Evidence of meeting #122 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was sensitive.
A video is available from Parliament.
Conservative
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The parts of the bill we'll get to, hopefully, lay out what the rules related to sensitive information are, including around consent. That's where it will state that sensitive information—or at least the current version says sensitive information—requires express consent.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Can you point me to that section? I want to read it right now.
Director General, Strategy and Innovation Policy Sector, Department of Industry
I'm happy to add to that on behalf of Mr. Schaan.
Sensitive information is referenced in the bill in the definitions section, in proposed subsection 2(2); under “Privacy management program”, in proposed subsection 9(2); under the “Appropriate Purposes”—
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Can you just give me the page number, please?
Director General, Strategy and Innovation Policy Sector, Department of Industry
It's under, starting with the definitions, proposed subsection 2(2); under “Privacy management program”, in proposed subsection 9(2); in the “Appropriate Purposes” area, in proposed subsection 12(2); under “Consent”, in proposed subsection 15(5); under “Prospective business transaction”, in proposed subparagraph 22(1)(b)(ii); under “Completed business transaction”, in proposed subparagraph 22(3)(a)(ii); under “Retention and Disposal of Personal Information”, in proposed subsection 53(2); under “Security Safeguards”, in proposed subsection 57(1)—
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Mr. Chhabra, what specific section would apply to the apple example?
Director General, Strategy and Innovation Policy Sector, Department of Industry
I think the point Mr. Schaan was trying to make and the point we were trying to raise earlier—
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
No, specifically, in the current bill, where would the interpretation of “sensitive information” be applied?
Director General, Strategy and Innovation Policy Sector, Department of Industry
The interpretation of “sensitive information”, of course, would be applied to all of these sections, but I—
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
There are specific sections, though. I just want the specific number.
Director General, Strategy and Innovation Policy Sector, Department of Industry
Specifically, it would be consent. I think if I understand your example correctly—
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
It's not my example. It's the department's example.
Director General, Strategy and Innovation Policy Sector, Department of Industry
I think it's proposed subsection 15(5) that speaks to consent.
Director General, Strategy and Innovation Policy Sector, Department of Industry
I think the point the member was raising earlier was about how this would impact the practice. If I correctly understand the example reference made, there's already an existing payment system that would manage these issues. However, of course, the point the department is trying to raise here is that the payment processing system is predicated on our system of laws, including PIPEDA. In other words, PIPEDA, in the way that it's currently constructed, and the CPPA, in the way it was proposed to be put forward, enable these existing systems and processes when they are appropriate, lawful and rely on appropriate uses of consent.
The point that I think Mr. Schaan was raising earlier is that if we modify the definition of “sensitive information” in the way that's being proposed by the BQ subamendment, which the committee is considering right now, it would obviate the ability for those payment processing systems to rely on the current approaches they use. That's why it's particularly critical that we get the definition of “sensitive information” right.
I'll refer the committee back to the OPC's preferred formulation on this, which is to start with a reference to the notion that it depends on context. The context of the collection, use or disclosure is critical. Following that, we could put forward a list that is not exhaustive or exclusive and that gives an indication of the types of zones we're talking about. The current formulation of the BQ subamendment does not provide for the contextual analysis, nor does it provide any space for considerations of what could be on the list. It is, as Mr. Schaan already pointed out, a firm and final listing.
Conservative
Liberal
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
What's on the list remains part of the list.
Director General, Strategy and Innovation Policy Sector, Department of Industry
In other words, the list itself is final. It can be added to, but what about the stuff that's on the list? The way this is currently constructed.... Our point is that it must be sensitive no matter the context.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Going back to page 12 of the bill, under “Form of consent”, it ultimately makes the point I'm trying to make that we can have sensitive information and still allow for a contextual analysis, even though information is deemed sensitive. “Form of consent” on page 12 says:
Consent must be expressly obtained unless, subject to subsection (6), it is appropriate to rely on an individual’s implied consent
I'm stating this in the context of the Supreme Court ruling that was referenced in the last two meetings, which was specifically about implied consent. It must take “into account the reasonable expectations of the individual”—which we haven't discussed, while we've taken a very black-and-white reading of what sensitive information would be—“and the sensitivity of the personal information that is to be collected, used or disclosed.” Later in the bill, what I'm reading is that there is a reasonable expectation built into information that could be deemed sensitive and its commercial applicability.
Director General, Strategy and Innovation Policy Sector, Department of Industry
Your reference to subsection 15(5) is what we're looking at too, and it says:
the reasonable expectations of the individual and the sensitivity of the personal information
Both of those have to be considered in that scenario in order to be considered, so when you say “and the sensitivity”, and by definition you construct a bill that says that this information is always sensitive, you obviate the ability to take advantage of implied consent. You now default to a scenario of express consent, and that's the issue we're raising for consideration.
Conservative
Director General, Strategy and Innovation Policy Sector, Department of Industry
In other words, the test for appropriate use of implied consent requires two subordinate tests to be met: reasonable expectations and the sensitivity of the information. If we're automatically raising some personal information to the level of sensitive information at all times, it doesn't allow for this contextual analysis to occur.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
I don't completely agree with you, based on the interpretation bulletin from the Privacy Commissioner, but I'm going to leave it there.
Going back to my other question on freedom of information, it's my understanding that in the legislation in Canada, all information is deemed sensitive. The point I'm trying to make is that there are other contexts where financial information is deemed to be sensitive.
Here at committee, we've had to review contracts worth over $15 billion this year alone on Stellantis, NorthStar and Volkswagen. All of the arguments made about why the public shouldn't have access to that information were about it being sensitive information to the corporations. That's the context in which I'm approaching this. I know that's an example outside of the law, but it was really frustrating as an MP that we only had two hours with the contracts worth $15 billion.
Anyway, I digress.
Mr. Chhabra, that was a very helpful analysis. I still disagree, but you made a good point. Thank you.
