Thank you, Mr. Chair.
I want to reference all amendments, because I think they're really important. In this discussion, when we're talking about personal information, we have our first amendment, which talks about including inferred information about an identifiable individual. However, I think it's important in my discussion of this that we also recognize some of the other amendments. Perhaps through this discussion—I know there will be a vote—out of four, I think we can probably come to an agreement of some kind of consolidation of this, as we've done with past amendments.
I'll start with what we're talking about. We talk about personal information as “information about an identifiable individual”, but when we're talking about AIDA and the age of AI and big data, we've identified that we also need to make mention of inference.
The Privacy Commissioner has said:
...inferences can lead to a depth of revelations, such as those relating to political affinity, interests, financial class, race, etc. This is important because the misuse of such information can lead to harms to individuals and groups in the same way as collected information—a position confirmed by the Supreme Court in Ewert v. Canada. In fact, as noted by the former European Article 29 Data Protection Working Party, “[m]ore often than not, it is not the information collected in itself that is sensitive, but rather the inferences that are drawn from it and the way in which those inferences are drawn, that could give cause for concern.”
He continued:
General support for the idea that inferences constitute personal information can be found in past OPC decisions and Canadian jurisprudence. For instance, the OPC has found that credit scores amount to personal information (PIPEDA Report of Findings #2013-008, among others), and that inferences amount to personal information under the Privacy Act (Accidental disclosure by Health Canada, paragraph 46). This is also consistent with the Supreme Court’s understanding of informational privacy, which includes inferences and assumptions drawn from information.
We've had the Privacy Commissioner give past cases on this.
He continued:
In light of these conflicting viewpoints, we believe the law should be clarified to include explicit reference to inferences under the definition of personal information. This would be in accordance with modern privacy legislation such as the California Consumer Privacy Act (CCPA)...
Looking at this, I normally note the GDPR as being the gold standard. We think the California example is the better example for personal information.
To go further into that, when we talk about personal information, one limitation of the definition is its broad scope, which can encompass a wide range of data, including information that may not always directly identify an individual. This can lead to ambiguity and challenges in determining what constitutes personal information, especially in cases where data points are combined or analyzed in aggregate.
Additionally, the definition may not adequately address emerging technologies and forms of data, such as IoT devices or anonymized data—as we've talked about before—that could potentially be reidentified.
Besides the inclusion of inference, to improve the definition to look more like the California example, it could include specific criteria or examples to clarify what qualifies as personal information. Additionally, incorporating provisions for emerging technologies and data types would enhance its applicability and reference.
To look at how it's defined in the California code, this is how it reads right now. Personal information includes, but is not limited to, any information that directly “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”.
It then includes examples, which I think are really important. It says this includes, but is not limited to, names, postal addresses, email addresses, social insurance numbers, driver's licence numbers, passport numbers, financial account numbers, credit card numbers, biometric information, geolocation data, Internet protocol addresses, device identifiers, browsing history and any other information that could be reasonably used alone or in combination with other data to identify an individual or household.
We talk about how it's much better to talk about human information when we talk about privacy, because it refers us back to human beings, but giving examples allows the Privacy Commissioner, when looking at cases, to look at exact examples, and then in a court of law to have those more defined.
Mr. Schaan, I'll start with you. Starting with the inferred information as defined in this amendment we're talking about, does it constitute the same protection as personal information throughout the entire bill, even with this proposed amendment?