Industry Committee on Dec. 12th, 2023

I think you're quite right. In some instances, it would be seen as a licence to continue doing what companies are doing.

I think the most effective remedy that the government can provide in legislation for its regulator is order-making power. The three of us here today have the power to say to a company or an organization, "Stop doing what you're doing", which is a far more effective remedy in some instances where that action or conduct on the part of an organization may be harming a Quebecer, a British Columbian, Albertans or Canadians. That remedy is the most effective.

I know that Bill C-27 would put that order-making authority in the hands of the commissioner, which is a very positive step. As we've indicated, if there's going to be any appeal, that should be directly to the courts, as we have faced them over the years as a means of oversight over what we do.

Thank you for the question.

This goes a little bit to what we were discussing, that is, the issue of interoperability. As I was saying, a company may have to comply with two sets of rules. The two acts may apply at the same time in certain situations. It's happening right now, and I understand that it will happen in the future as well.

There will be situations where a business will have to comply with both the rules of Bill 25 and the rules of a future bill resulting from Bill C‑27, if it's passed. It can certainly be difficult to comply with two sets of rules if the rules aren't similar. In addition, human beings being what they are, there may be a tendency to want to comply with the least restrictive rule.

It's also important to be able to monitor, control and collaborate in our respective actions across Canada.

That said, the scope of the Quebec legislation is quite broad. A business that carries on business and that, in the course of its economic activities, collects, holds, uses, discloses and retains personal information must comply with Quebec law.

I'm concerned about all the provisions of Bill C‑27 dealing with anonymized and de‑identified information, particularly with regard to interoperability. There's also the issue of administrative monetary penalties and the scope of those penalties that could be imposed under the bill.

In addition, there's the absence of certain preventive measures for the use of technology. Before implementing an application or technology, an important preventive measure is to conduct assessments in advance to ensure that it complies with the law and does not constitute an inappropriate intrusion into privacy.

The commissioner also recommended measures against profiling or, at the very least, more transparency, so that people know they have a right to refuse. These are elements that are in the Quebec legislation for these new technologies. I think Bill C‑27 could be improved in that regard.

Our organization, the Commission d'accès à l'information du Québec, has a mission to promote the rights of access to documents and the protection of personal information. I think that all my colleagues across Canada feel it's their duty to do so, even if it isn't written in their respective legislation.

It might be a good idea to add that aspect to the bill. What is very important is that the commissioner be able to have the necessary funds to promote those rights, because informing citizens of their rights and businesses of their obligations is a means of prevention.

The Government of Quebec has mandated the Conseil de l'innovation du Québec to conduct collective reflection and advise it on how to regulate artificial intelligence. Among the questions is whether it should be regulated and, if so, how it should be done.

As I mentioned, the Conseil de l'innovation du Québec has put together expert groups on six topics. There have been workshops to draw conclusions on each of them. One of them, which the commission was involved in, was the AI governance framework. Then there was a call for public contributions. The public as a whole could submit their comments.

There was a public forum recently, on November 2, I believe. The objective was to test the preliminary findings and recommendations of each of the expert groups and to receive feedback in order to improve them. By the end of the year, a report prepared by the Conseil de l'innovation du Québec must be submitted to the Government of Quebec on the framework for artificial intelligence.

On the point of the public sector being covered, in British Columbia, the public sector is covered. That's everything from the Crown corporations, which you talked about, to school boards, municipalities—all the functions, basically, of the public sector.

The British Columbia government recently made changes to our Freedom of Information and Protection of Privacy Act that require public bodies now to produce privacy management programs, the thing that we just talked about in the private sector. We believe that's a very positive development. It means that every single public body in the province has to focus on what personal information they have about all of us and how they're going to deal with it if things go wrong—what the emergency plan is in place. As well, in the public sector now, there's mandatory breach notification; when breaches happen, individuals are notified.

Of course, in the public sector, it's not a consent-based model. We, as citizens, really don't have much of a choice, in most cases, about giving over our information to public bodies to get the services that we require. Therefore, it's very important that the law carefully authorize that collection and that it be regulated. We certainly believe that, in British Columbia, it is done in a very effective way.

Thank you, yes.

We here in Alberta have three privacy laws, actually. We have the private sector privacy law that covers everything except for aspects of our non-profit sector. We have our public sector privacy law that operates similar to what Mr. McEvoy just explained, and we also have the health information law that governs the health sector in our province.

We here in Alberta are looking at harmonizing our own laws as we are looking at advancing our digital economy here and using technology to innovate. We're looking not only in Alberta but also, of course, at Bill C-27 as we consider what the landscape needs to look like.

Maybe I could start on that one, if I may.

It happens that British Columbia.... It is not the only jurisdiction—because there's some application of the law in Quebec, which Ms. Poitras can talk about—but essentially, the full application of our Personal Information Protection Act applies to political parties, and we've utilized that aspect of the law to review political parties in this province and to collect, use and disclose information about voters, which we think is really important.

The short answer to your question is that, yes, in my view the federal law should apply to federal political parties. The basic reason is that it will enhance the trust between voters and all of our parties and the candidates seeking information from citizens. Citizens will know that, when they exchanges views with their political parties and communicate their views or whatever information they give over, this information is going to be properly dealt with. They will also know that, if there is an issue, there's going to be an independent oversight authority that can basically adjudicate any disputes.

That can do nothing but enhance the trust that Canadians will have in federal political parties, in my view.

I think it's possible to adopt a number of approaches to an AI framework. However, a consensus is emerging—in Quebec at least—that artificial intelligence must be regulated and that, as we have seen so far, self‑regulation has its limits. Quebec's position, or the position of the Commission d'accès à l'information du Québec—I can speak more to the commission's position—is that we must at least have framework legislation with principles.

In Quebec, we had considered developing an approach to the issue of artificial intelligence. A few years ago, in Quebec, we adopted the Montreal declaration, which is a declaration of principles on the responsible use and development of artificial intelligence, but it is on a voluntary basis. We saw that this had its limits, and the expert panel on which I was a member recognized that, from now on, more stringent frameworks and obligations are needed to ensure the responsible and prudent development of artificial intelligence.