Evidence of meeting #21 for Industry and Technology in the 45th Parliament, 1st session.

Before the committee

Philippe Dufresne, Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Parm Bains Liberal Richmond East—Steveston, BC

Can you expand on some of the other departments we have to work with? You talked about the CRTC and others. Does the information sharing among the different departments need more improvement? Can you expand on how that's working?

The Chair Liberal Ben Carr

Answer quickly, Mr. Commissioner.

3:55 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Sharing information among departments is an issue that would fall under the public sector privacy law, and that also needs to be amended. Departments need to be able to share information among each other. If it's personal information, there should be safeguards, but departments should talk to one another when they're dealing with breaches, because that helps with prevention and helps to remedy them.

The Chair Liberal Ben Carr

I forgot to mention something at the beginning.

If you're not in the midst of using your interpretation earpiece, put it on the sticker in front of you to protect the well-being of our interpreters.

I'm reminding you because I'm pretty sure we will continue in French.

Mr. Ste‑Marie, you have the floor for six minutes.

Gabriel Ste-Marie Bloc Joliette—Manawan, QC

Thank you, Mr. Chair.

Greetings to all my colleagues, including our new colleague.

I'd like to extend a special welcome to the witnesses, Mr. Dufresne and Mr. Chénier.

Thank you very much for your presentation, Mr. Dufresne. You've already given us a lot of information in your answers. In my questions, I'm going to cover a hodgepodge of topics.

I'll start with the open finance part of Bill C‑15. If you've looked at it, what do you have to say about the responsibility of the various players in the event of a data breach?

3:55 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

There are some good things in the bill. It requires immediate notification, which is very positive. The act that governs my duties, the Privacy Act, mentions sending a notice as soon as possible. I already recommended that it be strengthened, for example by saying that it must be sent within a maximum of seven business days. Here, we're talking about immediate notification. That's positive, and it also raises a question.

For example, if the Bank of Canada or other entities were involved, I could also receive a notification, because those entities would also be subject to the privacy regime. Therefore, we need to be able to work together. One of the themes I've been focusing on for a long time is that regulators should be able to share information among themselves when it helps them fulfill their respective mandates. The same theme arises when departments are victims of privacy breaches. Often, there is a slowdown because of the time it takes for the various sections to talk to each other, and it's the same thing for private businesses.

This is very important, and I think the bill is going in the right direction in that regard.

Gabriel Ste-Marie Bloc Joliette—Manawan, QC

Okay. Thank you.

I'll move on to another topic. Once again, this concerns data portability, and hence the authorization to transfer personal data from one institution to another. Bill C‑15 concerns businesses under federal jurisdiction, but some businesses may be under provincial jurisdiction.

From your perspective, has the government consulted with its provincial counterparts on this to ensure alignment? Are the provinces, including Quebec, ready for harmonization?

3:55 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I have nothing to provide about discussions or consultations between governments and between departments, because I'm not one of them. I can only assume they have taken place. I would be very surprised if there were no consultations between federal departments and provincial departments on these issues. That is certainly the standard practice in my area, which is regulatory bodies. I have a very special relationship with the Commission d'accès à l'information du Québec. This is exactly what we're talking about, because these are issues that will affect both levels of government.

Quebec has regulations on data mobility and portability. We also made a comparison when evaluating the bill. Some provincially regulated entities might want to be subject to the regime. Correct me if I'm wrong, but I believe it is also possible to recognize entities under provincial jurisdiction within the meaning of the framework.

However, ensuring coordination and interoperability with the provinces, including Quebec, will also be important for consumers and organizations.

Gabriel Ste-Marie Bloc Joliette—Manawan, QC

Thank you very much. Let's move on to another topic.

In your presentation and in your exchanges with one of my colleagues, you said that, in the divisions we're looking at, many parts of the bill would be implemented through regulations to be defined later. For us, as legislators, that's a leap of faith in the government. We put our trust in the government because regulations aren't voted on in the House of Commons.

You said that you assumed the government would consult you in developing the regulations, but I'd like to check something with you. Has the government made that commitment publicly, or does Bill C‑15 state that the government will consult you and that you will be there to develop the regulations?

4 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

It's not written in the bill, which doesn't provide for a duty to consult us. It has not been the standard in other countries with similar legislation to provide for consultation with the Privacy Commissioner for that purpose. Australia is doing it, and I think it's a good thing, but it's not necessarily always done.

For my part, as I've said publicly in my testimony to the Senate and in other contexts, particularly when I talk to government officials, I believe that everyone stands to gain from planning this consultation, because it prevents certain situations. Ultimately, I'm accountable to you, as parliamentarians. If you ask me if I was consulted and I say no, that will raise all kinds of questions. Therefore, I say to the government that this is to everyone's benefit, that we are willing to be consulted and that Parliament can require it if it wishes to do so.

I set my expectations and I will continue to do so. If it's not in the legislation and the government doesn't do it, I will voice my concerns through annual reports and so on. However, I'm optimistic about it.

Gabriel Ste-Marie Bloc Joliette—Manawan, QC

Despite the optimism you've shown every time you've raised this issue so far, the government has never committed to systematically including you in the development of regulations.

4 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I haven't heard any opposition either. It may not have been stated that there would be a commitment to do it, but I haven't heard anyone object to it either.

Also, I must say that, in the context of the potential legislative reform of the Privacy Act, for example, we had some good discussions with senior officials at the Department of Industry. So I think those relationships are going to get better.

Gabriel Ste-Marie Bloc Joliette—Manawan, QC

Thank you very much.

Thank you, Mr. Chair.

4 p.m.

The Chair Liberal Ben Carr

Thank you, Mr. Ste‑Marie.

Ms. Borrelli, the floor is yours for five minutes.

4 p.m.

Kathy Borrelli Conservative Windsor—Tecumseh—Lakeshore, ON

Thank you, Commissioner, for being here today. I appreciate you answering our questions.

The new data mobility framework is meant to make it easier for people to switch services and increase competition. There isn't an outline for how this will work, and details like which industries are included, what data can be transferred, how it will be protected and who is responsible if something goes wrong will be decided later by the government.

It will be important for your office to be consulted by the government in the development of those regulations. Do you have faith that you will actually be consulted?

4 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

As I indicated to your colleague Mr. Ste-Marie, I am optimistic. I'm publicly setting out my expectations. I've done this in the other place, and I'm doing it here.

There is precedent, I would say, from the standpoint that Parliament amended the legislation on financial crimes and FINTRAC to allow more personal-to-personal information to be shared by banks among each other to identify fraud and terrorism financing. This led to the creation of a code of practice regime that is reviewed and approved by my office.

There is a precedent for positive, constructive exchanges. I'm optimistic that is going to happen, but I will certainly monitor it. If it does not happen, you will hear from me on it because I think it would be a disservice to the institutions, to the industry and ultimately to Canadians.

4:05 p.m.

Kathy Borrelli Conservative Windsor—Tecumseh—Lakeshore, ON

Thank you, sir.

We are seeing more and more attacks. We're hearing about more and more hacking, and consumers are left on their own to fight for themselves, with maybe a “sorry”.

Loss of financial data has far more dramatic effects on people's lives, especially if it gets into the wrong hands of criminals. When the breaches happen, what are the penalties, or what should the penalties be for those who do the breaching?

4:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

When we look at breaches, we're always looking at what measures were put in place, what should have been put in place, what lessons were learned and if there was inappropriate care for the personal information of Canadians, given the sensitivity, the risk and the attractiveness. Right now, there are no penalties, and that's the concern. In Canadian privacy law, there are no penalties at all.

This becomes evident when we compare ourselves to other regulators, including within Canada—my counterparts in Quebec now have the ability to issue fines—and internationally as well. When I investigated 23andMe for a massive breach of genetic data, my U.K. counterpart issued a major fine on the organization, because this was a situation where they had significant shortcomings and it led to terrible harms for individuals.

You're absolutely right that we should not be treating this as a technical matter. This harms real people in a real, significant way, sometimes forever, and it's difficult to chase that information.

There needs to be strong enforcement and strong consequences in appropriate cases. At the same time, we also need to help and work with industry. It's challenging. There are bad actors, and they're using AI and fast-evolving technology.

It's something we all have to work together on, but the gap in enforcement makes us weaker in that respect, and I think this can and should be changed.

4:05 p.m.

Kathy Borrelli Conservative Windsor—Tecumseh—Lakeshore, ON

The system for sharing data outside of Canada, as you say, is not as rigorous as it should be. Do you believe we need stronger legislation in that regard?

4:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Sharing data outside of Canada is an area of my recommended amendments to privacy legislation. Right now, we have a general sense that if you're sharing data outside, you have to make sure, by contracts or other means, that you have an equivalent level of protection, but this could be more robust.

There are other jurisdictions that will call for a review of the entire legal system and where it's going and say, “Is there rule of law there?” Government access to private data is always a concern, because you can't have a contract that's going to prevent another government from taking information, so we need to strengthen that.

4:05 p.m.

Kathy Borrelli Conservative Windsor—Tecumseh—Lakeshore, ON

I need time for another question.

These things happen really quickly. Data mobility produces real-time risk. Is a complaints-based model sufficient for this kind of program, or can we do better?

4:05 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

Well, it's not sufficient, and that's why we need multiple tools. My preference is to take proactive action: to educate, to have frameworks, to have good regulation that is going to help industry do what's necessary, to have quick reporting if there's a breach and to have early compliance letters. I dealt with a big breach of information at PowerSchool, and we got the organization to commit very quickly early on to fixing it without the need for a long investigation.

You're going to need investigation in some cases, but it's a spectrum of tools. I agree with you that we should not always be reactive. We have to try to anticipate things, prevent things, create a culture of privacy and work with the good actors, but for the bad actors, we need more enforcement.

The Chair Liberal Ben Carr

Thank you very much, Ms. Borrelli.

Mr. Bardeesy, the floor is yours for five minutes.

Karim Bardeesy Liberal Taiaiako'n—Parkdale—High Park, ON

Thank you so much, Chair.

There are a lot of important roles for your office in this legislation and these amendments. Do you feel you have sufficient resources to be responsive to the possibility of more public requests for your office to get involved in these issues?

4:10 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

We're monitoring all the potential new roles. In this instance, in this legislation, I'm setting out the need to be consulted in the regulations and to work closely with the other entities. I would not anticipate that will require many more resources.

However, overall, we have resource concerns at the OPC. We are in a time of restraint, as you know, with departments reducing their resources. We are in a situation where privacy challenges are growing and where the impacts of technology and the impacts of breaches—all those things—are growing.

My concern would be more about making sure that, even in a period of budgetary reduction, we are mindful of the context of privacy, where breaches, as a new mandate...and we have that as an increase. We are seeing the technology evolve and the data uses increase, so there are opportunities for Canadians. We're going to continue to monitor the situation to make sure we can deliver.