Thank you.
Evidence of meeting #91 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
Evidence of meeting #91 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
Liberal
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you, Mr. Chair.
What a great discussion we're having today. I really thank you all for your expert testimony.
Maybe just to follow up on Mr. Williams' line of questioning, Mr. Kardash, I'll point a couple of questions toward you.
Just so I understand correctly, you've said that basically the current definition of anonymized data is too high a standard. It doesn't align with other statutes. You're saying that essentially the standard is already high enough within those other statutes and we should just harmonize the CPPA with that.
Is that correct?
Partner, Canadian Anonymization Network
Yes. It's interoperability. I'll give three very quick components. I do recognize the time constraints.
Number one, it's a very high standard as articulated by jurisprudence. Number two, we cite at least 12 statutes in there for you to look at off-line, including Law 25 and a very rigorous regime, the Personal Health Information Protection Act, that basically incorporate this contextual requirement, “reasonably foreseeable risk in the circumstances”, or very similar wording.
It's for interoperability, which is absolutely critical; that's right.
Liberal
Ryan Turnbull Liberal Whitby, ON
Got it. Great.
You used the term “expressly contemplates contextual risk”, which I'm not sure I fully understand. Could you explain that a little bit further?
Partner, Canadian Anonymization Network
Yes. I would ask if my colleague Khaled could also supplement my comments.
Partner, Canadian Anonymization Network
When you are looking at a particular record of data, you have to look at it in context in order to make a determination. Doing that is actually for privacy protection. “Reasonably foreseeable in the circumstances” is that contextual factor that needs to be articulated. It's consistent with best practices. This is the way in which risk management is implemented for the purposes of this analysis.
Khaled, I would ask you to please supplement that. You deal with this so practically. It would be very helpful.
Professor, Canadian Anonymization Network
I think the key point is that the anonymized data includes modifications to the data as well as the additional controls that the data user or data recipient has to put in place—additional security controls, privacy controls and contractual controls. It's not just about the data; it's about the additional controls.
These are contextual in the sense that, depending on the sensitivity of the data, you may implement more controls, for example. It's not just about the data; it's about the data and the context around it, or the additional administrative and technical controls around it.
Liberal
Ryan Turnbull Liberal Whitby, ON
Thank you for that.
Ms. Gratton, Mr. Therrien said that the European law is the gold standard. He talked about how there is no real inconsistency in terms of protecting privacy and the legitimate interests that you had rightly pointed out. I think you were making very specific suggestions regarding the different types of legitimate interests that are included currently in the CPPA.
Would your suggestions actually further align us with the European law or the gold standard that Mr. Therrien mentioned?
Partner and National Leader, Privacy and Data Protection, BLG, As an Individual
I think so too. In fact, you'll note from my brief that I'm actually proposing that the “legitimate interest” consent exception be more aligned with the GDPR.
Liberal
Ryan Turnbull Liberal Whitby, ON
Okay. Great.
Are there any places where you think we could go, or need to go, further than the European law?
Partner and National Leader, Privacy and Data Protection, BLG, As an Individual
I don't think we need to go further than the European law. I guess my other comments really have to do with making sure that we're not hampering innovation.
Liberal
Ryan Turnbull Liberal Whitby, ON
Yes. I see the point that this is really about a balancing act. I think everybody has talked about that. It's how to get that balance right.
We started off our last meeting with the current Privacy Commissioner by having that discussion as well. We sort of got to that point at the end, that this is a delicate balancing act. I know that some members have expressed points of view that may side a little bit more with perhaps weighting privacy rights and protection even more. I think we've also heard witness testimony that innovation and privacy rights are largely aligned in many of the cases.
Ms. Gratton, from your perspective, is there a risk that we could go too far? I take it that a lot of your testimony is related to where we draw the line and how we can facilitate a process whereby innovators can continue to innovate and offer the value of all the digital tools that enhance our lives and that I think we all benefit from on a daily basis.
Could you speak to that?
Partner and National Leader, Privacy and Data Protection, BLG, As an Individual
When you say “go too far”, I'm assuming you're talking about protecting privacy—
Liberal
Ryan Turnbull Liberal Whitby, ON
I mean stifling innovation, because I'm concerned with just getting the balance right on both sides of this. I obviously value my fundamental right to privacy, as all Canadians do. At the same time, I don't want to stifle innovation and the kinds of benefits that Canadians get from these digital tools.
Partner and National Leader, Privacy and Data Protection, BLG, As an Individual
What I can say is that of the four recommendations I'm getting, three out of four are actually proposing that our law be more aligned with the laws of Europe or Quebec, which are actually more stringent.
It's also an issue with interoperability and making sure that our requirements are harmonized, especially when they make sense. We don't need to reinvent the wheel. If Quebec got it right, and if in Europe they got it right through the GDPR, why are we reinventing the wheel?
Perhaps one issue I'd like to raise is that in Europe they had interpreted their requirement to mean websites need cookie banners, and five years later they're reassessing that. There's a movement in Europe, the cookie pledge, and they are reassessing whether they are better protecting website users with these cookie banners, which are extremely complex. People are just accepting them.
I think maybe one lesson learned from Europe that we should not replicate here is pushing for website cookie banners.
Liberal
The Chair Liberal Joël Lightbound
Thank you very much, Madam Gratton and Mr. Turnbull.
Mr. Lemieux is next.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Thank you, Mr. Chair.
Mr. Kardash, the Canadian Anonymization Network has a particularly interesting case. According to a paper you published in May 2023, the current definition of “anonymize” sets an extremely high and virtually unattainable threshold for circumstances under which it can be concluded that information can no longer be used to identify someone.
The document refers to Bill 25, adopted by the Quebec National Assembly in 2021. The latter uses more moderate language, to ensure that anonymization is achievable, and advocates the adoption of similar language in order to ensure interoperability between the two regimes.
In your opinion, if the language is left as it is in the current bill, what will be the implications for Quebec companies, particularly small and medium-sized businesses that will be subject to Bill 25, since it would take precedence, but also to this bill, if their operations cross the border?
Partner, Canadian Anonymization Network
May I ask for clarification? Are you asking what the impact would be if we do or we do not make our recommended change to the definition of “anonymize”?
I'm sorry. I just want to clarify so that I answer your question correctly.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
I find your perspective interesting, but I'd like you to talk about what will happen if we apply it and if, on the contrary, we don't apply it.
October 24th, 2023 / 4:35 p.m.
Partner, Canadian Anonymization Network
Okay. It is really important for companies to have legislative schemes in the privacy area that are interoperable. If you don't have interoperability, you'll create lots of confusion, lots of uncertainty. There will be reticence risk, which is the risk of not doing anything, and just overall problems with it.
All we're doing is actually incorporating a well-understood concept to ensure the term was used in a harmonized way and interoperabilities were similar. It's really important to do that. There would be adverse consequences: If you don't put it in, there will be an open question of why. Obviously it's a different standard, and our view is that there's no need for that. Privacy protection could be there. It's a very high standard right now, and we just don't need that at all. It will not be beneficial at all. Especially, striking the balance that we just heard from before.... That's why we're so strongly in support.
I will add that we had these consultations. They were extensive. A working group spent countless hours dealing with it. We met with folks. This was universally accepted in all our discussions. Yes, let's make it clear. Let's stay with this. It's the appropriate and prudent approach to take.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
I apologize for my leaving off and on during the meeting. There are world events that particularly complicate my riding in Windsor and the Detroit region. I apologize if I repeat something or miss something, but I will go back and listen to the rest of the stuff I've missed from the witnesses.
Mr. Therrien, I do want to ask a question about a certain situation. The Competition Bureau recently had to pay a fine for investigating the Shaw takeover by Rogers and opposing it; and it ruled against them. Through other testimony we learned it might be the same process that could happen here for the privacy commission in this legislation. We have to sort that out, because I was told something from one, and we had different testimony from another.
Again, with the tribunal, I know you have a little more to offer. On creating this type of a body, do you really think it could undermine the strength of the privacy commission in general? I worry about that, because I know that the United States doesn't have this model; but for ourselves, it has actually served Canadians quite well.
I'd like you to expand on the vulnerability if we change the route that we have right now.