Industry Committee on Nov. 2nd, 2023

Yes, I mean the whole thing.

Thank you.

Yes, the issue of consent has been a challenge the whole time. Even under PIPEDA and other privacy laws, an organization is not supposed to be able to refuse to provide the good or service just because you refuse to provide consent. However, they all do, and that hasn't been challenged and hasn't been enforced. As you say, with regard to Zoom and all the rest of them, they do collect the information.

We don't have a choice right now. It's all or nothing, a Faustian bargain. If you want to use this website, if you want to get a car loan online, if you want to do anything online, yes, you're supposed to read the privacy policy that Mark Zuckerberg also admitted to Congress even he doesn't read. Therefore, the organizations—that acknowledge that no one reads their privacy policies and that, yet, still collect the personal information without now, admittedly, having received informed consent—are collecting personal information in violation of PIPEDA and the other laws. No one's ever challenged that.

The only way we're going to get around it is to give each one of us a control as to who gets our information and what they're going to do with it. If I say, “Yes, Zoom, you may collect these pieces of information about me, and you will give me a receipt, an automated receipt system, so that I have proof that this is what I consented to,” then I have something to challenge it with. If the companies were held to account.... It's a challenge because most of them are outside of Canada, but other laws do have extraterritorial reach. Perhaps this one could as well, because consent is the foundation of all of this. In the EU also, it's not a whole lot better. That's one that we absolutely have to tighten up.

I personally don't think that consent should be something that we can be fatigued of. I think that consent is an ongoing process and something where, regardless of a service, the more informed you are at the outset before using it.... I recognize that there are challenges in place or that there are hurdles to getting people to actually meaningfully engage with very boring, very stuffy privacy policies. I don't think that it's really something I would conceive in terms of fatigue.

Consent fatigue I don't think is a problem. As you say, people don't read these things, first of all, because the last time I counted.... I do read them sometimes—or often. The last time I counted, for Google and its primary websites, the combined length of the privacy policies was 38 pages. It's a small book. It's bigger than a bedtime book, and it puts you to sleep faster. They're meaningless.

I challenged the Apple privacy policy to the Privacy Commissioner of Canada. He took it up, which was great. They changed some language, and that was wonderful. However, I'm under no illusions. When they change something here, they change something else there. The problem is that the law allows vague language such as “We will collect your personal information from you and about you for reasonable purposes. We are a for-profit business. Anything that improves our bottom line we think is a reasonable purpose.” It needs to be tightened up.

This is a great question.

All I know is that by leaving that language in there for any “prescribed activity”, I fear that there's too wide a catch-all. I think the language is frustratingly vague, and I worry that, without any sort of clear definition on what any prescribed activity is, that could be very much ripe for abuse. Whether that means you take that out or you provide some sort of clearer restriction on activities, I feel that there shouldn't be these large carve-outs that allow any prescribed activity to be added later on.

I think that, if you are using a system that will be gathering some sort of high volume of data, a privacy impact assessment is a good first step in terms of making sure that you're doing the due diligence, getting out ahead of this and assessing potential risks.

It's not my job to really put a timeline on anything, nor do I really understand how these processes work. It seems to me that it takes quite a while.

Again, it's not about starting over on the CPPA, I wouldn't say. It's about starting over on AIDA or about separating AIDA—or at least making some sort of decision around what to do with AIDA—which it seems most are in agreement is difficult, with “difficult” being an understatement. I don't know if I can speak exactly to the timeline question.

With AIDA...? Again, I assume it would have to do with the machinations of government. I assume that it would have to do with sending the bill back. That's within your power, I believe. Matt stated that it's within your power. It is a possibility.

I think it's something that would need more.... Matt is on the screen over there, so that would be something that perhaps.... I don't know if I could speak to timelines.

Thank you.

Speaking to the point of urgency, like I said, our community also feels some urgency, but why is the urgency so much higher in Canada than in other jurisdictions that are looking at AI? Everyone is moving forward, of course, with delineating the risks, the impacts and how to address them appropriately, but the idea that Canada must move before many of our peers doesn't make a lot of sense to me. I don't think it's going to lead to the best possible rules.

I think that, if we're looking at the timeline, at the very least we should be taking the time for a full public consultation. Consultations like that are really how we stress-test legislation and tease out the different types of problems that can occur. It's a really critical step to improving the final product. We've seen it work with other legislation. It's done on most legislation. I don't see any good reason why we skipped it here.