Bill C-11 (Historical)

Thank you, Mr. Chair.

Thank you for the invitation to address this committee on this important issue.

The use of mobility data and the reaction to it highlights some of the particular challenges of our digital and data society. It confirms that people are genuinely concerned about how their data are used, and it also shows that they struggle to keep abreast of the volume of collection, the multiple actors engaged in collection and processing, and the ways in which their data are shared with and used by others. In this context, consent alone is insufficient to protect individuals.

The situation also makes clear that data are collected and curated for purposes that go well beyond maintaining consumer or customer relationships. Data are the fuel of analytics, profiling and AI. Some of these uses are desirable and socially beneficial while others are harmful or deeply exploitative. The challenge is to facilitate the positive uses and to stop the harmful and exploitative ones.

The situation also illustrates how easily data now flow from the private sector to the public sector in Canada. Our current legal framework governs public and private sector uses of personal data separately. Our laws need to be better adapted to address the flow of data across sectors. Governments have always collected data and used it to inform decision-making. Today, they have access to some of the same tools for big data analytics and AI that the private sector has, and they have access to vast quantities of data to feed those analytics. We want governments to make informed decisions based on the best available data, but we also want to prevent excessive intrusions upon privacy.

Both PIPEDA and the Privacy Act must be modernized so they can provide appropriate rules and principles to govern the use of data in a transformed and transforming digital environment. The work of this committee on the mobility data issue could inform this modernization process.

As you've already heard from other witnesses, PIPEDA and the Privacy Act currently apply only to data about identifiable individuals. This circumstance creates an uncomfortable grey zone for de-identified data. The Privacy Commissioner must have some capacity to oversee the use of de-identified data, at the very least to ensure that reidentification does not take place. For example, the Province of Ontario addressed this issue in 2019 amendments to its public sector data protection law, amendments that defined de-identified information for the purposes of use by government, required the development of data standards for de-identified data and provided specific penalties for the reidentification of de-identified personal data. The discussion paper on the modernization of the Privacy Act speaks about the need for a new framework to facilitate the use of de-identified personal information by government, but we await a bill to know what form that might take.

The former bill C-11, the bill to amend the Personal Information Protection and Electronic Documents Act, which died on the Order Paper last fall, specifically defined de-identified personal information. It also created exceptions to the requirements of knowledge and consent to enable organizations to de-identify personal information in their possession and to use or disclose it in some circumstances, also without knowledge and consent. It would have required de-identification measures proportional to the sensitivity of the information and would have prohibited the reidentification of de-identified personal information and imposed stiff penalties.

The former bill C-11 would also have allowed private sector organizations to share de-identified data, without knowledge or consent, with certain entities, particularly government actors, for socially beneficial purposes. This provision would have applied to the specific situation before this committee right now. It would have permitted this kind of data sharing and without the knowledge or consent of the individuals whose data were de-identified and shared. The same provision, or a revised version of it, will likely be in the next bill to reform PIPEDA introduced into Parliament. When that happens, some important questions need to be considered. What is the scope of this provision? How should socially beneficial purposes be defined? What degree of transparency should be required on the part of organizations that share our de-identified information? How will private sector organizations' sharing of information with the government for socially beneficial purposes dovetail with any new obligations for the public sector? Should there be any prior review or approval of plans to acquire and/or use the data, and what degree of transparency is required?

I hope the work of this committee on the mobility data issue will help to inform these important discussions.

Thank you.

Yes. We think that for Canada to be competitive—and the government underlined this in Bill C-11, and I would completely agree.... We have a confidence problem, a trust problem. Consistently Canadians, at the level of 90% or so, have expressed their concerns that privacy is not currently respected. They continue to use the Internet, because frankly you cannot live outside of the digital world in 2021. However, they still have important concerns, so we have a trust issue.

In order to deal with the trust issue, you need to have laws that enhance trust. That means ensuring that with regard to privacy laws, rights and values, consumers and citizens see that the legislation is apt to protect rights and values and produces proportional consequences, penalties, if these rights and values are not respected.

The law should provide for flexibility for companies to use data for legitimate commercial purposes, and our submissions I think go in that vein. There is no opposition really between privacy protection and economic development or innovation. As far as our relationship with the Competition Bureau and other regulators is concerned, it's extremely important that digital regulators are able to co-operate and share information so as to have an effective regulatory framework across all sectors. We have a good relationship with the Competition Bureau.

At the beginning of my mandate, there was a lot of emphasis on public and national security issues, and on measures that followed the events of September 11.

The Snowden phenomenon highlighted certain government practices. It's not all perfect, but we have made progress on those issues. Legislation has been passed to raise the bar on which departments [Technical difficulty—Editor] for national security purposes. Most importantly, independent oversight bodies have been established and are now in place within the public service and within Parliament. As I mentioned, not everything is perfect, but significant progress has been made.

In recent years, with Facebook, Cambridge Analytica and all the rest, there has been a lot of focus on what some call surveillance capitalism, where companies collect, process and disclose a lot of information about their consumers to provide services, but also to make money, of course. That is where we are at now, which is why it is extremely important that these issues be properly regulated through Bill C‑11 or its successor.

I have to say that recently we are seeing more and more public‑private partnerships. Clearview AI and the RCMP are just one example among many. This leads me to suggest that you think seriously about the relationship between the public sector and the private sector in terms of sharing personal information, and the idea of the same legislation governing both sectors, which we think would be extremely desirable. If two laws are used, it would be best if they had very similar principles, because data has no geographic borders and no boundaries between the public and private sectors. It is important that similar rules govern both sectors.

I would add that, to maintain the confidence of the public and consumers, it is essential that [Technical difficulty—Editor] result in penalties that are proportionate to the magnitude of the impact of the privacy breach on privacy. Order powers and consequent fines are therefore crucial. The reason for recommending substantial fines is not to be punitive. Rather, it is to ensure that the consequences for people whose privacy has been breached are proportionate to the consequences for the companies involved, so that, over time, imposing such a regime will result in governments, departments and companies properly protecting the personal information of the public and consumers.

I would answer with respect to the two relevant clauses.

In terms of the RCMP, to the extent that the principle that we outlined, i.e., that a federal department or institution should not rely on information that was obtained illegally by a third party partner, if that's not clear and the RCMP argue that it is not clear, then what needs to be changed is the public sector Privacy Act. That's point number one.

In terms of the particular use of the Clearview technology, Clearview also was, and I think still is, arguing that its database was created to assist the police and other institutions in law enforcement against crime. The company sees that as a legitimate purpose. There's no question that to develop some tools to assist the police to enforce the law is legitimate, but neither the police nor the private sector can or should do anything they like, regardless of privacy protection. That's point number two.

In our submission on Bill C-11, we ask that Parliament does make clear, with a technology like Clearview, which in our view constituted mass surveillance, that the law be extremely explicit, and that this is contrary to private sector privacy law as well.

With respect to Bill C‑11, I would refer you to the brief we submitted a month ago.

The current Personal Information Protection and Electronic Documents Act (PIPEDA) is essentially an act that originally incorporated into federal legislation an industry code of practice that was created a little over 20 years ago. So the current wording of PIPEDA is very much a repeat of that code. A code of practice is a code that is intended to improve business practices, but it is not written like a law. Bill C-11 is certainly a step forward. The structure of the bill is adequate, in terms of its content, to raise the appropriate questions.

That being said, we clearly have a lot of concerns about the content and the answers that the bill gives to those questions.

For example, what should the rules be on consent? What should the rules be on corporate responsibility? What should the powers of the commissioner's office be?

The starting point of the structure of the act is good, but a lot of work remains to be done. Looking at it broadly, I would say that the work before you, and before us, is to protect the right to privacy as a human right, as it should be. That's my view.

Beyond that, we need to find the right methods to help Canada ensure that data, including personal data, can be used in the public interest while protecting privacy. I think that's the overall goal. Public authorities have a responsibility to ensure that, in the 21st century, laws are drafted in such a way that we, as a society, can enjoy the benefits of the digital age, but in a way that protects privacy. That's how—

In the submission that we presented to your committee about a month ago, we addressed that important issue. We recommend the addition of preamble and purpose clauses in a new law that would firmly ground the federal legislation in trade and commerce. This could be done by having explicit language in a preamble or purpose clause to indicate that the purpose of the federal private sector law—Bill C-11 at this point—is to ensure viable and sustainable digital commerce by protecting privacy.

That would set the purpose of the federal law squarely in the jurisdiction that Parliament has under trade and commerce. Once that is done, then Parliament can legislate to protect privacy in the best way that it feels should be part of that law. If Parliament so decides, that could include, without infringing on provincial jurisdiction, a rights-based law.

First of all, it would be that most if not all contraventions of the law should be eligible—let's put it that way—for administrative penalties, as is the situation in most other countries that have penalties. There are modalities that we can discuss if we have time, but the rule should be such that essentially all violations lead to fines if the proper authority determines that the law has been violated.

In terms of who decides between the OPC and the appeal tribunal that is proposed in Bill C-11, it is certainly possible for Parliament to create an appeals tribunal, but in privacy matters this would be, to our knowledge, exceptional. We do not know of any other jurisdiction that has such a tribunal, which is not to say that I am not concerned, obviously, about the fairness of the process under which companies would have to pay fines. If the OPC had that authority and there were no administrative appeal as proposed, the courts could intervene and control the legality and fairness of the process undertaken by the OPC. That system of the privacy regulator being authorized to impose fines subject to judicial review by the judicial courts is the normal structure in privacy laws, and we would recommend that it be adopted.

Bill C-11 includes the authority to make orders and, as you say, to recommend fines. Is it a step in the right direction? I think the overall goal should be to ensure that Canadian consumers have access to quick and effective remedies when their privacy rights are breached or violated, and as we tried to explain in our submission, in most cases we think that the imposition of administrative penalties would result, on average, seven years after the violation has occurred. Is that a step forward?

Personally, I don't think so, particularly when the list of violations that can result in fines is extremely limited, contrary to the laws of other countries, and excludes the most central provisions in privacy law, which are obtaining consent meaningfully and for organizations to be accountable in the way they handle information. The extreme narrowness of the scope for offences and violations and the extremely long period leading to the potential imposition of a fine makes me say that this needs to be reconsidered completely.