Evidence of meeting #96 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was aida.
A recording is available from Parliament.
Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual
No. I would phrase it this way, Mr. Masse. It will impact companies, because it will be more costly, more complicated or whatever to come up with the compliance mechanisms. That's the biggest impact on organizations' collecting data if we don't align the standards.
NDP
Brian Masse NDP Windsor West, ON
I'll let you finish on this, because I would like other witnesses to talk about this, as well, if they'd like to get in on it.
I want your opinion on an AI commissioner being independent, almost like an officer of Parliament.
Do you have an opinion on that? I would like to invite comments from the other witnesses. This would be having an AI commissioner as an independent regulator, similar to the Auditor General, outside of the political influence of the minister to make rulings.
What are your thoughts on that, and do you have an opinion on that? I'll also turn it over to other guests who are at the table there.
Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual
Are you asking me? Okay.
Yes, the commissioner should be independent, absolutely, and appointed by Parliament.
NDP
Partner, Davies Ward Phillips & Vineberg LLP, As an Individual
Sure, I will. This was part of my opening statement.
It's actually imperative that we have some independence from the ministry for the artificial intelligence and data commissioner. A parliamentary officer sounds like a good way to effect this, as long as it's at arm's length in some way, so that there is someone outside the ministry who is going to be looking after all these regulations and actually calling them on it.
NDP
Brian Masse NDP Windsor West, ON
Would you prefer that to be drafted as a component of the law, or should it be separate from that? That would be even more challenging at the moment. Do you think it can be done within the current construct of the law?
I'll get legal advice on that, as well. I'm pretty sure it can be, from what I understand, but I want to make sure. The Privacy Commissioner and the Competition Bureau are a bit different, but this might be baked more into the data itself.
November 9th, 2023 / 4:40 p.m.
Partner, Davies Ward Phillips & Vineberg LLP, As an Individual
I don't want to overstate what I know would work or wouldn't work as a mechanic in terms of embedding it in the law. I think it would, but take that with a grain of salt, because I'd have to do my own legal analysis on that.
NDP
Brian Masse NDP Windsor West, ON
That's fair enough.
I'd also like to ask whether anybody has any strong opinions on the ethics tribunal. I'd like to hear about that if somebody has an opinion on the ethics tribunal.
Liberal
The Chair Liberal Joël Lightbound
Mr. Masse, I think you have ethics on your mind, because it's the privacy tribunal.
NDP
Brian Masse NDP Windsor West, ON
I do. Thank you. After my last experience at the ethics committee, it's taking a long time to scrub that. I don't know if anybody watched it. Yes, it's the privacy tribunal.
Thank you, Mr. Chair, for your assistance. I don't know how much time I have left—it's probably just a minute or so—but if anybody wants to jump in on that, that would be great. If not, we can move on.
Partner, Clark Wilson LLP, As an Individual
I would just reiterate my initial comments that I support a separate tribunal. Despite the misgivings of the Privacy Commissioner, I think that would be a useful forum and protection for the development of the law in this area.
Liberal
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Thank you, Mr. Chair, and thank you to all of the witnesses for some excellent testimony and comments today.
Mr. Lamb, I have a quick point of clarification. I believe you said in your opening statement that under proposed subsection 18(1) of the bill, an organization would not be able to transfer that data to another organization.
Is that correct?
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
In previous meetings, we have heard that there are some loopholes in this legislation regarding data portability, specifically as it relates to the transfer of data abroad.
I have a hard time understanding that interpretation of the legislation in the context of proposed section 20, which is “De-identification of personal information”, and proposed section 19, which is “Transfer to service provider”, where an organization may transfer an individual's personal information to a service provider without that individual's knowledge or consent.
Am I misunderstanding the legislation here? What is your understanding of what I just stated?
Partner, Clark Wilson LLP, As an Individual
I think your concern is correct, and I do worry about the wording, particularly in proposed subsection 18(3).
The member of Parliament, Mr. Perkins, raised that issue. I think you should delete the word “internal” from that proposed subsection 21. I am concerned about the ability to pool.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Thank you.
You touched upon the GDPR in some of your comments as well. This question relates to a debate that's starting to form—we haven't really touched on it too much—between privacy by design and.... Unlike the European Union's GDPR, the CPPA does not contain an explicit reference to the concept of privacy by design.
In the Office of the Privacy Commissioner of Canada's submission on Bill C-27, the commissioner recommends that the CPPA require organizations to implement privacy by design measures for a product, service or initiative from the earliest stages of development.
During their appearance before the committee, however, government representatives indicated that several elements of the CPPA, such as the fact that it requires organizations to develop a privacy management program, mean that the concept of privacy by design is already embedded in the legislation.
Do we need something similar to the GDPR, where it's explicitly stated, or is the current approach of privacy management as contained in proposed section 9 going to work okay?
Partner, Clark Wilson LLP, As an Individual
I think the privacy management program effectively does deal with privacy by design. It forces organizations to develop their policies. It forces organizations to consider privacy impacts. I think overall that achieves what you want.
If we didn't have privacy management programs, then I think you would have to have something like privacy by design to ensure that we're developing a culture in all organizations that recognizes the impacts of privacy on individuals.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Thank you.
Ms. Piovesan, I understand you played an active role in some of the consultations undertaken for this legislation prior to its being tabled.
In previous meetings, I have focused very extensively on the rights of children in this legislation. Why was the fundamental right to privacy specifically for children not included in the legislation originally?
My second question would be about the fact that, under the legislation as it stands right now, information related to children is deemed to be sensitive information, yet the legislation lacks a definition of what sensitive information is.
Can sensitive information as it relates to children be de-identified and de-anonymized under this bill, or if the information is sensitive, can it never be touched?
Co-founder and Partner, INQ Law, As an Individual
To the first point, I don't know. I don't know why it wasn't included in the original draft, so I don't have an answer to that. It wasn't part of the consultations that I was part of.
To the second point, sensitive information has always been, and remains, a contextual analysis of factors that look at things like health information, financial information and the degree to which there are elements of the information that should be protected.
Conservative
Co-founder and Partner, INQ Law, As an Individual
Biometric data would constitute sensitive information as well. By and large, thinking about the contextual analysis, I would typically include that there.
If you look at Law 25 in Quebec, you will see a definition of sensitive information that I think can be very informative, so to my fellow witness's point, I think that is important.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Would it be your position that we should adopt a definition of sensitive information that is similar to the Quebec law and include it in Bill C-27?