Evidence of meeting #92 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was commissioner.
A recording is available from Parliament.
4:50 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Thank you so much, sir.
We're going to work to ensure that the best interests of children are included in this legislation.
4:50 p.m.
Associate Professor of Law, University of Colorado Law School, As an Individual
Thank you.
4:50 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Vis.
I'll now turn over the floor to Mr. Van Bynen.
MP Van Bynen, I believe we have an issue with your audio. Is your boom properly placed?
4:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Thank you. I'm sorry. It wouldn't be the first time we've needed to lower the boom in this environment.
In any event, the information has been very informative, and I very much understand and appreciate the concern for consent and privacy.
One of the things I heard earlier was the risk of reticence. If we become too strident in the way we manage data, are we going to be losing innovative opportunities? Are we going to be losing legitimate business opportunities? How can that be structured so that we can balance the interests of both?
I'll start with Mr. Krishnamurthy.
4:50 p.m.
Associate Professor of Law, University of Colorado Law School, As an Individual
I don't think we should view this as a competition between innovation and privacy. The two can be harmonized. The question is, how do we get responsible innovation that respects what I believe is the fundamental human right to privacy that all of us enjoy?
I think it is very instructive to look at what has happened in the European Union since the enactment of the GDPR, which has consent as one of six bases that an organization that collects, processes and uses personal data can use. Legitimate interest is a key part of the European data protection framework, and it is relied upon very extensively to provide all kinds of innovative services. In fact, in the European Union, as far as I know—and this is getting into AIDA territory—it's the main way that training data for AI is acquired.
The European law, unlike what we are thinking of here, includes many more protections around the use of those exceptions to consent. When we are relying on those exceptions in order to get business activity or other forms of innovation, I think it's very important that there are, for example—and I've mentioned this before—data protection impact assessments, to think very carefully and evaluate very carefully the interests of the data processor and what they are doing versus the interests of the people whose data is being processed.
Especially when it comes to data that is sensitive, those protections are extremely strong in the European approach, and this goes to Professor Bennett's point in response to another honourable member's question about interoperability versus harmonization. We can make our law interoperable with other laws, but maybe here is an area where a bit of harmonization with Europe would be good, to protect the privacy rights of Canadians but also to allow us to do business on a transatlantic basis, because we are going to have that strong level of protection that one of our leading trading partners has as well.
4:55 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
How would we strengthen the protection of the international transfer of data?
4:55 p.m.
Associate Professor of Law, University of Colorado Law School, As an Individual
I believe this is a question that may be best addressed to Professor Bennett, who has thought about this more than I have.
4:55 p.m.
Professor, Political Science, Unversity of Victoria, As an Individual
Historically, there are two ways you can do this. You can do it the way that is included in PIPEDA, which is to put the onus on the organization to ensure that, when data is transferred anywhere to a service provider, whether that is in Canada or elsewhere, the same legal protections apply. The problem with that approach is that it relies on contract or other business-to-business agreements, and the individual tends to be excluded from that arrangement.
The other approach is to do what the Europeans have done over the years, which is a legal test, a jurisdiction-to-jurisdiction approach, which is to say, “These are the countries around the world to which personal data might be safely transferred.” The disadvantage with that is that it's a lengthy approach. It's highly legalistic. At the end of the day, it doesn't do a lot to ensure that the data is protected on the ground.
The short answer to your question is that it's complex. As I said, I think the approach that says that when a business is transferring data to a service provider, whether that's in Canada or offshore, it has to do an assessment, not only an assessment of what the company is doing but also an assessment of the legal and political environment.... For economic reasons, our businesses transfer personal data on Canadians to countries around the world that do not have proper privacy protection and, in some cases, have questionable human rights records. I think Canadians would be pretty annoyed about that if they knew it was happening.
A business should have to assess that. This is essentially what the Quebec law says. Do a privacy impact assessment—actually, broader than a privacy impact assessment—and be ready to demonstrate accountability for that data if and when a regulator comes calling.
That would be the compromise approach that I would suggest, but, at the moment, a business looks at this bill and says, “I want to transfer that data overseas. I want that data to be processed overseas. What do I have to do?” It's not clear. There's nothing there. Most legislation, as I said, has a section on international data transfers, and I think that would be something I would strongly advise.
4:55 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
With respect to the speed at which this is being addressed, I've often heard that perfection is the enemy of progress. The reality is that the genie is out of the bottle with respect to data processing and with respect to the Internet, and the swift emergence of AI is a matter of concern.
I've heard a lot of things about what is not right in this bill. Can you tell me three things in the bill that we absolutely need to safeguard to make sure that it's effective and that it accomplishes the intent of protecting the privacy of data?
4:55 p.m.
Professor, Political Science, Unversity of Victoria, As an Individual
On the powers of the commissioner, there are several things in the bill about the new powers of the commissioner, the penalties and the sanctions, etc., that I think are improvements and for which advocates have been calling for a long time.
The current situation in PIPEDA, where the Privacy Commissioner really just has recommendation powers, has been untenable. Many of us have been saying this for a very long time. Michael Geist testified back in the day and so did I. To give the Privacy Commissioner more teeth, more bite, is a clear improvement, not only in terms of fines and administrative penalties, but also some of the other things in the bill that he is able to do.
I'd just leave it at that and perhaps my colleagues could also add.
5 p.m.
Liberal
The Chair Liberal Joël Lightbound
I'm afraid we're out of time, Mr. Van Bynen, so we'll have to stop there.
Mr. Lemire now has the floor.
5 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Thank you, Mr. Chair.
Dr. Geist, I'd like us to discuss the data the government collects.
Is this something we should be concerned about? Do people feel that the public and private sectors are equally subject to the provisions of Bill C‑27? Should we feel reassured? Is our data adequately protected, given what the various levels of government do with it?
5 p.m.
Professor of Law, Canada Research Chair in Internet and e-Commerce Law, Faculty of Law, University of Ottawa, As an Individual
A conventional way to look at the government-related collection of data is through the Privacy Act lens, which successive commissioners, going back well before even the creation of PIPEDA, have argued is insufficient and inadequate. Government has consistently failed to hold itself to the same standard that it expects of the Privacy Commissioner. We know the reason why privacy commissioners have regularly raised it, but it has rarely risen to the level of actual reform.
If the question is more around political parties and their potential application—we've had several witnesses raise this—I think if we're honest about it, it's pretty obvious why they're not included. It's because political parties have grown addicted to access to that data. They value that data and, quite frankly, they fear that if they had to actually get the same level of consent that they are expecting businesses to obtain from users, they wouldn't get that consent and it would put that data at risk.
For me, this highlights two things. First, I just think it's so obvious: If you claim that there's a fundamental right to privacy and you're going to elevate the expectations for businesses, please put up the mirror and have that same expectation for yourselves as political parties.
It also highlights why there are real challenges with the law with respect to the private sector. Just as political parties don't want to have any sort of limitations on the collection and use of the data outside of some bare bones sort of legislation, so too for lots of businesses. They would also say that they are super innovative and acting in the public interest or have a legitimate interest. We know all the kinds of language that comes out of this. Fundamentally, they don't want to have to ask for actual, informed consent because they know they might not get it.
We can see why you need to ensure in these rules that we hold those businesses to a higher standard. I'd argue that we ought to be doing the same thing for political parties.
5 p.m.
NDP
Brian Masse NDP Windsor West, ON
Thank you, Mr. Chair.
Yes, it's a critical aspect. We didn't do that on the do-not-call list. I think that's a serious void that needs to be looked at, so I appreciate those words.
I know you have hesitations on how we got here, but if you were looking at this bill from our perspective, in terms of trying to make it work, what are the key components that you would suggest right now? I'm sorry I missed your opening elements, but maybe you can build on some of that. What do we really need to do at a bare minimum to get it done?
5 p.m.
Professor of Law, Canada Research Chair in Internet and e-Commerce Law, Faculty of Law, University of Ottawa, As an Individual
I guess I will start.
Part of the problem that I see—and I think it's been echoed by some of the other witnesses, who may want to chime in—is that this omnibus approach that has combined both privacy and AI fundamentally really impairs the ability to have an effective review of the legislation as a whole. We are unsurprisingly having much of our discussion on the privacy side, which I understand. That's where the committee was driving, at least initially, but the AI rules are critically important. As we've said, we don't even have the full text associated with them, and the implications are enormous.
To me, the starting point fix for this committee is to say that this is not working the way it needs to work for the committee to do its job effectively. You want to shelve the AI portion altogether for the moment and either go back to the drawing board or say that you're going to conduct two studies or that two committees are going to conduct studies. Perhaps ETHI gets involved. There has to be some sort of mechanism where both of these different pieces of legislation get the kind of attention they deserve.
In terms of the privacy side, very quickly, on this bill, I've highlighted the political party side. I guess I would again emphasize that we will hear, and we do hear, from many of our witnesses that we need to be innovative. We can't be out of step with these things. I have to say that you need to recognize that this is going back to the hearings in the 1990s. We saw the same kind of idea that the sky is falling if you legislate in this way. You saw the same kind of comments being made in Europe when the GDPR was being developed. The reality is that businesses will adapt. They will adopt those rules and, in many instances, find competitive advantage for doing so.
I would urge you, as you go through the bill, to look for where can it be strengthened and where there are some exceptions—we heard today about many of the exceptions that are problematic—but, most fundamentally, recognize that the lens that needs to be brought here is not one of the scare tactics of “You're going to harm innovation in this country”, because that's just the basic playbook on privacy rules. It's rather how we can ensure that we have the best possible law looking a decade or two decades ahead.
5:05 p.m.
NDP
Brian Masse NDP Windsor West, ON
Just on a quick point, Mr. Chair, that's why the NDP asked the Speaker for a ruling about this bill. It's split in terms of votes in the House on the two components, the AI and the other one, because they really were inappropriate. We're going to study them together here, but the voting in the House of Commons will be separated into those two elements.
Thank you, Mr. Chair.
5:05 p.m.
Liberal
October 26th, 2023 / 5:05 p.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Thank you, Mr. Chair.
I'm sorry. I had an urgent call. I had to leave, so like MP Masse, I apologize if somebody covered this.
My first questions will be for Dr. McPhail.
I want to start by saying that we've had some interesting testimony already, and some pulling of teeth out of the minister to get the amendments he said he would make and then refused to make and then did make as drafts—which I think, in some cases on privacy, are wholly inadequate.
You know, we had Bill C-11, which the Liberal government brought in and which was flawed. They didn't listen to the privacy commissioner of the day and got responses afterwards, when it was tabled, that it was a bad bill. Then the 2021 election came along, so it died. The minister didn't listen to the testimony and brought in a flawed bill again, and let it sit in the House for a year before we debated it. Then, at the last minute, after four years of battling back and forth, he decides that maybe individual privacy matters, so we'll recognize a fundamental right.
Here's my problem with where the government is, and I think Dr. McPhail and Dr. Scassa outlined some of the reasons. If you had watched my earlier questioning.... While the Liberals are going to put the fundamental right in the “Purpose” section, the most important section, they also say the ability of an organization to use that data is basically of parallel importance in the purpose of the bill.
Then, as you've pointed out, there are issues in proposed section 12 around consent and implied consent. Quite frankly, I thought implied consent was gone a long time ago, in the 1990s, like reverse consent. Apparently, implied consent still exists here, so I can just say, “No problem, Brad. I think you would have consented to this, so I'll use it anyway.”
Then, in proposed subsection 15(5), as pointed out in the testimony we had earlier, there's a huge problem.
Proposed section 18, which I've talked a lot about, basically says, “No problem. Big business can use your data, no matter what the consent is, if it's in their interest to use it, even if it causes harm.”
Then there's proposed section 35. I brought up proposed section 35 to the former privacy commissioner last time. It says that if an organization is using your data for research or statistics, it can use the data however it wants—unidentified, directly. It doesn't say, like PIPEDA used to say, that it is for scholarly work. Those words are no longer there. It says that an organization can use it, and “an organization”, as we know, in this bill is a business.
There's a lot to fix in this bill to put the balance back on the individual. The Liberals have put the balance on big, multinational data-mining companies—Facebook, Google and others—to have the rights to do whatever they want with an individual's data. I am wondering, is it simply removing proposed section 18, the legitimate interest, that puts the balance, or do you have to make another statement of a higher level in the “Purpose" section? Do you have to get rid of proposed section 35 and replace it with what already existed in PIPEDA that's being removed here?
Maybe I could ask Dr. McPhail and then Dr. Scassa to comment.
5:10 p.m.
Acting Executive Director, Master of Public Policy in Digital Society Program, McMaster University, As an Individual
The simple answer is this: It's not simply proposed section 18; there are a series of interlocking flaws with the bill. One of the other witnesses mentioned that you have to look at this bill in a totality. The clauses work together, so there are, as you have stated, many places where amendments could be used to strengthen the bill.
Adding the fundamental right to privacy is an important one. I would reiterate my comment that it really needs to be embedded more substantively within the bill, precisely for the reason you've identified. One of the ostensible purposes of the bill is to balance what is now an individual's right to privacy with a business's interest in collecting and using information. To make sure we get that balance right, we need to make sure that the weighting of an individual's right is proportionate to the way we're looking at the business's interest. Adding that fundamental language is important, and there are a number of places—which I'd be happy to document in writing later—where I think the bill could be improved by adding it.