Thank you, Mr. Therrien.
Mr. Sorbara is next.
Evidence of meeting #91 for Industry, Science and Technology in the 44th Parliament, 1st Session.
October 24th, 2023 / 5:15 p.m.
Francesco Sorbara Liberal Vaughan—Woodbridge, ON
Thank you, and good afternoon, gentlemen.
I apologize for missing your earlier testimony for a pre-existing appointment.
Adam, you made a comment earlier about the bar on personal data—I may have forgotten the words exactly—in terms of how we identify personal data as being owned by the individual or not owned by the individual, or identifying it. Can you elaborate on that point?
If it wasn't you, I apologize, but there was a reference to that.
Partner, Canadian Anonymization Network
I think it might have been a reference about the current bar of when data is identifiable or no longer identifiable.
Partner, Canadian Anonymization Network
First of all, the concept of personal information, or more specifically identifiability, is well established in Canadian jurisprudence. If there is a serious risk of possibility of identifying an individual directly or indirectly or just contextually, it will be deemed to be identifiable. That is a very high bar, given the environment, especially the contextual part, as there is more dynamic data and more data, etc. That's what I was speaking to.
The injection of our proposed amendment was to align the current definition of “anonymize” in the CPPA to ensure that we're consistent with the jurisprudence and consistent and interoperable with the statutory regimes across the country.
Francesco Sorbara Liberal Vaughan—Woodbridge, ON
As a non-lawyer, I wonder if the bar is too high, too low, or...?
Partner, Canadian Anonymization Network
Very simply, the bar set out in the current text of the CPPA is too high. It's practically unworkable. A simple surgical amendment, as recommended by CANON and others, would address it, and it would address it in a way that's totally consistent with other legislative regimes.
Francesco Sorbara Liberal Vaughan—Woodbridge, ON
Bill C-27, in my humble view, is a groundbreaking piece of legislation. I'll use that term. I think it is groundbreaking in terms of the update it's providing to the act and to privacy.
Mr. Therrien, you're fully versed on privacy issues relating to Canadians. When I think of this bill and I think of my constituents back in the city of Vaughan in my riding of Vaughan—Woodbridge, I would tell them how their privacy is being protected and not being protected on a very granular basis. I would use layman's terms. What would you tell me to tell them in terms of your view of Bill C-27?
Lawyer and Former Privacy Commissioner of Canada, As an Individual
You may be referring to whether the law should be principles-based or rules-based, for instance—
Francesco Sorbara Liberal Vaughan—Woodbridge, ON
If I could interject, as a finance person and someone with an extensive accounting and finance background, I know principles-based and rules-based matters, so yes, please....
Lawyer and Former Privacy Commissioner of Canada, As an Individual
I think on the aspect of risk, it's a bit of both. Currently, PIPEDA is principles-based—there are some rules, but rules are few. CPPA would certainly keep principles but adopt many more rules. I think an effective system has both principles and rules that are at a sufficient level of generality that they can still be relevant even if the technology or the business context changes over time.
I think where I would disagree with my colleague Mr. Fraser is that PIPEDA lacked the rules that would ensure protection. I'm not suggesting a prescriptive statute, but I'm suggesting a statute that has both principles and actual rules stated at the right level of generality.
Francesco Sorbara Liberal Vaughan—Woodbridge, ON
I have a final question.
When producing legislation or enacting legislation, we obviously want the legislation to be robust to handle evolving technologies—in this case, evolving situations. Where we are today is vastly different from where we were 10 years ago in privacy and in AI and just the technologies, I think. The legislation we have in front of us, in my view, has that robustness, but obviously you folks are much more expert on this front. How would you characterize the robustness in this legislation to handle the evolving environment we're in?
Mr. Kardash can begin. Then we can go across if we have time.
Partner, Canadian Anonymization Network
The legislation is drafted in a technologically neutral and sectorally agnostic way, so that will serve Canadians well, and organizations trying to comply with it, because it will allow for the evolution of practices over time to deal with that, so I think that's really helpful.
I also think that while it's often referred to as a consent-based regime, fundamentally it's an accountability-based regime. I can't speak for my other colleagues, but I think there's broad-based agreement that Canada has actually led the way internationally with this accountability model. It's been adopted otherwise, and now it's been strengthened.
You have the combination of the accountability model with some careful drafting, with some enhancements to privacy protections that I think will serve organizations and, in particular, Canadians well.
Francesco Sorbara Liberal Vaughan—Woodbridge, ON
I'm not sure if we have time, Chair, but perhaps Mr. Fraser or Mr. Therrien would like to land on that.
Partner, McInnes Cooper, As an Individual
I think it will ultimately prove to be a resilient piece of legislation. I don't see potholes or anything else like that, or pitfalls such that we're going to have to come back to revisit it in five or 10 years' time necessarily.
The Chair Liberal Joël Lightbound
Thank you, Mr. Sorbara.
We have five more minutes, so I'm willing to open the floor. I'll yield the floor to me first—
Liberal
The Chair Liberal Joël Lightbound
—with consent.
Maybe you won't like the question I'm about to ask, but if we were to include political parties in the act, what would be the lowest-hanging fruit that could be included, and the most important one?
This is for Mr. Therrien and Mr. Kardash.
Lawyer and Former Privacy Commissioner of Canada, As an Individual
I think you could include rules on disclosure by political parties and others on use. The worst possible case was that of Cambridge Analytica, a company that authored certain practices aimed at influencing voters. If political parties were subject to privacy laws and these practices continued to be used, at least penalties could be imposed on those who obtain this type of information. There's a whole range of consequences.
Rules on the protection of information—that is to say security mechanisms—could also be included. These issues are currently the subject of voluntary measures on the part of political parties. If the parties were subject to the laws, there would be legal consequences for not protecting the information properly.
Partner, Canadian Anonymization Network
I would say rights of redress to the Office of the Privacy Commissioner of Canada, security breach notification requirements, rights of access so that individuals have an understanding of the personal information that is in parties' custody and control. I would say—and I missed the beginning of the remarks from Mr. Therrien—that I think there's the wave of other fair information practices that are encapsulated within the statutory regime.
Again, I just don't think it can be overstated that this is something that's really missing, and from a broader discourse, we're all focusing.... The digital charter rightly focuses on trust, and in order to establish trust, we need all participants to be subject to the same rules, etc., and I think political parties should be subject to those rules as well.
The Chair Liberal Joël Lightbound
Thank you very much. This concludes my questions.
We still have four minutes. I recognize Mr. Lemire and then Mr. Perkins.
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Thank you, Mr. Chair.
Mr. Therrien, in the context of Bill C‑27 and, more specifically, in the context of artificial intelligence, I would like to hear your opinion on industry self-regulation standards. That is, I would say, the new approach that is being put forward, both in Europe and by Mr. Champagne as a temporary or transitional measure. Can we trust industry to regulate itself?
Lawyer and Former Privacy Commissioner of Canada, As an Individual
Over the past 20 years, we have clearly seen that there are significant limits to self-regulation. That is why it is currently necessary to amend the legislation and to provide for penalties, among other things.
In terms of artificial intelligence, again, it's not emerging technology, but its application is now becoming much more important. I think it would be a mistake to try to regulate it too precisely, too quickly.
So I wouldn't just rely on self-regulation. I don't think Mr. Champagne does either, since he is talking about self-regulation on a temporary basis while waiting for the upcoming act and regulations. In my opinion, it takes this legal architecture of an act, regulations and codes of practice for companies to have the best possible protection. Self-regulation alone is not enough.