Evidence of meeting #93 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was organizations.
A recording is available from Parliament.
5:45 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Villemure.
I'll now yield the floor to MP Van Bynen.
I'm sorry. I skipped you in the last round, but the floor is yours, MP Van Bynen.
I went from Mr. Falk to Mr. Villemure, but it should have been MP Van Bynen.
5:45 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Thank you very much.
My question will be for Ms. Krugel.
Particularly with respect to the Canadian Bankers Association, what barriers would an organization have to overcome to meet the new obligations under the consumer privacy protection act?
5:45 p.m.
Vice-President, Privacy and Data, Canadian Bankers Association
Are you asking what the net new obligations are compared with those of today?
5:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Yes. How substantive are they in terms of implementation, and what would it take?
5:50 p.m.
Vice-President, Privacy and Data, Canadian Bankers Association
There are a number that are actually quite substantive. PIPEDA is very principles-based. Organizations have been able to scale what they do according to the circumstance.
The CPPA takes inspiration from the GDPR and the law in Quebec, and some of the key concepts are very prescriptive. Some of those can be very.... It can take a lot to implement. For example, relating to the automated decision system, this is a provision that goes beyond what the GDPR and Quebec do. Both Quebec and GDPR only focus on scenarios that are exclusively automated, and the organization would need to tell the individual when a decision is solely automated.
Under the CPPA, organizations will have to consider all of the automated systems, which could be AI systems or even an Excel spreadsheet that is automated, and have an understanding of whether they assist in the decision-making or in making a prediction or a recommendation. There's a lot.... The organization would need to take a look at almost everything they do and be prepared to provide explanations to individuals. With respect to training and understanding all of these processes, it can be quite cumbersome.
That's one element.
5:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
There's a discussion about a two-year cycle for implementation. Is that correct?
5:50 p.m.
Vice-President, Privacy and Data, Canadian Bankers Association
Yes. Some of these requirements—any changes to consent and anything that requires changes to a system—can have a very long runway, particularly in larger, complex organizations. Even printing out new consent forms and ordering paper can be very time-consuming, as well as getting access to legal experts to make sure you understand the requirements, particularly if there are differences between federal and provincial requirements—and technology resources as well. There are scarce resources that need to be shared among all organizations to be able to understand requirements to comply.
5:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Proposed sections 76 to 81 of the consumer privacy protection act would provide for a procedure allowing organizations that are subject to the act to create codes of practice and certification programs that would go to the Privacy Commissioner for approval.
Would your organization submit a code of practice to the Office of the Privacy Commissioner that would apply to all of your members? Would that be your intention?
5:50 p.m.
Vice-President, Privacy and Data, Canadian Bankers Association
It would depend. Certainly a code of practice could be beneficial if there were a certain area where there was a potential for differing interpretations of what is required. It could set out rules that organizations would follow.
Basically, there would be additional trust provided by the Privacy Commissioner, to say this is the type of approach that would be supported under the CPPA. It could provide trust to consumers that it has been reviewed, and also trust and certainty to organizations. Whether or not the Canadian Bankers Association would choose a specific code of practice, we haven't gone down that far just yet.
5:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Okay.
I understand that your organization does have codes of practice in terms of certification for investment advisers, etc.
5:50 p.m.
Vice-President, Privacy and Data, Canadian Bankers Association
No, it's not under the Canadian Bankers Association. The banking industry does have some codes of practice, and I think it's also with respect to credit practices.
5:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
I'd like to go with the same question to Ms. Clodman.
In terms of your organization, would you be instituting codes of practice that would be subject to the approval of the Privacy Commissioner?
5:50 p.m.
Vice-President, Public Affairs and Thought Leadership, Canadian Marketing Association
We haven't made a final decision yet about that.
We were talking about a code of practice around marketing. We already have the “Canadian Marketing Code of Ethics & Standards”, and also possibly one related to the use of children's data. Again, we have that in place and have had it for many years.
5:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
That is the reason I wanted to approach you on that. You have established your own code, so I was trying to determine your intent with respect to setting the same standards.
Setting up those certificate programs goes back to the values-based principles that you want organizations to accept. I was trying to get a better understanding as to whether or not the two organizations that you represent would be pursuing the values-based principles in applying...your consideration as to how you would go forward with this.
Go ahead.
5:50 p.m.
Vice-President, Privacy and Data, Canadian Bankers Association
With respect to a code of practice, we understand, too, that there might be certain very narrow scenarios that could really benefit from a code of practice. For example, information sharing could be something that's very specific.
Generally speaking, for the banking sector, each of our banks has very robust privacy management programs already in place under PIPEDA, so we wouldn't necessarily look to create a code of practice for all compliance for the CPPA, although we could see some very good benefit for small and medium-sized businesses, for example.
5:50 p.m.
Liberal
The Chair Liberal Joël Lightbound
You're over by a minute and 20 seconds, Mr. Van Bynen. Thank you very much.
For our final round of questions, I'll yield the floor to Ms. McPherson.
5:50 p.m.
NDP
Heather McPherson NDP Edmonton Strathcona, AB
Thank you very much, Mr. Chair.
Again, thank you to all the witnesses for their testimony today.
Mr. Balsillie, in your brief, you recommended establishing a complaint-funding mechanism to help finance legal proceedings brought by individual or group complainants and/or public interest organizations seeking remedies against organizations for alleged contravention of the CPPA. Can you explain why this is important and why it's essential to this regulatory process?
5:55 p.m.
Founder, Centre for Digital Rights
There's a structural asymmetry in the nature of this evidence, where you click a consent where somebody writes a sophisticated consent and then somebody does click, or the individual doesn't have the ability to exploit their data, but a large company can. There's also a marked failure in the ability to follow through on a complaint. What you're really trying to do here is create rebalancing mechanisms so that the public good is served.
5:55 p.m.
NDP
Heather McPherson NDP Edmonton Strathcona, AB
To make sure I have this right, could you explain why a private right to action is important, as has been the case in other jurisdictions, such as the United States?
5:55 p.m.
Founder, Centre for Digital Rights
An individual who thinks they've been harmed has the ability to file a complaint and use the judicial system to say that they've been harmed and not appeal to a busy regulator that is grappling with budget constraints, multiple priorities and possibly different points of view based on their circumstance.
5:55 p.m.
NDP
Heather McPherson NDP Edmonton Strathcona, AB
Thank you.
Perhaps our guests from the CLC would also like to comment on that.
October 31st, 2023 / 5:55 p.m.
Executive Vice-President, Canadian Labour Congress
I'm sorry. Could you repeat the question for me?
5:55 p.m.
NDP
Heather McPherson NDP Edmonton Strathcona, AB
It's about the idea of using a complaint-funding mechanism to help finance legal proceedings. The question is whether or not you would be in agreement with that.
