Evidence of meeting #90 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was office.
A recording is available from Parliament.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
Just going back with regard to the tribunal, you mentioned alternatives if we don't go to the tribunal. What would be the picture laid out from your design for that, if we dropped the tribunal altogether?
October 19th, 2023 / 5:05 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That would be the model, in fact, that exists in Quebec and that exists internationally. In fact, the GDPR—which, as you know, is the regulation that applies to the European Union—states that the DPAs, which would be the privacy commissioners, have the ability to issue fines. In the recital, in the description of this, they're talking about the DPAs issuing the fines, and they're generally reviewed by the courts. They list Estonia and Denmark as being exceptions, where they have to ask courts to issue fines because of the specifics of their legal structure.
The CAI, my counterpart in Quebec, has the ability to issue fines. They are reviewable by the normal court system. If there were no tribunal, this could work in the same way. BillC-27, as drafted, already creates a more formal process for my decisions. It provides that the investigations happen at the front end. You try to resolve matters. If you don't resolve the matter, then it goes to what is called an inquiry, and I will have obligations under the law to adapt codes of practice and consultation with industry. Procedural fairness has to be an element of that, and at the end of the day, those decisions, if you choose as a Parliament to give the authority to my office to issue fines directly, would be reviewable by the Federal Court through the normal judicial review process. That's certainly an option.
On the other option, if the decision is to create a new tribunal, my recommendation is that if we're adding a layer of review, we should remove one, so it should go straight to the Court of Appeal, otherwise there will be a cost.
NDP
Brian Masse NDP Windsor West, ON
If we create the tribunal, that will create a conflict with the Quebec model. Is that not correct?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
With which model? I'm sorry, but I didn't hear you.
NDP
Brian Masse NDP Windsor West, ON
If we create the tribunal, that will create a conflict with the Quebec model. Is that not correct?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Well, it would be a different model. There would be a situation, and we would have to manage that in practice, because we do some joint investigations. As you know, we're currently doing an investigation on TikTok and ChatGPT. That's the case now, because right now I don't have the authority to issue fines or orders. They do, so that's something we'll need to manage.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
I suspect that's why we don't have the amendments in front of us.
Liberal
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Thank you, Mr. Chair, and thank you, Commissioner.
We had a discussion earlier about the preamble having no legal binding, that it's a statement of intent and, once passed, doesn't appear in the statute in Canada. The purpose section, then, is very important. You just said in response to other questions that if you put “fundamental right” in and the word “and”, “and” is there balancing against that, but that's okay. It still makes “fundamental right” prominent.
I'll go in a different direction on that. Let's assume that's correct. The Liberals are introducing into this bill a concept in privacy protection, the concept of a legitimate interest, the legitimate interest of the business—the big business and its legitimate interest to use one's data in a way in which it doesn't have permission to use it, and to allow it to use it even if it causes harm to the individual.
I would argue that proposed section 18, which introduces this concept, actually does not make the privacy of the individual of paramount importance. Proposed section 18 actually makes business interests more important, because a large business can ignore whether or not you gave it permission. It can ignore whether or not the information being used is going to harm you for its own legitimate interests, which are not always aligned with those of an individual.
Would you not agree that having that “and” gives that power in proposed section 18 much more weight, enabling them to ignore whether or not it's a fundamental right?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I've recommended a few things to address this in my 15 recommendations.
In terms of the preamble, we did—
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
I don't want to talk about that. I just want to talk about this issue. I don't have a lot of time.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
All right. I think that goes to the recommendation on making sure that the business activities are defined very carefully, that they are all necessary, and that you remove the ability to make exceptions by regulations without showing that they're necessary. The recommendation, in terms of clarifying and highlighting the fundamental right, has to be in the purpose clause, but it should also be in a preamble in the law, not just in the bill but also in the law itself, so that when people read it, they have—
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
That takes away the power from Parliament and leaves the judgment in the hands of bureaucrats as to what the list is, because that's where regulations get made.
I would also argue that the Liberals are further watering down this issue. When you look at the terms of express consent in proposed section 15.... For those watching, express consent means I have to give you permission to use my data. The Liberals have designed a number of escape clauses from express consent that allow businesses to get around it. Those escape clauses in proposed section 18 allow them to get around it.
Also, in proposed subsection 12(4), in the purposes of the bill, it reads that where a business needs to use a person's information for a new use, it doesn't have to get the person's permission. It just has to record it somewhere. There's no need for consent from the person if the business uses it for a new use.
As we know, this is evolving rapidly. I got somebody's consent five years ago. I decide to use their stuff in a different way. I just have to record it somewhere now. I don't even have to tell the person I'm using it. It's a further watering down of the person's protection as a fundamental right, giving much more power.... When you combine it with proposed sections 18 and 15, the exceptions, and with proposed subsection 12(4), that's giving enormous power to a business to do whatever they want with that individual's data without their permission.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Proposed section 14 talks about new purposes and indicates that they must not use it for a purpose other than the one determined and recorded, unless the organization obtains the individual's—
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Sorry, but that's not what proposed subsection 12(4) says. It reads:
If the organization determines that the personal information it has collected is to be used or disclosed for a new purpose, the organization must record that new purpose before using or disclosing that
It doesn't say that it has to actually get express consent. That's in the appropriate purposes and express consent sections. It doesn't say that you have to go back for a new purpose and get express consent.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
On those purposes, one of the recommendations we've made is to make sure that the purposes are specific and explicit. It's important for Canadians to know why this is going to be used, and it's important that when you're collecting this information, Canadians have an understanding of what it's for and what it's not for, and that this is something they would be reasonably expecting. We need to make sure that it is used in those ways.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
I have one last question, and this deals with individual privacy. There have been a lot of submissions already that ask about the ability to breach your privacy when you're put in a group. Group data management is a way, as a former marketer, that I dealt with data from customers. I put them into groups, customer segments; then I pitch to you, based on data, what's going on.
Should there not be some provisions in here that limit the use of group data for the protection of personal privacy?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
You will no doubt hear views on that. We made recommendations on the predecessor bill in terms of inferences and treating inferences as personal information. I think that when you're talking about AI, we can see more and more ability to use information, maybe even de-identified information or anonymized information, then draw some conclusions about groups. I think that is certainly something to think about and consider. Those privacy impact assessments with AI, I think, become key to looking at that aspect. This is why our definitions on de-identification and anonymization are strict. Not everyone agrees with that. Some have said it may be too strict, but it takes it outside the law.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
I've met with many professors and computer folks who have told me that there's no such thing as anonymized data. It's very easy to back out, so I have one last question.
This puts more important responsibilities on your office. The tribunal element probably puts more on as well.
Have you done estimates about what this is going to cost in funding for your department to do this level of...?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes, we have. The amount we came up with is almost a doubling of the current resources that we have. We would need an additional $25 million per year to have the resources on the compliance side, certainly, but also on the proactive side. The discussion we've been having provides responsibilities to approve codes of practice and certification programs, and maybe there will be a decision to have sandboxes.
All this advice to organizations and SMEs will need to be resourced. The new process will need to be more formalized. The fact that there are more protections may well lead to more complaints and more judicial reviews and challenges, certainly at the front end.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Does that change if there isn't a tribunal as one of your options, or if you are given more authority to do compliance agreements with fines?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I think that the compliance agreements will help, because it will mean we can resolve matters. Again, it presumes that the organization will agree. A compliance agreement is a settlement agreement. If the organization agrees to pay the amount, then we can resolve it. If the organization does not, then there still needs to be a process that will go forward. I think the tribunal will have resources that have to be dedicated to that, if there's a tribunal to be created. If there isn't, part of that may have to be done by my office, but we'll certainly manage it as carefully as we can.
