Mr. Antoine Guilmain at the Industry, Science and Technology Committee

On November 23rd, 2023. See this statement in context.

November 23rd, 2023 / 4:40 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Yes. I think there are two sub-aspects from my perspective.

The first aspect is the transition period. I think we should not undermine the fact that, even though there are already processes in place with PIPEDA and potentially with law 25, it does take time to have something that is meaningful.

I'm a lawyer, so I wish I could tell you that it's only a question of the papering aspect and just giving some policies and moving on. The fact is that privacy is much more than only legal professionals. I think there's an understanding internally in any organization to understand what is going on in terms of data flows and what we do to protect the information we have.

That's the reason why I tend to think that 36 months is the bare minimum. As a matter of fact, when we look around the world, that's what we are seeing. We saw with law 25 that 24 months was not sufficient. At the moment, companies are struggling very much to comply even with law 25, most of which came into force.

On the second aspect of your question, regarding what we can change, I will give you a simple example. If we go to proposed section 8 of the CPPA, it says, “An organization must designate one or more individuals to be responsible for matters related to its obligations under this Act.” I'll go back to my example of the convenience store in La Tuque. They have very little personal information. Their first question when they come to me would be, “Whom do I appoint? Who is my privacy officer?”

I think this is where it is problematic. It's not based on the size of the company; it's more a question of the volume and sensitivity of the information, the good news being that this threshold is present in Bill C-27 in some disposition. In particular, when I look at the privacy management program in proposed section 9, there is a caveat: depending on the “volume and sensitivity” of the information. I think the key aspect would be just to look at those absolute requirements and say, do we have a threshold based on the volume and sensitivity of the information? I think this could be a good exercise in the full version of the CPPA at least.

See context to find out what was said next.