I don't think we should view this as a competition between innovation and privacy. The two can be harmonized. The question is, how do we get responsible innovation that respects what I believe is the fundamental human right to privacy that all of us enjoy?
I think it is very instructive to look at what has happened in the European Union since the enactment of the GDPR, which has consent as one of six bases that an organization that collects, processes and uses personal data can use. Legitimate interest is a key part of the European data protection framework, and it is relied upon very extensively to provide all kinds of innovative services. In fact, in the European Union, as far as I know—and this is getting into AIDA territory—it's the main way that training data for AI is acquired.
The European law, unlike what we are thinking of here, includes many more protections around the use of those exceptions to consent. When we are relying on those exceptions in order to get business activity or other forms of innovation, I think it's very important that there are, for example—and I've mentioned this before—data protection impact assessments, to think very carefully and evaluate very carefully the interests of the data processor and what they are doing versus the interests of the people whose data is being processed.
Especially when it comes to data that is sensitive, those protections are extremely strong in the European approach, and this goes to Professor Bennett's point in response to another honourable member's question about interoperability versus harmonization. We can make our law interoperable with other laws, but maybe here is an area where a bit of harmonization with Europe would be good, to protect the privacy rights of Canadians but also to allow us to do business on a transatlantic basis, because we are going to have that strong level of protection that one of our leading trading partners has as well.