Industry Committee on April 29th, 2024

I'd be interested to know if we, as the industry committee, can actually put a question in to House of Commons.

The last time I asked for one of these earpieces, they were made in China. Maybe we should ask about these earpieces since we're talking about the quality of sound. They're the standard ones in the House of Commons. Perhaps, as the industry committee, we can ask specifically when these were manufactured, tested and delivered, and when the technology was provided for this. The piece I got in the House of Commons was created seven years ago. That's the manufacturing date, so perhaps that information might help our audio system.

I have no objection to asking the Speaker for that information, and we can share it with the members.

Mr. Vis.

Unfortunately, I had to visit an audiologist two weeks ago here in Ottawa. The first thing they said to me was that we have to get rid of those horrible earpieces because they do so much damage.

That's especially for the interpreters who have to wear them day in and day out.

I'll ask the Speaker. I have no problem with that, and I see no objection. Thank you, Mr. Masse.

With regard to our scheduling issue, as you know, before the end of May—as we agreed at the steering committee—we are to have another hour with the minister on Rio Tinto. We also have to invite him before the end of May on the main estimates. The clerk has asked for the minister to appear on both of these subjects. However, the minister, based on his very busy schedule, is only available on May 8 for an hour with the committee. I am seeking the guidance of the committee as to whether we should invite him on the main estimates and open the floor to all subjects or have him specifically on Rio Tinto.

He's prepared to answer questions on both topics, but the time that he has to allocate to the committee is limited. I'm seeking guidance in terms of what I send out for the notice. I know it's not going to be satisfactory to members that we don't have the minister for one hour on Rio Tinto and for one hour on the main estimates. However, the most pressing one, to me, would be.... Well, actually, time is of the essence for both, but I would go with Rio Tinto. That's my personal opinion.

I see Rick Perkins.

Thank you, Mr. Chair.

I find it disappointing, because last year we gave the minister grace and didn't call him for estimates because of his travel schedule. He had lots of notice of this request, and lots of flexibility from this committee to get that done before they're reported back to Parliament—which is why they're the primary item that has to go, I think. There's no point in having the minister much after they're reported back to Parliament, so I ask that the minister reconsider and find two hours in his schedule—if it's not on that date, then at least two separate hours—to deal with both issues, as the committee requested.

He has found a lot of time to visit U.S. politicians and be all over the world, but he hasn't had time to come to committee, which personally, I think, is disrespectful to Parliament and the work of this committee. I think he owes it to us to come for two hours, whether it's all at once or split into two separate periods. I request that the committee go back to the minister and say that we prefer for him to come for two one-hour appearances, as we originally requested.

Okay, so in the meantime, given that we've agreed and out of courtesy for Jean-Denis—whose motion it was to do the two hours of Rio Tinto and we agreed to it—I would suggest that on May 8 we have the minister appear on Rio Tinto, and I will resubmit an invitation to the minister for main estimates.

Mr. Chair, what's the date that the estimates are reported back to the House?

It's the end of May.

It's the end of May, so we'd have to find another hour before the end of May.

Mr. Généreux, you have the floor.

I have a great deal of respect for the minister, who obviously works extremely hard. However, in order to show respect for the procedure and for all the work that the committee must accomplish, he should at least come here for the two hours. He must appear if required to do so by the committee. I see no reason why he couldn't find two hours in his schedule. We see him making announcements all over the world. If he needs new batteries, we'll give him some. One thing is certain. He must appear if required to do so by the committee.

I quite agree with you. That said, when the minister appears before the committee, I often have trouble getting him to leave, because he stays longer than planned.

We'll try to work with him to see what can be done. In any event, I suggest that we invite him to appear on May 8 to discuss Rio Tinto and that we invite him back to discuss the main estimates. Even if the minister were totally unavailable between now and the end of May and the committee had already reported to the House on the budget, the minister could come a bit later, in June, to discuss it.

Would anyone else like to comment?

Mr. Masse, you have the floor.

Just to speak briefly to this, the estimates are important too. As we're creating this Bill C-27 sausage, it's important to have the minister talk about the estimates because there's money in the budget related to Bill C-27, so the timing would be extra important this time.

Thank you.

Mr. Savard‑Tremblay, you have the floor.

First, thank you for having me in this committee.

We're prepared to agree to this taking place over two meetings, if necessary, on two conditions. First, two hours must be spent on these issues, meaning one hour to discuss Rio Tinto and another hour to discuss the main estimates. For us, this is non‑negotiable. Of course, we must also take into account the deadline for the committee to report the main estimates to the House.

Two hours is the bare minimum for us, especially since the committee has already been flexible about the date.

In this case, the best solution would be to meet with the minister to discuss the main estimates on May 8, and then find a later date between now and the end of the session to discuss Rio Tinto. I think that this would suit everyone. If members of Parliament have urgent questions about Rio Tinto, the minister can still answer them, even though he'll be there to talk about the main estimates. That way, we still have an hour to discuss each topic.

That's what we'll do. Thank you, colleagues.

That brings us to our regularly scheduled programming on Bill C-27, and if I'm not mistaken we were on CPC-4.

Mr. Masse, the floor is yours on CPC-4.

(On clause 2)

Thank you, Mr. Chair.

Resuming at where we were discussing the age of 18 or 14 with regard to consent and everything, maybe you can do a quick summary. My biggest concern, if we are going to go with 18, would be how somebody who is 14, 15, 16 or 17 can champion themselves in terms of their data versus a potential guardian or somebody else who might have a different set of opinions about how that person's data should be handled.

I'm looking at the process and how difficult it is for those individuals in that grey area, who perhaps would have to compete against somebody else who might have a different set of values or interests about the use of their data through the private sector, if that's something we could go to....

That's helpful.

Let's just walk through this process. Say, for example, that a 17-year-old wants to determine that. The company—let's say it's Microsoft or whatever—would then have to challenge the capabilities of the individual. They would have to abide by the wishes of the individual. You'd have to abide by the individual first, and then the company would have to challenge that. Would it go to the Privacy Commissioner to determine? I'm just looking for the practical path.

To conclude with this, I used to be an employment specialist for persons with disabilities, and there was the whole People First movement, because, for a lot of people, it had been determined that they weren't capable of certain things when they were capable. How would this apply with regard to persons with disabilities as well? That has tended to ebb and flow with societal standards, which at times have been rather poor in many respects. We've adjusted some, but it's still quite a bit of a challenge. How would it apply for persons with disabilities?

Yes, because, also, like I mentioned, there are persons with dementia and people living longer and so forth. There are other types of mental health challenges that are probably going to get more complicated or to at least be inclusive of mainstream society, because it's more than just persons with disabilities now. It's also persons who will develop memory issues. Okay, that part (b) will cover this.

I'm going to conclude with this. I have one last question, because originally the motion from the Conservatives was age 14. Then it was moved to age 18, and I understand the reasons for it, but there were a lot of other submissions for 14 that came in from us. Have I missed anything other than that in terms of other testimony that has come in to move it to 18? Or has it been still more soundly represented at 14?

Great.

Thank you, Mr. Chair, for the time. It's been very helpful to get to the comfortable zone of supporting this amendment. I think it's appropriate.

Thank you, Mr. Masse.

Mr. Généreux, the floor is yours.

Thank you, Mr. Chair.

Does any other legislation in Canada provide for authorized representatives for young people under the age of 18?

The Canada Elections Act is clear. Minors are people under the age of 18. If I'm not mistaken, under this legislation, young people aren't adults before the age of 18.

I agree. However, it's also a concept to set, in a bill of this nature, the age of majority at 18, meaning the age up to which people are subject to privacy legislation.

I've had conversations with people of various ages about the age at which individuals can make decisions for themselves. Of course, the answers differed, because the views vary from person to person.

I'm thinking back to the early 20th century, or even to 35 years ago, when the Internet didn't exist. I don't know how old you are, but I'm 62. We didn't have the communication tools 25 years ago that we have today. Does this make us smarter? I'm not sure. When we were teenagers, we didn't have the same tools. These days, a number of young people have access to these tools from a very early age. In some cases, it's almost dangerous. In my opinion, having access to these technological tools doesn't make young people any more responsible.

Based on my conversations on this topic, the age of 18 is still a given, in theory. The legislation could say 14, 15 or 16. However, 18 is the generally accepted age in western countries. In a way, it's only natural.

We propose that the bill set the age at 18. This isn't binding. Obviously, it would require young people to obey the law. However, it would give us greater leeway. When we legislate, we must think about young people who are more sensitive, more open to attack, in a way, or more naive. No matter what we call them, we have a duty to protect these young people. In a way, we play the role of guardians of these young people. For that reason, we think that this amendment is important, even though Quebec's law 25 sets the age at 14.

In terms of consistency or compatibility, I would like to know the age established in various pieces of legislation both in Canada and abroad in the United States or the European Union.

In this case, wouldn't the age limit of 14 be too restrictive?

Okay. Thank you.

Thank you, Mr. Généreux.

Mr. Savard‑Tremblay, the floor is yours.

I just want to clarify something to make sure that I understand the amendment.

First, you compared the bill to practices in other parts of the world. I should point out that, in Quebec, the age is 13. It's even lower than the originally proposed age of 14.

Suppose a young woman or young man wanted to have negative information about themselves removed. According to the amendment, I gather that they would absolutely or quite likely need to do so through their parents. Is that right?

I just want to make sure that I understand. How is “capacity” legally defined?

Thank you.

Thank you.

Since there are no further comments on amendment CPC‑4, we can vote on it, unless there's unanimous consent to adopt it.

I would like a recorded vote.

We'll proceed with a recorded vote.

I should point out that, when moving his amendment, Mr. Vis changed it so that the age would be 18 and not 14 as it appeared in the paper version submitted.

(Amendment agreed to: yeas 10; nays 1 [See Minutes of Proceedings])

Thank you, colleagues.

This brings us to amendment CPC‑5. Before Mr. Perkins moves it, I must inform you that…

Are you not moving CPC-5, Mr. Perkins?

Yes, Ryan is.

Just before Mr. Williams moves it, I want to inform members that should CPC-5 be adopted, BQ-1 will be inadmissible due to a line conflict.

I'll let Mr. Williams move CPC-5.

Thank you, Mr. Chair.

I want to reference all amendments, because I think they're really important. In this discussion, when we're talking about personal information, we have our first amendment, which talks about including inferred information about an identifiable individual. However, I think it's important in my discussion of this that we also recognize some of the other amendments. Perhaps through this discussion—I know there will be a vote—out of four, I think we can probably come to an agreement of some kind of consolidation of this, as we've done with past amendments.

I'll start with what we're talking about. We talk about personal information as “information about an identifiable individual”, but when we're talking about AIDA and the age of AI and big data, we've identified that we also need to make mention of inference.

The Privacy Commissioner has said:

...inferences can lead to a depth of revelations, such as those relating to political affinity, interests, financial class, race, etc. This is important because the misuse of such information can lead to harms to individuals and groups in the same way as collected information—a position confirmed by the Supreme Court in Ewert v. Canada. In fact, as noted by the former European Article 29 Data Protection Working Party, “[m]ore often than not, it is not the information collected in itself that is sensitive, but rather the inferences that are drawn from it and the way in which those inferences are drawn, that could give cause for concern.”

He continued:

General support for the idea that inferences constitute personal information can be found in past OPC decisions and Canadian jurisprudence. For instance, the OPC has found that credit scores amount to personal information (PIPEDA Report of Findings #2013-008, among others), and that inferences amount to personal information under the Privacy Act (Accidental disclosure by Health Canada, paragraph 46). This is also consistent with the Supreme Court’s understanding of informational privacy, which includes inferences and assumptions drawn from information.

We've had the Privacy Commissioner give past cases on this.

He continued:

In light of these conflicting viewpoints, we believe the law should be clarified to include explicit reference to inferences under the definition of personal information. This would be in accordance with modern privacy legislation such as the California Consumer Privacy Act (CCPA)...

Looking at this, I normally note the GDPR as being the gold standard. We think the California example is the better example for personal information.

To go further into that, when we talk about personal information, one limitation of the definition is its broad scope, which can encompass a wide range of data, including information that may not always directly identify an individual. This can lead to ambiguity and challenges in determining what constitutes personal information, especially in cases where data points are combined or analyzed in aggregate.

Additionally, the definition may not adequately address emerging technologies and forms of data, such as IoT devices or anonymized data—as we've talked about before—that could potentially be reidentified.

Besides the inclusion of inference, to improve the definition to look more like the California example, it could include specific criteria or examples to clarify what qualifies as personal information. Additionally, incorporating provisions for emerging technologies and data types would enhance its applicability and reference.

To look at how it's defined in the California code, this is how it reads right now. Personal information includes, but is not limited to, any information that directly “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”.

It then includes examples, which I think are really important. It says this includes, but is not limited to, names, postal addresses, email addresses, social insurance numbers, driver's licence numbers, passport numbers, financial account numbers, credit card numbers, biometric information, geolocation data, Internet protocol addresses, device identifiers, browsing history and any other information that could be reasonably used alone or in combination with other data to identify an individual or household.

We talk about how it's much better to talk about human information when we talk about privacy, because it refers us back to human beings, but giving examples allows the Privacy Commissioner, when looking at cases, to look at exact examples, and then in a court of law to have those more defined.

Mr. Schaan, I'll start with you. Starting with the inferred information as defined in this amendment we're talking about, does it constitute the same protection as personal information throughout the entire bill, even with this proposed amendment?

You might have answered my question already, but with this new definition, is personal information still regulated to appropriately reflect the inclusion of inferred information as it exists in the California privacy act and Australia's Privacy Act?

I know we're looking at this clause, but also that, as before, the discussion was that if this clause were to go through it would take away the other three amendments...clauses. Given the discussion that I introduced of looking at the California section of the privacy act, identifying certain use cases for personal data, would that fall in line with what you think would strengthen this bill?

I agree with that because I think that in the past we've disagreed within regulation, which may not define. However, could we use the words “such as”? Is there language that would allow that list not to be limited and exhaustive, as you point out?

Through you, Mr. Chair, we have NDP-4. We bring this up now because if we pass this first motion, we eliminate it. It does have wording in that, including:

individual that can be used to identify them, directly or indirectly, and includes their name, an identification number, location data, an online identifier or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

However, what we're looking for, then, is something that says, “such as” or “could include”. Isn't that right? That's probably the wording we're looking for.

If you go back to the California code, it says, “Personal information includes, but is not limited to” any information that directly “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”. It's a longer definition before they list the examples.

Should we be looking for that kind of a definition? Again, we're talking about “inferred” on one side. However, again, when we look down the list, I think it is the Bloc amendment that talks about including “an identifiable individual or group”.

If we look at the California code, we see that they've really nailed that first part of the definition. Would that be something that would encompass all of the amendments that we looked at?

Mr. Chair, I'm going to let others chime in so that we can see what the other parties are thinking.

Thank you, Mr. Williams.

I'll just make a point of clarification, which you've mentioned. If CPC-5 is adopted, BQ-1 cannot be moved, but NDP-4 and NDP-5 could still be moved.

Mr. Masse.

Thanks, Mr. Chair.

I think we're playing a game of snakes and ladders here as we go back and forth with all the different numbers. I think what's happening here is that we're trying to make it better, but we don't want to make it worse. I appreciate the Conservatives' bringing this amendment forward. If we go with NDP-4, though, and insert “but not limited to”, would that be a better fix?

Okay. That's what I want to hear. We're trying to get to the same place here, so please be frank.

If we're looking to bolster what we're trying to do here, which amendment should we be constructing on? We've ruled out NDP-4, which is fine.

Again, I think we're all trying to get to the same spot.

So we're really looking—and please say no if I'm wrong—at the one currently in front of us, NDP-5, as being the better of the options going forward.

From those two choices, is there one that's preferable?

That's fine. Again, it's about getting the result. I think NDP-5 is better, but we all want to get to the same space.

Thank you very much. That has been very helpful. I will turn the floor back to the chair.

Thank you.

Mr. Turnbull, the floor is yours.

I will be quick.

Our position is that amendment CPC-5 is something that can be supported, but based on, I think, Mr. Williams' questions, inferred information may already be included in the interpretation of PIPEDA and the EU GDPR.

Is that not correct, Mr. Schaan?

So including it doesn't really add a whole lot, except maybe for greater certainty, as you all say sometimes. I know that's a term that comes up in this committee a lot. It may actually improve the bill ever so slightly in terms of just being a bit more explicit that inferred information is included. Would you say that's sort of—

Okay, great.

I appreciate all the questions on the other amendments that have been proposed, and maybe we'll get into those in a moment, but maybe we can vote on this one. I'm certainly prepared to support amendment CPC-5.

Are there any other comments?

Mr. Van Bynen, go ahead.

I want to clarify. I think there was some discussion about including the words “but not limited to information”. Is that something you had indicated earlier, Mr. Schaan, that you wanted to see included in that amendment?

Thank you.

I see that there are no other comments, so I will call amendment CPC-5 to a vote.

(Amendment agreed to: 11 yeas; 0 nays)

Thank you, everyone.

Since amendment CPC‑5 has just been adopted, amendment BQ‑1 is now inadmissible due to the line conflict that I referred to.

This brings us to amendment NDP‑4.

Before giving the floor to Mr. Masse, I just want to inform him that, if amendment NDP‑4 is adopted, amendment NDP‑5 can't be moved, due to a line conflict, once again.

You're going to have to choose which one you want to move, because if NDP-4 is adopted, then NDP-5 cannot be moved.

Mr. Chair, I think we have had a good amount of discussion. I can drop amendments NDP-4 and NDP-5. I'm comfortable with the discussion we've had and with working that through.

Okay, so they are not moved.

I don't think we've ever gone this fast before. Let's keep it going.

That brings us to amendment CPC-6.

Mr. Généreux, you have the floor to move amendment CPC‑6.

Thank you, Mr. Chair.

Amendment CPC‑6 adds, after line 31 on page 5, the following definition of the term “profiling”:

Profiling means any form of automated processing of personal information consisting of the use of personal information to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual's performance at work, economic situation, health, reliability, behaviour, location or movements.

In his brief to the committee on Bill C‑27, the Privacy Commissioner of Canada pointed out a gap in the bill. He said that, “unlike the European Union's general data protection regulation (GDPR) and other modern privacy laws in California and Quebec,” Bill C‑27 doesn't contain any provisions requiring organizations to take protective measures against profiling carried out by automated decision‑making systems. As drafted in the bill, the obligations would apply to organizations only when they use automated decision‑making systems to make decisions, recommendations or predictions about an individual. However, as the commissioner stated, “while profiling may be implicitly included in recommendations or predictions, not including it explicitly in the [proposed legislation] could create unnecessary ambiguity resulting in a significant gap” in terms of privacy. As a result, “often‑opaque activities such as data brokering—selling or … making available datasets about individuals which they will typically be unaware of—may not have the same needed transparency.” It's also unclear “if the obligations would apply to personalized digital environments,” such as the metaverse, in this case Facebook.

Although Bill C‑27 as currently drafted doesn't include any reference to the term “profiling”, the Conservatives are moving two amendments that use the term. As a result, this definition must be added.

Amendment CPC‑6 seeks to add a definition of the term “profiling” to the bill in order to support other Conservative amendments that use the term. These amendments seek to allow individuals to file an appeal against automated decisions made about them when they have been profiled, and to introduce a requirement for organizations to explain, in plain language, how their automated decision‑making systems profile selected groups.

With your permission, Mr. Chair, I would like to ask the witnesses a question.

The Privacy Commissioner of Canada and stakeholders from the Centre for Digital Rights have expressed concerns about the current gaps in decision‑making.

Are there currently any other gaps in the bill related to automated processing or decision‑making?

The European Union's General Data Protection Regulation and other statutes make distinctions about profiling in terms of group settings.

As far as personal information is concerned, are there other clauses of the bill that do not take into account an individual's option to opt out when a group of which they are a member chooses to register? In other words, when a person is in a group, is it possible for them to withdraw from that group?

Profiling is not defined in the bill, even though we know very well, indirectly, that it occurs. I would even go so far as to say that racial profiling is very important for a number of service providers who do mass data collection. I don't want to get into a debate, but we have seen on a number of occasions—in Montreal in particular—the whole issue of racial profiling in the public safety file.

Inevitably, individuals find themselves associated with certain groups that are profiled based on elements of their private life, such as race or age. Could the lack of an extremely explicit definition of profiling in the bill put these individuals at risk, since they are profiled without even knowing it and will, therefore, not have the opportunity to challenge the law going forward, in one way or another?

Then I gather that you are not opposed to our proposal to include this definition in the bill. We think this is essential. Would you agree with that?

Thank you.

Thank you very much.

Mr. Turnbull, go ahead.

My understanding from the last exchange is that the concept of profiling activities is already included in the bill.

Is that right, Mr. Schaan?

It's the construct around automated decision-making models...there are specific requirements for that included in the bill.

Is that right?

Could you briefly describe what those requirements are?

Got it.

Is the inclusion of this definition going to create any problems in the interpretation of the bill? Is there any confusion that it could create?

It's similar to inferred information, which was already included in the bill, in a way, but adding it explicitly doesn't necessarily harm the interpretability of it.

This is not a hill we're going to die on. We'll support you.

Thank you very much.

Mr. Vis, you have the floor.

I'm going back to the good work this committee's done on putting the best interests of children as a paramount concept at the onset of the future legislation.

I'm thinking in the context of my four-year-old son. Does the department acknowledge that companies seek to profile children who may get a hold of their parent's iPad and want to buy the latest PAW Patrol? PAW Patrol is everywhere. It is a known fact that companies that have access to the PAW Patrol licensing are profiling and trying to get parents like me to buy some really crappy toys that fill up my basement and I find underneath my couch.

I'm bringing it back down to reality.

When and if Bill C-27 is passed, would the bill provide the safeguards needed with some of the amendments already passed to stop that current commercial practice?

Is that based on the example you just gave about what an obligation of a corporation would be?

There is another scenario that I'm concerned about.

My kid has an iPad—don't judge me, please. Sometimes they get to use that on the weekend, whatever, it happens, and those things happen with PAW Patrol. I know Bernard is laughing because it's the same with his grandkids. That's a fact; I've been to his house and I've seen PAW Patrol.

The other scenario is that, in my household, I have an Amazon Alexa. Again, don't judge me, but this is the life I live. My children put on all sorts of wild music like these frog songs right now. I can't get over them. It's also my iPhone and my Samsung. They listen to me as well, and it all seems to be tied together.

On Saturday night we were cooking Filipino food, and my wife was telling my children why we were doing this a certain way, because that's what she does, and it's part of her culture. The next day on Facebook, we saw reels of Filipino cooking. That is a fact, and it happens to everyone. My reels are often rugby, politics and Filipino food, so there you go.

The other scenario I'm concerned about relates to children. I don't believe that this law is going to stop all of the things that all of us get concerned about when it relates to children. All of these things are being said in the context of a home, and most of us probably have a Google or Alexa-style device in our household, as they're ubiquitous now. We're not going to be able to stop all types of profiling even if we have very strong safeguards and clear language in the bill, because there are so many ways that corporations will be able to circumvent the intention of the law. It's going to take court cases to go to the next step in protecting kids.

Would that be a fair assessment?

Thank you, Mr. Chair.

Thank you, Mr. Vis.

Seeing no further discussion on amendment CPC-6, I'm ready to put it to a vote.

Having said that, I see that Mr. Masse and Mr. Williams are not here right now. In that case, we could proceed by consensus.

Is there a consensus around the room on CPC-6?

(Amendment agreed to)

This brings us to CPC-7.

Mr. Masse and Mr. Williams, we adopted CPC-6 by consensus. I hope it's fine with both of you. If it's not, it's done already.

On CPC-7, I have Mr. Perkins, but I'm guessing it's someone else on the Conservative side moving it.

Mr. Vis, the floor is yours.

I didn't think we'd get this far today.

This follows nicely the good dialogue we just had with Mr. Schaan regarding how implicit or explicit this bill actually becomes. CPC-7 proposes to define sensitive information:

sensitive, in relation to information, includes any information pertaining to an individual that reveals

(a) their racial or ethnic origin;

(b) their political opinions, religious or philosophical beliefs, trade union or political membership, or political contribution history;

(c) their sexual orientation or sexual habits;

(d) genetic data or biometric data that can uniquely identify them;

(e) their health condition, including any treatment or prescription on their medical record;

(f) government identifiers, such as their social security, passport or driver's license numbers;

(g) the content of their electronic devices, including messages, images, address books, calendars and call history;

(h) their passwords; or

(i) financial data.

Bill C-27 makes several references to the terms “sensitive information” and “sensitivity” without providing definitions for the terms. This approach is incredibly problematic for consumers and businesses if the definition is left to interpretation, with the obvious risk that some information will be regarded as sensitive data and other information as not, and those interpretations will vary. To resolve this issue, stakeholder groups and the Privacy Commissioner have advocated for a clear definition of the term, outlining a list of items legislators constitute as sensitive information.

I note that, in committee testimony on October 31, the Centre for Digital Rights stated:

At the moment, the definition of sensitive categories of personal information is left open and the words “sensitive” and “sensitivity” are used throughout Bill C-27 without definition (with the exception of minors). Thus, the definition is left to the organization with the obvious risk that some sensitive data will not be regarded as such, and that interpretations will vary.

This is a key element that differentiates the CPPA from other modern privacy laws like the EU GDPR and those found in California and Quebec:

So as to provide certainty for Canadians and Canadian businesses, and to align with both Quebec's Law 25...Bill C-27 should define “sensitive information” first by establishing a general principle of sensitivity followed by an explicitly open-ended list of examples....

The Office of Privacy Commissioner, in its submission to our committee, stated:

That a definition of sensitive information be included in the CPPA, that would establish a general principle for sensitivity followed by an open-ended list of examples.

In the GDPR, article 9, paragraph 1, it states:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

It's very clear we relied heavily on the GDPR example in putting forward this proposed amendment.

I note that the Canadian Research Insights Council, on May 9, stated:

Bill C-27 could offer more protection for minors, for which the Bill is nearly silent. Bill C-27 indicates that information with respect to minors be considered sensitive information but offers no definition of minor nor sensitive information.

Australia's Privacy Act follows a similar line of language to the GDPR.

In America, the American Data Privacy and Protection Act outlines a whole suite of matters related to their definition, including:

(i) A government-issued identifier, such as a Social Security number, passport number, or driver's license number....

(ii) Any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or health care condition or treatment of an individual.

The list includes financial information and:

(iv) Biometric information.

(v) Genetic information.

(vi) Precise geolocation information.

(vii) An individual's private communications....

The list includes passwords, sexual orientation or:

(ix) ...sexual behaviour in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information.

(x) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual's device....

It includes non-consensual intimate images, information that reveals the video content or services requested or selected by an individual, and minors' information.

I'll go on.

Daniel Konikoff from the University of Toronto stated:

The term “sensitivity” appears often throughout the CPPA, yet it remains undefined in the Bill's glossary. Bill C-27 should follow global standards and explicitly define sensitive information to capture the above-mentioned categories with an emphasis on biometric information, which is at the core of an individual's identity. The EU AI Act is already ahead of the curve on this, explicitly defining biometric data in a way that acknowledges its sensitivity, its unique capacity to identify a person, and the importance of consent in systems that identify based on “...physiological, behavioural and psychological human features”....

The CPPA's failure to capture biometric data as sensitive information leaves far too much up to interpretation, and may lead businesses to establish inadequate protections—or none at all—for information that merits stronger safeguards. Without this definition, other sections of the CPPA—such as 53(2) and 62(2)(e), which refer to retention periods for sensitive personal information, or 57(1), which pertains to establishing safeguards proportionate to the sensitivity of the information—are left open to interpretation.

California follows the federal law in America, which provides much of the same language in terms of sexual orientation, racial or ethnic origin, or religious or philosophical beliefs.

I'll note that the Canadian Civil Liberties Association outlined that sensitive information remains undefined in Bill C-27. It said, “Parliament should follow international standards and explicitly define sensitive information to better protect special categories of personal information.”

Bill C-27 defines “personal information” as “information about an identifiable individual.” According to the European Union's General Data Protection Regulation, personal information includes names, ID numbers, “location data, an online identifier or...factors...to the physiological, genetic, mental, economic, cultural or social identity” of the person.

I think there is ample testimony from business and civil liberties groups as well as the Privacy Commissioner outlining the need to have a definition in there. At the same time, I acknowledge some of the rationale we've heard from the department about the nature of lists. However, I also relied heavily on the expertise of the Privacy Commissioner when putting this forward. Our intention behind it is to avoid broad interpretation if and when this bill is enacted and becomes the new standard for Canada.

Thank you, Mr. Chair.

Thank you, Mr. Vis.

On my list of speakers, I have Mr. Savard‑Tremblay, followed by Mr. Turnbull and then Mr. Gaheer.

Mr. Savard‑Tremblay, you have the floor.

Thank you, Mr. Chair.

I would just like to move a subamendment, which consists in adding the following element:

(j) any other information violating the fundamental right to privacy.

Mr. Savard‑Tremblay, would it be possible to send us your subamendment in writing, in both official languages, if that has not already been done?

Yes, we're working on it.

Mr. Chair, I'm sorry if I missed this earlier when you stated it. What's the relationship between CPC-7 and NDP-6?

There is none.

It's being sent around to the clerk, then to members, but you've all heard it. There's a subamendment that has been moved by Mr. Savard-Tremblay.

I'll open the floor to debate the subamendment, which we have to deal with before we can go back to the amendment per se.

Mr. Turnbull.

Thank you, Mr. Chair.

If I understand the intention of Monsieur Savard-Tremblay's subamendment, it would be to add “any other information that would be a breach to the fundamental right of privacy” on to the long list of factors that are there.

Is that correct?

Essentially that list would be deemed inexhaustive and would include “any other information”.

That's just a clarification question. I think I'm understanding correctly.

Thank you.

Mr. Savard‑Tremblay, do you want to answer your colleague's question?

The current list is probably intended to be exhaustive, but I think we need to give ourselves the possibility to add to the list other types of information that could violate the fundamental right to privacy.

I think that speaks for itself. If necessary, it will provide another basis for interpretation in the event of litigation, for instance.

Thank you.

I guess what I'm struggling with is that this section that's being amended is adding factors or categories of types of information that would then qualify as sensitive and would then require express consent in all circumstances.

Is that correct, Mr. Schaan?

Could you maybe clarify for me if I am interpreting this correctly?

Are there any concerns with, for example, financial information or biometric data that would pose potential risks in terms of over-regulation?

I just wonder if this is something that financial institutions, for example, are used to dealing with.

Thank you for that clarification.

Just to follow up on that, what I'm inferring from this is if you're deeming all of these categories of personal information as essentially sensitive information, you're raising the bar to require express consent in every single circumstance, which eliminates any room for context dependence to be considered.

What would the potential burden be on industry that probably functions right now to do all kinds of things that we.... I think we take for granted how the sharing of information is necessary in order for some of the services that we consume regularly and that are highly convenient to us...and if we raise the bar so high, I am concerned that many of those services we currently rely upon will not be convenient anymore.

In other words, those companies will have to come back to us for express consent on a lot more things than maybe we would really intend by making this change.

It seems to me there's a high risk of unintended consequences of over-regulation here. I just wanted to check, Mr. Schaan, whether you agree with that and whether you can give us any examples; I'm struggling to think of one.

Just to follow up on that, let's say some of the information included in this list is not necessarily deemed sensitive in all circumstances. Does that mean it's necessarily unprotected information? I don't think that is the case, right? I mean, it's still considered personal information; it's just that not in every circumstance would it require express consent to be collected, utilized, etc.

But there are still some pretty significant requirements in this bill that would be obligations on the companies that are collecting and using that information, even though it wouldn't necessarily in every circumstance be deemed sensitive. Is that not correct?

That makes a lot of sense. I know that we haven't gotten to those parts of the bill, so it's easy to reflect on definitions at the point we're at and not consider the very high number of requirements and obligations that companies would be under, given all the personal information that they may use. That's interesting.

If we add Mr. Savard-Tremblay's subamendment to this list, now we're going to “any other information”. I think that almost collapses that outer circle to include almost anything as sensitive information. I see that as being a very high risk for unintended consequences.

Mr. Schaan, could you comment on that?

That would have a major implication for the other parts of this bill—in other words, that all personal information already comes with a number of different standards and obligations. That would essentially change the nature of the bill quite considerably, would it not? What would be the impact if Mr. Savard-Tremblay's subamendment were to pass?

So you're saying it would not be implementable. It would essentially make this bill—what? What would be the impact?

Congratulations.

That sounds to me like it would defeat this bill in the sense of the intentions of it. It would also be very annoying for almost everybody out there who uses services that require the sharing of personal information, including your mom and myself with my Apple Watch.

I'm sure there are many other examples, if you universalize that across our entire economy, that we probably take for granted to some degree, but I think it would be a major imposition on business functioning in order to offer the value that we normally experience from those services.

Thank you for that.

I don't know whether Mr. Savard-Tremblay intended for that to be the case, but after hearing the clarifications made here, I think it seems that this subamendment is not going to have an overly helpful effect at achieving the policy objectives of this particular bill. I'm wondering whether we can vote on that.

I know my colleague, Mr. Gaheer, was on the list to offer some thoughts on the original motion that the Conservatives put forward, which we hope we can get to today.

Thanks.

Thank you, Mr. Turnbull.

In the meantime, we're still on the subamendment until I've exhausted the list of speakers.

I have on my list Brad Vis and Mr. Savard-Tremblay.

Just so you know, we have a motion by Mr. Williams that he'd like to move towards the end of the meeting, so at about five minutes to 1:00, we could move on to Mr. Williams' motion.

Mr. Vis.

I'll provide a general comment.

I don't believe this subamendment was put forward with ill will, but I would accept some of the rationale about its being overly broad in this context. On the CPC side, we're going to be voting against it.

Thank you.

Mr. Savard‑Tremblay is next on my list, but I see that he is currently talking to Mr Williams.

Mr. Savard‑Tremblay, you now have the floor.

Thank you, Mr. Chair. I thought it was my colleague's turn.

I would have liked to be able to speak about 20 minutes ago to prevent people from talking about my subamendment for nothing, as I finally decided that I wanted to withdraw it and propose something else.

Just a moment, Mr. Savard‑Tremblay.

Do I have the committee's unanimous consent for Mr. Savard‑Tremblay to withdraw his subamendment?

(Subamendment withdrawn)

We'll go back to you, Mr. Savard‑Tremblay.

Based on the discussion I've heard, I believe that, rather than adding item (j) to amendment CPC-7, it would be much more accurate for this item to be at the end of amendment NDP-6. I'm just throwing that out there. I'm not sending it to you in writing, since you already have it.

So it would become the end of the wording proposed in amendment NDP-6, replacing “personal information in respect of which, due to the context of its use or disclosure, an individual has a high reasonable expectation of privacy”.

I think that would clarify everything, in addition to addressing all the fears and considerations we heard about the subamendment I had proposed previously.

If I understand correctly, point (j) would become another subamendment that you would propose. Is that correct?

Yes. This subamendment that I would propose would eat into the end of amendment NDP-6.

I invite you to send the text of the subamendment to the clerk so that we can debate it.

There's not much time left in the meeting. I will still let you finish your remarks, Mr. Savard‑Tremblay, if you have something to add. That said, I think we have clearly understood the subamendment you are proposing: It's about replacing the end of amendment NDP-6 with what you had proposed to add as point (j) to amendment CPC-7.

The wording will be sent in writing to the clerk and then sent to the committee members, and we can debate it next time. Since we have only 10 minutes left in the meeting, if it's okay with you, colleagues, I move that we end our clause-by-clause consideration of the bill here.

We'll come back to the subamendment proposed by Mr. Savard-Tremblay when we get back to the next meeting, because I'd like us to have enough time for Mr. Williams' motion.

Mr. Williams, go ahead.

Thank you, Mr. Chair.

We have circulated a motion.

Mr. Chair, you'd think for $15 billion of hard-earned taxpayer dollars that Canada would get supply chains for batteries, some manufacturing jobs for car parts or even a steering wheel. In Windsor at Stellantis—and I know we've talked about this before—we have $15 billion going to this plant. We had news from the union, from the CBTU members, this week that at this plant they're still seeing foreign workers employed over Canadian workers. We've made noise before about how we think Canadians should have been offered these jobs. For $15 billion, Canadians should have been put front and centre. We worked with the unions to make sure these were good jobs for Windsorites. This is a plant in Windsor, and we want the good people of Windsor to have these jobs and to be working in this plant, especially for this amount of money. We are still hearing from the union that foreign workers rather than Canadian workers are still working in jobs that were promised to Canadians. At Stellantis they're even asking their Canadian suppliers to sponsor foreign workers and refugees to perform the work when there are more than 180 Canadian ironworkers and millwrights sitting at home unemployed. This is a very concerning problem right now for this government.

What we're asking for in this motion, Mr. Chair, is:

That, in regard to the government's EV battery plant subsidies, the committee invite the CEOs of Stellantis N.V., LG Energy Solutions Ltd. and NextStar Inc., and the Minister of Innovation, Science and Economic Development Canada to answer questions no later than Friday, May 17, 2024.

Thank you.

Thank you, Mr. Williams.

Mr. Masse, go ahead.

Thank you, Mr. Chair.

Thank you for the motion that's been brought here. I would add an amendment to include Minister Vic Fedeli from the Province of Ontario. There is a fifty-fifty partnership going on with regard to this investment, and to not have the province would be egregious in many respects, because it is also responsible for allowing and following up on who's on site through the labour code.

We've had some allegations with regard to the type of work that's being done there. Why would we leave out the province? It would be, in my opinion, a missed opportunity to understand what's actually taking place and to clear the air. This follows another Conservative motion that's being looked at by the OGGO committee as well. This one's a little more specific to my riding, and I think the more transparency we can have, the better.

I move an amendment to include Minister Vic Fedeli, as well as any other provincial operatives, to enforce the contract. Again, this is a fifty-fifty deal that's being done, and it would be odd to exclude the province from doing this.

Thank you, Mr. Masse.

We have an amendment to the motion on the floor to include relevant provincial counterparts for the deal that's pertinent to the motion.

Are there any comments on the amendment proposed by Mr. Masse?

Mr. Turnbull.

I don't particularly have an issue with the amendment to the motion. I'd speak to the motion with the amendment. I think—

Mr. Turnbull, I'm sorry. We have to deal with the amendment before we can get back to discussing the motion.

I have a sense you might disagree with the motion, but do we agree with the amendment that's proposed, and can we get back to the debate on the motion?

Mr. Williams, please go ahead.

The main premise of this motion was to get support for getting the CEOs here. We haven't heard from them and we haven't had any reaction. The union is saying it's not heard back from the CEOs on any level.

We've had the minister here. When we have discussions about getting the minister here for other items...we can't ask the minister about those items when the minister's here.

This is primarily to get the CEOs here, in front of the committee. The province can probably talk about the process and what's happened on its end in terms of trying to work with these companies. It's going to see this as an investment. I'm sure it's also going to work on behalf of the unions, so I don't see it as being detrimental to this.

The premise of this was to have the CEOs here. They're the companies that promised that Canadian workers would get Canadian jobs, and they're not.

I'm indifferent to the amendment, but it's not the focus we wanted. We want to focus on the companies that need to answer why, when they are receiving hard-earned tax dollars, they are not putting those hard-earned tax dollars to work for Canadian jobs instead of foreign jobs.

Thank you.

Mr. Savard‑Tremblay is next. I remind you that the debate is still on the proposed amendment to the motion.

Yes, I want to speak to the proposed amendment.

Far be it from me to get involved in what is going on in Ontario, but the crux of the matter is precisely the fact that, in my opinion, the provinces are accountable to their people, not to the House of Commons. So I would be inclined to oppose this amendment.

Okay.

I don't think there are any other speakers. I would suggest that we vote on the amendment and then come back to the motion.

(Amendment negatived: nays 10; yeas 1)

Unfortunately for you, Mr. Masse, your amendment was defeated.

That brings us back to the motion as presented by Mr. Williams.

Mr. Turnbull.

Thank you, Chair.

I just wanted to say we had a very detailed subcommittee report that came back to the committee. We had agreed on a set schedule. We have quite a lot of business that we've prioritized and we've even wedged in some additional meetings to make sure that everybody has opportunities to study their various topics.

Obviously, Conservatives, we know that you are bringing a new motion every single week with a timeline that seems to want to delay Bill C-27 work. I'm not saying this isn't an important topic. I don't want you to hear it that way.

I notice, though, Mr. Williams, Honda isn't even included. You started by talking about Honda and it is not even in the motion you brought, which is kind of strange.

Regardless, I think that our committee calendar is completely full until the end of June when we break for the summer, so I would say that we stick to that. We reached consensus with the Conservatives around having an additional meeting on SDTC. If you want to have this instead of that, I think that's an option you could consider, but when you bring a new topic every single week that is supposedly urgent, I would just say that you've got to prioritize at some point and say what you really want to study.

I think we've all agreed Bill C-27 is taking priority. We're digging in; we're doing some great work together. We want to keep that momentum going. Maybe you can wait until the fall to study this or swap out SDTC. That's what I would humbly suggest as an alternative.

Thanks.

Thank you, Mr. Turnbull.

Mr. Masse.

Thank you, Mr. Chair.

I'm really disappointed in this committee and the members for moving a motion like this without including the most important partner involved in this investment in Windsor and that is the Province of Ontario, which has not been addressed here. I understand the Bloc's position with that, but, at the same time, it's going against the province's opportunity to have its voice here at the table as opposed to its voice being used and abused.

If you watch the Honda announcement that took place, it was just an unbelievable compliment session for half an hour, but it also included the fact the Province of Ontario has been a fifty-fifty partner with the federal government with regard to all of these investments, including the Windsor one. It had to be done twice, because the original investment was not the same as the current ones that were offered, and it was obviously going to walk away from the table at that point in time.

For us not to have the province is kind of startling. Perhaps there's more to be learned from either the federal Conservatives or the federal Liberals with regard to why they don't want the province here to describe specifically how it went about creating decisions that are different for each plant. Stellantis, Volkswagen and Honda are all different, but they're all involved in constructing the new facilities and they have different contracts available to them, not only with regard to subsidies. Whether it is direct cash or direct subsidies to the battery development later on or whether it is the labour, it all is enforced, at the end of the day, by the Province of Ontario, because it has the Ministry of Labour, and it has the jurisdiction.

That we would want to work against the provincial jurisdiction to provide this type of opportunity to highlight what it is doing is bizarre and twisted, to be quite frank. How do you have a full partnership in front of us here to describe what's going on, including Stellantis or whoever else, when you don't even have the second half of the chapter there? It makes no sense whatsoever, and it's not going to lead to a solution. We're going to have letters and allegations from a number of different sources.

I appreciate the union coming forward on this, because it is on the ground floor right there, but it is also the one having to bring complaints to the Province of Ontario.

It's unbelievable that we would consider bringing it forward, again without Doug Ford's representation here at the table, given the massive subsidies it is putting in. Basically, I can't support some type of fishing expedition that's not going to end in a real result for workers, and that's what we want. We want the workers to have the real result.

If you remember correctly, when this first came into place last year, I said that the Stellantis project should have been the vessel to create the training and opportunities for the new places that are getting the investments now, because it was the forebear of all those things. I was there for the groundbreaking of the Stellantis project, and at the time nobody talked about foreign workers, not the federal government nor the provincial government. Because of our trade agreements and because of the way we've laid things out, it has left us basically susceptible to a number of practices that are continuing to antagonize the process of what we need to do as a country, which is to fight for good auto jobs.

Without that element as a part of it, in terms of having the federal government and the provincial government here, I find it not only just a missed opportunity; I find it disrespectful to the province. I find it disrespectful to the workers. I find it disrespectful to the citizens of Windsor who want clarity. I think it's unfortunate.

If we want to continue to use this as a political football, that's fine. If some partisan agreements that have been made, I guess, between the Province of Ontario and the federal government are too sensitive to talk about here, they are not going to go away. If we want something to go away or to be resolved, then we have to have the people here who are making the decisions and are the true partners. Again, this is the Province of Ontario, the federal government and all the companies involved, including the unions, that should have a voice here as well. Leaving them out is just unacceptable.

Thank you, Mr. Masse.

Do I have any other speaker on the list or can I put the motion to a vote?

We'll go to a vote.

(Motion negatived: nays 6; yeas 5)

That brings us to the end of the meeting. Thank you, everyone. We'll see each other again on Wednesday.