Industry Committee on Oct. 19th, 2023

This section...I'm not comfortable with it. I'm recommending that it be modified so that the authority would be more narrow. As indicated in my submission, there's another section elsewhere in the act, which is highlighted in my submission, where, again, a whole activity can be removed altogether from the bill. The bill wouldn't apply at all. This is something that should be corrected to limit its scope.

On the current privacy legislation, we've provided guidance in terms of how to obtain meaningful consent. In that, we talk about some things that should be looked at in the context of children.

My federal, provincial and territorial colleagues and I have recently issued a statement, a resolution, on protecting young persons' privacy. It gives examples of things that should be done and should not be done with the data of children, nudges them not to make a bad decision, and recognizes that they are more vulnerable.

We can interpret the law, to some extent, to protect children, but we need to do more, and this bill has started to do so. There is now a recognition in the initial version of the bill, and I give credit to Minister Champagne on that. This was in the original Bill C-27 as tabled—the recognition that the information of minors would be deemed to be sensitive information. That has impacts in a number of areas, in terms of disposal rights, and so on.

We took that, and in our recommendations, we recommended going even further than that to highlight the best interest of the child in the preamble of the bill, so that if there is doubt, in terms of interpretation, you can look at that. The minister has signalled his agreement with that and has suggested going further to include the special situation of children in proposed section 12 on interpreting appropriate purposes. That is a further improvement that I would certainly support. We see comments like that in the European context with recital 38 to the GDPR, highlighting that children deserve special protection. UNICEF has said that.

We know that our kids are digital citizens. They're spending time online for all aspects of their lives, including school. We certainly saw it more during the pandemic. It's important that the legislation protects them appropriately and protects them as children. We need to protect the best interests of the child. We need children to be able to be children in that world, to be protected, and not to suffer consequences later on, when they're adults, for things they have done online. There are improvements there, and I certainly support them.

The sensitivity of information is an element that's going to be considered in the bill. It's going to be considered. I have to consider that in how I conduct myself. The sensitivity of information impacts the form of consent, impacts the retention periods and impacts the security safeguards. Certainly, it's something to be considered, and it should be relevant.

The proposal by the minister, which I support, to add the special situation of children to the appropriate purposes clause, proposed section 12, is important. I would add to that my recommendation today to make sure that if you breach the proposed section 12, and if you breach the appropriate purposes, including by treating children's information inappropriately, there would be fines available for that.

Beyond that, with respect to children, I'm not suggesting more than what has been suggested in the recent proposals by the minister.

Bill C-27 needs to prevent that to the same extent that the current law prevents that. As you know, this was a matter that my office investigated. We made findings that Tim Hortons had breached privacy law by collecting more information than it needed and by not being transparent about what was being done with that information.

We see these situations, and we've made some recommendations and some findings. Bill C-27 will help more than the current law, because it will provide for more explicit obligations in terms of explaining consent—making consent something that is explained in a meaningful way for individuals to understand. There is also the possibility that my office can issue orders, and there is the possibility of fines.

I believe that, in the Tim Hortons situation, the organization followed the recommendations. In the Home Depot decision that I issued last year, finding a breach of privacy, the organization agreed with the recommendation. However, that's not always going to be the case, so there need to be these enforcement tools—hopefully not to use them but to reach those results faster and in a proactive way.

Yes, absolutely. The use of sandboxes is good practice. Our British counterparts are very far along on that front. In the case of AI technologies, the industry gets to test out the data and methods in a secure environment.

It's clear that our office would have to be resourced to set up a sandbox. The bill doesn't go as far as establishing a sandbox, but it does require my office to provide the industry with advice as needed. That will be especially important for small and medium-sized businesses. Again, though, it will require capacity. The bill also calls on the commissioner's office to approve codes of practice and certification programs.

Those are all proactive and preventative measures. My recommendations on PIAs and privacy management programs are also prevention-oriented. That's the approach. Organizations have to do these things in the beginning and invest the necessary resources.

The OECD surveyed business leaders and legal experts to find out what challenges they were facing, challenges related not so much to AI, but, rather, to international trade. They said it was sometimes hard to know where to allocate resources because certain investments didn't yield any legal benefit or it was unclear.

Even if well-intentioned business leaders want to set up a sandbox, convincing shareholders to fund it is a challenge. Imposing a legal requirement on companies is helpful, because it sends the message that not only is it the right thing to do, but it's also required of them under the law. The same applies to PIAs.

By the way, I'm quite fond of the certification program provisions in Bill C-27. Europe has that mechanism, and what it basically does is encourage companies to develop the programs and seek the commissioner's approval. Doing this and following the process will help them when complaints arise, because it shows that they acted in good faith and were proactive. It could even lessen fines.

All of those measures encourage companies to move in the right direction. Incentives are extremely important. To encourage innovation and ensure that Canada is well positioned, we have to act on two fronts: impose fines in problematic cases, and reward and recognize good behaviour. They go hand in hand.

My office's mission is to promote and protect privacy rights, and I really appreciate that. It's about more than telling people they did something wrong after the fact. It's also about working alongside them to make sure things are done right from the start.

We have a lot of discussions, in particular with the FTC in the U.S., which has jurisdiction for antitrust law. It is the equivalent of our Competition Bureau. Also, through that, it deals with privacy.

There's no national privacy legislation in the U.S. at the moment. There are proposals before Congress on this, but it's not moving forward. California has its own model, and they have some innovative mechanisms there to protect privacy. Nationally, there is no equivalent in the U.S.

We are in close discussions with those colleagues about AI. In fact, when I was in Japan last June, we issued a statement on generative AI. This was from all of the G7 commissioners for privacy, and for the U.S., that was the FTC. In that, we noted a few things. We noted that there are laws that apply to AI for privacy, and they need to be applied and they need to be respected. It also highlighted that we need to have privacy impact assessments. We need to have a culture of privacy when we're dealing with generative AI, because in many cases it is built on personal information.

There are a lot of exchanges that are going on in that space. I think the consensus is making sure that our citizens are aware that, yes, AI is moving at a fast pace, but we have privacy laws to protect citizens.

Yes, we're working very closely with Europe, with the G7 and the community worldwide.

I was at a meeting of the Global Privacy Assembly just last week, talking about ethical uses of AI and highlighting the fact that we need proactive, strong privacy protections.

Going back to the collaboration with the G7 again, working very closely together, we issued a statement on AI. I was pleased to see the statement cited in the voluntary code issued by the Department of Industry to deal with AI, reminding organizations that we currently have laws that apply and that have to be respected.

However, in this new bill, that's why I am highlighting that we absolutely need to make sure that protective, proactive privacy assessments are there, and that they are a legal obligation. Right now, in the public sector, there's no obligation for privacy impact assessments. It's in a policy of Treasury Board. Often we'll see that if those impact assessments are done, they'll be done later. Therefore, it's important to have that legal obligation.

I can tell you that the international community is very much focused on AI, as are the G7 ministers. As you said, the debates are going on in the U.S., but certainly what is being highlighted and noted is that you cannot separate privacy from AI. To protect AI, to deal with AI, to have guardrails, you need strong privacy protections.

I think you'd have to put your last question to the minister to find out why he accepted certain recommendations and not others. To be clear, he did say in his letter that he was open to looking at others, further to the committee's proceedings. Beyond that, I can't speculate.

As for providing additional opinions, I would be glad to help the committee however I can be of service, whether it's commenting on proposed amendments or meeting with the committee again, later in the study, to answer other questions. It would be my pleasure.

Yes.