Bill C-27

Thank you very much.

Good afternoon, Chair.

Good afternoon, committee members and Madam Clerk.

Thank you for the invitation to appear before you today. Hopefully my input will benefit the committee's important work.

I speak from decades of experience as a privacy professional and from 15 years as an information rights regulator in four jurisdictions. My ongoing work takes place really on the international stage, but it's backed by long-standing familiarity with our own federal and provincial privacy laws.

When I became the information commissioner for the United Kingdom in 2016, that role really brought me into the EU's oversight board that administered the GDPR implementation. That brought me into direct collaboration with all EU member states, and that experience greatly expanded my view of data protection and privacy that was first cultivated at the federal level in Canada, in Alberta and British Columbia.

During my five years as the U.K. information commissioner, I also served three years as the chair of the Global Privacy Assembly. That position greatly expanded my horizons once again and enhanced my knowledge of other laws and other cultures, including the global south, the Middle East and the Asia-Pacific. To this day, the work I do spans continents.

The issues of pressing concern are largely the same, and those are children's privacy and safety and the regulation of artificial intelligence.

Looking first at Canada's CPPA from a global perspective, I see a big missing piece, and the legislation's language, in my view, needs adjusting so that it explicitly declares privacy as a fundamental right for Canadians. Its absence really puts us behind nations who lead the way in privacy and data protection.

The legislative package goes some way towards establishing expectations for AI governance, but it lacks specific and much-needed protections for children and youth. In a study I conducted through my work with an international law firm, Baker McKenzie, which surveyed 1,000 policy influencers across five jurisdictions, we found that all those surveyed came to a single point of agreement: The Internet was not created and not designed with children in mind.

All those policy influencers felt that we need to do better to protect children and youth online. Canada is a signatory to the United Nations Convention on the Rights of the Child, and I think Canada owes it to our young people to enshrine the right for them to learn and to play, to explore, to develop their agency and to be protected from harms online.

In the U.K., I oversaw the creation of a children's age-appropriate design code, which is a statutory enforceable code, and the design of that code has influenced laws, guidance and codes around the world. I'd be happy to answer more questions about that.

Additionally, I believe the legislature should go further than it does to provide the Privacy Commissioner with robust enforcement powers. I exported my career from Canada to the U.K. in large part because I wanted to gain hands-on experience administering laws with real powers and meaningful sanctions.

In Britain, privacy harms are treated as real harms ever since the GDPR came into effect. One result was the leap in the U.K. information commissioner's fining authority, but other enforcement powers were equally powerful: stop processing orders, orders to destroy data, streamlined search and seizure powers, mandatory audit powers and so on.

These enforcement powers were mandated by a comprehensive law that covers all types of organizations, not just digital services but a business of any kind, a charity or a political party. By comparison with the GDPR, Bill C-27 lacks broad scope. It doesn't cover charitable organizations, which are not above misusing personal data in the name of their worthy causes. Neither does Bill C-27 cover political parties. It leaves data and data-driven campaigns off the table for regulatory oversight.

Serving as a privacy commissioner at the federal and provincial levels in Canada exposed me to towering figures in my field. I think of Jennifer Stoddart, the former federal privacy commissioner, and David Flaherty, the former B.C. information and privacy commissioner. Their names recall a time when Canadian regulators and Canadian law were deeply respected internationally, when our laws and our regulators really served the world as a bridge between the U.S. and Europe. Although commissioners who followed, Daniel Therrien and Philippe Dufresne, have continued to contribute internationally, Canada’s laws have fallen behind any global benchmark.

I think we can recover some ground by returning to fundamental Canadian values, by remembering that our laws once led the way for installing accountability as the cornerstone of the law. Enforceable accountability means companies taking responsibility and standing ready to demonstrate that the risks they are creating for others are being mitigated. That's increasingly part of reformed laws around the world, including AI regulation. The current draft of the CPPA does not have enforceable accountability. Neither does it require mandatory privacy impact assessments. That puts us alarmingly behind peer nations when it comes to governing emerging technologies like AI and quantum.

My last point is that Bill C-27 creates a tribunal that would review recommendations from the Privacy Commissioner, such as the amount of an administrative fine, and it inserts a new administrative layer between the commissioner and the courts. It limits the independence and the order-making powers of the commissioner. Many witnesses have spoken against this development, but a similar arrangement does function in the U.K.

Companies can appeal commissioner decisions, assessment notices and sanctions to what is called the first-tier tribunal. That tribunal is not there to mark the commissioner’s homework or to conduct de novo hearings. I would suggest that, if Parliament proceeds with a tribunal, it has to be structured appropriately, according to the standard of review and with independence and political neutrality baked in.

As a witness before you today, I have a strong sense of what Canada can learn from other countries and what we can bring to the world. Today, Canada needs to do more to protect its citizens’ data. Bill C-27 may bring us into the present, but it seems to me inadequate for limiting, controlling or making sure we have responsible emerging technologies.

Thank you for hearing my perspective this afternoon. I very much look forward to your questions.

Thank you, Mr. Chair.

Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I'm here in a personal capacity, representing only my own views.

I've appeared before this committee many times, yet it seems necessary to expand on my standard opening by stating that I have never been compensated or otherwise received a benefit from any tech company in conjunction with any of my appearances, submissions or statements on any legislative or regulatory issue. I don't think I should have to say this, but given the tendency of some to defame critics of Bill C-11 and Bill C-18 as shills, I should be absolutely clear that my views are not for sale.

Further, I should also be clear that criticism of Bill C-11 and Bill C-18 was not opposition to tech regulation. There are real harms, and we need regulation. I recently appeared before the INDU committee, calling for the strengthening of Bill C-27 on privacy and AI regulation. I have to say that I have spent much of my time, in the aftermath of the events of October 7, focused on the alarming rise of anti-Semitism and the urgent need for action both off-line and online, which could include the much-delayed online harms bill.

Since this study is about tech efforts to influence policy, I'll focus on that.

There have been important studies and reports that chronicle tech sector efforts to influence policy. For example, the Tech Transparency Project reported on Google-supported research. It identified many papers and work by academics with links to, or financial backing from, that company. However, the investigations identified virtually no Canadian examples. In fact, a search for any articles or reports from the project, since its inception across multiple tech companies, reveals very little involving Canada.

If we consider efforts to influence Bill C-11 and Bill C-18 through lobbyist meetings—we just heard about lobbying—one organization leads the way. It isn't Meta, which had relatively few meetings on these bills—in fact, fewer than CAB, ACTRA, CDCE or CMPA. It isn't Google, which ranked second for the meetings. Rather, the organization with the most registered lobbyist meetings on these bills is News Media Canada.

It's important to state that, if this hearing is about retribution for the blocking of news links in response to Bill C-18, I think that's misguided. Companies and many experts warned repeatedly that the legislation was deeply flawed. Now that news-link blocking has gone on for months on Facebook and Instagram without any apparent interest from that company in regulatory reform, I think that's pretty clear evidence that this is a consequence of the legislation and not a tactic to influence it. It was not a bluff, as many kept insisting. Indeed, I would argue that, frankly, both companies were pretty consistent from day one in their statements about the legislation.

In many respects—we just heard about threats to remove or stop investment—it's no different from Bell's recent announcement, in which it threatened to cut capital investment by a billion dollars in response to a CRTC wholesale Internet access ruling, or Stellantis putting its investment on hold earlier this year in Canada with the announcement of the Volkswagen deal. Simply put, legislation and regulation have consequences.

If this is actually about addressing concerns around regulatory or legislative influence, however, the real issue isn't tactics. It's regulatory capture. On that front, there is cause for concern in Canada. With Bill C-11, there was ample evidence of regulatory capture, as a handful of legacy culture groups dominated meetings with officials and time with this committee. The voices of Canadian digital creators were often dismissed or sidelined, including those from indigenous and BIPOC communities, some of whom reported feeling disrespected or intimidated by department or ministry officials.

The situation was even more pronounced with Bill C-18. Members of this committee indicated they were ready to move to clause-by-clause review without even hearing from Meta. During that review, someone stated that online news organizations were not even news. This form of regulatory capture was particularly damaging. Online news outlets were sounding the alarm over the risks of the bill and took the biggest hit with news-link blocking. They too were ignored. Some have now stopped hiring or been forced to suspend operations, yet News Media Canada somehow managed, in the span of five years, to obtain a $600-million bailout, the swift enactment of Bill C-18 and now an expansion of the labour journalism tax credit, in which their demands were met down to the last penny. Now that is influence.

Cultural policy is the bedrock of this committee, but culture isn't static. It's essential this committee and the department ensure they avoid regulatory capture and provide a forum for all voices. Failure to do so makes for bad policy and raises the risk of intimidation, in which—inadvertent or not—it may be the government, or this committee, that does some of the intimidating.

Thank you for your attention. I look forward to your questions.

When we think about technology and technological change, information technology is capital, so the owners of that capital have done better and better. This whole literature on the decreasing labour share and the increasing capital share of the economy is partly related to the ability to scale through information technology.

The impact of these particular data-driven technologies on market power is more subtle. The reason is that, in a Stats 101 sense—and I don't know if and when you took statistics—there are decreasing returns to scale and data in a formal technical sense. It's like this: If you have 10 people and you get an eleventh, you learn a lot; if you have a million people and you get one more, you don't learn that much. In an explicit technical sense, there are no economies of scale in data.

On data-driven and machine-learning technologies, there are reasons not to expect monopolization. There are, importantly, other forces going in the other direction, and those are the things that we should keep an eye on and regulate. The forces going in the other direction are things like.... The ability to use data requires certain other technologies or can benefit from certain other markets where there is dominance. The ability to use data, and use it well, requires computing, so if the cloud services market is monopolized or has strong market power, that's going to impede innovation and be a real competition worry. Also, if media, in some ways, are monopolized, and therefore the ability to understand users as they interact with media becomes monopolized, that's another way that could [Technical difficulty—Editor] in terms of competition.

In my view, those are related, but only tangentially related, to most of the content of Bill C-27.

My view is that, in many ways, the most important thing about a policy—and, to some extent, a privacy policy—is to ensure that we protect competition.

At the same time, I don't know what an amendment to this act would look like in terms of protecting competition for the next generation of technology. A vigorous antitrust enforcement by the Competition Bureau and the continued vigilance on how large tech companies and others are potentially using their existing dominance in some markets to connect to and take advantage of new markets is worth protecting.

I'm not sure that belongs in Bill C-27, in the sense that things like ensuring interoperability between existing systems and new technologies are very valuable.

Maybe I can give you a very simple example regarding cookies. We've all heard about cookies on websites, and 10 years ago cookies were very new, something that people didn't understand. Now, 10 years later—or more like 15 to 20 years later, actually—I think this is something that is well known by reasonable persons. Just to be clear, the fact that it's evolving is not bad. I think our laws are built on a notion like this, that essentially we are making things evolve.

What I see in proposed section 18, to be frank, is the assessment. The assessment makes me feel more comfortable in being able to say that this is rational and it's been explained. It's been detailed, and it's not just somebody saying, “You know what? I think I have a legitimate interest.”

Again, I understand that those are valid concerns. I hear you, but at the same time the world is changing fast. I think we can do tremendous work, and I think Bill C-27 is full of potential, but we need to accept as well that technology is going so fast that those kinds of concepts need to be embedded in the law.

That's my position.