Evidence of meeting #92 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Colin Bennett  Professor, Political Science, University of Victoria, As an Individual
Michael Geist  Professor of Law, Canada Research Chair in Internet and e-Commerce Law, Faculty of Law, University of Ottawa, As an Individual
Vivek Krishnamurthy  Associate Professor of Law, University of Colorado Law School, As an Individual
Brenda McPhail  Acting Executive Director, Master of Public Policy in Digital Society Program, McMaster University, As an Individual
Teresa Scassa  Canada Research Chair in Information Law and Policy, Faculty of Law, Common Law Section, University of Ottawa, As an Individual

4:20 p.m.

Professor of Law, Canada Research Chair in Internet and e-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

I must admit that I'm genuinely surprised at how hard it becomes. I think part of it is because, as you will see throughout the course of these hearings, you end up with people coming from all different perspectives. This isn't a big political winner. I don't get that sense. I think it's critically important legislation, but it's not the thing that is seen as necessarily driving votes, so it tends to slip. We've seen it with this legislation.

Even with PIPEDA, with a mandatory five-year review, we got that first review after five years and it took years before those recommendations were acted on. We have never really seen an effective subsequent review since.

I think it's fairly clear that whatever choices are made now, you need to be prepared to say you're comfortable that these will be the rules in 2035, or maybe even in 2040. That means doing your best to get it right and not doing your best to get it fast.

4:20 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

On that note, we have a third section here. It seems to be hastily put together. It seems we didn't have public consultation.

Is it in Canada's best interest to be first out of the gate on AI legislation?

4:20 p.m.

Professor of Law, Canada Research Chair in Internet and e-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

It's in Canada's interest to get right what is a critically important issue—appropriate regulation of artificial intelligence. The idea that we want to race ahead with no consultation is just the wrong way to do something that all Canadians have an active interest in. We saw the government do the same on the generative AI guardrails, which were conducted privately, in secret, over the summer, and then rushed out with practically no public discussion.

When we look at some of the developments taking place around the world, we see that it becomes essential in terms of the kinds of protections Canadians might get with AI systems as well as some of the economic interests driven by the adoption of AI. We want to ensure that we contribute to that global conversation, and that some of our rules are broadly consistent with where things are headed, provided that they meet the kinds of standards that we're looking for.

In this instance, it's hard to figure out what the government is doing, other than that it raced out a sort of skeleton piece of legislation, got criticized for the lack of consultation and the lack of detail, and now says, “Okay, we'll provide more detail that makes it look a little bit more like Europe”, but we don't even have the language on that yet either.

4:20 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

I'm going to ask you a broad question—fundamental, though.

Who owns Canadians' data?

4:20 p.m.

Professor of Law, Canada Research Chair in Internet and e-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

We, as individuals, of course, ought to be the ones who own and certainly control our own data. That doesn't mean we can't make decisions about how organizations use that information, but what it requires is legislation that ensures we have that effective control, that it's informed—you heard several witnesses talk about the problems with things like implied consent—and that there are real penalties when organizations run afoul of what they've committed to Canadians or to the law itself.

4:20 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you, Mr. Geist.

4:20 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much.

Mr. Gaheer now has the floor for six minutes.

October 26th, 2023 / 4:20 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you, Chair.

Thank you to all the witnesses for making time for the committee, and for their testimony.

My questions are for Ms. McPhail.

In the brief that you co-authored and submitted to the committee, you recommended that Bill C-27 be amended to “Ensure continued and appropriate protection of de-identified and 'anonymized' information”. We spent our last committee meeting on Monday with witnesses who talked about the definition maybe being too stringent, the fact that we've raised the bar too high.

What are your concerns regarding the protection of de-identified information and of anonymized information in the CPPA, and how can it perhaps be amended to address your concerns?

4:20 p.m.

Acting Executive Director, Master of Public Policy in Digital Society Program, McMaster University, As an Individual

Dr. Brenda McPhail

I think there will always be differences of opinions as to whether definitions are sufficiently stringent or overly weak.

What would address our concerns? There are three categories of concerns that we have around de-identified and anonymized information. The first is that the definition has been weakened between Bill C-11 and the current iteration, Bill C-27. In the past definition, it included indirect identifiers. You can identify me by my name, but you can also identify me if you have a combination of my postal code, my gender and a few other factors about me. To truly de-identify information to an adequate standard where re-identification is unlikely, I believe—and my co-submitters believe—that the definition should include indirect identifiers.

To some degree, that definition has been weakened because Bill C-27 includes the addition of a new category of information: anonymized information. The problem with that new category is that technically people agree that it's extremely difficult to achieve perfect and effective anonymized information, and by taking anonymized information out of the scope of the bill, what we do is remove it from the ability of the Office of the Privacy Commissioner of Canada to inspect the processing that has happened to ensure that it has been done to a reasonable standard.

Like some of the witnesses you heard from—who would disagree with me about whether or not definitions should be stronger or weaker—I think we all agree on the reality that when personal information is processed, whether it is used to create de-identified information or anonymized information, there should be some checks and balances to make sure that the companies doing it are doing it to a reasonable standard that is broadly accepted. The way to achieve that is by including the ability within the bill for the Office of the Privacy Commissioner to inspect that processing and give it a passing grade, should that be necessary.

The last piece of concern we have with anonymization, which makes that scrutiny even more important, is that the bill conflates anonymization with deletion. It was introduced to great fanfare when this bill was put forward that individuals would now have a right to request deletion of their personal information from the companies with which they deal.

That right, I believe, is rendered moderately illusory. Certainly members of the public would not expect that if they ask for their information to be deleted, an organization could say, yes, they'll do that, and then simply anonymize the information and continue to use it for their own purposes. If we are going to allow anonymized information to be equivalent to deletion, again, it's incredibly important that we are 100% certain that the equivalency is real and valid, that truly no individual can be identified from that information and that it's not going to harm them in its use after they've explicitly exercised their right to ask for deletion.

4:25 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Are you saying that there are levels to how anonymized data can be? If it's de-identified or anonymized, that would imply that you can't identify the person from it. Are you saying that even after meeting the bar of what this legislation puts forward, there are companies or individuals who can piece that together to find out the identity of that individual?

4:25 p.m.

Acting Executive Director, Master of Public Policy in Digital Society Program, McMaster University, As an Individual

Dr. Brenda McPhail

Roughly speaking, de-identified information should make it highly unlikely that an individual can be identified. Anonymization should make it impossible. However, there are really important technical conversations happening about whether it's truly possible in our big data age, where we have data brokers who advertise that they have thousands of data points on up to two million or two billion people, that some recombination of data wouldn't facilitate re-identification. It's unlikely. It's not a risk that should be at the top of our consideration, but it should be there.

If this bill is to provide appropriate protection for people, ensuring that the technical standards of anonymization.... Computer science is a changeable field, and these standards change over time. Ensuring that someone has the oversight to ensure that the standards being used are appropriate in the circumstances is fundamentally important.

4:25 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you.

Chair, how much time do I have left?

4:25 p.m.

Liberal

The Chair Liberal Joël Lightbound

You're out of time, Mr. Gaheer, but I'm willing to let you go if you have one short question.

Your questions are good.

4:25 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

This is not a short question. It's about the exemptions to consent.

I know the witnesses talked about the “legitimate interest” exception. Quickly, I will shorten the question down.

I don't think that without that exception we would have things like Google Street View, so I want to get Ms. McPhail's view on the “legitimate interest” exception, because I think that without that you can stifle innovation in unforeseen ways.

4:25 p.m.

Acting Executive Director, Master of Public Policy in Digital Society Program, McMaster University, As an Individual

Dr. Brenda McPhail

I think it's an interesting question about the way the “business activities” exemption and the “legitimate interest” exemption can interact, along with the question of implied versus explicit consent. It's very difficult to answer this question in a few seconds.

Broadly speaking, if we are to allow organizations to decide whether or not it's in their legitimate interest, then at a minimum we need to enhance the accountability and transparency measures, so that it doesn't happen without the knowledge or consent of individuals, and there is a requirement for organizations to justify to the public why they believe this information is in their legitimate interest to collect, and how they're protecting it.

4:30 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much.

Thank you, MP Gaheer.

Mr. Lemire now has the floor.

4:30 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you, Mr. Chair.

I'd like to thank all the witnesses.

Mr. Bennett, in your February 12, 2021, submission to the public consultations on Bill C‑11, you distinguished between the concepts of interoperability and harmonization. I believe this is particularly germane to the subject before us, because these two concepts can be confused. You showed the difference between the two with an example I'd like to quote:

For instance, the processes for doing PIAs should be interoperable between the federal government and the provinces. If an organization does a PIA under the authority of one law, it may need the assurance that the PIA will also be acceptable in another jurisdiction. But that does not necessarily mean the harmonization or convergence of rules.

First, can you provide us with a definition of these two distinct concepts?

Second, can you tell us whether the provisions of Bill C‑27 promote the interoperability of processes among the various levels of government or rather the harmonization of rules?

4:30 p.m.

Professor, Political Science, University of Victoria, As an Individual

Prof. Colin Bennett

Thank you for that question.

I was trying to draw, in that statement, a distinction between harmonizational convergence, which is a harmonization of text ensuring that the statutes essentially say the same thing, and interoperability, which I think means something subtly different. It means that if businesses have a requirement to do something in one province or one jurisdiction, such as a privacy impact assessment under Quebec's law 25, it will in fact be accepted by a regulator elsewhere. You can see that distinction in Canada among different provincial laws that have been worked out over time pragmatically, but it's also important to see it internationally through the GDPR.

That was the point I was trying to make. I'm not an expert on Quebec law, but I was trying to point out certain areas in Quebec's law where I think businesses would be required to do more under that law than they would under the current text of Bill C-27. Then you have to ask this question: What might be the economic impact of that across Canada if the CPPA is perceived to be lowering the standard within the Quebec legislation? That's the point I was making.

I think the particular provision on international data flows is an interesting example, because in the CPPA at the moment there's really nothing explicit for businesses on what to do when they are processing data offshore, and the vast majority of data protection laws that I know of.... This is also something that's of critical importance to the European Union when it comes to making a judgment about the adequacy, and the continued adequacy, of our laws in Canada. What happens when data on Europeans comes to Canada and then it is processed offshore elsewhere? Those are critical questions. I think there would be some concerns about that by our European friends when they come to make those judgments.

I hope that answers your question.

4:30 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you very much.

With respect to the shortcomings of the Canadian law, in an article entitled “What political parties know about you”, one thing you talk about is the factors affecting how political parties, MPs or independent candidates protect the personal information of Canadians that they may have in their possession. In the current context, Bill C‑27 makes no mention of protection of this kind.

Is the government falling short of protecting voter data and perhaps moving forward in the quest for open and transparent governance?

Do you think Canada should follow Quebec's lead and subject federal parties to the same privacy standards as organizations?

4:30 p.m.

Professor, Political Science, University of Victoria, As an Individual

Prof. Colin Bennett

Thank you for reading that work.

I first wrote about this issue about 10 years ago, when I issued a report to then commissioner Stoddart on political parties and privacy. It was obvious back then that there was a major gap in our law. Then Cambridge Analytica came along, and the issue hit the front pages, and there was a lot more attention to this.

I'll say this. It's become increasingly indefensible and untenable for political parties to be exempted—to say that they're exempted, to be clear—from provisions that businesses have to comply with, and I don't think the issue is going to go away.

The question is how that is done. An easy thing to do would be to apply the CPPA to federal political parties. That wouldn't necessarily undermine what Quebec has done, although the Quebec law, in fact, is an amendment to your Elections Act. It's by no means as far as I would want to go.

In British Columbia, the commissioner's office there has made a ruling that, in fact, that law does apply to federal political parties, as well as provincial political parties. That ruling is currently under judicial review, but you do have a real problem of interoperability, to go back to your original question, meaning that it's become absurd that the provincial political parties should have to comply with a higher set of standards in B.C. and Quebec than federal political parties federally.

I don't think that's in the interest of our political parties, either. It needs to be fixed. There need to be standards for federal political parties to comply with commonly accepted privacy standards of the kind that we are debating here with respect to businesses.

4:35 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you very much for your answer.

4:35 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you, Mr. Lemire.

Mr. Masse, you have the floor.

4:35 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

I apologize to our guests for being a little bit late. Our Conservative colleagues were up to mischief in the House today delaying things.

4:35 p.m.

Some hon. members

Oh, oh!

4:35 p.m.

NDP

Brian Masse NDP Windsor West, ON

I'm just kidding.

If I ask a couple of questions that are a little out of context, I apologize.

I'd like to start with Mr. Geist.

With the Privacy Commissioner, one of the proposed changes is the creation of a tribunal. I'm just wondering if you have any thoughts about that. I have mixed emotions on it and thoughts, subsequent to that.

I've also seen recently what the tribunal has done to the Competition Bureau, and I'm really worried that we could be in the same boat. I was told by administrative people from the department that it couldn't happen, but others are now telling me that it can happen. I'm in a bit of a vacuum of space here, and I would like your opinion on that situation.