Evidence of meeting #120 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was amendment.
A recording is available from Parliament.
12:05 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That's correct.
12:05 p.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
It's the construct around automated decision-making models...there are specific requirements for that included in the bill.
Is that right?
12:05 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That's right.
12:05 p.m.
Liberal
12:05 p.m.
Senior Director, Strategy and Innovation Policy Sector, Department of Industry
They're transparency requirements. Essentially, organizations using automated decision-making systems, ADS, have to tell users that they're using them. Once a decision is made using such a system, an individual can also ask for that decision to be explained. How exactly was that personal information used to make a certain decision using an ADS?
Those are the two requirements with respect to ADS.
12:05 p.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
Got it.
Is the inclusion of this definition going to create any problems in the interpretation of the bill? Is there any confusion that it could create?
12:05 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
We don't see any confusion. It adds an interpretation that already exists within the law, but is not at odds with the current interpretation.
12:05 p.m.
Liberal
Ryan Turnbull Liberal Whitby, ON
It's similar to inferred information, which was already included in the bill, in a way, but adding it explicitly doesn't necessarily harm the interpretability of it.
12:05 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That's correct.
12:05 p.m.
Liberal
12:05 p.m.
Liberal
12:05 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
I'm going back to the good work this committee's done on putting the best interests of children as a paramount concept at the onset of the future legislation.
I'm thinking in the context of my four-year-old son. Does the department acknowledge that companies seek to profile children who may get a hold of their parent's iPad and want to buy the latest PAW Patrol? PAW Patrol is everywhere. It is a known fact that companies that have access to the PAW Patrol licensing are profiling and trying to get parents like me to buy some really crappy toys that fill up my basement and I find underneath my couch.
I'm bringing it back down to reality.
12:05 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Obviously, profiling as a function of taking personal information, automating that in some ways and then using that to market to an individual would require the individual to be informed of the fact that there's an automated decision-making system at play and also to know what personal information is being utilized to make that determination.
Because we've determined that children's information is sensitive, corporations would be required to adopt appropriate privacy management programs to ensure that the sensitivity of the information, for instance, of your four-year-old, is not utilized in inappropriate ways. It's on how they are protecting that and linking it. Linking it to your information, for instance, could be acceptable in certain circumstances, but it would need to be clear in terms of how consent was offered and how it was dealt with.
12:05 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
When and if Bill C-27 is passed, would the bill provide the safeguards needed with some of the amendments already passed to stop that current commercial practice?
12:10 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That would be very much dependent on the use cases related to what was consented to and how.
12:10 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Is that based on the example you just gave about what an obligation of a corporation would be?
12:10 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Again, this is not knowing what the initial service agreement was with the individual. When the information was actually collected, when the account for your four-year-old was first generated they had to tell you in plain language, which Bill C-27 will require, “This is what we're going to do with your information, are you comfortable with that?”
First of all, it's a four-year-old, which means you're making that determination. I'm sure your four-year-old is probably very clever, but they probably wouldn't meet the capability tests struck by the Supreme Court to make determinations on their own. You would be making that determination to say that you are willing to hand over this information.
There's guidance on that, in terms of what then occurs. It would be very much determined by what you said yes to. They could come back to you to say, “It looks you might be in a household that accompanies a four-year-old. I bet you probably really like PAW Patrol. Maybe you should watch or buy more of it.” It would depend on what you originally consented to.
12:10 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
There is another scenario that I'm concerned about.
My kid has an iPad—don't judge me, please. Sometimes they get to use that on the weekend, whatever, it happens, and those things happen with PAW Patrol. I know Bernard is laughing because it's the same with his grandkids. That's a fact; I've been to his house and I've seen PAW Patrol.
The other scenario is that, in my household, I have an Amazon Alexa. Again, don't judge me, but this is the life I live. My children put on all sorts of wild music like these frog songs right now. I can't get over them. It's also my iPhone and my Samsung. They listen to me as well, and it all seems to be tied together.
On Saturday night we were cooking Filipino food, and my wife was telling my children why we were doing this a certain way, because that's what she does, and it's part of her culture. The next day on Facebook, we saw reels of Filipino cooking. That is a fact, and it happens to everyone. My reels are often rugby, politics and Filipino food, so there you go.
The other scenario I'm concerned about relates to children. I don't believe that this law is going to stop all of the things that all of us get concerned about when it relates to children. All of these things are being said in the context of a home, and most of us probably have a Google or Alexa-style device in our household, as they're ubiquitous now. We're not going to be able to stop all types of profiling even if we have very strong safeguards and clear language in the bill, because there are so many ways that corporations will be able to circumvent the intention of the law. It's going to take court cases to go to the next step in protecting kids.
Would that be a fair assessment?
12:10 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Continued guidance and jurisprudence help flesh out the responsibilities that will be borne out or that are being identified and adopted through this piece of legislation. By making the broad parameter that children's information or the information of those under the age of 18 is sensitive, thus requiring a higher bar for its treatment, protection and use will get fleshed out by guidance and by jurisprudence as to how companies have to interact with that obligation.
The degree to which modern and new technologies...and this is why it's very important that the law remains technologically neutral, means that there will be new tools that will allow for this information to be used in ways that we don't anticipate right now. Broad definitions, like personal information is information about someone or that an automated decision-making system is a decision that uses information to automatically make a determination about you, are useful because it means that people are held to those standards.
I concur that each of these use cases is going to be very particular to what you signed up for, what you agreed to, what you said and what's happening to your personal information. The general constructs that we're getting, particularly today, include inference and the roles by which your information may live in a broader dataset that is still being used to make determinations about you. This means you may have some recourse or right as it relates to your privacy therein.
12:15 p.m.
Conservative
12:15 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Vis.
Seeing no further discussion on amendment CPC-6, I'm ready to put it to a vote.
Having said that, I see that Mr. Masse and Mr. Williams are not here right now. In that case, we could proceed by consensus.
Is there a consensus around the room on CPC-6?
(Amendment agreed to)
This brings us to CPC-7.
Mr. Masse and Mr. Williams, we adopted CPC-6 by consensus. I hope it's fine with both of you. If it's not, it's done already.
On CPC-7, I have Mr. Perkins, but I'm guessing it's someone else on the Conservative side moving it.
Mr. Vis, the floor is yours.
12:15 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
I didn't think we'd get this far today.
This follows nicely the good dialogue we just had with Mr. Schaan regarding how implicit or explicit this bill actually becomes. CPC-7 proposes to define sensitive information:
sensitive, in relation to information, includes any information pertaining to an individual that reveals
(a) their racial or ethnic origin;
(b) their political opinions, religious or philosophical beliefs, trade union or political membership, or political contribution history;
(c) their sexual orientation or sexual habits;
(d) genetic data or biometric data that can uniquely identify them;
(e) their health condition, including any treatment or prescription on their medical record;
(f) government identifiers, such as their social security, passport or driver's license numbers;
(g) the content of their electronic devices, including messages, images, address books, calendars and call history;
(h) their passwords; or
(i) financial data.
Bill C-27 makes several references to the terms “sensitive information” and “sensitivity” without providing definitions for the terms. This approach is incredibly problematic for consumers and businesses if the definition is left to interpretation, with the obvious risk that some information will be regarded as sensitive data and other information as not, and those interpretations will vary. To resolve this issue, stakeholder groups and the Privacy Commissioner have advocated for a clear definition of the term, outlining a list of items legislators constitute as sensitive information.
I note that, in committee testimony on October 31, the Centre for Digital Rights stated:
At the moment, the definition of sensitive categories of personal information is left open and the words “sensitive” and “sensitivity” are used throughout Bill C-27 without definition (with the exception of minors). Thus, the definition is left to the organization with the obvious risk that some sensitive data will not be regarded as such, and that interpretations will vary.
This is a key element that differentiates the CPPA from other modern privacy laws like the EU GDPR and those found in California and Quebec:
So as to provide certainty for Canadians and Canadian businesses, and to align with both Quebec's Law 25...Bill C-27 should define “sensitive information” first by establishing a general principle of sensitivity followed by an explicitly open-ended list of examples....
The Office of Privacy Commissioner, in its submission to our committee, stated:
That a definition of sensitive information be included in the CPPA, that would establish a general principle for sensitivity followed by an open-ended list of examples.
In the GDPR, article 9, paragraph 1, it states:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
It's very clear we relied heavily on the GDPR example in putting forward this proposed amendment.
I note that the Canadian Research Insights Council, on May 9, stated:
Bill C-27 could offer more protection for minors, for which the Bill is nearly silent. Bill C-27 indicates that information with respect to minors be considered sensitive information but offers no definition of minor nor sensitive information.
Australia's Privacy Act follows a similar line of language to the GDPR.
In America, the American Data Privacy and Protection Act outlines a whole suite of matters related to their definition, including:
(i) A government-issued identifier, such as a Social Security number, passport number, or driver's license number....
(ii) Any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or health care condition or treatment of an individual.
The list includes financial information and:
(iv) Biometric information.
(v) Genetic information.
(vi) Precise geolocation information.
(vii) An individual's private communications....
The list includes passwords, sexual orientation or:
(ix) ...sexual behaviour in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information.
(x) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual's device....
It includes non-consensual intimate images, information that reveals the video content or services requested or selected by an individual, and minors' information.
I'll go on.
Daniel Konikoff from the University of Toronto stated:
The term “sensitivity” appears often throughout the CPPA, yet it remains undefined in the Bill's glossary. Bill C-27 should follow global standards and explicitly define sensitive information to capture the above-mentioned categories with an emphasis on biometric information, which is at the core of an individual's identity. The EU AI Act is already ahead of the curve on this, explicitly defining biometric data in a way that acknowledges its sensitivity, its unique capacity to identify a person, and the importance of consent in systems that identify based on “...physiological, behavioural and psychological human features”....
The CPPA's failure to capture biometric data as sensitive information leaves far too much up to interpretation, and may lead businesses to establish inadequate protections—or none at all—for information that merits stronger safeguards. Without this definition, other sections of the CPPA—such as 53(2) and 62(2)(e), which refer to retention periods for sensitive personal information, or 57(1), which pertains to establishing safeguards proportionate to the sensitivity of the information—are left open to interpretation.
California follows the federal law in America, which provides much of the same language in terms of sexual orientation, racial or ethnic origin, or religious or philosophical beliefs.
I'll note that the Canadian Civil Liberties Association outlined that sensitive information remains undefined in Bill C-27. It said, “Parliament should follow international standards and explicitly define sensitive information to better protect special categories of personal information.”
Bill C-27 defines “personal information” as “information about an identifiable individual.” According to the European Union's General Data Protection Regulation, personal information includes names, ID numbers, “location data, an online identifier or...factors...to the physiological, genetic, mental, economic, cultural or social identity” of the person.
I think there is ample testimony from business and civil liberties groups as well as the Privacy Commissioner outlining the need to have a definition in there. At the same time, I acknowledge some of the rationale we've heard from the department about the nature of lists. However, I also relied heavily on the expertise of the Privacy Commissioner when putting this forward. Our intention behind it is to avoid broad interpretation if and when this bill is enacted and becomes the new standard for Canada.
Thank you, Mr. Chair.
12:25 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Vis.
On my list of speakers, I have Mr. Savard‑Tremblay, followed by Mr. Turnbull and then Mr. Gaheer.
Mr. Savard‑Tremblay, you have the floor.
12:25 p.m.
Bloc
Simon-Pierre Savard-Tremblay Bloc Saint-Hyacinthe—Bagot, QC
Thank you, Mr. Chair.
I would just like to move a subamendment, which consists in adding the following element:
(j) any other information violating the fundamental right to privacy.
12:25 p.m.
Liberal
The Chair Liberal Joël Lightbound
Mr. Savard‑Tremblay, would it be possible to send us your subamendment in writing, in both official languages, if that has not already been done?