Industry Committee on April 15th, 2024

If Quebec's law obligates companies to abide by generally accepted best practices, if the law that we end up passing through this committee doesn't include that, what would be the risk there? It seems like that would compromise interoperability. Wouldn't it also have some kind of an impact on...? Potentially, at least, I could foresee that best practices in Quebec would be recognized but perhaps not in other provinces across the country. Wouldn't that create some problems?

The other thing I wanted to ask is who the experts are on anonymization. We've heard lots of people reference the Privacy Commissioner, but I imagine that the Canadian Anonymization Network, which been asking for this to be included, might actually have more experience when it comes to anonymization than the Privacy Commissioner. It's nothing against the Privacy Commissioner. I love the guy. He's fantastic. I dealt with him when he was the legal counsel, and he was just fantastic. I have the utmost respect for him, but isn't it true that the Canadian Anonymization Network, or CANON for short, has a lot of experience? What are they saying about this?

To the point that one of the strengths of including this is that it evolves, I think some of the comments we have heard from others suggest that if it's not an exhaustive list today, in essence that provides some ambiguity that would be taken advantage of, but I think the opposite is the case. The argument could be made that it needs to evolve because the technology and the methods for anonymization are changing quite quickly. How do you ensure that the OPC can...? What's the mechanism for continually updating that? I think that's the clarity a lot of us sound like we need to have in order to feel this is robust enough that it's not going to open that door.

How do we envision the general guidance around generally accepted best practices evolving? Would it be the OPC guidance? Where would the expertise come from?

In essence, because anonymization includes not being able to reidentify, and the anonymization process and techniques are evolving quite quickly, if you don't have this then what's the risk?

The risk to me is that perhaps it goes out of date, or organizations and companies are not keeping up with the pace of those generally accepted best practices.

What's the big risk, though, in terms of the public and privacy concerns? Mr. Chhabra, your comments really point to a risk that I haven't heard anyone talk about yet, and the main reason why our position is against removing this clause.

That bar is continuously moving, so the standard that we're setting will continue to increase as technology evolves. That obligation for those companies would then be tethered to that moving target. The standards best practices are going to have to be followed. They can't just check out, use outdated anonymization techniques and forget about staying up to date with the best practices, am I right?

I have a final point, just to really punch home the point that leaving this in, and not taking it out as the NDP has proposed, continues to align Canada's legislation with Quebec's privacy law. I would also want to point to the fact that our next amendment, which Mr. Masse read out—the Quebec law on reasonably foreseeable risk—further aligns our legislation with Quebec's privacy law. Is that correct?

Okay. Thanks Chair.

Thank you very much.

Mr. Généreux, you now have the floor.

Thank you, Mr. Chair.

I would also like to thank the witnesses for being with us.

At the outset, madam, gentlemen, I would like to say that the series of questions I am going to ask you are not so much about the amendment itself as about the process that led to it.

I think we all agree that the definition of the verb “anonymize” in Bill C‑27 is a very important element for the future and for the interpretation that will be made of it going forward.

I absolutely do not want you to consider my series of questions as a form of judgment. I just want to understand the process.

Almost two years ago, the government introduced this bill, which is now being studied in committee. We analyzed it with the help of witnesses, and today we find ourselves with more than 50 amendments from the government.

Were you the ones who drafted the bill in the first place?

Okay.

Following consultations held after this bill was introduced, the Minister of Innovation, Science and Industry put forward a series of amendments last September. He told us that you had consulted about 300 individuals and groups.

In addition, during the consultations, people who were called to our committee meetings told us that their names were not on the list of those 300 individuals and groups. Some came to tell us that they had not been consulted or that they would have liked to be consulted, or that they would have liked to see much broader consultations. In fact, we have been told several times that the consultations on Bill C‑27 should have been much more extensive.

Now we have a series of amendments, including amendments NDP‑2 and G‑2, which again show that some people have tried to get you to change your perception of the bill or the way you're drafting the bill.

You met with some groups much more intensively than others, if I understood correctly. That is the case for representatives of the Canadian Anonymization of Data Network, CANON, whom you have apparently met with about 10 times.

Why has it been necessary to meet with representatives of this group more than 10 times since the bill's introduction and our analysis of it in committee?

Okay.

In September, the Minister of Innovation, Science and Industry proposed a series of amendments, and the government is now proposing some 50 more as a result of the meetings you had with the various groups.

Do these amendments stem from the testimony we heard during the study of the bill or do they also stem from the meetings you had with representatives of certain groups? I would remind you that you have met with them more than 10 times.

I will come back to the amendment we are currently discussing.

The government is proposing a new definition. The NDP is proposing another one, which is consistent with the one used in Quebec, if I understood correctly.

What is the government's intention in terms of changing the definition? In our opinion, the definition is less appropriate than the one in the NDP amendment, which aligns with the definition used in Quebec.

As was mentioned, you've met with various stakeholders over 10 times. They were trying to influence you so to draft a particular definition.

Are you currently still meeting with those stakeholders?

Do you think that the large number of interventions made by some groups, far more than others, could give the impression that industry players are trying to soften Bill C‑27, to make it more acceptable to them or easier to interpret and implement?

Are industry players looking to make their jobs easier at the expense of the real need to fundamentally protect privacy or children?

The purpose of the proposed legislation is to protect Canadians. Do you get the impression that these organizations want to water down the bill—if I can put it that way—to make it easier to interpret?