Information & Ethics Committee on Oct. 25th, 2023

I think you should never waive your privacy because it's a fundamental right. We have to remind people that privacy has no transactional or commercial value that can be sold and that, if you get something exciting enough in return, such as innovation, that's worth it. It's a fundamental right that defines us as individuals and that other rights are based on, rights that enable us, for example, to be free, to have democratic systems and equality and to be free from discrimination. It's an extremely important right. People and institutions must be reminded how important it is.

The idea isn't to say there'll be no innovation. When I was appointed to my position, I said that the right to privacy was a fundamental right but that it also had to support innovation and the public interest, and that that was possible. Sometimes it requires a little more work, as is the case with equality, but it requires less work if you act right away.

We absolutely must tell people that the toothpaste isn't out of the tube and that, if some of it is, we'll put it right back in because it's important that we do so. We'll get there by working together.

I think it's absolutely essential to modernize this act. We also need to modernize the part of the Privacy Act that deals with the private sector. This law is 20 years old, so it's older than Facebook and social media. It is positive that Bill C‑27 aims to modernize the act with respect to the private sector. I look forward to seeing this bill move forward.

In addition, I hope that a bill to modernize the act for the public sector will soon follow. The Minister of Justice had said, when Bill C‑27 was tabled, that the public sector privacy bill would follow. Consultations were held with first nations and indigenous peoples on certain implications. The Department of Justice published a report on these consultations—I believe it was in September. The work is ongoing. In my opinion, the solution is to move forward with Bill C‑27. The model passed in this legislation can then be adapted to the public sector, as needed. That could be beneficial.

Among our proposals, we suggest that there should be an increasing number of public-private partnerships and that the government should work hand in hand with the industry. At present, we have two laws with different requirements for government and the private sector. This is not optimal, and it creates problems in terms of interoperability. I entirely agree with you that this is becoming important.

In the meantime, the law applies, and our office will continue to implement it to the best of our ability. In fact, this is a message that my counterparts from the G7 countries and I conveyed when we were in Tokyo last summer. At that meeting, we talked about artificial intelligence. To address people's concerns, we said we needed laws on artificial intelligence. There are already some—privacy laws, for instance. They exist and they are enforced.

I've also launched an investigation into ChatGPT, to confirm whether or not it is compliant with the legislation. Tools do exist, but they absolutely must be modernized. We will be there to support Parliament.

The power to issue orders is very important. In my view, the ideal scenario is not having to use that power, but its mere existence will encourage good decision-making. I say this as commissioner, but also as a senior corporate executive and as an employer: When there are a lot of priorities and a lot of pressure but little time and few resources, organizations prioritize binding legal obligations over recommendations. That is standard.

I don't want a right as fundamental as privacy to be treated as if it were nothing more than an asset. That said, organizations often do treat it that way.

I can use my power to make recommendations, but it would also be very important for me to have the power to issue orders.

Certainly. There are sometimes discussions about that.

As for the cases you're referring to, sometimes a department tells us it's already doing what we recommend. In the case of the pandemic, we also carried out an assessment of proportionality and necessity, which is not mandatory under the Privacy Act, but which we feel should be. We put forward that analysis.

It's a dialogue. We are always given the reasons for refusal, and dialogue is established.

Some breaches are more serious than others. The really worrying situations are those where there has actually been a major breach or a major consequence, combined with a complete refusal to follow our recommendation. That can undermine trust.

I feel the power to issue orders is important. When an officer of Parliament makes a recommendation to an organization and the latter refuses to implement it, the situation is not satisfactory. I believe there must be sufficient justifications given. If we had the power to issue orders, this wouldn't be a problem. We'd issue them when necessary. With that said, in my opinion, they should only ever be used exceptionally.

The same applies to fines. In Bill C‑27, we would add the possibility of imposing significant financial penalties on organizations. I think this is very important, for the same reason again: to create incentives. The idea is not to use them often, but...

That's right.

Yes, Quebec's law 25 definitely has more teeth than existing federal laws, simply because it grants the power to issue orders. Quebec's access to information authority, the Commission d'accès à l'information, or CAI, can issue binding orders and impose heavy fines, similar to the European model under the General Data Protection Regulation. That makes it a more robust piece of legislation on that front. It lays out proactive obligations.

Hopefully, Bill C‑27 will make its way successfully through Parliament and bring federal laws more up to date in that regard. It's not exactly the same as law 25, but it comes close with the power to issue orders, and to impose fines as well as proactive obligations on companies. I think it's a good model, following in the footsteps of Europe and Quebec. I think, federally, we can get there.

To answer your question about working with the CAI, I can report that we do indeed work very closely with Quebec and all the provinces and territories.

I was in Quebec City in September for the annual gathering of federal, provincial and territorial privacy commissioners, which the CAI hosted. We had some very important and useful conversations. We put out two resolutions, including on the protection of young people's privacy. They are joint statements reflecting principles that all the commissioners have agreed upon, despite the legislative differences between the jurisdictions. In this way, the commissioners are trying to make things easier for companies by flagging common elements across the different regimes. My office carries out joint investigations with provinces that have regimes similar to the federal government's, so Quebec, Alberta and British Columbia. We worked together on the investigations into TikTok, ChatGPT and Tim Hortons.

Our collaborative work is not only extensive, but also very useful. We are able to make sure that we are on the same page across the country.

Federal privacy laws apply everywhere in Canada, except in provinces whose legislation is similar to the federal government's, which is the case in Quebec.

Any activity taking place solely in Quebec is governed by Quebec's legislation, but many issues have an impact beyond Quebec's borders, especially those involving the Internet and social media. That's why we work together so closely and often conduct joint investigations. We're able to cover everything that way.

That illustrates why it's important for the organizations making those ads appear to be more transparent, to comply with proactive obligations and to say why they are doing what they're doing. You should have the right to ask the organization why that ad showed up for you.

You bring to mind something important, Mr. Gourde. Just because information is publicly available online doesn't mean it's not personal information that is supposed to be protected. I think there's a misunderstanding about that. The thinking is that it's not personal information because it's on the Internet, but the law still applies. There is an exception for public information, but it's very limited and it has to be defined in the regulations.

Generally speaking, you're still protected in that regard.

We explicitly recommended that the term “profiling” be included in the definitions. When organizations use an algorithm, when they infer things from your personal information and, then, use that to build profiles, there are consequences, and they need to be taken into account and regulated. Both Quebec's law and the European regulation refer to the term “profiling”. My office recommended it be explicitly included in Bill C-27.

There has been progress. It is making its way through the Federal Court of Appeal process. We have filed our factums, our written representations, to the Federal Court of Appeal. Facebook has filed its written representation. Next steps will be to wait for the court to set a hearing date, which we hope will take place in the coming months and, following that, oral arguments and then a decision.