent needs to be given again.

It seems to me that this is contradictory, in saying, “Well, I can apply it anyway. I don't have to pay attention to the earlier part of the bill that says I have to get express consent for a new purpose, except when I look at proposed subsections 15(5), 15(6), 18(1) and 18(2).”

5:15 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

My answer to that would be pay attention to the provisions that define purposes for which businesses can use information. Right now, I think it is fairly open-ended. There are not many, if any, limitations, except under proposed section 12.

If the provisions that define original purposes or new purposes were to say that only specific and explicit purposes are lawful, then I think that would be a step forward.

5:15 p.m.

Conservative

Rick Perkins Conservative South Shore—St. Margarets, NS

I have one last question.

Who should own a person's data, me or the organization?

5:15 p.m.

Lawyer and Former Privacy Commissioner of Canada, As an Individual

Daniel Therrien

Certainly that's the six-million-dollar question currently. It goes to the history of technology and legislation, the fact that many decades ago, the consent model was seen to be the best model—which assumes a lot of control.

I think we've not left that world. There is still value in people controlling their information to the extent possible, but realistically, we know that we're no longer in that world. It is simply not realistic to think that citizens can provide consent in each and every case when information is used. We need to accommodate a world where consent is not required, but, I maintain, within a model that protects privacy as a fundamental right, including the four provisions that I mentioned earlier.