Thank you, Mr. Chair.
It's nice to see the witnesses again. I'm sure we'll see you a few more times before summertime.
When we were debating this last week, we left off with talking about the definition of “anonymize”. Amendment NDP-2 was to take out the words “in accordance with generally accepted best practices” in that definition. We are in agreement with that.
The main reason for that is that we need these definitions to be clear and concise. As it stands right now, organizations can anonymize personal information using commonly accepted best practices. However, the draft lacks clarity on these practices and what constitutes generally accepted best practices. The ambiguity allows for the potential reliance on anonymization techniques recommended by specific experts, which may not be adequate for a particular dataset.
We want to talk to you on a couple of these points. This isn't very clear, and we believe that it has to be very clear. When we look at how this act is going to be enforced, it is by the Privacy Commissioner. The Privacy Commissioner has stated that he needs this definition to be clear and concise.
With a lack of consistency in anonymization methods across different organizations and without clear guidelines on what constitutes generally accepted best practices, there's a risk of inconsistency in the level of data protection and a potential for the undermining of privacy standards.
We have a few examples of where that has happened, and that's why we're looking at this. I think the bigger point, looking across the board, is that in what we've heard from witnesses there's been a difference between anonymization and de-identification. The problem I had and the problem we've had when we've talked to witnesses about de-identification was that in the definition it said that a risk of identification of the individual still remained. That's a major issue when we're talking about what we're trying to achieve here.
In terms of privacy, individuals should have the right to have their private information not just de-identified, knowing that there's a risk of that information being reidentified, but to have their information completely anonymized or able to be protected under this privacy act.
I want to give two examples of how this has happened in the past. All of us recognize that we have had our information breached, our privacy breached, on many different occasions. I get emails on certain apps and sometimes even my bank or Netflix will send an email that says, “Your information has been compromised. Please change your password.” This happens all the time.
I'm going to give two examples, one American and one Canadian, of how this has happened and caused harm to consumers. In 2006, Netflix launched a competition known as “The Netflix Prize”, offering a million-dollar prize to improve its recommendation algorithm by 10%. Netflix released a dataset containing movie ratings by anonymous users; however, researchers later demonstrated it was possible to reidentify individuals in the dataset using external information.
In 2007, two individuals showed that, by combining the Netflix dataset with publicly available IMDb data, they could identify specific individuals and their movie preferences. This raised serious privacy concerns as it highlighted the risk of reidentification even when data is anonymized.
In Canada, we had the 2011 Ontario Ministry of Health and Long-Term Care's data breach. In this incident, the personal health information of thousands of Ontario residents was compromised due to inadequate de-identification measures. The ministry had released health data to researchers for an analysis but failed to sufficiently anonymize the data, allowing individuals to be reidentified. As a result, sensitive information, such as medical conditions, treatments and hospital visits, became accessible to unauthorized parties. This breach raised serious privacy concerns and highlighted the importance of robust de-identification practices, especially when dealing with sensitive health data.
The main point is we have to be clear and concise. We have to ensure that the Privacy Commissioner, who has raised concerns about this definition, does not see ambiguity whenever he's looking at this, but at the same time ensures that we have businesses that can't skirt the rules and be lenient with private data. I think that's the main point we're making.
Mr. Schaan, I think I asked you some questions the last time we were here. I don't have the blues, so I can't see if I asked this already. I think I asked you about generally accepted best practices for anonymizing information. If I haven't, can you please answer that?