Evidence of meeting #117 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was child.
A recording is available from Parliament.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you for that.
Based on your knowledge and having done a lot of consultation on this bill, do privacy experts generally want this notion to be kept in the bill? What's your perspective on that? Have they advocated for or expressed any desire for “generally accepted best practices” to be included in the bill?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
First, there's a desire for a high bar as it relates to the construct of anonymizing, and “generally accepted best practices”, as it relates to the obligation for anonymizing, is seen by many to be a high bar.
Second, I think there is a desire for consistency of application of the construct, which is why “generally accepted best practices” ensures there are standardized approaches, as opposed to a potential patchwork or highly diverse attempts at trying to get to the anonymization of information that may introduce other vulnerabilities because people are doing it very differently.
Liberal
Ryan Turnbull Liberal Whitby, ON
As you said, this would put our bill out of alignment with Quebec's privacy law.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Quebec's privacy law specifically requires information to be anonymized according to generally accepted best practices.
Liberal
Ryan Turnbull Liberal Whitby, ON
This may be one more clarification question. Who decides what a generally accepted best practice is? Is it subject to OPC guidelines as well? How would that be determined and identified for people?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The OPC issues guidance. Certainly in the field of anonymization, there are lots of folks who have done work in this space. However, there is also considerable effort under way by the standards community and others to set out appropriate mechanisms for that. These include civil society actors as well as academics and those who implement the construct in real time.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you for all of those clarifications.
Mr. Masse, at least from our perspective, Mr. Schaan has provided a lot of clarification and rationale for our position, which is to oppose this amendment. We think the “generally accepted best practices” portion of the wording in this particular clause will be quite useful for keeping pace with the practices that are clearly going to evolve and emerge over time on anonymization.
That was to provide rationale for our position. I don't know how others feel about this particular amendment, but that's certainly where we stand.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Thank you, Mr. Chair.
I think this is an important discussion. I'm sure it will spill over into our next meeting.
I thank the NDP for bringing up an important amendment.
It's very important that we get the definition of “anonymize” correct. We had a lot of witnesses talk about anonymization versus de-identification.
I'm going off of what we were talking about before. The conversation was about the balance between what businesses need in order to interpret the risk and what the body responsible for enforcing the laws in the Privacy Act needs, which is the Privacy Commissioner, the OPC. They have to see certainty, not uncertainty, when they are interpreting the law for privacy. Based on our last amendment, we rely on the Privacy Commissioner to give us the best definitions to allow them to uphold the Privacy Act. The Privacy Commissioner and the tribunal will need those definitions to be exact.
To give you an example, the Privacy Commissioner, Philippe Dufresne, laid out a case during his appearance before the committee in our fall meeting on October 19, 2023. He said, “The bill says that more can be done with de‑identified information, and that if it's anonymized, the law doesn't apply at all. So there's a big responsibility that comes with that. These definitions need to be strict.” That's about how they interpret those definitions in the bill. I think that's why we're spending a lot of time here. Even though it's a preamble and a definition, it sets the tone for the rest of the bill and the rest of the conversations we're going to have.
Proposed subsection 6(5) of the CPPA exempts anonymized information from all protections it establishes. Given that our argument from this side—which you'll hear more than once—is that privacy is a fundamental right, we're making sure we get the definitions right when we go through this.
The Office of the Privacy Commissioner's submission from May 2023 talked about this piece and noted:
A final point relates to the new definition proposed for anonymized information. As currently drafted, organizations could anonymize personal information using “generally accepted best practices”. However, there is no explanation of what these practices are or what would be considered “generally accepted.” Including this language opens the door to the possibility that some organizations might rely on anonymization techniques promoted by certain experts or groups that are insufficient for a given dataset.
It could be insufficient for a given test regarding what we're trying to define and enforce under this privacy law. That is why it's very important. We have a problem, as the Privacy Commissioner did, with including the language “generally accepted best practices”.
Mr. Schaan, I know Mr. Turnbull just asked some questions on this, but do we have an actual legal definition of “generally accepted best practices” or a list that will be very specific for the OPC?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I think it's an evolving technology. I think having generally acceptable best practices in the statute allows for the OPC to continue to pass judgment on whether or not the actions conformed to the generally acceptable best practices that have emerged. I think we point to it as a means to encourage standardization of approaches and to ensure that people are living up to the best available opportunity to ensure the anonymization of the information.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
I think when we look at the opportunity, we want to look at business. We're going to look at some of the burdens they see from this act. They've come to the committee and talked about compliance costs, regulatory burdens and impacts on innovation and competitiveness. However, when we look at the OPC and what they need, they need certainty. They need to make sure they have clear definitions. They need to be able to uphold the law. It's so different when we look at the Competition Act, some of the definitions and the ways they've looked to interpret that to enforce the law.
We've certainly been very clear that we want to see the protection of children, and privacy as a fundamental right. I think this is a big one, because this bill is not for today but for the future. When we look at de-identification—you'll hear about this further in some of the arguments we'll present—it still states, even in the definition, that “a risk of the individual being identified remains”. That is in the definition of “de-identify”. Anonymization removes that, but to remove more of that nuance to ensure that “generally accepted best practices” doesn't define what those are—
Liberal
The Chair Liberal Joël Lightbound
Mr. Williams, as interesting as I think your comments are, we're reaching the end of the hour. You'll have some time over the weekend to think about that. We'll hear some more on Monday as we resume this study.
Thanks to our witnesses.
We'll see you all on Monday.
The meeting is adjourned.