Evidence of meeting #90 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was office.
A recording is available from Parliament.
4:05 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That's number two.
Number three is to provide more flexibility for my office—
4:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
Without going into details, would it be one, two, three, four and five? Is that how you stacked your document to us?
4:05 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I was listing them in the order that the minister had them. If you prefer, I can give you the numbers in my recommendations.
4:05 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
My number one recommendation on fundamental rights has been accepted. The number two recommendation on children's privacy has been accepted.
Recommendation number 12 is to “provide greater flexibility in the use of voluntary compliance agreements to help resolve matters”.
Recommendation 15 is not explicitly in the annex. I take it from the minister's testimony and from the overall mentions in his letter that he is open to coordination and co-operation between regulators. That is number 15.
I understand—
4:05 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That's right.
4:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
As my previous question about the tribunal blows that potential, we'd really have to figure that out, because I was told that it wasn't the case, and now it is.
Is number five in here, too? Does it match up with any of your recommendations?
4:05 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I've identified four. Those are the four—number one, number two, number 12 and number 15.
The minister did allude to other themes in his letter. He talked about the exceptions, but he was not as definitive.
4:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
We know only that there are going to be three amendments coming forward, so it'll be interesting, because that doesn't even match up right there.
I'm going to be running out of time soon, so I'm conscious of that. Is there any possibility that we can get from you a ranking of your other recommendations?
I'm going to go through this and do the due diligence, but I'm curious as to where, in the professional opinion of the Privacy Commissioner and your office, there's a high level or degree of exposure or complications that need to be fixed, and maybe which other ones are less costly to privacy. I'm looking for almost a ranking of some sort that we can weed our way through, especially with respect to those that are coming forward.
4:10 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I've given that to you today in my opening statement. I've listed five outstanding ones that the minister has not yet agreed to.
4:10 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Those would be the top priority, starting with the notion of a privacy impact assessment for generative AI. To me, that is a major shortcoming.
If you look at AIDA and if you look at the minister's proposed amendments to AIDA, you see a lot of discussion about risk mitigation, identifying risk and managing risk. This is absolutely essential and critical. However, we need to do this for privacy as well as for non-privacy harms. I'm very much insisting on this.
The other important recommendation, which I would say is the top priority, is making sure that fines are available for violation of the “appropriate purposes” provision. This is a violation of section 12. This is the key central provision. This is at the heart of the bill in a way, but there are no fines for that. That, in my view, should be corrected. It's easily corrected by adding that to the list of the breaches.
Other comparable legislation, like Quebec's, for instance, simply says, “a violation of the law”. The whole law is there. It's all covered. This approach lists offences, and then in Bill C-11 there were more omissions. It's been corrected to some extent, but it needs to be corrected further.
I talked about algorithmic transparency. It is an important element, especially at this time in AI. Again, we can manage that by providing guidance to industry, so it's something that's workable, but I think Canadians need to understand what is going on with their data and how decisions are made about them. If we limit it to matters that have significant impact, we're creating debates and limiting the transparency that Canadians deserve.
That is—
4:10 p.m.
NDP
Brian Masse NDP Windsor West, ON
I think I'm out of time.
Just in summary, here's what we've done. We have a bill here in which private bad actors have the capability of suing your commission, just like the Competition Bureau, and we've limited our fines and penalties on bad actors.
That's a perfect scenario.
Thank you, Mr. Chair.
4:10 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Masse.
Before going to Mr. Williams, if you will allow it, colleagues, I'll grant myself a minute for one quick question to Mr. Dufresne.
4:10 p.m.
Some hon. members
Agreed.
4:10 p.m.
Liberal
The Chair Liberal Joël Lightbound
There is unanimous consent.
I have a question for you, Mr. Dufresne.
If you were playing devil's advocate, what would you say is the best argument for a tribunal?
4:10 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
One of the concerns that's been expressed publicly, as I understand it, is that too much responsibility or authority is going to a single body, in other words, my office. Since the bill provides the authority to issue orders and significant fines, more procedural fairness may be warranted.
To address that concern, the government could say, yes, more procedural fairness is needed. That's the model used in Quebec and other parts of the world. You can't have the same process in a regime that includes fines and orders. The way the system works now, an investigation takes place and it culminates in recommendations. The level of procedural fairness isn't the same as that provided for in the bill.
Furthermore, the bill gives my office a new tool, the ability to conduct an inquiry. This tool ensures that procedural fairness and gives the parties an opportunity to be heard. It's something that exists in Quebec, British Columbia, Europe, Great Britain and France. The idea is that the commissioner can conduct somewhat of a more informal investigation at first, but once an order or a fine is issued, it becomes more formal and it moves up to the next level. That's where the procedural fairness comes in.
To my mind, following that model and allowing decisions to be reviewed directly by the Federal Court of Appeal wouldn't be an issue. The Supreme Court has recognized that an administrative decision-maker can have multiple roles. Obviously, it has to be managed properly.
That's my answer. I think the issue is the concentration of responsibilities or authority in one place.
October 19th, 2023 / 4:10 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Thank you, Mr. Chair, and thank you, Privacy Commissioner.
I know there have been a lot of comments today about what the minister said and what's forthcoming. I want to make this very clear to those listening at home: This bill is very important because, for the first time in 20-some years, we're dealing with having the largest amount of data that individuals, including our children, have ever had out in the open. We're dealing with data and, of course, in the second section, with AI. It's not up to the minister to approve certain amendments or decide what he wants to give us. It's up to this committee and then the House of Commons to determine how this bill, if adequate, will go forth to protect Canadians. I want to make that very clear.
We feel that, as the bill is presented right now, this government has not taken privacy seriously. It has not listed privacy as a fundamental right in the “purpose” statement of this bill, which other subregions of the country, like Quebec, already do.
I want to speak today on a certain portion of this bill that already gives more power to business than it does to individuals. It's a section that I think you identified, called “legitimate interest”.
Commissioner, I'd like you to define “legitimate interest” in your own words for the public and for people listening. I know you have a legal background. It's your fourth recommendation. I want you to explain how this drafted bill continues to allow the government to make exceptions to the law by way of regulations, without the need to demonstrate that those exceptions are necessary.
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
The bill provides for some exceptions to the ordinary obligation to have consent and knowledge. It provides exceptions in situations linked to and necessary for business operations. There is a carve-out for activities that should not be for the purpose of influencing individuals. The bill recognizes there may be some instances in which businesses would need the information and it's not practical to obtain consent or advise individuals of it. The condition for this is that a reasonable person would expect the collection or use for such an activity.
I have a concern where the bill provides a list of activities that could be considered business activities in the act. Some of them are.... The first one is “an activity that is necessary to provide a product or service that the individual has requested from the organization”. There is that element of necessity. The second example is “an activity that is necessary for the organization's information, system or network security”. Again, necessity is there. The third is “an activity that is necessary for the safety of a product” or for the organization. This element of necessity is crucial, because that's what justifies the fact that you're going to get consent.
However, the fourth—this is at paragraph 18(2)(d)—says, “any other prescribed activity.” It means that the government can add anything in there without a requirement of necessity.
My recommendation is that this be limited by saying, “any other prescribed necessary activity”, or by making it clear that the government is always limited by that necessity test.
4:15 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
How hard would it be for you and your office to disprove claims to the collection and use of Canadians' data without consent under the “legitimate interest” exemption for business, as it's currently written?
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
The concern I have with this provision is not in our ability to prove or disprove something, or to make a finding on something. It's because, if you add an activity in this list, I am bound by that list. The courts are bound by it. If you add an activity in there that isn't necessary, it becomes an unnecessary exception to the rule of consent. It's one I would have to apply, because I am certainly bound by the law. I will apply the law, as will the courts. It means that, because of this paragraph, there is that risk or possibility. I'm not suggesting it's the intention of the government to do so, but the law would allow the government to carve out something that is unnecessary.
I think that should be reduced and limited to make sure the exceptions we have to the fundamental right to privacy are necessary.
4:15 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Commissioner, answer yes or no: Are you comfortable that Bill C-27—in not defining “legitimate interest” for businesses, as it currently stands—allows the government to make lists of activities and regulations that would balance businesses over the privacy of individuals?
4:15 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
What I'm saying is that this is a problematic granting of authority to the government to carve out parts of the act.