Bill C-27

If I may, I'll answer in three parts.

First, there is Bill C‑27 in and of itself. I grant you, in my humble opinion, that part 3 and parts 1 and 2 are probably unrelated. That's a real problem. I won't hide the fact that, when I talk about the aspect of Bill C‑27 that I like—it's always like that in a relationship, we like or we like less—I'm talking about parts 1 and 2, to be quite honest with you. That's the first thing. I think part 1 is a very good start. There are gaps. As I told you, it's not perfect in terms of compensation and the flexibility of consent, among other things. However, in my opinion, the bill is a very good foundation.

Second—and I go back to my earlier comment—I think there's a common sense rule with respect to this piece of legislation. It's just a matter of looking at the obligations in a very cold way. We have to ask ourselves some questions. I would like to come back to the example of the famous La Tuque convenience store, which, by the way, is being well advertised. I don't know if there are two, though. In any case, if I were the owner of this famous convenience store and I saw this text, I would wonder if it would help me in how I operate. Is this piece of legislation really going to change the way I do things? That is the objective. We really have to show businesses that we don't want to create problems for them for the sake of creating problems for them. We have to tell them that we want to help them focus their attention on the right things.

I gave you the example of the privacy officer. I don't personally believe that our convenience store needs a privacy officer. I think it's that kind of analysis that could really help small and medium-sized businesses. We have to put ourselves in their shoes and ask ourselves whether, based on what we see, based on non-sensitive data…. Again, I think this is an important element, because small and medium-sized businesses have a voice that is heard, obviously, but it will depend on the data. Data is really the key. However, I think you have to look at some of those things, and obviously that has been taken into account in some provisions and not in others.

Perhaps we need to make an effort to be consistent and to ensure that this aspect is truly taken into account. That could help, I think.

Yes. I think there are two sub-aspects from my perspective.

The first aspect is the transition period. I think we should not undermine the fact that, even though there are already processes in place with PIPEDA and potentially with law 25, it does take time to have something that is meaningful.

I'm a lawyer, so I wish I could tell you that it's only a question of the papering aspect and just giving some policies and moving on. The fact is that privacy is much more than only legal professionals. I think there's an understanding internally in any organization to understand what is going on in terms of data flows and what we do to protect the information we have.

That's the reason why I tend to think that 36 months is the bare minimum. As a matter of fact, when we look around the world, that's what we are seeing. We saw with law 25 that 24 months was not sufficient. At the moment, companies are struggling very much to comply even with law 25, most of which came into force.

On the second aspect of your question, regarding what we can change, I will give you a simple example. If we go to proposed section 8 of the CPPA, it says, “An organization must designate one or more individuals to be responsible for matters related to its obligations under this Act.” I'll go back to my example of the convenience store in La Tuque. They have very little personal information. Their first question when they come to me would be, “Whom do I appoint? Who is my privacy officer?”

I think this is where it is problematic. It's not based on the size of the company; it's more a question of the volume and sensitivity of the information, the good news being that this threshold is present in Bill C-27 in some disposition. In particular, when I look at the privacy management program in proposed section 9, there is a caveat: depending on the “volume and sensitivity” of the information. I think the key aspect would be just to look at those absolute requirements and say, do we have a threshold based on the volume and sensitivity of the information? I think this could be a good exercise in the full version of the CPPA at least.

That's a really good question.

I generally support the new exceptions to consent in Bill C-27 , which are similar—slightly different—to the GDPR. I agree that the application of the legitimate interest exception, whether as a stand-alone right or as an exception to applied consent, will help a contextual analysis and will help nurture innovation and allow for a difference between...how organizations look at their programs and at accountability and transparency.

In terms of aligning with the European Union, I must say that it will require an analysis that may take years. Japan recently received a suitability decision and is considered a good country for the transfer of personal information. This is the result of years of work by the European Commission.

I think Bill C‑27 is a very good bill in terms of complying with European standards, in this case the European Union's General Data Protection Regulation. There are a lot of “Canadianized” concepts, if I may say so. It's worded a little differently, particularly when it comes to sensitive data. I still think that Bill C‑27 is a good bill in that regard, apart from certain aspects on anonymization and the legal basis for handling personal information, as I mentioned.

I'd first like to mention that our federal legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA, is a quality piece of legislation. I wouldn't say that there's an urgent need to act, but that's a very personal opinion. There are fairly broad concepts in PIPEDA that already allow companies to do very good things. We aren't in a vacuum at the moment.

That said, Bill C‑27 is very ambitious. I'm talking about the part that deals with the protection of personal information. We shouldn't underestimate the time it will take to adjust the processes. Let's not forget that companies had to grapple with Quebec's Bill 25 a few months ago and complied with it last September. It was a real in-house effort.

I think there's an interest in avoiding a duplication of resources, at the risk of creating a kind of fatigue on the part of companies with regard to requirements. Businesses will no longer understand the message being sent to them. I think it's important to keep in mind the significant transition period.

I don't think there's an urgent need to act, but that's my very personal opinion.

There's a fairly fundamental difference. As you know, when it comes to privacy, the notion of consent is central. It's all about consent. We're talking about either express consent implicitly or an exception to consent. That's how Bill C‑27, the current federal act and the Quebec act are built.

Currently, Quebec's approach is very different from the rest of Canada. In fact, it decided to enshrine in law that, when it comes to the collection of personal information, consent isn't always required, provided that the reasons for collecting, using or communicating personal information are disclosed. This was recently confirmed in the guidelines of the Commission d'accès à l'information du Québec.

What does that mean in concrete terms? It's very theoretical, but it's not that theoretical. When you visit a website, you are “attacked” by various methods of consent. That's what we want to impose on children. As adults, our ability to concentrate is very limited. Personally, I have a full-time interest in this, and I don't read everything.

Quebec has decided to take a different approach: we don't force people to give express consent, to click, we just give them the information, and then they can continue with the process. This aspect of transparency is unique to Quebec.

At the moment, the federal legislation, as drafted, seems to indicate that a positive gesture should always be made in certain cases. I think that's a pretty significant difference. Again, not a bad thing. In fact, we're a different approach to the problem. We're providing a little more transparency, a little more control, instead of forcing people to consent in an almost fictitious way.

At the moment, conceptually, Bill C‑27 is quite compatible with Bill 25. I would even say that, in many respects, Bill 25 is stricter than Bill C‑27. I'll go further than that: Bill 25 is one of the strictest laws in the world. That has to be recognized.

In my practice, I work with international clients, whether they are based in the United States, Europe or Latin America, and today, they look at Bill 25 and say that it's really one of the most complicated laws to implement and that it's difficult to comply with it. That's not a good thing.

My position today, quite frankly, is that the two pieces of legislation are compatible. However, I think there are lessons to be learned from Bill 25. I took the liberty of quoting the European Union's General Data Protection Regulation, the GDPR, and I think that's a very interesting model for Bill C‑27 to look at. That's really my position.

There are some very good things in Bill C‑27. It should be noted that, from a legislative standpoint, it makes a very different change. Bill 25 amended existing legislation by patching things up a little. We tried to add an act dating back to 1994. The beauty of Bill C‑27 is that it's unified. There really is a collective understanding.

So my comment on this is to say that looking at Bill 25 as a yardstick may not be the best approach, in my humble opinion.