Industry Committee on Oct. 24th, 2023

Thank you very much, and thank you for your kind invitation to appear before this committee to assist in its important study of Bill C-27.

I'm a partner in private practice at a law firm where I've been practising privacy law for 22 years. Most of my practice involves advising international businesses on complying with Canadian privacy laws. More often than not, they're trying to make their existing privacy programs, which they've developed in places like Europe and California, work in Canada. I also advise Canadian businesses, large and small, on compliance with these laws. I regularly advise organizations in connection with investigations and encounters with the Office of the Privacy Commissioner of Canada and his provincial counterparts.

I'm here in my own personal capacity, but obviously my work and opinions are informed by my experience working with my clients.

Now, I may come across as somewhat contrarian in saying this, but I actually think that PIPEDA works pretty well as it is. It was designed to be technologically neutral, based on existing principles that are largely embedded in Bill C-27. One thing I've often said is that Bill C-27 takes PIPEDA and turns it up to 11.

I don't think the legislation's necessarily broken. I think the commissioner, over the past 22 years, has not necessarily exhausted all of his enforcement powers and authorities over that time.

I'd like to start by saying that I don't really like the name of the new statute. Canadians aren't simply consumers. This legislation applies to consumers. It also applies to certain employees in the federally regulated sector. It's a bit negative and dismissive. If we're wedded to the acronym CPPA, we could call it the “Canadian Privacy Protection Act”, but I don't think that actually affects its substance.

Now, I like PIPEDA, but over the last little while, it's been pretty clear that there's an emerging consensus in looking toward order-making powers and penalties and thinking they're desirable. In the course of this, I would ask the committee to consider that that requires a commensurate and appropriate increase and shift to greater procedural fairness than is currently in the bill.

Based on my experience, I'm of the view that the Privacy Commissioner potentially has a conflict in being a privacy advocate, a privacy educator, the privacy police, the privacy judge and the privacy executioner. Any determination of whether a violation of the CPPA has taken place and what penalties should be imposed should be carried out by an independent arm's-length tribunal, such as the Federal Court or the new tribunal. The commissioner can recommend a penalty and can take on the role of prosecutor, but ultimately the determination of whether or not a violation has taken place and whether or not a penalty should be imposed should be vested in an arm's-length body.

I think the recent Facebook case in the Federal Court is a bit of a cautionary tale. I'd be happy to talk more about that.

Children's privacy is obviously a very important theme in this particular piece of legislation. I agree with and appreciate the views of the government and the commissioner with respect to protecting the privacy of children.

One thing I'm a bit concerned about is that the current bill would be difficult to operationalize for businesses that operate across Canada. Whether or not somebody is a minor currently depends upon provincial law. That varies from province to province, and implementing consistent programs across the country would be difficult. I would advocate putting in the legislation that a minor is 18 years or below.

I would also suggest that there be a presumption that children under the age of 13 are not able to make their own privacy decisions and that their parents should be their substitute decision-makers by default.

For organizations that offer a general service to the public—like a car dealership, for example—there should be a presumption that all of their customers are adults, unless they know otherwise. If you have a website that's focused toward children, you know there are children in the audience and you have to calibrate your practices appropriately. Anything different might lead to mandatory age verification, which can be very difficult and raises its own issues.

Having been involved in investigations and in litigation involving privacy claims, I would suggest that the “private right of action” be amended to be limited to the Federal Court of Canada, if you're wedded to a private right of action to begin with. The problem with the existing legislation is that anybody can go to the Federal Court of Canada or a provincial court. We know that there are going to be hundreds of people affected over the next decade or so, with respect to particular incidents. You're going to end up with duplicative proceedings simultaneously across the country. We already know that judicial resources are significantly taxed.

I think legitimate purposes—which are largely based on the European model—need to be more closely aligned. I'm happy to provide more details on what is happening in Europe.

With respect to the artificial intelligence and data act, it should be its own bill and subject to its own study. I would note that excluding the government from it is dangerous. The government has guns. The government decides about benefits, immigration and things like that. I think it's subject to a constitutional challenge. It's not necessarily harmonized with what's going on with our international trading partners, and there should be reciprocal recognition.

If a company is complying with European data regulation and we have deemed it to be substantially similar, that should work. Otherwise, we're going to have difficulty with Canadian businesses operating internationally and international businesses coming here.

Finally, I think research and development should be removed from the bill, because it presents no real risk of harm to an individual until it's presented into the public.

I have a longer list. I could go on for much more than five minutes, but I think that's my time. I look forward to the discussion.

Thank you for inviting me.

I'm pleased to be here today to share my thoughts on Bill C‑27.

I am a partner at Borden Ladner Gervais and the leader of the firm's national privacy and data protection practice. Having worked in the field for more than two decades, I provide advice to large national companies in a number of industries across the private sector. Many of these companies have international operations as well, so I have followed the developments in the European Union's General Data Protection Regulation, or GDPR, in recent years. The GDPR is, of course, the EU's equivalent to our privacy legislation.

I believe this privacy reform process should draw on the lessons learned by Quebec and the European Union in reforming their privacy legislation.

I am here today as an individual. I'm going to switch to English now, but I would be happy to answer members' questions in English or French.

Today I stand before you to discuss a matter of paramount importance, the reform of the federal privacy law.

We find ourselves at a critical juncture. We have the unique opportunity to strike a balance that ensures the protection of our privacy rights while fostering an environment of innovation. In a rapidly evolving digital age, where information flows faster than ever before, our privacy is at an increased risk. This makes it imperative that we reform our privacy laws to reflect the realities of today.

However, data protection laws should not stifle the innovative spirit that has propelled us into the 21st century. Canada needs to remain competitive. Innovation drives economic growth, creates jobs and improves our quality of life. It is the engine of progress. Striking the right balance between privacy and innovation is a complex task, but I don't think it's an impossible one.

I'll focus my presentation on the consumer privacy protection act and areas of improvement for four specific issues that potentially impact innovation.

First, I absolutely welcome the introduction of a consent exception regarding specified business activities and for certain activities in which the organization has “legitimate interest” under subclause 18(3). This being said, the legitimate interest exception is actually narrower than the same exception under the EU's GDPR, the General Data Protection Regulation.

David raised this issue, so I'm going to talk a bit more about it.

Bill C-27 provides no exception, nor any significant flexibility, as to the application of the consent rule to the collection of personal information collected from publicly available sources on the Internet. It prevents all organizations from leveraging data available on the web, including legitimate ones working on new products and services that may benefit society and that need a large volume of information.

In short, I submit to you that this legitimate interest exception should be more closely aligned with the GDPR legitimate interest legal basis to accommodate innovative types of business models while protecting the privacy interests of Canadians.

Clause 39 creates a new consent exception for disclosures of de-identified personal information to specific public sector entities, including government, health care and post-secondary educational institutions. Limiting this consent exception only to disclosures to public sector entities instead of public and private sector entities severely restricts its utility. Clause 39 should authorize and facilitate responsible data sharing between a broader range of actors to have access to talent and resources that they can leverage to pursue socially beneficial purposes.

The third point is that the CPPA introduces new definitions for the terms “anonymize” and “de-identify” and provides greater flexibility regarding the processing of these categories of information. However, the proposed standard for anonymization under subclause 2(1) is more stringent than other recently updated privacy legislation, including the GDPR and the recently amended Quebec private sector act.

My point is that the CPPA should include a reasonableness standard instead of holding organizations accountable to an absolute standard that may be impossible to meet in practice. As you certainly know, access to to anonymized datasets, with legal certainty, is crucial to research and development performed by Canadian organizations. I have a feeling that Adam Kardash and Khaled El Emam will be talking about this a bit more.

My last point is that clause 21 introduces a new consent exception for the use of de-identified information for internal research, analysis and development purposes.

Restricting such use to internal uses may limit collaboration and the fostering of research partnerships, preventing stakeholders from sharing datasets to create data pools that are broad enough for the production of useful and actionable insights. This section should authorize the use and sharing of de-identified information among different organizations.

I've submitted a short brief in French and English in which I provide additional detail on these four proposed changes. I think innovation and privacy can coexist, and the responsible use of personal information can be the cornerstone of building new and exciting technologies while respecting our fundamental rights.

Thank you, and I welcome questions.

Thank you, Mr. Chair.

Thank you, committee members, for inviting me to participate in your study.

I am here as an individual, but my experience as the federal privacy commissioner from 2014 to 2022 will certainly be reflected in my remarks.

To begin, let me say I agree with my successor, Philippe Dufresne, that the bill before you is a step in the right direction, but that it is necessary to go further in order to properly protect Canadians. I also agree with the Office of the Privacy Commissioner's 15 recommendations for amending Bill C‑27, with some nuances on audits, remedies and appeals. The government has taken up, at least in part, a good number of the recommendations I had made regarding Bill C‑11, the predecessor to Bill C‑27. Among those that were not accepted is the application of privacy law to political parties.

I am very pleased that a consensus appears to have emerged among political parties to recognize in the law that privacy is a fundamental right. I applaud parliamentarians for that decision. The question now becomes how to best translate into law the principle with which you now all agree.

Minister Champagne suggests amending the preamble and the purpose clause of the CPPA. These are steps in the right direction, but they are not sufficient. You should also amend two operative clauses: proposed section 12 of the act on “appropriate purposes”, and proposed section 94, which provides for administrative monetary penalties for certain violations of the law. Without these amendments, the law would still give greater weight to commercial interests than to privacy, which is a fundamental right. This does not appear to be your intent.

Based on my reading of parliamentary debates, it also seems to me there's consensus around the idea that privacy and economic growth through innovation are not in a zero-sum game. The question is generally not on deciding which should prevail—privacy protection or innovation—as both can and should be pursued at the same time. It is only in rare cases that it will not be possible. In those cases, privacy as a fundamental right should take precedence.

Proposed section 12 of the CPPA does not, in my view, faithfully translate this consensus. Rather, it upholds the traditional approach, which is that privacy and economic goals are conflicting interests that must be balanced without considering that privacy is a fundamental right. This may have made sense under the current act's purpose clause, but it will no longer make sense if the CPPA's purpose clause recognizes privacy as a fundamental right, as is currently proposed.

Proposed section 12 is central to the exercise that commercial organizations, the Privacy Commissioner and ultimately the courts will have to go through in order to determine the factual context of each case and the weight given to privacy and commercial interests.

Section 12 as drafted gives more weight to economic interests. It does that in several ways.

The first is through the terminology it uses. It refers to “business needs” and does not refer to privacy as a right, fundamental or otherwise.

When the proposed section does refer to privacy, in paragraphs (2)(d) and (e), it is as an element to consider in achieving business goals, mitigating losses where possible, that is where achieving business goals can be achieved at comparable cost and with comparable benefits.

Nowhere is it mentioned that privacy protection is an objective at least equally as important as economic goals. On the contrary, the focus is on economic goals, and privacy loss as something to be mitigated, where possible, in the pursuit of those goals.

I have provided you with my proposals for amending section 12, and they would be consistent with the amendments proposed at section 5.

With respect to sanctions, all violations of section 12, including the appropriate purposes clause at subsection (1), should potentially lead to administrative monetary penalties. Without sanctions, recognizing privacy as a fundamental right would be a pious wish, without real consequences.

I would go further and recommend that all violations of the CPPA should be subject to these penalties. This would align Canada with most other jurisdictions.

I have a few words on the Artificial Intelligence and Data Act. That part of Bill C-27 is brief, even skeletal, and leaves a lot of room for regulations. While I understand why some are concerned with this, I think this approach is defensible, given the fact that AI technology is relatively nascent and is certainly evolving very quickly; however, the lack of precision in AIDA, in my opinion, requires that certain fundamental principles and values be recognized in the act itself. First and foremost, the act should recognize the importance of protecting fundamental rights, including the right to privacy, in the development and implementation of AI systems.

Finally, some of you expressed concerns in an earlier meeting with the difficulty of detecting violations of the law and the potential value of proactive audits to facilitate detection. As commissioner, I had recommended proactive audits, and I still believe they are a necessary part of an effective enforcement regime. This is particularly true in the case of AI.

Thank you. I would be pleased to take your questions later.

Thank you. Good afternoon, everyone.

My name is Adam Kardash. I'm chair of Osler, Hoskin and Harcourt's national privacy law and data management practice, and I've been practising exclusively in the privacy area for more than 20 years.

I'm pleased to be before INDU on behalf of CANON, the Canadian Anonymization Network, which is a not-for-profit organization whose members comprise large data custodians from across the public, private and health sectors.

I'm joined this afternoon by Khaled El Emam, a Canada research chair in medical AI at the University of Ottawa and the leading global expert on anonymization and de-identification technologies and methods.

As you are aware, Bill C-27 introduces definitions of anonymized data and de-identified data within the text of the proposed consumer privacy protection act. The concept of anonymized data is a core feature of the CPPA, as it clarifies the scope of application of the CPPA's privacy legislative scheme.

There are several very important provisions throughout the CPPA related to the terms de-identification and anonymization. It is therefore essential that the CPPA provisions relating to these terms—anonymized and de-identified data—be carefully considered and appropriately articulated within the CPPA's legislative scheme.

In August of 2022, CANON struck a working group to conduct a thorough legal consideration of Bill C-27, and we received comments from stakeholders across all sectors as part of a consultation process, including a workshop attended by over 100 participants.

CANON is proposing surgical revisions that provide critical clarifications to several provisions within the CPPA, including to the provision referenced by my colleague Éloïse Gratton for proposed section 39. We're proposing additional privacy protections to disclosures without consent for socially beneficial purposes. The details of our submissions are contained within the written submission we submitted to INDU.

Our most important recommendation relates to the CPPA's current definition of “anonymize”. The current definition provides that personal information would be anonymized only if it is “irreversibly and permanently” modified in accordance with “generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly....”

We are proposing an amendment as a surgical addition to this definition, as the current text of the definition of “anonymize” sets an extremely high and practically unworkable threshold for the circumstances in which information would no longer be deemed to be identifiable. Specifically, anonymized data within the CPPA does not incorporate the concept of reasonably foreseeable risk in the circumstances and therefore is not consistent with the standard for anonymization within legislative schemes across the country, including Quebec's Law 25, Ontario's Personal Health Information Protection Act, and multiple other statutes cited in our submission. We have everyone. There are at least 12 that we've cited in the statutes for your consideration when you're reviewing our brief.

To be clear, and this is critically important, there is a very high legal standard for anonymization right now in Law 25, under PHIPA and under all these other statutory frameworks. It's very high, but unlike the CPPA, the anonymization standard in these other legislative schemes is practically workable. The reason is that it expressly contemplates contextual risk.

As a result of these concerns, CANON has proposed an amendment to the CPPA's definition of “anonymize” that simply incorporates the concept of reasonably foreseeable risk in the circumstances into the definition. Our proposed surgical amendment would align the CPPA's concept of anonymized data and, critically, ensure the interoperability of the CPPA with the standard for anonymization within other legislative schemes across Canadian jurisdictions. Our proposal is fully consistent with well-established Canadian jurisprudence on the scope of the concept of personal information, the citations for which we provide in our submission.

I'm going to turn my comments over now to Khaled El Emam to conclude our introductory remarks.

Thank you, Adam.

I want to use my time today to highlight the practical importance of CANON's proposals to the definition of “anonymize”.

My comments today are based on my experience with anonymization over the last two decades, both in the context of research and applications and of practice. A core focus of my work has been on the anonymization of health data such that it can be used and disclosed for research purposes, which includes developing new treatments and devices to help patients.

In my view, the CPPA's current definition of “anonymize” most often will not work well in practice when interpreted literally. It risks setting an unachievable standard that in practice is not necessary for good privacy protection. The text needs to reflect the reality that the outcome of anonymization is not absolute. It is well established among anonymization and data de-identification experts that data anonymization is a process of risk management. This is a foundational element of the recently published ISO international standard for data de-identification. Good contemporary practices, when implemented properly, can ensure that the re-identification risk is very small. Very small re-identification risk can be precisely defined and has been precisely defined by organizations such as Health Canada.

Effective re-identification risk management involves using techniques and technology to modify data as well as the implementation of appropriate administrative and technical controls. The combination of modified data that has been wrapped with appropriate administrative and technical controls ensures that the re-identification risk can be made very small.

This concept of risk management will not ensure that the re-identification risk is zero or that anonymized data is absolutely irreversible. That is not a practical standard that can be met. This is why it's important to amend the current definition of the term “anonymize”, which currently implies zero risk.

Our proposal supports the important and necessary requirement currently within the CPPA's definition that generally accepted best practices are followed during the process of anonymization, but the CANON proposal adds the concept of reasonably foreseeable risk and the circumstances so that the definition is actually workable in practice.

Based on my years of developing and implementing anonymization methods and technology, on behalf of CANON I think the implementation of CANON's proposals will enable a more responsible use and disclosure of data compared to the current definition.

We thank you in advance for your consideration. We would be pleased to answer any questions you may have.

We had a couple of discussions with Mr. Bains and Mr. Champagne. We never saw the actual text of the bill, but there were discussions.

Yes.

I characterize Bill C-11 as a step backwards. I think Bill C-27 is a step forward. Some recommendations that I had made as commissioner were accepted—not all, and not some that I think are essential that I spoke to.

Yes.

At that time, yes.

The first point I make is that it is important that proposed section 5 speak to and qualify the right to privacy as fundamental. It has meaning. However, you have to look at the whole of the purpose clause, the preamble first—