Thank you for inviting me.
I'm pleased to be here today to share my thoughts on Bill C‑27.
I am a partner at Borden Ladner Gervais and the leader of the firm's national privacy and data protection practice. Having worked in the field for more than two decades, I provide advice to large national companies in a number of industries across the private sector. Many of these companies have international operations as well, so I have followed the developments in the European Union's General Data Protection Regulation, or GDPR, in recent years. The GDPR is, of course, the EU's equivalent to our privacy legislation.
I believe this privacy reform process should draw on the lessons learned by Quebec and the European Union in reforming their privacy legislation.
I am here today as an individual. I'm going to switch to English now, but I would be happy to answer members' questions in English or French.
Today I stand before you to discuss a matter of paramount importance, the reform of the federal privacy law.
We find ourselves at a critical juncture. We have the unique opportunity to strike a balance that ensures the protection of our privacy rights while fostering an environment of innovation. In a rapidly evolving digital age, where information flows faster than ever before, our privacy is at an increased risk. This makes it imperative that we reform our privacy laws to reflect the realities of today.
However, data protection laws should not stifle the innovative spirit that has propelled us into the 21st century. Canada needs to remain competitive. Innovation drives economic growth, creates jobs and improves our quality of life. It is the engine of progress. Striking the right balance between privacy and innovation is a complex task, but I don't think it's an impossible one.
I'll focus my presentation on the consumer privacy protection act and areas of improvement for four specific issues that potentially impact innovation.
First, I absolutely welcome the introduction of a consent exception regarding specified business activities and for certain activities in which the organization has “legitimate interest” under subclause 18(3). This being said, the legitimate interest exception is actually narrower than the same exception under the EU's GDPR, the General Data Protection Regulation.
David raised this issue, so I'm going to talk a bit more about it.
Bill C-27 provides no exception, nor any significant flexibility, as to the application of the consent rule to the collection of personal information collected from publicly available sources on the Internet. It prevents all organizations from leveraging data available on the web, including legitimate ones working on new products and services that may benefit society and that need a large volume of information.
In short, I submit to you that this legitimate interest exception should be more closely aligned with the GDPR legitimate interest legal basis to accommodate innovative types of business models while protecting the privacy interests of Canadians.
Clause 39 creates a new consent exception for disclosures of de-identified personal information to specific public sector entities, including government, health care and post-secondary educational institutions. Limiting this consent exception only to disclosures to public sector entities instead of public and private sector entities severely restricts its utility. Clause 39 should authorize and facilitate responsible data sharing between a broader range of actors to have access to talent and resources that they can leverage to pursue socially beneficial purposes.
The third point is that the CPPA introduces new definitions for the terms “anonymize” and “de-identify” and provides greater flexibility regarding the processing of these categories of information. However, the proposed standard for anonymization under subclause 2(1) is more stringent than other recently updated privacy legislation, including the GDPR and the recently amended Quebec private sector act.
My point is that the CPPA should include a reasonableness standard instead of holding organizations accountable to an absolute standard that may be impossible to meet in practice. As you certainly know, access to to anonymized datasets, with legal certainty, is crucial to research and development performed by Canadian organizations. I have a feeling that Adam Kardash and Khaled El Emam will be talking about this a bit more.
My last point is that clause 21 introduces a new consent exception for the use of de-identified information for internal research, analysis and development purposes.
Restricting such use to internal uses may limit collaboration and the fostering of research partnerships, preventing stakeholders from sharing datasets to create data pools that are broad enough for the production of useful and actionable insights. This section should authorize the use and sharing of de-identified information among different organizations.
I've submitted a short brief in French and English in which I provide additional detail on these four proposed changes. I think innovation and privacy can coexist, and the responsible use of personal information can be the cornerstone of building new and exciting technologies while respecting our fundamental rights.
Thank you, and I welcome questions.