Evidence of meeting #118 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was definition.
A recording is available from Parliament.
11:15 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Allow me to interrupt you. I'm talking about the concept of the best interests of the child because I think that, first and foremost, there was an objective there.
What you are saying is not entirely accurate. I'm trying to understand why, in some cases, ambiguity and recourse to the courts are tolerated, but not in other cases.
Is there, to your knowledge, a single technique that guarantees 100% the inability to identify individuals, without uncertainty or risk?
11:15 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
It depends on the case. Sensitive information related to an individual's privacy is used in many contexts or sectors.
I'm not familiar with the technological context related to the use of that information. So I can't really comment on whether or not it is possible for information to be identifiable. It also depends on the case because, as I said, technological capacity is evolving. It's the General Data Protection Regulation, GDPR, that—
11:15 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
I'm sorry to interrupt.
In this case, you are saying that there is a clear objective, namely that individuals cannot be reidentified.
11:20 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Yes, that's right.
11:20 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Based on what I learned in my past professional life and what the experts have told us, there is no technique that completely ensures that a person cannot be reidentified. The fact is that there are a number of methods of reidentification that can be used together, including using the data in motion.
What is the acceptable risk, and who determines that?
In that context, who determines what methods are acceptable based on the level of risk deemed acceptable at a specific time?
You have to understand that this is all evolving very quickly. I repeated the word “acceptable” several times, but you understand what I mean.
Who determines that? Apart from the fact that the bill is proposed in good faith, there is not much.
11:20 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
In the bill, there is a definition of the verbs “anonymize” and “depersonalize”. It is during the process of implementing this bill that the Privacy Commissioner determines whether an organization's practices really correspond to the definitions set out in the act.
11:20 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
So the commissioner will keep a list of best practices to adopt.
Is that correct?
11:20 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
If it is presumed that there has been a breach of privacy, the commissioner consults technology experts to ensure that good practices have been used.
Until the bill comes into force, there are industry standards, and perhaps also sector- or context-dependent guidelines.
Internationally, there are also rules that govern data protection. For example, while the GDPR does not set out generally acceptable best practices, it does indicate that it is essential to use or consider available technology for anonymization. It's the same concept.
11:20 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Basically, you're saying that a person whose rights have been violated can file a complaint with the commissioner, who then looks into the situation. They verify whether the company used best practices, and then they give their opinion on that.
Don't you think that if there were, for example, regulations that enabled the minister to determine in advance, following consultations, a certain number of best practices, we could avoid putting the burden on an individual to file a complaint with the commissioner?
Once someone's rights have been violated, they can be compensated or the fact that their rights were violated can be acknowledged, but their digital identity is lost forever.
11:20 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That is why the bill promotes the establishment of standards and guidelines. It gives individuals an opportunity to consult useful sources. It also makes it possible to establish this list or to develop this concept.
There are two aspects to using best practices. The first is standardization of business practices. It's important for the effectiveness and functioning of the economy and for citizens—
11:20 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
I'm sorry to interrupt, but we must have this conversation.
How do we standardize these practices, when the practice of anonymization, for example, can be part of trade secrets, of the ability to do things properly? It's a business advantage to be able to do things properly.
How do we make sure that practices are consistent when there is no definition?
11:20 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
It's the same with a lot of standards. You set a target, and then you set out the methods or the processes by which to achieve that target.
Many organizations, such as the International Organization for Standardization, known as ISO, create these kinds of standards to confirm what the right methods and best practices are.
That said, standards must eventually be reviewed because of the speed at which technology evolves. That's why the Canadian Anonymization Network brings together a lot of civil society and organizational stakeholders. That's good because the network can provide guidelines. In addition, it is always possible to improve this process by drawing on the standards set by other organizations.
11:25 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
I will conclude by putting my question directly to Mr. Masse.
I don't have a problem with the amendment itself. However, I do not understand what you are trying to accomplish by removing the notion of best practices. I would like to better understand the purpose of this amendment.
11:25 a.m.
Liberal
11:25 a.m.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
Thank you to my colleague for the question.
First of all, I think there are a couple of things to clarify with the original discussion on this. It was interesting that some were attempting to use the Privacy Commissioner as a reason to get rid of this amendment, when this actual amendment comes from the Privacy Commissioner himself, on pages 14 and 15, and I can probably provide some clarity on both points that we're making here.
First of all, in his submission to us, colleagues, this is under the definition of “de-identification and anonymization” in recommendation 7: “Strengthen the framework for de-identification and anonymized information.”
What the Privacy Commissioner said is that “[t]he OPC supports the introduction of a new framework for de-identification and anonymization”. He says:
The framework has some positive elements, for example. It provides flexibility to organizations using de-identified information, and adds some needed clarity as to how and in what circumstances de-identified personal information can be used and disclosed.
Right there, that's opening a door for businesses and their ability to use some measures.
He continues:
That said, as currently drafted, it provides too little protection for de-identified and anonymized data.
This is where we get into some specifics about the philosophy on this. On “best practices”, can you name who is going to actually make the best practices, Mr. Schaan?
11:25 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
As I noted, Mr. Chair, there are a number of mechanisms by which—
11:25 a.m.
NDP
11:25 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Mr. Chair, if I can complete my sentence, I would say that industrial standards organizations, which have a necessity to be tripartite in their formation, including the participation of academics and civil society, as well as industry, are often party to the making of industrial standards—
April 15th, 2024 / 11:25 a.m.
NDP
Brian Masse NDP Windsor West, ON
Yet they're actually part of them, and that's the basic point we have here. You're either siding with the decision of people having de-identified and anonymized information being protected from themselves or having it industry led by Google and others and their associations, some of which actually have other funding and so forth.
What's interesting is this issue with regard to the Quebec consistency. I think it's an important one and a distinction that the Privacy Commissioner has addressed. Also, it's been addressed by testimony from Diane Poitras, the former president of Quebec's commission on information. Specifically on Quebec legislation, the relevant provision in section 23 is this:
Where the purposes for which information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided...by an Act. For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows a person to be de-identified directly or indirectly. Information anonymized under this Act [can] be anonymized according to generally accepted best practices and [according to the] criteria and terms [determined] by regulation.
Part of that in the testimony we received from the Privacy Commissioner also was that they wanted to fall on the side of caution at that moment, but what's interesting from Ms. Poitras, the former president of Quebec's commission, as I mentioned, is that she stated in response to a question:
If I understood correctly, part of your question was whether we had any concerns about [the] interoperability. There are a couple of things I have concerns about. Among other things, there are important distinctions in the regimes applicable to anonymized data and de-identified information.
The door was left open to actually improve the situation, even for the residents of Quebec, with regard to having empowerment over some of their data, and there's quite a comfort level that having this difference is okay.
What we are really talking about at the end of the day here is whether or not best practices, which would be industry led, policed and determined, would be used against the OPC, because best practices, if there is a distinction or difference, will be used against the Office of the Privacy Commissioner with regard to that.
Basically, at the end of the day, this boils down to having faith in whether the Privacy Commissioner should have control over this measure or whether or not we want it to be industry led. I'm going to side with the Privacy Commissioner.
Thank you, Mr. Chair.
11:25 a.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Masse.
Next to speak will be Mr. Turnbull. Then we will hear from Mr. Généreux and Mr. Perkins.
Go ahead, Mr. Turnbull.
11:30 a.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thanks very much, Chair. It's a great debate on an important consideration for this bill.
To go back, anonymization is, in our view, privacy-enhancing by nature, is it not? Mr. Schaan, can you speak to that?
11:30 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Yes, anonymization is a privacy-enhancing mechanism because it does render the information “un-reidentifiable”.
11:30 a.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
We see teased out here in various different comments that the Privacy Commissioner in this case is saying essentially that if you add “generally accepted best practices” into the legislation or the definition of anonymization, this could open the door.
I think our position is that it's the opposite, that in fact putting this in there allows for the evolution and the emergent properties of best practices to help inform.
Could you provide a better rationale? I feel like this is the main difference. Mr. Masse is pointing to the OPC and wanting to suggest that he's siding with the OPC.
We're not against the OPC. It's what is the best mechanism to encourage anonymization and to do so in a way that recognizes that the technology is advancing and evolving.