François-Philippe Champagne Liberal
In committee (House), as of April 24, 2023
Subscribe to a feed (what's a feed?) of speeches and votes in the House related to Bill C-27.
This is from the published bill. The Library of Parliament has also written a full legislative summary of the bill.
Part 1 enacts the Consumer Privacy Protection Act to govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities. In consequence, it repeals Part 1 of the Personal Information Protection and Electronic Documents Act and changes the short title of that Act to the Electronic Documents Act . It also makes consequential and related amendments to other Acts.
Part 2 enacts the Personal Information and Data Protection Tribunal Act , which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act. It also makes a related amendment to the Administrative Tribunals Support Service of Canada Act .
Part 3 enacts the Artificial Intelligence and Data Act to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact artificial intelligence systems. That Act provides for public reporting and authorizes the Minister to order the production of records related to artificial intelligence systems. That Act also establishes prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using or making available for use an artificial intelligence system and to the making available for use of an artificial intelligence system if its use causes serious harm to individuals.
All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
In the 2022-23 annual report of the Office of the Information and Privacy Commissioner, you highlight the importance of modernizing British Columbia's Personal Information Protection Act, which has not been updated since it came into force in 2003.
What do you think are the most important elements of a modernized Personal Information Protection Act? Could any of your recommendations to modernize it apply to Bill C-27 and, if so, which ones?
December 12th, 2023 / 4:25 p.m.
Information and Privacy Commissioner, Office of the Information and Privacy Commissioner of Alberta
Thank you, yes.
We here in Alberta have three privacy laws, actually. We have the private sector privacy law that covers everything except for aspects of our non-profit sector. We have our public sector privacy law that operates similar to what Mr. McEvoy just explained, and we also have the health information law that governs the health sector in our province.
We here in Alberta are looking at harmonizing our own laws as we are looking at advancing our digital economy here and using technology to innovate. We're looking not only in Alberta but also, of course, at Bill C-27 as we consider what the landscape needs to look like.
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
In your opening remarks, you alluded to the new powers of the commission, and I'm not sure if those were human rights. As I understand it, the act provides funding for the promotion of rights, as well as binding powers.
Do you think that Bill C‑27 could have a similar mechanism to protect Canadians from the disclosure of their personal information and to raise awareness with them?
I'm concerned about all the provisions of Bill C‑27 dealing with anonymized and de‑identified information, particularly with regard to interoperability. There's also the issue of administrative monetary penalties and the scope of those penalties that could be imposed under the bill.
In addition, there's the absence of certain preventive measures for the use of technology. Before implementing an application or technology, an important preventive measure is to conduct assessments in advance to ensure that it complies with the law and does not constitute an inappropriate intrusion into privacy.
The commissioner also recommended measures against profiling or, at the very least, more transparency, so that people know they have a right to refuse. These are elements that are in the Quebec legislation for these new technologies. I think Bill C‑27 could be improved in that regard.
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
What provisions should be included in Bill C‑27 to bring it closer to the standards established by Quebec's Bill 25?
How can we be more interoperable? As you said, it would be to the advantage of entrepreneurs, since there would be less bureaucracy, among other things.
Thank you for the question.
This goes a little bit to what we were discussing, that is, the issue of interoperability. As I was saying, a company may have to comply with two sets of rules. The two acts may apply at the same time in certain situations. It's happening right now, and I understand that it will happen in the future as well.
There will be situations where a business will have to comply with both the rules of Bill 25 and the rules of a future bill resulting from Bill C‑27, if it's passed. It can certainly be difficult to comply with two sets of rules if the rules aren't similar. In addition, human beings being what they are, there may be a tendency to want to comply with the least restrictive rule.
It's also important to be able to monitor, control and collaborate in our respective actions across Canada.
That said, the scope of the Quebec legislation is quite broad. A business that carries on business and that, in the course of its economic activities, collects, holds, uses, discloses and retains personal information must comply with Quebec law.
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Thank you, Mr. Chair.
Thank you, Mrs. Poitras, for your comments this afternoon.
I would also like to highlight the innovation and rigour shown by the Government of Quebec in this area.
Although the minister assures in his letter that the Quebec law will prevail in Quebec, concerns have nevertheless been expressed to this committee, particularly by Jim Balsillie. For example, it has been raised that, if Bill C‑27 sets standards that are lower than those in Quebec's Bill 25, that could hinder innovation and jeopardize investments in the Quebec economy.
With that in mind, how do you assess the potential consequences of Bill C‑27 on Quebec's economic landscape, particularly in terms of innovation and investment?
December 12th, 2023 / 4:15 p.m.
Information and Privacy Commissioner, Office of the Information and Privacy Commissioner for British Columbia
I think you're quite right. In some instances, it would be seen as a licence to continue doing what companies are doing.
I think the most effective remedy that the government can provide in legislation for its regulator is order-making power. The three of us here today have the power to say to a company or an organization, "Stop doing what you're doing", which is a far more effective remedy in some instances where that action or conduct on the part of an organization may be harming a Quebecer, a British Columbian, Albertans or Canadians. That remedy is the most effective.
I know that Bill C-27 would put that order-making authority in the hands of the commissioner, which is a very positive step. As we've indicated, if there's going to be any appeal, that should be directly to the courts, as we have faced them over the years as a means of oversight over what we do.
Thank you for the question.
Commissioner Dufresne made some excellent recommendations around harmonization and so on.
As for anonymized and de‑identified information, I know that many stakeholders have told you that the definition of anonymization was very restrictive in Bill C‑27. In Quebec, following discussions and exchanges with stakeholders, parliamentarians included some flexibility in the legislation. According to Quebec law, information is anonymized “if it is, at all times, reasonably foreseeable … [for] the person to be identified directly or indirectly”.
However, they were concerned that this might open up too big a loophole. At the same time, it was stipulated that government regulations could impose terms and criteria on how anonymization is done.
De‑identification is also an important issue because of the potential for the use of de‑identified information. Bill C‑27 provides that, at times, de‑identified information is no longer personal information, which means that protection for that information is lost. That is a concern.
My colleague Mr. McEvoy did a good job of presenting the concern about administrative monetary penalties, but also the scope of the penalties. The situations in which the federal commissioner can recommend to the tribunal the imposition of administrative monetary penalties are very limited in Bill C‑27.
Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC
What are the most important recommendations you would make to amend Bill C‑27 to allow for interoperability across all provinces? I know that there are also reserves in British Columbia. I'm sure that my colleagues will ask Ms. McLeod or Mr. McEvoy questions about this.
We're trying to see how the bill can be improved so that it's interoperable across the country and so that everyone can easily implement it. This is a concern that has been expressed by all the stakeholders and witnesses who have appeared before the committee.
Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC
Yes, thank you.
I'm an entrepreneur myself. Since I'm not in my business full time, I don't know whether I have to comply with rules or whether my compliance is adequate. I think we train people in my business. After all, I'm in the communications business.
Are we talking about a minimum number of employees? How is it determined in Quebec that companies have to comply with certain rules?
My questions are still about what Bill C‑27 does and doesn't include.
Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC
There was a process that led to the adoption of the bill in Quebec, which unfortunately was not the case here. You were able to compare Bill C‑27 to what was passed in Quebec. We hear a lot about what will be a priority in the bill, for example, with regard to justice and law enforcement.
What is your analysis of the situation? I ask because I just heard Ms. McLeod express some reservations about certain aspects of Bill C‑27. Do you have some as well?
Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC
Thank you, Mr. Chair.
Thank you to all the witnesses for being with us today.
Mrs. Poitras, I'm delighted to meet you. First of all, I would like to congratulate the Government of Quebec and your organization for the work that has been done. Since we began our study of Bill C‑27, many have cited the Quebec legislation as a model. So I commend you for that.
From what I understood earlier, you are currently holding consultations on the six themes you mentioned.
Before the bill was passed, were consultations held in Quebec?
Michael McEvoy Information and Privacy Commissioner, Office of the Information and Privacy Commissioner for British Columbia
Thank you, Chair and members of the committee.
I'd first like to acknowledge that I'm presenting to you today from the traditional territories of the Lekwungen-speaking people of the Songhees and the Esquimalt first nations.
Given my brief time this afternoon, I want to focus my comments on the practical matter of how the privacy rights of Canadians ought to be considered and, where events dictate, enforced.
A common theme of these proceedings is the need to harmonize, to the greatest extent possible, the substantive privacy rights of Canadians across federal and provincial jurisdictions. The principle of harmony or substantial similarity should also apply to the processes that determine and enforce privacy rights.
Why is this so important? Data most often knows no borders. Many significant privacy rights cases impact citizens across the country.
It is therefore incumbent upon us, as privacy regulators with oversight over the private sector in Alberta, British Columbia, Quebec and Canada, to act, to the greatest extent permitted by law, in a coordinated manner. This ensures that concerned individuals are addressed in a consistent way and that affected businesses are not queried by overlapping demands. In short, coordination builds the trust of Canadians in our privacy oversight system.
The coordinated actions I speak about will be enhanced considerably if the avenues for processing and enforcing those privacy rights are as consistent as the law permits across jurisdictions. In concrete terms, this means the federal Privacy Commissioner should certainly be granted order-making powers, which the three provincial authorities now have, and which Bill C-27 recommends.
I would go a step further. The proposed federal order-making powers should be reviewable in the same manner as that applicable to provincial authorities. That is to say that the federal Privacy Commissioner's powers should be directly subject to review by the courts. That has proven to be more than sufficient to protect the rights of all parties at a provincial level. Bill C-27's proposal to add a layer of administrative bureaucracy in between the commissioner's orders and the court review adds an unnecessary level of expense and time to distance Canadians further from the ultimate disposition of their privacy concerns.
The same considerations of federal and provincial harmonization should be applied to the matter of administrative monetary penalties. Quebec—as my colleague has just pointed out—is the first jurisdiction in Canada to authorize the regulator to administer such penalties where circumstances warrant. I have called for British Columbia's government to do the same.
The authority to levy fines—a last resort for regulators—protects the rights of Canadians and the vast majority of businesses from bad actors. It is critical that privacy regulators are able to ensure that when fines are necessary for multi-jurisdictional violations, they are levied in a coordinated, proportionate and non-overlapping way.
That is simply not possible under Bill C-27, which strips power away from the federal Privacy Commissioner to levy fines, and instead puts it in the hands of a third party that would not be in a position to coordinate matters with other authorities. This again creates federal-provincial asymmetries, which in no way benefit Canadians. It bears repeating that if a party is concerned about an imposed fine, a direct referral to the court system is more than adequate to ensure administrative oversight of the system.
In summary, while Bill C-27 goes some ways to strengthen the privacy rights of Canadians, the bill must be improved to ensure that those rights can be fairly, effectively and economically adjudicated and enforced.
Along with my colleagues, of course, I welcome any questions you may have.
Diane McLeod Information and Privacy Commissioner, Office of the Information and Privacy Commissioner of Alberta
Good afternoon. I would first like to thank the committee for inviting us here today as witnesses to your proceedings on Bill C-27.
This bill is an important step in modernizing Canada’s private sector privacy law. It would support responsible innovation and development of innovative technologies while adequately protecting privacy rights.
Innovation is occurring in all sectors. These activities benefit Canadians, but there are also risks. This law would play a key role in establishing a foundation of trust amongst Canadians, which would foster the growth of our digital economy.
Alberta's Personal Information Protection Act, PIPA, has been declared substantially similar to the Personal Information Protection and Electronic Documents Act, PIPEDA. The objective of PIPA is essentially the same as that of PIPEDA, and both acts are consent-driven with certain exceptions. Given these similarities, I will not go through PIPA in detail. Instead, I will focus on an aspect of PIPA that may be of interest as you consider the Consumer Privacy Protection Act portion of Bill C-27, and that is specifically our order-making power.
Most reviews and complaints, about 85%, are settled by our informal case resolution team. If settlement fails, the commissioner may conduct an inquiry, a quasi-judicial process, which involves formal submissions to an adjudicator, who then issues an order to remedy any non-compliance.
Our informal case resolution team operates separately from our adjudication team. When a file moves to inquiry, our adjudicators conduct a de novo hearing. They do not have access to what occurred in mediation. Orders are final, binding and not appealable, but they are subject to judicial review by the Alberta Court of King’s Bench.
The majority of our orders are complied with. We have sought a court order to enforce compliance in only a few cases.
This structure brings finality to allegations of non-compliance in a cost-effective, predictive and relatively timely manner. Finality serves several purposes. It creates certainty around the interpretation of PIPA, which serves the interests of both organizations and individuals. It encourages settlement. Because our services are free, our office is fully independent from government, and the majority of our orders are complied with. This reduces the time it takes to remedy non-compliance.
PIPA is scheduled for review by our Standing Committee on Resource Stewardship likely to begin in early in 2024.
Given this, we’ve been paying close attention to what is happening with Bill C-27, specifically the CPPA, as it may influence amendments to PIPA due to PIPA's substantially similar status. We are also considering the impact of Bill C-27 on Albertans when their personal information flows across borders.
In the CPPA, there are positive new privacy protections for Canadians. There is the right to request disposal of personal information, also known as the right to be forgotten; rights regarding the use of automated decision-making systems; and rights regarding data portability. Other improvements include clarification of service providers' role and accountability, administrative monetary penalties to deter non-compliance, proactive auditing, better protection for minors, and the inclusion of privacy as a fundamental right, as well as proposed amendments on the special interests of minors.
However, we have some concerns regarding a few provisions. We are concerned about individuals' loss of control over their personal information resulting from new authorities in section 18 regarding business activities and legitimate interests. We are concerned about how the provisions on de-identification and anonymization would be used, and whether more controls would be required to mitigate potential risks to individuals. We are concerned about whether the inclusion of the tribunal as an appeal body to the Privacy Commissioner's orders would impact our ability to conduct joint investigations.
In addition, there are areas in the bill that could be enhanced. Stronger protections for children, such as those provided for in California and the United Kingdom, could be built in, as could requiring the use of privacy impact assessments in specific circumstances where there are higher risks, and requiring increased rights for the use of automated decision-making systems, and expanding the definition of sensitive information to mitigate the risks of harm that may flow from the processing of certain kinds of personal information.
I thank you for your time. I look forward to further discussion.