Evidence of meeting #120 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was amendment.
A recording is available from Parliament.
Bloc
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Mr. Chair, I'm sorry if I missed this earlier when you stated it. What's the relationship between CPC-7 and NDP-6?
Liberal
The Chair Liberal Joël Lightbound
There is none.
It's being sent around to the clerk, then to members, but you've all heard it. There's a subamendment that has been moved by Mr. Savard-Tremblay.
I'll open the floor to debate the subamendment, which we have to deal with before we can go back to the amendment per se.
Mr. Turnbull.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you, Mr. Chair.
If I understand the intention of Monsieur Savard-Tremblay's subamendment, it would be to add “any other information that would be a breach to the fundamental right of privacy” on to the long list of factors that are there.
Is that correct?
Essentially that list would be deemed inexhaustive and would include “any other information”.
That's just a clarification question. I think I'm understanding correctly.
Liberal
The Chair Liberal Joël Lightbound
Thank you.
Mr. Savard‑Tremblay, do you want to answer your colleague's question?
Bloc
Simon-Pierre Savard-Tremblay Bloc Saint-Hyacinthe—Bagot, QC
The current list is probably intended to be exhaustive, but I think we need to give ourselves the possibility to add to the list other types of information that could violate the fundamental right to privacy.
I think that speaks for itself. If necessary, it will provide another basis for interpretation in the event of litigation, for instance.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you.
I guess what I'm struggling with is that this section that's being amended is adding factors or categories of types of information that would then qualify as sensitive and would then require express consent in all circumstances.
Is that correct, Mr. Schaan?
Could you maybe clarify for me if I am interpreting this correctly?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That is correct.
Liberal
Ryan Turnbull Liberal Whitby, ON
Are there any concerns with, for example, financial information or biometric data that would pose potential risks in terms of over-regulation?
I just wonder if this is something that financial institutions, for example, are used to dealing with.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I'll start and then I'll turn to my colleague.
I think that generally the broad ambition of making sure the information that is quite personal in nature holds a high degree of protection by commercial actors is a shared ambition for the entirety of this piece of law.
The rationale for why we have a definition of “personal information” and what's being proposed here as “sensitive information” is that there is some information that is personal in nature that is not sensitive. Ideally, while we get as precise as possible for corporations to understand their obligations, we leave room for two things: the first is for the OPC to have capacity to kind of continually interpret and understand the changing nature of information, while the second is to allow for context to inform information.
In many cases, some of these identifiers are not seen as personal information per se. My address, unless I've restricted it in various formats, is not always sensitive in the sense that it can be found in all sorts of public directories and various other sources.
However, the fact that it might be linked to data about the sale price of my house, for instance, which suddenly includes financial information, is now complexifying the use case of that. For the person who is in possession of my address, that's now sensitive. They should be treating it as such, and I should be able to offer express consent for the use of that.
I'll turn to Mr. Chhabra, but this is where I think we would want to make sure we're getting at all three of those ambitions: one, that we've made a distinction between sensitive information and personal information, recognizing that some information is in fact more sensitive and more in need of protection; two, that we've left room for OPC guidance; and three, that there's some room for context because information is not necessarily always the same in every single situation.
With that, I'll turn to Mr. Chhabra.
Director General, Marketplace Framework Policy Branch, Department of Industry
Thanks very much.
Just to follow up on Mr. Schaan's points, the way we read CPC-7, it would establish very broad categories for sensitive information that go beyond what is currently contained in the EU's GDPR or found in the Privacy Commissioner's own bulletin on sensitive information.
It doesn't allow for a contextual analysis or what defines sensitivity in a given scenario. An example of that would be that the GDPR does not identify financial data as being universally sensitive; I think that was the nature of the question.
That's also aligned with findings of the OPC and Canadian courts, which have stated that not all financial information is sensitive, and that sensitivity depends on the circumstances.
In a case called Royal Bank of Canada v. Trang in 2016, the Supreme Court found that the degree of sensitivity of specific financial information is a contextual determination.
The sensitivity of financial information [in that case, the current balance of a mortgage] must be assessed in the context of the related financial information already in the public domain, the purpose served by making the related information public, and the nature of the relationship among the mortgagor, mortgagee, and directly affected third parties.
That case was cited, as well, by the Privacy Commissioner's updated guidance on the meaning of sensitive information, which was published in 2022. It illustrates scenarios in which there may be very valid and important reasons for the sharing of certain financial information under certain circumstances, but to declare all of it sensitive would not allow for that contextual understanding.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you for that clarification.
Just to follow up on that, what I'm inferring from this is if you're deeming all of these categories of personal information as essentially sensitive information, you're raising the bar to require express consent in every single circumstance, which eliminates any room for context dependence to be considered.
What would the potential burden be on industry that probably functions right now to do all kinds of things that we.... I think we take for granted how the sharing of information is necessary in order for some of the services that we consume regularly and that are highly convenient to us...and if we raise the bar so high, I am concerned that many of those services we currently rely upon will not be convenient anymore.
In other words, those companies will have to come back to us for express consent on a lot more things than maybe we would really intend by making this change.
It seems to me there's a high risk of unintended consequences of over-regulation here. I just wanted to check, Mr. Schaan, whether you agree with that and whether you can give us any examples; I'm struggling to think of one.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Mr. Chair, indeed I think the desire here is to make sure there are appropriate protections in place for information that is truly sensitive.
The challenge, of course, when putting out a list is that we've assured ourselves that every instance of the utilization of the categories in that list would always meet the test of requiring express consent. As noted, something like financial data, for instance, can actually be widely construed and may not always necessitate express consent in every single one of those instances.
I think the challenge for a commercial organization in possession of some of this personal information is that, if they're actually in receipt of this bill and trying to think about implementation, suddenly there's a whole bunch of potentially new interactions they may need to have to implement some of this.
Some of it is potentially going to get very much in the way of existing business processes. That's not to say that we don't want to rule out harmful business processes, but for some of these there may be a better way to make sure sensitive personal information is defined and understood at a broad level, and yet not remove those two things that I suggested were important. One was room for guidance, and the second was context in some situations. De facto calling it sensitive in every instance may not actually be accurate to what it does in a particular instance or situation.
I'll turn it over to Mr. Chhabra.
Director General, Marketplace Framework Policy Branch, Department of Industry
I'll jump in with a short example here.
There are circumstances in which pieces of information, such as purchase data, might not necessarily be considered sensitive in a given context but might in another context—for example, an individual purchasing food items or health products that could relate to a medical diagnosis. In other words, the inferred information that can be captured, based on something that on the face of it seems to be pretty innocuous, could in fact be quite sensitive data. That's why it's so important to maintain this contextual awareness element in the bill and in the way it's interpreted and then applied by the OPC.
Liberal
Ryan Turnbull Liberal Whitby, ON
Just to follow up on that, let's say some of the information included in this list is not necessarily deemed sensitive in all circumstances. Does that mean it's necessarily unprotected information? I don't think that is the case, right? I mean, it's still considered personal information; it's just that not in every circumstance would it require express consent to be collected, utilized, etc.
But there are still some pretty significant requirements in this bill that would be obligations on the companies that are collecting and using that information, even though it wouldn't necessarily in every circumstance be deemed sensitive. Is that not correct?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That's right. What CPPA aims to do in broad strokes is to ensure that there is a high threshold of privacy protection for all personal information utilized in a commercial context and that there is significant and meaningful enforcement of obligations related to commercial entities that interact with personal information.
What “sensitive” aims to ensure is that there's a concentric circle or an inner circle of very protected data for which there are security protocols in place and much higher privacy protections, including about how they got that information in the first place, notably through some form of express consent. It's not the Wild West or Fort Knox. Ideally, it is a highly constrained utilization where it makes sense in how it's utilized, and then very constrained because of the nature of the information at play.
Liberal
Ryan Turnbull Liberal Whitby, ON
That makes a lot of sense. I know that we haven't gotten to those parts of the bill, so it's easy to reflect on definitions at the point we're at and not consider the very high number of requirements and obligations that companies would be under, given all the personal information that they may use. That's interesting.
If we add Mr. Savard-Tremblay's subamendment to this list, now we're going to “any other information”. I think that almost collapses that outer circle to include almost anything as sensitive information. I see that as being a very high risk for unintended consequences.
Mr. Schaan, could you comment on that?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Certainly, the insertion of the fundamental right to privacy in the bill itself suggests that the fundamental right to privacy applies to personal information. If we add in a category that is then now sensitive—that is, all information for which there is a fundamental right to privacy, which, by the preamble, is all personal information because of the nature of how we've set out the fundamental right to privacy—then there is no distinction anymore between personal information and sensitive information. All information is sensitive. All information must be treated as such and therefore requires express consent.
Liberal
Ryan Turnbull Liberal Whitby, ON
That would have a major implication for the other parts of this bill—in other words, that all personal information already comes with a number of different standards and obligations. That would essentially change the nature of the bill quite considerably, would it not? What would be the impact if Mr. Savard-Tremblay's subamendment were to pass?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
If all personal information is sensitive information, essentially there is no other means by which a corporation can ever access information except through the express consent of the individual. When we think of just the sheer volume of personal information in a commercial context that is provided, I'm not sure how one could implement it.
Liberal
Ryan Turnbull Liberal Whitby, ON
So you're saying it would not be implementable. It would essentially make this bill—what? What would be the impact?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
It would fundamentally shift business practices because if corporations had to rely on express consent for every single collection of personal information.... That's not how the market currently operates.
Each bit of personal information derived from....
I should have warned you all in advance, but my parents are visiting from Winnipeg. I don't wear a—
An hon. member
It's the only way they can see you because we have you here all of the time.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Exactly. It was my way of making sure that you all were nice today.