That's interesting. In other words, you can issue guidance, just not necessarily the government. It's the Privacy Commissioner.
This brings me to the document that MP Vis referenced, which was issued on October 4 and 5, 2023, at a conference and signed by the federal and provincial privacy commissioners. It's on the website of the Office of the Privacy Commissioner of Canada.
I know there are a lot of people watching this, because we get emails, texts and phone calls after every meeting about what we got right or wrong. There seem to be a lot of lawyers. Hi to all the lawyers watching this.
I'll start.
The opening of it is called “Context”. It says, “Canada ratified the United Nations Convention on the Rights of the Child...in 1991.” There's a long URL that links to it. That would have been by the Mulroney government. It goes on:
The UNCRC affirms children’s rights, including the right to privacy, and introduces the concept of the best interests of the child.
This concept implies that young people's well-being and rights be primary considerations in decisions or actions concerning them directly or indirectly. As a guiding principle, this concept can be applied in a variety of contexts to help assess and balance the interests of young people against others.
In over 30 years, the UNCRC has had a tremendous influence on young people’s rights around the world, including privacy. Many jurisdictions have recognized that young people may be impacted by technologies differently than adults, be at greater risk of being affected by privacy-related issues, and therefore require special protections.
Some of the most authoritative and current policy and legal instruments that focus on or include provisions for young people’s right to privacy are....
There's a list of them here. I won't go into the URLs, but they are as follows:
The UN General comment No. 25 on children's rights in the digital environment, which supplements the UNCRC;
The OECD—
I think my colleague referenced the Organisation for Economic Co-operation and Development, of which Canada is a member.
—Council Recommendation on Children in the Digital Environment....
There's a URL link. It goes on:
The OECD Guidelines for Digital Service Providers;
The Age Appropriate Design Code, or Children's Code, created by the U.K.'s Information Commissioner's Office;
The resolution by data protection authorities from around the world on children's digital rights;
France's Commission nationale de l'informatique et des libertés's—
Excuse my French. I'm working on it.
—recommendations to enhance the protection of children online;
Ireland's Data Protection Commission's Fundamentals for a Child-Oriented Approach to Data Processing....
My colleague Mr. Vis mentioned the following:
The G20 Digital Ministers' call for actors involved in the digital environment to uphold the child's best interests;
The California Age-Appropriate Design Code Act; and
The EU's Digital Services Act.
It goes on to say the following:
These initiatives and many others recognize that the digital environment presents many opportunities for young people, but they are also a necessary response to the well-documented harms to young people, such as mental health related harms.
These initiatives are promising, but the signatories believe that there is still work to be done in Canada to ensure that young people are protected from these harms through legislative measures to make their best interests a primary consideration in the design of products and services that concern or impact them.
Therefore
Canada’s Privacy Commissioners and Ombuds with responsibility for privacy oversight call on their respective governments to put the best interests of young people first by taking immediate action as necessary to....
There's a series of bullets:
protect young people from commercial exploitation and the use of their personal information to negatively influence their behaviour or to cause them harm;
promote the privacy rights of young people;
review, amend or adopt relevant privacy legislation to be consistent with internationally recognized policy and legal instruments to ensure adequate protection of the privacy rights of young people; and
require private sector organizations that collect, use and disclose the personal information of young people to:
implement strong safeguards;
be transparent about these practices;
enhance access to effective remedies for young people.
The signatories recognize that the privacy rights of a young person are their own rights. Any limitation to their exercise (e.g. vis-à-vis parents/guardians or public bodies) must start from that principle, be specific and limited to the particular circumstances, and be consistent with the best interests of the young person.
The signatories also recognize that privacy rights apply both within and outside of the digital environment. While this resolution mainly focuses on the digital environment, its principles should be applied broadly.
The signatories highlight that young people's personal information is particularly sensitive.
The bill addresses that with the definition.
Any collection, use or disclosure of such information must be done with this in mind.
The signatories recommend that public and private sector organizations...adopt the following practices, which also reflect principles that should guide legislative reforms:
1. Build in young people’s privacy and best interests by design
Digital privacy risks to young people should be identified and minimized as early as possible. Organizations should ensure that privacy and the best interests of young people are built into the product or service right from the design stage.
Organizations should:
conduct privacy impact assessments...for projects involving the data of young people or to examine the specific potential impacts on them;
adapt their traditional PIA process to think specifically about the perspectives and experiences of young people (as individuals and as a group) before collecting, using or disclosing their information;
I know the officials are very familiar with this, but I'm not sure that everyone who's watching is, so the next point is what organizations should do:
actively involve young people, their parents/guardians, teachers, or child advocates in this assessment process;
conduct an intersectional analysis to consider the specific privacy risks to vulnerable groups of young people (e.g. those with disabilities, First Nations, 2SLGBTQI+).
That means two-spirit, lesbian, gay, bisexual, transgender, queer, intersex and others.
2. Be transparent
Transparency is necessary for informed decision-making and consent.
Organizations must:
provide privacy information to young people (and their parents/guardians as appropriate) in a concise, prominent and clear manner suited to the maturity of the young person;
inform young people of who to contact if they have questions about the information presented;
be transparent about the privacy risks associated with using their product or service. This could include information on their special efforts to protect young people from those risks...
3. Set privacy protective settings by default, and turn off tracking and profiling....
There's a whole list of things there.
4. Reject deceptive practices
Young people must not be influenced or coerced into making privacy-related decisions contrary to their interests.
Organizations must not:
incorporate into products and services manipulative or deceptive design or behavioral incentives that influence young people to make poor privacy decisions or to engage in harmful behaviours;
encourage young people to provide more information than what is necessary to use the product or service or to turn off protective privacy settings.
Organizations should:
design products and services intended to empower young people to make informed, privacy protective choices and take assertive action to advance their privacy and transparency rights.
5. Limit the disclosure of personal information....
There's some more guidance for organizations:
6. Allow for deletion or deindexing and limiting retention....
7. Facilitate access to and correction of personal information
Young people have a right of access to their personal information. This right is fundamental to ensuring that the information held is accurate, up to date, and retained for appropriate purposes. The right of access also serves to hold organizations accountable.
All organizations have a general legal responsibility to provide timely and complete access to a young person’s personal information upon request from that person, and in most cases, upon request from their parent/guardian. It is recognized that a parent/guardian’s access to information may be limited by a young person’s privacy rights as is qualified by the individual’s best interests and dependent upon the particular facts of each case.
It goes on to describe more responsibilities for an organization and has a number of footnotes and references. You can see the logos of all the various privacy commissioners in there.
You said you expect the Privacy Commissioner might issue guidance, that he or she has the ability under the act to do this and that this would probably be the appropriate route. However, the Privacy Commissioner has already done that. This looks pretty specific to me. He could reissue it under his power, I guess, once this bill goes through, but it's pretty specific guidance right now.
I don't know how an organization in Canada wouldn't understand the guide-posts that have been set out. They are very detailed and clear. Perhaps the Privacy Commissioner would provide even more detail if this provision on the best interests of the child is passed, but I'm struggling, as my colleague MP Vis is, to claim that it's subjective. It doesn't look subjective to me. It looks very specific. Privacy experts have defined this very well, so we struggle with the idea that the removal of that term is something the government wants to do, rather than provide that term in legislation, not only for the courts to interpret but also, as you pointed out, to allow the Privacy Commissioner to give very specific guidance if he needs things to be more detailed than this under the act.
Without the term “best interests of the child” in the act, it's difficult for the Privacy Commissioner to provide that legal guidance, which you said he has the power to do with that terminology. Is it not?