Industry Committee on Oct. 31st, 2023

I would like to thank the committee for the opportunity to speak on Bill C-27, the consumer privacy protection act, or CPPA.

My name is Lorraine Krugel, and I am vice-president of privacy and data for the Canadian Bankers Association. The CBA is the voice of more than 60 banks operating in Canada, employing more than 280,000 Canadians and helping to drive Canada’s economic growth and prosperity.

Banks have long been entrusted with significant amounts of personal information, and privacy and trust are paramount to our banks' customer relationships. As global data flows and technological advances have continued to increase, Canadian banks have been able to responsibly innovate to meet consumer demand for even more convenience, value and simplification. The CPPA reflects a unique, made-in-Canada approach that aims to address the needs of consumers and organizations in our evolving digital world.

We need to get this right. Some of the proposed provisions in the CPPA need to be better tailored for the Canadian context. We are concerned that there is a real risk of significant adverse consequences if the scope of certain provisions is not better defined and necessary exceptions are not included.

In particular, we would like to avoid situations where organizations would be required to provide too much information in order to be transparent. For example, certain transparency provisions could end up replicating the equivalent of consent fatigue or cookie banner fatigue, with no meaningful value to the consumer. Transparency obligations also require appropriate limits so that they cannot be abused or leveraged by criminals to circumvent processes designed to protect against fraud, money laundering or cyber-threats. In addition, we need to take care so that any requirements that are highly complex or operationally onerous would, in fact, address the right underlying risks and policy intent without negatively impacting legitimate operations, product and service delivery or the safeguarding of information.

The CBA is supportive of many of the key foundations of the CPPA. The CPPA is principles-based, scalable and technology-neutral and requires organizations to comply with a collection of interconnected provisions that provide a solid privacy foundation based on accountability, reasonability and proportionality; however, we see the need for targeted amendments in the following key areas: de-identification and anonymization, disposal requests and retention, and automated decision systems.

Relating to consent, we recommend an important technical amendment that will ensure continued alignment with provincial approaches while preserving policy intent and avoiding unintended consequences regarding consent obligations. In addition, we recommend an amendment to the CPPA to legally allow certain organizations to share personal information to combat money laundering and terrorist financing as part of a legislative framework that would be further defined through the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Done in the right way, such sharing could increase privacy protections for Canadians by reducing unnecessary reporting to the government on low-risk transactions and simultaneously increase the effectiveness of Canada’s anti-money laundering regime through targeted and more effective reporting.

Finally, we believe that a minimum two-year implementation period is necessary to accommodate the scope of change and the development of regulations and guidance associated with the CPPA.

Regarding the artificial intelligence and data act, or AIDA, we are in the process of evaluating the minister’s recent proposals and will be submitting comments and recommendations to the committee when the study focuses on the AI portions of the bill.

We have provided the committee with written comments and recommendations on the CPPA and look forward to your questions.

Thank you.

Chairman Lightbound and honourable members, thank you for the opportunity to share my views on Bill C-27, legislation that will have profound consequences on Canada's economic prosperity, freedom, democracy, consumer protection and child well-being.

The Digital Charter Implementation Act prioritizes the interests of large data monopolies and their ecosystem of traffickers. It sets a dangerous precedent by allowing corporations to allocate to individuals, children and vulnerable groups the harmful economic, political and social consequences of the data-driven economy. It normalizes and expands surveillance, treating human rights as an obstacle to corporate profits.

Bill C-27 requires a wholesale redo, and my written submission includes comprehensive proposed amendments.

A high-level perspective of some of the foundational flaws with the bill as tabled include the following: one, use of a notice and consent framework, which creates a pseudo-compliance system that enables personal data harvesting and intrusive profiling while spamming users with misleading consent barriers; two, a legitimate business interest carve-out that allows corporations to put the pursuit of profits above the interests of consumers, where businesses are allowed to privately self-determine what constitutes legitimate surveillance and behavioural modification to trample on fundamental rights but are under no obligation to notify consumers how they are tracking and profiling them; three, a diminishment of protections for children and vulnerable persons and an omission of meaningful measures that curtail insidious surveillance and behavioural manipulation practices that are driving the current youth mental health crisis; and four, an artificial intelligence and data act that doesn't include an independent and expert regulator for automated decision systems and excludes the right to contest decisions made with AI, such as insurance, school admissions and credit scoring. AIDA needs to be scrapped completely.

There are many more flawed parts of this legislation, all detailed in my submission.

The recent letter by Minister Champagne indicating willingness to make some unspecified amendments is a woefully inadequate approach to dealing with the serious flaws in this bill. It joins the long list of bad governance practices, which is how we ended up with this untenable bill in the first place.

There has been much gaslighting from industry lobbyists and self-interested parties whose profits depend on mass surveillance, arguing that meaningful AI privacy regulations limit innovation. Privacy and AI regulations are not impediments to innovation. As innovation economists and digital policy experts have shown, the unique features of the data-driven economy—specifically, data's network effects alongside economies of scope, scale and information asymmetry—mean that the more data a company gathers, the more value it gains from it. Every new dataset makes all pre-existing datasets in the hands of the same few companies more valuable, disproportionately enhancing the power of established data giants and their vested assets. This is why, in less than a decade of the data-driven economy, we have seen the greatest market and wealth concentrations in economic history, a reduced rate of entrepreneurship, innovation and business dynamism and, also, lowered wages.

Properly regulating insidious data collection and trafficking, as other jurisdictions are doing, would not only address concentrated economic power, but also force business to compete on the level of quality and innovation, not surveillance and manipulation, as is currently the case.

I am an entrepreneur, investor, co-founder of the Council of Canadian Innovators, and a vocal advocate for Canadian technological and innovation success in global markets. It's deeply troubling to hear the government talk about advancing Canadian innovation, because earlier this year the government admitted that it has no AI strategy. We are merely funding basic research that principally supports the growth of foreign data monopolies.

This lack of capacity to understand and regulate the digital economy has real consequences, chief among them a steady decline in the standard of living and prosperity for the average Canadian, particularly in Ontario and Quebec, which used to drive our national prosperity. Because Canada is unable to create policies to harness the potential of IP, data and AI, the OECD recently projected that Canada's economy will be the worst-performing advanced economy of 2020-30 and the three decades thereafter.

The choice you have is to adopt Bill C-27, a deeply flawed attempt at privacy regulation, or to create new legislation that builds trust in the digital economy, supports Canadian prosperity and innovation and protects Canadians not only as consumers but as citizens. The choice is a continued erosion of Canadian prosperity, emboldening surveillance and manipulation and deepening the mental health crisis of our youth, or a healthy democracy, long-term prosperity, robust freedoms and the protection of our children.

Thank you.

Thank you very much, Chair, and good afternoon.

I am the executive director of the Financial Data and Technology Association of North America, or FDATA. We're the leading trade association advocating for consumer-permissioned access to financial data in both Canada and the United States.

Our members include firms with a variety of different business models, which collectively provide more than six million Canadian consumers and SMEs with access to vital financial services and products. Utilizing these products, services and tools, Canadian consumers can, for example, access more competitive banking services, including more affordable credit. They could utilize more efficient payment options and benefit from technology to better manage their finances and grow their wealth. Canadian SMEs depend on FDATA North America member companies to manage their accounting and credit needs and more easily send and receive payments.

We are strong advocates of Canada's implementation of an open finance regime, which was first outlined as a government priority in budget 2018. The core idea of open finance is this: A Canadian consumer or SME should be able to safely and securely share access to their data held at one provider with another provider that offers a better financial product, service or tool. Whether it's a chequing, savings, business, brokerage, pension, mortgage, or auto loan account, or data held by a payroll or benefits provider, open finance is the straightforward notion that the customer should have the right to use that data for their own benefit.

Once built, open finance in Canada will put consumers and SMEs in full control of their financial data, facilitating a more transparent and competitive Canadian financial services marketplace that provides safe and secure data portability. The data portability right and data privacy framework included in Bill C-27 are fundamental cornerstones of this modernized approach to financial services.

A survey of Canadians commissioned last year by FDATA North America and Fintechs Canada found that half of Canadians feel stress when interacting with Canada's existing financial services sector and more than two-thirds of Canadians believe that more competition in the financial services marketplace would lead to a greater choice in products and lower financial services fees. Ninety per cent of Canadians indicated that they found fintech products easy to use, with more than 80% reporting they paid lower fees to fintechs than to their banks for similar services or products. Canadians deserve access to these alternatives.

Canada lags behind virtually every other G20 country with regard to open finance, data portability and data privacy. The U.K., Australia, New Zealand, Singapore, Brazil, the European Union and other jurisdictions have all enacted some version of government-led open finance, under which consumers and SMEs have legally binding data access rights and privacy protections afforded to them.

In contrast, today Canadian consumers and SMEs have no legal right to access or share access to their financial data. Unlike the overwhelming majority of other countries, in Canada, a consumer's or SME's bank is empowered to determine whether their customer may share elements of their data with a third party to get a better deal, access a new product or tool or avoid paying exorbitant fees. To the extent that a bank may allow its customers to do so, there are generally onerous and, in some cases, restrictive terms dictating the limitations under which their customers are able to do so.

While Canada has taken important steps towards such a regime since budget 2018, significant work remains to reach implementation.

Meanwhile, the rest of the world advances. Earlier this month, the United States formally launched its own open finance regime with a CFPB rule-making. Recognizing that incumbents in the financial services market will not, on their own, deliver a more competitive, customer-centric ecosystem, the director of the CFPB noted in his announcement that the rule will “supercharge competition, improve financial products and services, and discourage junk fees”. Like Bill C-27, the CFPB rule would provide data portability rights to consumers and will require those firms that access—with their express consent—end-users’ data to abide by strict data privacy and security provisions.

To advance its open finance regulations, the U.S. had an advantage that the Department of Finance and the Department of Innovation, Science and Economic Development currently do not: strong statutory authority to do so. Finance Canada has been studying how to deliver open finance in Canada for the better part of five years. FDATA views enactment of Bill C-27 as a critical element of the transition from open finance ideation to implementation. Once consumer and SME data portability has been enshrined in law, ISED and Finance Canada will have the statutory tools required to finally deliver open finance.

Consumers and SMEs in Canada are being left behind as the rest of the G20 build and deploy open finance frameworks that facilitate competition, enable greater access to and inclusion within the financial services marketplace and provide their citizens with appropriate data protections. The data portability and privacy provisions included in Bill C-27 represent integrally important statutory tools for ISED and Finance Canada that will help Canada catch up.

Thank you. I would be pleased to answer any questions.

Good afternoon, Chair and members of the committee.

Thank you for inviting us to appear and for prioritizing privacy law reform. Your work is critically important to Canadians and to the future of our economy.

I cannot overstate how reliant Canadians are on data and the digital economy or how significant the proposed law is to Canada's future economic growth and to the protection of consumers.

The CPPA will enable small and medium-sized Canadian businesses to compete in the global marketplace. It will protect consumers through new consumer rights, greater transparency and accountability requirements for organizations, and the strongest financial penalties in the G7. It will help protect children. It will provide some support to the more than 80% of Canadians who are concerned about rising costs. It will foster innovation and allow Canadians to enjoy the enormous social and economic benefits of data.

The Canadian Marketing Association is the voice of the marketing profession. Our 450 members are small and medium-sized businesses, large brands, not-for-profits, and public and post-secondary institutions and organizations representing virtually all sectors of the economy.

We urge the speedy adoption of the CPPA. Consumers deserve modernized protections, and the businesses fuelling our economy need more regulatory certainty.

Consumer trust is critical to a successful business. Most organizations operating in Canada are responsible and are committed to building and maintaining a trusted relationship with their customers. They dedicate significant attention and resources to protect personal information, including substantial investments in cybersecurity.

Canada's privacy law must protect consumers in a manner that does not create an unnecessary administrative burden for companies, including SMEs, which make up more than 90% of Canadian businesses. Canadian consumers expect organizations to intuitively deliver the products and services that they need and want. They are demanding faster and better, more relevant information from companies to help them make informed purchase decisions.

We are living in challenging economic times. Ninety per cent of consumers say that one of the most important reasons for sharing their data with companies is to receive discounts on products and services. With more than 80% of Canadians concerned about the rising cost of living, the personalization that comes from data usage provides some relief through relevant offers and sales that save them time and money.

To ensure that the CPPA meets its objectives while avoiding unintended consequences, we are proposing some limited amendments. Our first amendment calls for a more targeted and effective approach to protecting the personal information of minors. The CMA unequivocally supports the protection of minors. For decades, we have been the leader in setting standards for marketing to children and youth through the Canadian marketing code of ethics and standards.

We are concerned that the minors provision in the CPPA would result in an overcollection of data. Organizations that have no need to know whether their customers are minors should not be required to collect and retain people's birthdays, which is highly sensitive information, simply for the purpose of complying with the act. We propose that the provision for children in the CPPA be targeted to organizations whose business is directed to minors and to organizations that know or should know that they are processing the personal information of minors.

We also recommend that the law allow for different treatment of mature minors, who bear many of the responsibilities and enjoy many of the privileges of adulthood. These recommendations align with laws in the U.S. and Europe.

We have a handful of amendments in other areas, including consent provisions and the definition of ADS. We support the amendments by the Canadian Anonymization Network regarding de-identified and anonymized data, and we recommend a phased implementation period similar to that in Quebec. Our specific amendments are attached to our statement, and we are submitting a written brief outlining our views in more detail.

I'd like to close my remarks by emphasizing what this legislation is about and what it is not. The CPPA is intended to govern commercial activities. It would apply not only to large businesses and digital players, but also to very small organizations and to non-digital business activities. It would govern the ability of not-for-profits and charities to find and retain donors. The CPPA is not meant to address all aspects of the digital economy: for example, competition issues regarding data monopolies, the use of AI, which falls under AIDA, and protecting children from online harms. These are all critically important issues but do not fit within the scope of the CPPA.

Chair and members, our current law, PIPEDA, was the international gold standard for the protection of personal information for more than a decade. The CPPA builds on a strong legacy that Parliament can be proud of. Your speedy passage of this law can once again ensure that Canada leads the world in protecting privacy and fostering innovation.

I would like to thank the members of the committee for your leadership and service to Canadians.

Thank you.

Good afternoon.

I am pleased to appear before you on behalf of the Canadian Chamber of Commerce alongside my colleague, Ulrike Bahr-Gedalia.

The Canadian Chamber of Commerce represents more than 400 chambers of commerce and more than 200,000 businesses of all sizes, from coast to coast.

From the outset, we would like to state our support for modernizing privacy laws and for introducing guardrails regarding AI. We welcome the government's efforts to strengthen data protection for all Canadians, particularly children. CPPA must move forward to provide business certainty as soon as possible, while allowing for some amendments. There is concern about Canada's equivalency with the EU, and the patchwork of provincial privacy legislation that is emerging in the interim.

Regarding AIDA, we believe that a more robust consultation process is required to properly address AI regulation needs in Canada. It's critical that our AI regulations are precise enough to provide important guardrails for safety, while allowing for our businesses to harness AI's full potential responsibly. This is especially relevant in the face of cross-sectoral skills shortages and SMEs that have dealt with one challenge after another.

Through Mr. Champagne's letter of October 20, we were pleased to hear that the government would address some major concerns related to the Artificial Intelligence and Data Act through their amendments, but we cannot substantially comment on these until they are made public and we've had time to consult with members.

Given the House Speaker's 2022 ruling that voting on parts 1 and 2 would be separate from part 3, AIDA, we urge the committee to contemplate how this avenue could allow for CPPA to move forward without delay, while making way for more in-depth consultations and input on the AI act to take place.

AI policy is indeed complex. Having the committee attempt to study privacy elements at the same time as quickly-changing AI elements doesn't provide the conditions for good policy to materialize. It's impossible to deny that AI regulations have become a global issue that's evolving rapidly. It's imperative that Canada not regulate in a vacuum. With major AI policy developments happening weekly, including the White House executive order on AI just yesterday, Canada must ensure we're taking steps to align our regulations accordingly. If not, organizations will have to contend with unique laws, making our country a less attractive destination for business.

I'll now turn it over to Ulrike.

Good afternoon, everyone.

Yes, indeed, we have received a long list of Bill C-27 recommendations from our members. A detailed brief was submitted to INDU in September and is available on the committee page, just so you're all aware. Please note that our analysis of the bill is ongoing as new material becomes available, such as the eight government amendments. Therefore, we are working with members to produce additional feedback to complement our earlier submission.

I’d like to take the opportunity to underscore a few key recommendations. First, a core position of the Canadian Chamber of Commerce is that there need to be amendments to better define many of the principles and concepts in Bill C-27 and to harmonize the bill with the norms and standards found in existing provincial and international law. Interoperability is paramount.

Among our recommendations on the CPPA, we are suggesting that the following elements align with Quebec’s law 25: that the term “minor” be defined to include an age, that the definition of “anonymize” be in line with industry standards, and that the scope of the private right of action be narrowed. We also want to underscore the importance of legitimate interest exceptions in the current bill.

On AIDA, we were encouraged to see that government amendments would be forthcoming with respect to defining high-impact systems, creating clearer obligations along the AI value chain, and ensuring alignment with the EU AI act and those in other advanced economies. We look forward to seeing the text of these amendments to provide more specific feedback.

However, other matters remain unaddressed thus far, such as better defining the use of the term “harm”. Our members have also raised serious concerns around the criminal liability element of AIDA, noting that Canada is the only jurisdiction in the world with such penalties. There is a belief that this provision might discourage businesses developing or deploying AI from setting up operations in Canada or even force some to leave, based on risk assessment.

Finally, in terms of coming into force, it’s important that our businesses, especially SMEs—because small business is big business in Canada—have adequate time to adapt to new environments and requirements. We therefore recommend a phased implementation of CPPA and AIDA over a period of 36 months.

Thank you very much.

Thank you for that question.

A fundamental right should be inalienable, not balanced. In Europe, where you have the ability...it's the very narrowest of special circumstances, but this idea that it's some kind of balanced proportionality does not make it fundamental and does not make it inalienable. It's a fundamental flaw in the approach to it. It's either an important right or it's not.

That's correct. Absolutely.

Not at all.

I have a bit of an advantage over everyone here in that I was in the small meeting where then Minister Bains and then deputy minister Knubley presented the original Bill C-11. They said that they were approaching this as some kind of balance, and I said, “Who concocted this concept of a trade-off between the two?” They, in fact, re-enforce each other. It's a false dichotomy.

Absolutely.

No, it doesn't—and it should, because when you make a decision, you affect those around you, who are affected by the nature of the digital footprint that we collectively leave. Also, if you opt out but are part of a group that has agreed to these things, you are profiled in that, even though you have pulled yourself out of it.

Understanding both the individual effects and the collective effects needs to be a central aspect of this bill.