Thank you for the invitation to appear before this committee for its important review of Bill C-27.
This bill includes significant proposed amendments to Canada's privacy laws at the same time as it introduces a proposed oversight regime for artificial intelligence. The AIDA component warrants focused study by the committee. Certainly, as you've heard from my co-witnesses, there's a lot to consider there. However, I will restrict my comments to the privacy components.
I am a privacy and regulatory lawyer. My practice over the past 25 years has included advising private sector organizations—both for-profit and non-profit—as well as government and Crown agencies. I address all relevant areas, including individual privacy, employee privacy and health privacy.
In these introductory comments, I will focus on one impactful area of the bill, which you have heard some comments about already: de-identified and anonymized information. I'm hoping to provide some clarification as well as my thoughts on how the proposed provisions can be improved.
The proposed treatment of such information in Bill C-27 is critically important. Firstly, it clarifies a category of information that, while not being fully identifiable and therefore available for specific uses without consent, is still deemed appropriate for protection under the law. Secondly, it provides for a category of anonymized information that can be used more broadly for research purposes, innovation and policy development.
The first category, de-identified information, is governed by all of the law's privacy protections, subject to certain specific exceptions. Conversely, the second category, anonymized information, is stated to not be subject to the law. However, as I will mention, this stipulation—that it's not subject to the law—is not the end of the story. The law will and should continue to provide oversight over anonymized information. This is a point that is sometimes missed. I certainly heard it raised as a concern in previous comments. I think it's very important to understand that, however we define the term—and we've heard a number of comments here—it will continue to be subject to the law.
I have a number of recommendations for improvement.
First, with respect to de-identified information, the definition should be amended to stipulate appropriate processes to ensure no person can be directly identified from the information. Additionally, proposed section 74 of the CPPA, which addresses technical and administrative protections, should be amended to include, as an additional criterion, the risk of re-identification.
Secondly, the definition of anonymized information should be amended to make more explicit the processes required for anonymization. With its Law 25, Quebec got it right in this area. I recommend aligning with Quebec's approach, which stipulates that the generally accepted best practices for anonymization should be those set out in appropriate regulations. Such regulations should include transparency, risks of re-identification, accountability and guardrails for downstream uses. The Quebec law also recognizes that it is not possible, from a practical perspective, to say that anonymized information cannot be re-identified. The CPPA provision should reflect the same approach. Additionally, there should be a requirement for the organization performing any anonymization process to conduct a re-identification risk analysis. This is a proposed requirement in Quebec's regulations governing anonymized information.
Thirdly, the applicability of the law's protections for de-identified information is a bit of a complicated area. I can certainly go into it in more detail during questions, if you like. Currently, the CPPA provides that de-identified information is personal information, except for certain provisions, where it will not be considered personal information.
This is the wrong approach. Instead, as recommended by the OPC, a simple statement should be made that all de-identified personal information remains personal information. Also, the list of exceptions in the bill is confusing. To make it simpler and clearer, many of the exceptions should be omitted entirely—they are not needed. I can explain that in more detail if you wish.
My final comment is to address, as I mentioned a couple of minutes ago, a concern voiced by some stakeholders that the statute's anonymization regime should be made expressly subject to oversight by the Privacy Commissioner. I know you've heard that from at least one witness and maybe others here. In my view, such a provision is not required. The commissioner will have oversight over an organization's compliance with the anonymization rules, whatever they are. Also, and very importantly, if anonymized information does become identifiable—and that's this whole risk of re-identification—all of the statute's protective provisions again will apply with full vigour, and the commissioner will have oversight. Actually, there are two routes whereby the commissioner will or may continue to have oversight.
In sum, my recommendations are as follows.
First, the definition of “de-identified” information should be made more rigorous, including addressing the risk of re-identification. Secondly, the definition of anonymized information should be amended to make more explicit the processes required to achieve anonymization, and these should be set out in regulations, including a requirement for risk assessment. Finally, the regime for applicability of the CPPA's protections for de-identified information should be made clearer, in particular, stating that all such information remains personal information.
I will be happy to elaborate and answer any questions you have regarding these comments or any other provisions of the bill.