Evidence of meeting #90 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I'm talking about this in the context of financial penalties. I will have under this bill the ability to issue orders, so there will be no delay to the order part. I can order an organization to stop a practice and to stop a collection, so—

4:55 p.m.

Conservative

Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC

In other jurisdictions do privacy commissioners have the ability to lay criminal charges in cases in which vulnerable or sensitive information related to children is in question?

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Criminal charges are not something that would be laid by a commissioner, here or elsewhere. That would be done by the police, but there are—

4:55 p.m.

Conservative

Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC

Can a commissioner recommend to a relative police force to make those charges?

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

There are provisions whereby we can notify the authorities in that context, and one of my recommendations, in fact, is to amend the period of time for summary charges. Right now it's 12 months, and I'm recommending that that period be longer or that there be an extension possibility, because I don't want individuals to run out of time if the process takes longer.

4:55 p.m.

Conservative

Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC

That's a good recommendation.

Thank you.

4:55 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you, Mr. Vis.

Mr. Van Bynen is next.

4:55 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Thank you, Mr. Chair. I'm finding these conversations very informative.

Commissioner, in your 2018-19 annual report, you made reference to having the authority to provide proactive inspection powers without grounds. My concern is that we don't need to worry about the good guys. It's the bad guys we need to be able to act quickly against.

What would be the advantages for the OPC of having proactive powers, rather than having to give an organization reasonable notice before performing an audit and when the CPPA is possibly already being contravened?

4:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

The recommendation on audits was one that was made for proactivity. It was this notion that with great power comes great responsibility, so if you have authorities in cases where there may be an exception to consent for the use of information, there should be an ability to do what I think my predecessor referred to as “looking under the hood”, so having verifications. That's what the audit process allows.

There were concerns with the criteria for initiating an audit. I'm looking for the section in Bill C-27. My colleagues can point it out to me. At the time, under the existing legislation, it talked about having reasonable grounds to believe that the act had been violated, and there is recognition that that was too strict. The current proposal in Bill C-27 now talks about having been violated or being likely to be violated, as I recall, and I'll be able to correct that.... Proposed section 97 says:

The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization has contravened, is contravening or is likely to contravene Part 1.

So it has been improved in the proposal on Bill C-27. The test is not as reactive as it was before, because of this notion of “is likely to contravene”.

5 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

I think that speed to the audit is critical, particularly when we are living in a digital world and that can disappear very quickly.

That leads to my next question, on the fines that may be issued. What is the extent of the fines being proposed, and in your opinion, given the scope and the scale of platforms today, are the fines significant enough to have a meaningful impact? What additional authorities would you have? My concern is that the fine may simply be considered a cost of doing business, and they retain the data and continue the violations.

Could you clarify that, the scale of the fines?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I could, and as I think you heard, this was an issue that came up with the departmental officials. I would agree with the departmental officials' answer to that question, which was that they are comparable and in some instances higher than our comparators in Europe, in terms of the percentages. I'm looking for the sections. I think it's 4% of the turnover. If it's a fine, it goes up to $10 million and 3% of the organization's gross global revenue, and if it's an offence, the percentages are higher.

That's comparable to what we see internationally, but there is also the possibility of issuing orders. I think the combination of those two tools is important and something to be monitored, but it's not standing out as being too small a percentage compared to international comparators.

5 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Up until now, to what extent has obstruction been a problem for your department?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

In terms of collaboration with my office, we treat individual complaints case by case. We've seen situations in which we're making recommendations and they are complied with. Sometimes they are not.

In terms of pure obstruction that would rise to the level of criminal offences, I'm not aware of any. It's something that, obviously, has to be dealt with in the legislation so that there is a tool or a mechanism if that occurs.

That ability goes to the necessity of having enforcement authority. If you have right now only the ability to make recommendations, that is useful if the organization agrees and complies. If it does not, then you don't have a remedy.

5 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

I'd like to go back to an earlier question. I'm not sure if I got a specific response on that.

Does the purpose of this privacy act place the rights of commercial interests on the same footing as personal interests?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Currently, if we look at proposed section 5, the purpose provision talks about the “rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use” and so on.

That's why I was concerned from day one about the need to recognize privacy as a fundamental right. It's to send the message that, yes, you have to consider those two things, but these are not equal things. Yes, you will do everything to have both innovation and privacy. In most cases, I am convinced that you can have those things. It's the same with public interest.

If there's a clear conflict that you can't resolve, the fundamental right should prevail.

5 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Do you have an issue with the word “and” in the purpose?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I think that putting in the preamble a recognition of privacy as a fundamental right in this way, with this amendment, clarifies the superior nature of the right that we're talking about, which is consistent with the treatment of it internationally and by the courts in Canada.

5 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

How much time do I have, Mr. Chair?

5 p.m.

Liberal

The Chair Liberal Joël Lightbound

You have none, but I've been very generous with time for everyone, so if you want, you can....

5 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

I have just one more question.

We're talking about competition and the scope, scale and concentration of resources. The act doesn't distinguish between small and large companies in terms of obligations.

Is there a risk that this would be a competitive disadvantage in terms of the obligations that are being placed on small businesses?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

It's crucial to ensure that the regime can be met by small and medium enterprises, absolutely. The bill provides for a role for my office in terms of guidance. It provides the ability to join in certification programs and codes of practice. It's something that has to be taken into consideration. It's certainly something that I'm very mindful of.

To the point on competition and privacy, this is an example in which you can have overlap between competition and privacy. We need to make sure that protecting privacy doesn't harm competition and vice versa. We've made recommendations to Parliament and to the department on competition law review, to make sure you are dealing with what we call “dark patterns”, which are manipulative uses of language and psychological tools to incite individuals to make wrong choices, either from a privacy or competition standpoint.

This is why, in the last few months, my colleagues, the competition commissioner and the CRTC chair, and I created a digital regulators forum. We are working together to identify these areas of connection and interoperability. There are similar groups internationally. Our first focus right now, in our first year, is AI and making sure we are on top of those new developments.

This is why my 15th recommendation is to expand the scope of my office's ability to collaborate with regulators like these, in particular in the context of complaints. Right now I can't do that with my Canadian colleagues, but I can do it with my international colleagues.

5:05 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Thank you. It's been very informative.

5:05 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you.

Mr. Lemire, you have the floor.

5:05 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you, Mr. Chair.

Thank you, Mr. Dufresne. Your recommendations were already clear, but your testimony today makes them even clearer.

I'd like us to look to the future, since one of the obvious goals of the bill is to protect people over time.

With the emergence of quantum computing, what safeguard or oversight mechanism might be needed to ensure the effective protection of Canadians' information and data?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We need to make sure that the law will hold up despite the rapid evolution of technology, if not with it. There's a lot of talk about generative artificial intelligence right now. A year from now, it'll be even more powerful. Who knows? So the law has to be able to adapt. That's why the bill contains principles and doesn't talk specifically about generative artificial intelligence, for example, but rather about automated decisions. The definitions need to encompass all this and there needs to be flexibility for the government to set regulations and for my office to set guidelines so we can adapt to new technologies.

The recommendation we're making on privacy impact assessments is very important in this regard. Every time we develop something, we have to document it, assess the risks and carry out consultations, precisely to stay ahead of these technologies. This is one of my priorities, along with protecting children's privacy. We have to keep up with the evolution of technology. This measure makes it possible.

Another of our recommendations concerns de‑identified information. De‑identified information is defined a little too broadly, in my opinion, particularly in French. This definition must be very strict, because it limits legal obligations. In these definitions, we must also take into account the risk of “re‑identification.” The bill says that more can be done with de‑identified information, and that if it's anonymized, the law doesn't apply at all. So there's a big responsibility that comes with that. These definitions need to be strict.

On the issue of de‑identified information, I recommended that we take into account the risk of “re‑identification,” because technology evolves. If a piece of information is de‑identified today, but in two or three years' time, thanks to technology, we'll be able to know again who it's linked to, we'll be right back where we started. This has to be able to evolve over time.