Evidence of meeting #104 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Diane Poitras  President, Commission d'accès à l'information du Québec
Diane McLeod  Information and Privacy Commissioner, Office of the Information and Privacy Commissioner of Alberta
Michael McEvoy  Information and Privacy Commissioner, Office of the Information and Privacy Commissioner for British Columbia
Annette Verschuren  O.C., As an Individual

3:50 p.m.

The Chair Liberal Joël Lightbound

Good afternoon, everyone.

Welcome to meeting No. 104 of the House of Commons Standing Committee on Industry and Technology.

Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Pursuant to the order of reference of Monday, April 24, 2023, the committee is resuming consideration of Bill C‑27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.

First of all, I'd like to welcome our witnesses. At the same time, I'd like to offer our apologies for the brief delay caused by a vote in the House of Commons.

We welcome Diane Poitras, president of the Commission d'accès à l'information du Québec. Thank you very much for being with us, Mrs. Poitras.

We also have from the Office of the Information and Privacy Commissioner of Alberta, Diane McLeod, information and privacy commissioner, also joining us by video conference. Thanks for being here.

Madame McLeod is accompanied by Cara-Lynn Stelmack, assistant commissioner of case management, and Sebastian Paauwe, manager of innovation and technology engagement. Both are appearing by video conference.

Lastly, we have Michael McEvoy, information and privacy commissioner for the Province of British Columbia.

Thank you to the three of you for joining us today. We have until 5 p.m. Without further ado, I will cede the floor.

I'll give you the floor, Mrs. Poitras. You have five minutes for your opening remarks.

Thank you.

3:50 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

Thank you, Mr. Chair.

I'd like to thank all the members of the committee for inviting me to participate in this study.

As you know, Quebec has undertaken a major reform of its privacy laws to make them more responsive to the new challenges posed by the current digital and technological environment. An Act to modernize legislative provisions of personal information, better known as Bill 25, was passed in September 2021. Its provisions have come into force or will come into force gradually over a three‑year period.

The changes made by Bill 25 can be grouped into three categories. The first involves new obligations for provincial businesses, organizations and political parties. The second contains new rights for citizens. Lastly, the third includes new powers for the Commission d'accès à l'information du Québec.

Among the new obligations of businesses is the addition of the principle of responsibility for the personal information they hold. It implies that each company has a privacy officer and that it establishes governance policies and practices. When a confidentiality incident occurs, businesses are also subject to new obligations, which are similar to those found in Bill C‑27.

Bill 25 also introduces enhanced transparency obligations about what companies do with personal information.

To give citizens greater control over their information, new consent requirements are provided, such as for obtaining express consent when the information is sensitive. To be valid, the consent must also meet certain conditions, be requested in simple and clear terms, for each of the purposes pursued and separately from any other information.

The legislation also provides for measures to prevent privacy breaches, such as the requirement to conduct a privacy impact assessment at the design of products or technological systems that involve personal information. This type of screening must also be carried out before personal information is shared outside Quebec to ensure that it is adequately protected.

If an organization collects personal information by offering a product or a technology service, the privacy parameters must, by default, be addressed to those who provide the highest level of protection.

The act also provides a framework for the collection and use of particularly sensitive information and certain situations with a higher potential for intrusion, such as profiling, geolocation, biometrics, and information about minors.

New rights for individuals include the right to be forgotten, the right to portability of information and certain rights when a fully automated decision is made about a person by an AI system.

Finally, the commission is being given new powers. It's the organization responsible for overseeing the enforcement of laws relating to access to documents and the protection of personal information, and for promoting those rights in Quebec. It has had order‑making powers since its inception. It may also, on the authorization of a judge, initiate a criminal prosecution for an offence under the acts it is responsible for overseeing.

Bill 25 significantly increased the amount of penalties that can be imposed and lengthened the time frame for such prosecutions.

The commission now also has the authority to impose administrative monetary penalties of up to several million dollars. It can adopt guidelines, and it has enhanced investigative powers.

Bill C‑27 has similar objectives to those that motivated the reform in Quebec. For businesses, the consistency of the rules in the various jurisdictions in which they operate helps to reduce their regulatory burden.

The adoption of similar and interoperable rules facilitates the essential work of collaboration between the various control authorities across the country, but also internationally. At the end of the day, it also respects people's fundamental rights and increases their confidence in the digital economy and in the use of new technologies such as artificial intelligence, which promotes responsible innovation.

In closing, I would like to point out that a collective, non‑partisan, transparent and inclusive reflection on the framework for artificial intelligence has taken place in recent months in Quebec. More than 200 experts, including the commission, looked at six topics, and a call for public contributions complemented that thinking. The preliminary direction of this work was discussed at a public forum last month.

Recommendations on regulating artificial intelligence will be submitted to the Government of Quebec by the end of the year.

Thank you. I look forward to your questions.

3:50 p.m.

The Chair Liberal Joël Lightbound

Thank you very much, Mrs. Poitras.

Madam McLeod, the floor is yours.

3:50 p.m.

Diane McLeod Information and Privacy Commissioner, Office of the Information and Privacy Commissioner of Alberta

Good afternoon. I would first like to thank the committee for inviting us here today as witnesses to your proceedings on Bill C-27.

This bill is an important step in modernizing Canada’s private sector privacy law. It would support responsible innovation and development of innovative technologies while adequately protecting privacy rights.

Innovation is occurring in all sectors. These activities benefit Canadians, but there are also risks. This law would play a key role in establishing a foundation of trust amongst Canadians, which would foster the growth of our digital economy.

Alberta's Personal Information Protection Act, PIPA, has been declared substantially similar to the Personal Information Protection and Electronic Documents Act, PIPEDA. The objective of PIPA is essentially the same as that of PIPEDA, and both acts are consent-driven with certain exceptions. Given these similarities, I will not go through PIPA in detail. Instead, I will focus on an aspect of PIPA that may be of interest as you consider the Consumer Privacy Protection Act portion of Bill C-27, and that is specifically our order-making power.

Most reviews and complaints, about 85%, are settled by our informal case resolution team. If settlement fails, the commissioner may conduct an inquiry, a quasi-judicial process, which involves formal submissions to an adjudicator, who then issues an order to remedy any non-compliance.

Our informal case resolution team operates separately from our adjudication team. When a file moves to inquiry, our adjudicators conduct a de novo hearing. They do not have access to what occurred in mediation. Orders are final, binding and not appealable, but they are subject to judicial review by the Alberta Court of King’s Bench.

The majority of our orders are complied with. We have sought a court order to enforce compliance in only a few cases.

This structure brings finality to allegations of non-compliance in a cost-effective, predictive and relatively timely manner. Finality serves several purposes. It creates certainty around the interpretation of PIPA, which serves the interests of both organizations and individuals. It encourages settlement. Because our services are free, our office is fully independent from government, and the majority of our orders are complied with. This reduces the time it takes to remedy non-compliance.

PIPA is scheduled for review by our Standing Committee on Resource Stewardship, likely to begin early in 2024.

Given this, we’ve been paying close attention to what is happening with Bill C-27, specifically the CPPA, as it may influence amendments to PIPA due to PIPA's substantially similar status. We are also considering the impact of Bill C-27 on Albertans when their personal information flows across borders.

In the CPPA, there are positive new privacy protections for Canadians. There is the right to request disposal of personal information, also known as the right to be forgotten; rights regarding the use of automated decision-making systems; and rights regarding data portability. Other improvements include clarification of service providers' role and accountability, administrative monetary penalties to deter non-compliance, proactive auditing, better protection for minors, and the inclusion of privacy as a fundamental right, as well as proposed amendments on the special interests of minors.

However, we have some concerns regarding a few provisions. We are concerned about individuals' loss of control over their personal information resulting from new authorities in section 18 regarding business activities and legitimate interests. We are concerned about how the provisions on de-identification and anonymization would be used, and whether more controls would be required to mitigate potential risks to individuals. We are concerned about whether the inclusion of the tribunal as an appeal body to the Privacy Commissioner's orders would impact our ability to conduct joint investigations.

In addition, there are areas in the bill that could be enhanced. Stronger protections for children, such as those provided for in California and the United Kingdom, could be built in, as could requiring the use of privacy impact assessments in specific circumstances where there are higher risks, and requiring increased rights for the use of automated decision-making systems, and expanding the definition of sensitive information to mitigate the risks of harm that may flow from the processing of certain kinds of personal information.

I thank you for your time. I look forward to further discussion.

3:55 p.m.

The Chair Liberal Joël Lightbound

Thank you very much, Madam McLeod.

Mr. McEvoy, the floor is yours.

4 p.m.

Michael McEvoy Information and Privacy Commissioner, Office of the Information and Privacy Commissioner for British Columbia

Thank you, Chair and members of the committee.

I'd first like to acknowledge that I'm presenting to you today from the traditional territories of the Lekwungen-speaking people of the Songhees and the Esquimalt first nations.

Given my brief time this afternoon, I want to focus my comments on the practical matter of how the privacy rights of Canadians ought to be considered and, where events dictate, enforced.

A common theme of these proceedings is the need to harmonize, to the greatest extent possible, the substantive privacy rights of Canadians across federal and provincial jurisdictions. The principle of harmony or substantial similarity should also apply to the processes that determine and enforce privacy rights.

Why is this so important? Data most often knows no borders. Many significant privacy rights cases impact citizens across the country.

It is therefore incumbent upon us, as privacy regulators with oversight over the private sector in Alberta, British Columbia, Quebec and Canada, to act, to the greatest extent permitted by law, in a coordinated manner. This ensures that concerned individuals are addressed in a consistent way and that affected businesses are not queried by overlapping demands. In short, coordination builds the trust of Canadians in our privacy oversight system.

The coordinated actions I speak about will be enhanced considerably if the avenues for processing and enforcing those privacy rights are as consistent as the law permits across jurisdictions. In concrete terms, this means the federal Privacy Commissioner should certainly be granted order-making powers, which the three provincial authorities now have, and which Bill C-27 recommends.

I would go a step further. The proposed federal order-making powers should be reviewable in the same manner as that applicable to provincial authorities. That is to say that the federal Privacy Commissioner's powers should be directly subject to review by the courts. That has proven to be more than sufficient to protect the rights of all parties at a provincial level. Bill C-27's proposal to add a layer of administrative bureaucracy in between the commissioner's orders and the court review adds an unnecessary level of expense and time to distance Canadians further from the ultimate disposition of their privacy concerns.

The same considerations of federal and provincial harmonization should be applied to the matter of administrative monetary penalties. Quebec—as my colleague has just pointed out—is the first jurisdiction in Canada to authorize the regulator to administer such penalties where circumstances warrant. I have called for British Columbia's government to do the same.

The authority to levy fines—a last resort for regulators—protects the rights of Canadians and the vast majority of businesses from bad actors. It is critical that privacy regulators are able to ensure that when fines are necessary for multi-jurisdictional violations, they are levied in a coordinated, proportionate and non-overlapping way.

That is simply not possible under Bill C-27, which strips power away from the federal Privacy Commissioner to levy fines, and instead puts it in the hands of a third party that would not be in a position to coordinate matters with other authorities. This again creates federal-provincial asymmetries, which in no way benefit Canadians. It bears repeating that if a party is concerned about an imposed fine, a direct referral to the court system is more than adequate to ensure administrative oversight of the system.

In summary, while Bill C-27 goes some ways to strengthen the privacy rights of Canadians, the bill must be improved to ensure that those rights can be fairly, effectively and economically adjudicated and enforced.

Along with my colleagues, of course, I welcome any questions you may have.

4 p.m.

The Chair Liberal Joël Lightbound

Thank you very much to all three of you.

To begin the discussion, I now give the floor to Mr. Généreux for six minutes.

4 p.m.

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Thank you, Mr. Chair.

Thank you to all the witnesses for being with us today.

Mrs. Poitras, I'm delighted to meet you. First of all, I would like to congratulate the Government of Quebec and your organization for the work that has been done. Since we began our study of Bill C‑27, many have cited the Quebec legislation as a model. So I commend you for that.

From what I understood earlier, you are currently holding consultations on the six themes you mentioned.

Before the bill was passed, were consultations held in Quebec?

4:05 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

Yes, specific consultations were held by a commission of the National Assembly of Quebec. A number of stakeholders, both private sector representatives and citizens' representatives, were able to express their views. The Commission d'accès à l'information du Québec, of course, took part in those consultations.

The consultations I just mentioned, which are the most recent, focused on how to frame AI.

4:05 p.m.

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

There was a process that led to the adoption of the bill in Quebec, which unfortunately was not the case here. You were able to compare Bill C‑27 to what was passed in Quebec. We hear a lot about what will be a priority in the bill, for example, with regard to justice and law enforcement.

What is your analysis of the situation? I ask because I just heard Ms. McLeod express some reservations about certain aspects of Bill C‑27. Do you have some as well?

4:05 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

I certainly share my colleagues' concerns about the interoperability of the act in a context where the obligations would not be exactly the same. The fact that similar protection applies across the country is important for Canadian citizens, but also for businesses. They can operate in Quebec, but a number of them can do so across the country.

The fact that the process can be very costly is a concern we've heard very often in Quebec. At the time, under Bill C‑11, there was concern about the harmonization of the rules. Without harmonization, companies feared that they would have to comply with two sets of rules, and operating would become very expensive.

I don't know if that answers your question.

4:05 p.m.

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Yes, thank you.

I'm an entrepreneur myself. Since I'm not in my business full time, I don't know whether I have to comply with rules or whether my compliance is adequate. I think we train people in my business. After all, I'm in the communications business.

Are we talking about a minimum number of employees? How is it determined in Quebec that companies have to comply with certain rules?

My questions are still about what Bill C‑27 does and doesn't include.

December 12th, 2023 / 4:05 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

In terms of businesses that are subject to the Quebec legislation, it's any business that engages in organized economic activity and that, as part of that business, collects, uses, discloses, holds or retains personal information in Quebec. So it's quite broad. It covers commercial enterprises, but also non‑profit organizations, or NPOs. Regardless of their size, these companies are all subject to it.

If I understood correctly, part of your question was whether we had any concerns about interoperability. There are a couple of things I have concerns about. Among other things, there are important distinctions in the regimes applicable to anonymized data and de‑identified information. I could tell you more about that.

There are also the administrative monetary penalties that can be imposed and the scope of those penalties, as well as the lack of certain preventive measures for the use of technology. I'm thinking in particular of the fact that no provision is made for privacy impact assessments or profiling measures.

4:05 p.m.

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

What are the most important recommendations you would make to amend Bill C‑27 to allow for interoperability across all provinces? I know that there are also reserves in British Columbia. I'm sure that my colleagues will ask Ms. McLeod or Mr. McEvoy questions about this.

We're trying to see how the bill can be improved so that it's interoperable across the country and so that everyone can easily implement it. This is a concern that has been expressed by all the stakeholders and witnesses who have appeared before the committee.

4:05 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

Thank you for the question.

Commissioner Dufresne made some excellent recommendations around harmonization and so on.

As for anonymized and de‑identified information, I know that many stakeholders have told you that the definition of anonymization was very restrictive in Bill C‑27. In Quebec, following discussions and exchanges with stakeholders, parliamentarians included some flexibility in the legislation. According to Quebec law, information is anonymized “if it is, at all times, reasonably foreseeable … [for] the person to be identified directly or indirectly”.

However, they were concerned that this might open up too big a loophole. At the same time, it was stipulated that government regulations could impose terms and criteria on how anonymization is done.

De‑identification is also an important issue because of the potential for the use of de‑identified information. Bill C‑27 provides that, at times, de‑identified information is no longer personal information, which means that protection for that information is lost. That is a concern.

My colleague Mr. McEvoy did a good job of presenting the concern about administrative monetary penalties, but also the scope of the penalties. The situations in which the federal commissioner can recommend to the tribunal the imposition of administrative monetary penalties are very limited in Bill C‑27.

4:10 p.m.

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Thank you very much.

4:10 p.m.

The Chair Liberal Joël Lightbound

Thank you, Mr. Généreux.

Mr. Van Bynen, you have the floor.

4:10 p.m.

Tony Van Bynen Liberal Newmarket—Aurora, ON

Thank you, Mr. Chair.

It's great to see that we're having all of the privacy commissioners from different jurisdictions. If there's anything that we know about data these days, it's that it tends to migrate across borders, not just provincially, but internationally.

My first question is to each of the three attendants here. Clause 9, on the Consumer Privacy Protection Act, would require that each organization subject to the act would maintain a privacy management program that includes the policies, practices and procedures that it has in place to meet obligations under the act.

I'll start with Madam Poitras.

Are provincial organizations already required to develop a privacy management program? How is that monitored?

4:10 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

Bill 25 provides for this obligation, which has been in effect since last September. It's not called privacy management programs. It's called an obligation to adopt governance policies and practices, but it amounts to the same thing. The content corresponds to what we see at the federal level or in British Columbia. Those two levels of government have the same type of obligation.

4:10 p.m.

Tony Van Bynen Liberal Newmarket—Aurora, ON

In your opinion, is that too onerous on some organizations?

4:10 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

I'm sorry, but I didn't understand the question.

4:10 p.m.

Tony Van Bynen Liberal Newmarket—Aurora, ON

In your opinion, is that too onerous on some organizations? We had some discussions earlier about what size of organization all of these rules should apply to.

4:10 p.m.

Diane Poitras President, Commission d'accès à l'information du Québec

In fact, this is the basis for developing a culture of privacy. It can be adapted throughout the company or the types of personal information that need to be dealt with.

Since its inception as a start‑up company, Clearview AI, a very small company, has used a significant amount of sensitive personal information. This is also the case for other companies of a similar nature. So the obligation isn't adjusted based on the size of the business. It can be adjusted based on the use or sensitivity of the information to be processed.

4:10 p.m.

Michael McEvoy Information and Privacy Commissioner, Office of the Information and Privacy Commissioner for British Columbia

Yes, I would just second what Commissioner Poitras has said. In British Columbia, we have a similar provision that requires organizations to develop and follow policies and practices that ensure they are consistent with our legal framework.

We describe that requirement and obligation as being scalable. We wouldn't expect, obviously, the same thing of a mom-and-pop corner store as we would from a significant corporation with thousands of employees. These things would be scaled.

That's not to say, by the way, that smaller entities, nowadays, couldn't handle vast amounts of information, and very sensitive information, so our expectations, obviously, would be higher.

However, the obligations are scalable. All companies, now, need to be thinking about these issues, because Canadians—customers, patients, all kinds of people—are concerned about how their data is handled, and trust, on the part of those individuals in companies and others who they deal with, is fundamental to, I think, any business.

4:15 p.m.

Tony Van Bynen Liberal Newmarket—Aurora, ON

I'll ask the same question of Ms. McLeod.