Evidence of meeting #96 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was aida.
A recording is available from Parliament.
4:50 p.m.
Conservative
November 9th, 2023 / 4:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Thank you, Mr. Chair.
My first question is for Ms. Piovesan.
We have talked about de-identified information, but there is provision under proposed section 39 of the consumer privacy protection act that an organization has the right to disclose an individual's de-identified personal information without their knowledge or consent to entities listed in paragraph 39(1)(b) if the disclosure is made for a socially beneficial purpose.
Do you think that the definition of socially beneficial purpose is precise enough to ensure that Canadians' privacy is protected?
4:50 p.m.
Co-founder and Partner, INQ Law, As an Individual
I want to start by saying I think there is real value to being able to use data for good, so the inclusion of this provision is important and I support it.
The definition as provided relates to “health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose”. To the extent that it is not sufficient, there are opportunities to include a more defined and precise definition in the long run.
However, as an initial inclusion, I am comfortable with what we have here.
4:50 p.m.
Liberal
4:50 p.m.
François Joli-Coeur
I agree that there should be a possibility to use de-identified data for socially beneficial purposes. I think some of my colleagues on this panel have suggested extending this permission to also disclose personal information for socially beneficial purposes to more than just, essentially, public sector organizations, and even to other private organizations.
4:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Thank you.
Mr. Joli-Coeur, the government provided a written response that indicated that it expects the Quebec laws to take precedence over the federal ones, as they would be considered substantially similar. Do you believe this bill will generally align with Quebec law?
4:50 p.m.
François Joli-Coeur
Generally, yes. There are some discrepancies, which were outlined today.
I think, from a general perspective, Quebec will meet the substantially similar threshold. There could be improvements for interoperability that would help organizations, as we've mentioned. The notion of anonymization and its definition are one example, but generally speaking, the bill is broadly aligned.
4:50 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
I'll put this question to you first. If you could propose only two amendments to the act, what would they be and why do you feel they're important amendments?
4:50 p.m.
François Joli-Coeur
I could go back to the suggestions I put forward in my speaking notes.
The definition of anonymization is too strict. It should be more flexible. There should be a reasonableness standard there that would align with Quebec's and other global standards.
Perhaps the other one is the one I mentioned about automated decision-making. Restrict the definition a bit to cover only decisions that are made and that are replacing a human—only decisions where there is no human in the loop.
4:55 p.m.
Liberal
4:55 p.m.
Partner, Davies Ward Phillips & Vineberg LLP, As an Individual
I agree with many of the other witnesses here today in supporting a change to the definition of anonymization to align more with Quebec's definition and maintain some interoperability there. Given the way it's drafted now, it's an impossible standard.
The other—and I'll make reference to my opening remarks—would be to change the consent exception framework for public interest purposes. That includes proposed sections 35 and 39. I think, in this regard, we could take some inspiration from Law 25, which inserted a new framework for disclosures by private sector entities to other private sector or public sector entities. That includes undertaking a privacy impact assessment and entering into an agreement with the other party. In the case of Quebec, it's actually submitting the agreement to the Commission d’accès à l’information. In the case of Bill C-27, it's adapting the language from proposed paragraph 35(c), which suggests notice to the commissioner at the very least.
In addition to allowing for information exchanges among private sector entities, which could be beneficial, I think it could also be extended to include taking information from the public Internet. As we know, machine learning technologies, in many cases, can benefit from having access to this, provided that some appropriate guardrails are in place, as suggested.
4:55 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Going back to the social purpose question I posed earlier, are there any other requirements of the organizations, other than those found in proposed section 39, that should be included? You made reference to notifying the commissioner.
4:55 p.m.
Partner, Davies Ward Phillips & Vineberg LLP, As an Individual
Yes. If we were to undertake the suggestion to combine or generalize proposed sections 35 and 39, to make it a bit more like the framework in Quebec's Law 25, which begins at section 21 of that law, then it would involve what is styled in that law as “privacy impact assessments”. That isn't a concept that figures, as such, in Bill C-27, but I think it's been discussed to some extent at this committee already. It's been broadly outlined. It's understood. You're examining the disclosure in this case, or the collection.
I suggest that after seeing what kind of privacy impact it has, you do a proportionality analysis and many other things besides that. If an agreement is entered into between the parties to the exchange, it should have certain contractual assurances around how the information is to be handled throughout its life cycle for this purpose. Finally, notice should be given to the commissioner.
As I said, in Quebec's case, you actually submit the agreement to the commissioner, and then you can activate or operationalize that agreement only after 30 days, giving the Quebec commissioner time to respond, presumably. Once the commissioner has notice, they can of course simply request the agreement. They can request the privacy impact assessment and undertake any other steps. The important thing is to provide notice, so that the commissioner is aware.
4:55 p.m.
Liberal
4:55 p.m.
Co-founder and Partner, INQ Law, As an Individual
Can you just repeat the question?
4:55 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
What are your thoughts on the statements that were made earlier about having a more robust requirement for privacy impact assessments?
4:55 p.m.
Co-founder and Partner, INQ Law, As an Individual
I fully agree with my colleague's point that you can combine proposed sections 35 and 39. It can be an effective way to more flexibly use personal information in a responsible manner, but you would do so with the governance of the privacy impact assessment in place, so that there is a thoughtful and measured approach to identifying the data that you'll be collecting, the justification for that data, the potential privacy risks associated with that use, and then a clear plan to mitigate those risks.
I would very much support that proposal.
5 p.m.
Liberal
Tony Van Bynen Liberal Newmarket—Aurora, ON
Would that include notification to the appropriate authority?
5 p.m.
Co-founder and Partner, INQ Law, As an Individual
Do you mean in advance of the collection?
5 p.m.
Co-founder and Partner, INQ Law, As an Individual
I'm not necessarily sure about that. I don't know if it's reasonable that it would be tabled with the commissioner in advance, but I do support the application of the privacy impact assessment as a tool to mitigate risk.
5 p.m.
Liberal
