Evidence of meeting #121 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was list.
A recording is available from Parliament.
NDP
Brian Masse NDP Windsor West, ON
Okay. As long as we don't have to revisit something again, procedurally. I'm not opposed to this, but I just want to make sure.
That's kind of where we are, and that would help my colleague here. We're just splitting it off and then adding it in. We're good to go.
NDP
Brian Masse NDP Windsor West, ON
Yes. I think I would probably withdraw it, actually, at that point. It might achieve a better result, so I appreciate what the Bloc is trying to do here.
Liberal
The Chair Liberal Joël Lightbound
Are there any other comments regarding the subamendment seeking to change amendment CPC‑7?
Mr. Garon, you have the floor.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
This is the third try. Let’s try not to get caught up a third time.
Essentially, we considered the list of elements outlined in amendment CPC‑7 to be exhaustive, and we considered it appropriate.
That being said, when presenting a list, there’s always the risk that the executive branch or the courts may not consider the list to be exhaustive. That is why we appropriated a portion of the NDP’s subsequent amendment, which granted more flexibility in interpreting the definition.
Liberal
The Chair Liberal Joël Lightbound
Thank you.
Are there any other comments on the proposed subamendment?
Mr. Turnbull, you have the floor.
Liberal
Ryan Turnbull Liberal Whitby, ON
I'm trying to understand the effect of this.
We were in a fairly rigorous debate on the definition of “sensitive personal information”. We were clarifying with officials that CPC-7, before the amendment, would have a risk of over-regulation and that it wouldn't necessarily take context into account. Financial information, for example, in some contexts, is not deemed sensitive, and in other contexts, it is deemed sensitive, so there's some risk in having a list of very specific factors that are deemed to be sensitive.
We had suggested subamendments for both CPC-7 and NDP-6. We were prepared to hopefully move something that would help us get towards consensus. We saw the value in both of those amendments, but now we're mashing them together. It's kind of compounding the issues that I have with it.
I want to go to Mr. Schaan to tell us how adding in the end of NDP-6 to the list would actually have an impact on the debate we are having. My preference would have been to deal with them one at a time. It's up to you all, if that's what you want to do.
Mr. Schaan, maybe you could explain what impact this would have.
Mark Schaan Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Maybe just to recap a bit of the discussion we had at the last meeting, this committee has made the determination, through earlier amendments, that the preamble of the bill highlights the fundamental right to privacy, which is the interpretive lens that then gets applied to all the subsequent obligations and responsibilities in the act.
It then imposes a number of obligations related to the treatment of personal information. We had a good discussion at the meeting on Monday about how personal information needs to be broadly understood to be about someone and not just an identification of someone because “about someone” brings in this construct. Then, there are amendments made to ensure that inferred information is part of that understanding of personal information, which will become important when we then come to the obligations and the responsibilities of commercial actors when using personal information.
The conversation we had on Monday about “sensitive” is that there are a number of things that happen that are tied into the bill about the obligations that are applied to sensitive. One is that we have already determined children's information, the personal information related to those under the age of 18, is all sensitive, which means it requires a duty of care and a higher standard of protection by commercial actors. More importantly, when we get to later provisions of the bill, sensitive information necessitates an express consent by an individual for that information's continued treatment, disclosure and collection.
Our concern about having an exhaustive list was that, one, exhaustive lists don't necessarily allow for a principles-based approach to the interpretation of the obligation, which allows it to be a bit more contextual and dynamic, in the sense of understanding how information might come and go from whether it is always sensitive or not. Two, the categories need to be really well considered. If they're overbroad, you're going to apply sensitive information classifications to categories of information for which express consent will now be required, and that might undo very reasonable privacy protecting practices that are currently the practice of business entities.
We had this conversation about financial data in particular, which is a category that potentially possesses a huge ream of potential areas. If all financial data is considered sensitive and requires express consent, then suddenly we're going to be maybe in a world of consent fatigue because people are going to have to be expressly consenting to the use of their financial data all the time because it's deemed sensitive.
The thought about the NDP amendment that's now potentially being proposed is that we just want to make sure, for this additional categorization, with the wording “due to the context of its use or disclosure, an individual has a high reasonable expectation of privacy”, that we've understood the boundaries of that. Any information for which there would then be a high degree or a high expectation of privacy would now be subject to express consent. We would raise that for the committee's consideration.
I'll turn to Mr. Chhabra. I think he wants to supplement.
Samir Chhabra Director General, Strategy and Innovation Policy Sector, Department of Industry
Thanks very much.
If there is going to be an addition of this personal information in respect of context, where the current wording says, “due to the context of its use or disclosure”, then we would suggest that it should be “the context of its collection, use or disclosure”. It would be more appropriate to have that framing a bit further up ahead of the bulleted list so that it provides a reasonable frame for reading the entire section, rather than as a follow-on at the very end of the list.
Then, there are certainly some considerations about what's currently presented in the list that are worth going through and having a discussion on as well, in our view.
Liberal
Ryan Turnbull Liberal Whitby, ON
Okay, great. That was helpful.
I know, Mr. Garon, that you weren't able to be here last time and your colleague was filling in. I had asked a question that I think is important for this debate. If personal information is not deemed sensitive, that doesn't necessarily mean that it's not protected and that it doesn't have some pretty stringent requirements that have to be followed.
I think that's important to realize. Just because some personal information.... If we over-regulate, in the sense that every piece of personal information or a very large swath of it can be deemed sensitive, then it will require that high bar of express consent, which could lead to not being able to recognize context dependence and which doesn't allow the OPC to issue guidance and evolve with guidance. It leads to consent fatigue, which I think is something that we should take seriously.
Are there any specific factors that are listed there that are problematic from your perspective? There are some of them that I think we agree with generally, and some of them that I have concerns with. I think financial information was one, and perhaps there was the biometric one as well.
Mr. Schaan, can you maybe illustrate that a bit?
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Yes. Maybe, just for the benefit of members, I'll go through at least a couple of specific ones and then I'll turn to Mr. Chhabra.
Again, to your first point, it's important that we're not making this a contrast between, as I think I said on Monday, the Wild West and Fort Knox, because essentially the whole goal of the CPPA is to elevate the obligations as it relates to the fundamental protection of the privacy of Canadians through the use of personal information. Just because something's not sensitive doesn't mean that it's a free-for-all. In fact, once we get to the provisions and obligations on corporations that collect, use and disclose personal information, we'll see that there are actually quite a lot of obligations to ensure there is privacy protection within that. I think you want to preserve sensitive information for that which is truly sensitive, for which there's a really high understanding of privacy in that specific case.
In the case of financial data, I think we raised actual Supreme Court jurisprudence that was clear that financial data is not always sensitive. In fact, in RBC v. Trang, the Supreme Court found that “the degree of sensitivity of specific financial information is a contextual determination.” In fact, if financial data, for instance, were to stand in this list, there's a lot of financial data that actually is disclosed between financial institutions for the purposes of processing as a fundamental function of business practice. If that now necessitates, because it's deemed sensitive, the express consent of the individual every single time financial data is disclosed between entities for the purposes of processing, payments and other factors, we'll gum up the overall operations of the current financial transactions.
I'll turn to Mr. Chhabra for some others on the list, but I would say that one has to think about all of the personal information for which now this would require express consent and think about the list in that regard. I may even put sexual habits, for instance, on that list, because there's a lot of information that potentially may disclose someone's sexual habits and that may not necessarily require express consent, particularly from a transaction perspective.
I'll turn to Mr. Chhabra.
Director General, Strategy and Innovation Policy Sector, Department of Industry
Thank you.
I'll touch on a few points within the bulleted list to offer some considerations, starting with (d), for example. The reference here is to “genetic data or biometric data”. In this instance, it would likely be more appropriate to reference “information” rather than “data”. Information is in keeping with the terminology of the CPPA. Data and information are not always interchangeable, data being more broad and unstructured, whereas information is generally understood to be structured data, and it's a form that can be used. That's one consideration on item (d).
On (f), the reference here is to “government identifiers”, such as “social security, passport or driver's license numbers”. In an effort to be more aligned with Canadian law, you'd probably want to go with “social insurance number” rather than “social security”. There are some questions about the information contained in a passport and whether it needs to be specifically identified as such, given that it already has what would be considered sensitive information in it.
On driver's licence numbers, the OPC guidance itself references the fact that in Alberta and B.C. the licence number “has little or no significance or meaning in terms of...personal information attributes”. Therefore, it would be an odd thing to include in a national statute a reference to driver's licence numbers when the OPC itself has noted that in at least two provinces today driver's licences don't contain what it would consider to be sensitive information.
Referencing (g), “the content of their electronic devices”, this is another interesting one where it's not in OPC guidance. The OPC has recognized there can be sensitive information, but that all information on a device wouldn't necessarily be sensitive de facto. Again, on a photo in physical terms versus a photo on an electronic device, why it would make it more sensitive just because it's on an electronic device is a question worth pondering. It's setting up dual standards. Setting up standards that are not technologically neutral would run afoul of the purpose of the act.
On passwords, which is point (h), it's worth pointing out again that there's a concern here about tech neutrality. Over time, other ways to protect accounts have been developed. Passwords are increasingly challenged in terms of how secure they are, especially as we move toward a world where quantum and cryptographic hacking techniques are stronger. Password-free types of technology, including multifactor authentication, are often used. Again, it's an issue here about the sensitivity of the information, the sensitivity of the log-in information. In some jurisdictions—in California, for example—the password is sensitive only when it gives access to certain types of accounts that are sensitive.
Then, on “financial data”, as Mr. Schaan has already pointed out, there are a number of uses for financial data, including between creditors. Specifically, in the Supreme Court reference Mr. Schaan just gave, there was a very specific case about this exact nature, when one financial institution had in fact the right—an obligation—to disclose the credit status of an individual. You can imagine that seeking express consent could actually curtail what are perfectly appropriate business activities.
Liberal
The Chair Liberal Joël Lightbound
I'll get back to you, Mr. Turnbull. I'd like to deal with that first.
Bells are ringing. They're 30-minute bells. I know it's an important vote. It's a budget vote. Maybe some members want to be there in person.
I want to gauge the opinion of the committee. Do I have unanimous consent to go until six, for instance? That gives you 10 minutes to get to the House, which is probably enough. The bells started at 5:40 and at 6:10 is the vote.
On another note, but still relevant, our officials, who have gracefully given us a lot of time and will continue to do so in the coming weeks—and maybe months—have a flight to catch at eight o'clock, so they need to be out around 6:30 to get to the airport. What I would suggest is that when we adjourn at six for the vote and we don't come back to committee, unfortunately, because of all the delays. The meeting was supposed to end at 6:30, but—
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
What am I going to do with the rest of my night?
Liberal
The Chair Liberal Joël Lightbound
I'm sure you'll find something.
We'll resume, then, until about six.
Mr. Turnbull.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you.
Thank you both for your clarification, Mr. Chhabra and Mr. Schaan. It's very helpful.
Maybe what I'll just say is that we had a subamendment that Mr. Gaheer was going to introduce. Obviously, my Bloc colleague beat us to the punch here in suggesting something, but I think that what's been suggested still runs into the concerns and challenges that the officials have clarified here.
Maybe we could distinguish it without that because I know we can't move it until we dispense with the subamendment. It really was a compromise between NDP-6 and CPC-7, which address the officials' concerns that have been outlined. I'm trying to be very humble about this. It's not about us getting the credit for making a subamendment. I could care less. We just want to do the right thing here. This particular subamendment still runs into the challenges.
I don't know if Mr. Gaheer wants to speak to it, but I was just going to highlight what it does so that we can distinguish.... Perhaps Mr. Garon would be willing to withdraw his subamendment and allow us to introduce ours, but only if he feels comfortable with that.
We have sent this around, I believe.
Liberal
The Chair Liberal Joël Lightbound
Mr. Turnbull, it was circulated, so all members have it in writing. I would just clarify that perhaps it would be best framed as an amendment that you're proposing and not as a subamendment because it's essentially rewriting the....
Liberal
The Chair Liberal Joël Lightbound
It was table-dropped to some extent, but it was sent in advance. You have it.
Procedurally, the most elegant way to proceed if the committee wants to adopt Mr. Gaheer's proposed amendment that's been sent around is to defeat CPC-7 and then propose that amendment, which incorporates a lot of NDP-6 as well.
Right now, just to be clear, we're on the subamendment proposed by Mr. Savard-Tremblay from the Bloc. We still have to deal with that and then CPC-7.
I don't know, MP Gaheer, if you still want to—
Liberal
Iqwinder Gaheer Liberal Mississauga—Malton, ON
If we get to that point where it's voted down, do I immediately then present my amendment or later on?
NDP
Brian Masse NDP Windsor West, ON
I have a point of order.
How do we get there? My understanding—which could be wrong—is that, since I've submitted mine, we would deal with mine next and then this goes into the system later on. We just don't automatically go to their stuff.