Evidence of meeting #96 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Alexander Jarvie  Partner, Davies Ward Phillips & Vineberg LLP, As an Individual
François Joli-Cœur  Partner, Borden Ladner Gervais, As an Individual
Scott Lamb  Partner, Clark Wilson LLP, As an Individual
Carole Piovesan  Co-founder and Partner, INQ Law, As an Individual
David Young  Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual

4:20 p.m.

Rick Perkins Conservative South Shore—St. Margarets, NS

In the context of de-identified....

4:20 p.m.

Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual

David Young

That's right. Half of them in their language use the term “de-identified information”. You don't have to turn around and say it isn't “not personal information”. It just reads that way. That's really what I'm talking about.

4:20 p.m.

Rick Perkins Conservative South Shore—St. Margarets, NS

Okay, I have another question, if I can.

The Chair Liberal Joël Lightbound

I'll be generous, Mr. Perkins. You have one last question.

4:20 p.m.

Rick Perkins Conservative South Shore—St. Margarets, NS

Mr. Young, you also said all de-identified...needs to remain personal. Can you explain why that's important and it's not done in the act?

4:20 p.m.

Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual

David Young

It's essentially the same point. I was just leading on from that point I just made. It goes back to Bill C-11, which really tried to suck and blow at the same time. It defined a term of “de-identified information”, which if you read it, inherently said it's outside the statute, because it's not personal information—it cannot reasonably identify an individual. However, the statute went on to actually have several provisions, really some of which are still here, that said these apply; these are rules for de-identified information. That was crazy.

I'm sorry, but I lost track. Ask your question again.

4:20 p.m.

Rick Perkins Conservative South Shore—St. Margarets, NS

De-identified information needs to remain classified as personal information.

4:20 p.m.

Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual

David Young

It's personal information. That's the point. The point is that there are really three levels: personal information, de-identified information and anonymized information. There are different levels of identifiability, let's call it.

Personal information is fully identifiable. De-identified information, consistent with both the GDPR and the law in Quebec, does not include a direct identifier, but it may be re-identified. It has a risk of impacting individuals. The statute says that it is still personal information.

However, it has certain specific exceptions that are totally taken out of the view of the statute. The way it reads now is that it continues to be personal information. You don't need to say that. You can just say that it is de-identified information.

That means that, one, it is personal information and two, it's governed by the statute. That is de-identified information.

The anonymized level is theoretically outside the application of the statute altogether, but as I mentioned, that isn't the whole story; there are still rules that apply to it.

4:20 p.m.

Rick Perkins Conservative South Shore—St. Margarets, NS

Thank you very much.

The Chair Liberal Joël Lightbound

Thank you very much.

Over to you, Mr. Turnbull.

Ryan Turnbull Liberal Whitby, ON

This is really great testimony today. Thank you very much. I'm finding this very interesting and I really appreciated your opening remarks. Thank you all for being here.

Mr. Lamb, I want to go back to something Mr. Perkins was asking you about. I know he was trying to budget his time and you didn't quite finish what you were saying, but I just want to go back to it for a second with regard to your point of view on implied consent.

I think you were starting to say that if you didn't have implied consent, you'd need to have stronger legitimate interest clauses in there, perhaps. I don't want to put words in your mouth.

Maybe you could just go back and finish your thought on that and just spell that out for us.

4:20 p.m.

Partner, Clark Wilson LLP, As an Individual

Scott Lamb

I think you would have to get to the GDPR standard of a stand-alone right. If you don't have implied consent, you're going to go for a stand-alone right for that legitimate interest.

Ryan Turnbull Liberal Whitby, ON

Could I just follow up on that and ask if you do agree that implied consent needs to be in the current bill?

November 9th, 2023 / 4:20 p.m.

Partner, Clark Wilson LLP, As an Individual

Scott Lamb

I'm fine with the structure as it is, with legitimate interest as an exception. I think that's a balancing. If you get rid of implied consent, I think you're heading down the path, then, of a stand-alone right.

Ryan Turnbull Liberal Whitby, ON

Ms. Piovesan, I appreciated your comments as well, with respect to the new exceptions to consent. It sounded as though you were very supportive of that approach. You mentioned legitimate and beneficial purposes as being reasonable. I think you said “reasonably measured”. Can you explain what you meant by that a bit more?

4:25 p.m.

Co-founder and Partner, INQ Law, As an Individual

Carole Piovesan

Well, there are safeguards that are put in place for the use of that exception. There is a test that needs to be met, depending on the exception that you're going to apply. There are safeguards, such as a legitimate interest analysis, that are detailed in the draft bill. All of that is in addition to requirements for a privacy impact assessment or something that looks like it.

There is an analysis that has to go into effect. In addition, at first instance, you have to meet the threshold test of reasonableness. Is the use or collection within the reasonable expectation of the individual?

Ultimately, you may have to submit that brief to the Privacy Commissioner if there is a question.

This is all to say that there are reasonable safeguards put in place to prohibit the flagrant misuse of that consent exception.

Ryan Turnbull Liberal Whitby, ON

Mr. Young, I saw you nodding your head. Do you agree with that as well?

4:25 p.m.

Principal, Privacy and Regulatory Law Counsel, David Young Law, As an Individual

David Young

I agree with it, yes, absolutely.

Ryan Turnbull Liberal Whitby, ON

That's good.

Carole, you made comments as well about the AIDA portion of the bill. I know our focus has been on the privacy and the PIPEDA modernization portion, but I want to ask you about that, since we have you here today.

I think what you were saying in your opening remarks was that the high rewards or high benefits of these AI systems also come with risks, and I take the point very well that risk and reward often go together.

Can you speak to the risk-based approach and describe that a little more? You mentioned in your opening remarks how important that is to AI governance.

Can you explain that a bit more, so that we have it on the record?

4:25 p.m.

Co-founder and Partner, INQ Law, As an Individual

Carole Piovesan

It's consistent with the point I was making earlier. If you look at jurisdictions such as the United States and the EU, the EU has a robust artificial intelligence act that is to be passed, we're told, any day now.

Look at the Canadian context. The application of a governance framework is triggered when there is a high-risk scenario, meaning that not every single AI system will be subject to the same kind of oversight and rigour as a system that would fall within that high-risk category. That allows for a little more flexibility in the way we manage high-risk use cases. It does put more emphasis on a thoughtful approach to the types of intended purposes these systems are put to.

Ryan Turnbull Liberal Whitby, ON

That makes a lot of sense to me. Otherwise, you might over-regulate and not get the benefit from some of these systems. I think that's a real risk in terms of this legislation, wouldn't you say?

4:25 p.m.

Co-founder and Partner, INQ Law, As an Individual

Carole Piovesan

I would agree with that.

Ryan Turnbull Liberal Whitby, ON

Going back to what you were saying about the EU's legislation and work, which seems to be the gold standard that people keep referring to, how would our approach in AIDA align with the AI laws in the EU?

4:25 p.m.

Co-founder and Partner, INQ Law, As an Individual

Carole Piovesan

At its core, it is similar in that it takes a risk-based approach to governing artificial intelligence. Our draft law is much more bare bones than what you see in the EU context. The EU AIA, the artificial intelligence act, is far more prescriptive than what we have in AIDA. There are some distinct differences between our approach and our draft law and theirs.

At the core, we're looking at a risk-based approach that seeks to govern the data inputs, the models themselves and the outputs of those models throughout the life cycle of the AI system. At its core, that is consistent not only with the EU but with approaches we see in the U.S. as well.

Ryan Turnbull Liberal Whitby, ON

I'm concerned that AIDA is going to be out of date by the time it's developed, just because of how fast the generative AI space is evolving. You mentioned this in your opening remarks as well, the amount of data being processed, how complex these systems are and how fast they're evolving.

Does that necessitate a really flexible approach? I think, from my perspective, that our approach started with a container, and then we heard from the minister that there were amendments coming. Is that the right approach to take, from your point of view, given how fast the space is evolving?