Industry and Technology Committee on Jan. 26th, 2026

Evidence of meeting #21 for Industry and Technology in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was need.

A recording is available from Parliament.

On the agenda

Canada's Underlying Productivity Gaps and Capital Outflow
Subject Matter of Bill C-15, Budget 2025 Implementation Act, No. 1

Members speaking

Ben Carr
Ted Falk
Michael Guglielmin
Parm Bains
Gabriel Ste-Marie
Kathy Borrelli
Karim Bardeesy
Michael Ma

Before the committee

Dufresne  Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

4:20 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

There is no requirement that it reside in Canada. That is not required here. It could be added through regulations, and it's something that I believe Parliament should be reflecting on in the context of privacy legislation overall.

I don't think you can have an absolute requirement that nothing leaves Canada from a trade standpoint, as that would significantly limit innovation and trade, but there are certain areas—national security or otherwise—where there is a need for greater rigour. That issue is very important.

Express consent with respect to the open banking part of the legislation is there. That is necessary, and indeed, there's good language that makes it understandable for consumers.

On the more general provision, this would be in regulation. It's something that I look forward to seeing be developed. It has certainly been a key part of our recommendations and the advice we give on privacy. Canadians need to understand what's going to happen. They need to be able to agree. Otherwise, they're not going to buy in and the system is not going to succeed.

4:20 p.m.

Liberal

Michael Ma Liberal Markham—Unionville, ON

On the topic of data mobility, are there regulations now or in the proposed legislation to have data be encrypted in residency, as well as in transit, so that the data is always protected?

4:20 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I believe these aspects are going to be defined in the regulations in terms of the extent of the safeguarding and the types of requirements you want to see. This is an area where you want the right balance: not making it too onerous for organizations, but at the same time and depending on the sensitivity of information.... The more sensitive the information is, the stronger the safeguards should be, and this has been a theme in our work dealing with privacy breaches. The more the risk and the more the consequences, the more the safeguards. It's important to get that right.

In fact, to help SMEs in particular, we've developed an online tool whereby individuals can provide us with a description of what happened in a breach. It will give them a tentative sense of whether it is serious enough to warrant notification to the regulator. It will help them, because it's not always easy when you're in this situation. I think something similar could be done in the context of the regulation.

4:25 p.m.

Liberal

Michael Ma Liberal Markham—Unionville, ON

We know that a lot of websites, when including corporate requirements, tend to ask a lot of questions beyond the business transactions they're involved with. Is there legislation to mandate that you can allow only the collection of data that is relevant to a transaction?

4:25 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

That's one of the principles of private sector privacy legislation in terms of appropriate purposes: not going for more than what you need.

There's a specific example of this in the open banking legislation: the prohibition of what's called “screen scraping”. It indicates that you cannot for the purposes of providing a consumer in Canada with a product or service, use an interface or application to gain direct access to their data using their authentication.

This is an example of where you have that information for the purpose of authentication, but you shouldn't use it for another purpose. That's a good practice overall. If you want to use it for something different that's beyond the reasonable expectations of individuals, you should seek separate consent or make it clear in your policies.

January 26th, 2026 / 4:25 p.m.

Liberal

Michael Ma Liberal Markham—Unionville, ON

I have experience with screen scraping, from over 20 years ago. The challenge there is that when open banking allows this type of activity, it exposes seniors to more risk. Right now, if they're exposed through one banking account, that's a limitation, but once you get into open banking, criminals can access more than just a single account.

What provision is being included to help protect people from further exploitation?

4:25 p.m.

Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Philippe Dufresne

I would point to the provisions on express consent in open banking that talk about how it's important that this be done and that it be understandable. There, too, there will be some specific regulations, and I think this is a great example of something we need to get right.

In a lot of our work.... For example, we're going to be in the Supreme Court in March for a case against Facebook where a big disagreement we have is, how clear is the consent provision? How clear is the privacy policy? Often, they're very complex. They're very complex even for lawyers and experts, let alone individuals who are busy and who are not experts in the field.

We need to do better across the board on this, in my view, but particularly, as you point out, for seniors, and also for children. For TikTok, we recommended specifically that the policies for children be described in a different way. For some of our own statements we've done with the provinces on the privacy of young people, we've published them in a more user-friendly way. I think that's always a good exercise.

4:25 p.m.

Liberal

Michael Ma Liberal Markham—Unionville, ON

To go back to the beginning, you talked about—

4:25 p.m.

Liberal

The Chair Liberal Ben Carr

Mr. Ma, I'm sorry to cut you off. We're a bit over time.

4:25 p.m.

Liberal

Michael Ma Liberal Markham—Unionville, ON

Okay. I'm so excited.

4:25 p.m.

Voices

Oh, oh!

4:25 p.m.

Liberal

The Chair Liberal Ben Carr

We appreciate the testimony.

Thank you, sir, for being here. Thank you to both of you.

Colleagues, we're going to move to our in camera round in a moment, although while we are in public I did want to share some very sad news that I just received. Our former colleague and member of Parliament Kirsty Duncan has passed away.

Many of you worked with Kirsty over the course of the past number of years. She was a former minister who was responsible for science and innovation and was a wonderful individual with a great spirit. While we were together here publicly, I wanted to share that. It's certainly sad for colleagues in the Liberal Party, but beyond that, it's sad for all parliamentarians when we lose someone with whom we served or who served the country.

I just want to take a moment to send condolences to Kirsty's family and thank them and to acknowledge our debt of gratitude for the time that loved ones spend away from their families to serve the country. Certainly, at a time of loss, it's important to recognize how precious that time is.

I wanted to share that before we break to go in camera. We will come back here in a few moments to pick up on the rest of our business.

[Proceedings continue in camera]