Industry Committee on Nov. 23rd, 2023

Thank you for the question.

There are two key forces at play here. The first force is that any time you regulate companies and start-ups, especially small businesses, they're going to require lawyers in order to do business. That's going to slow down what they're able to do. That's on the one side. On the other side, if there is no legislation in place, then potential customers of those companies aren't going to trust the companies. Even though the need to get legal advice—apologies to the lawyers in the room—is a real barrier for small businesses and start-ups, you do need legislation so that people can trust the companies they interact with.

In my view, this bill balances those two very well, with some minor exceptions that I've mentioned. It protects against the most severe privacy harms, so that we'll have more trust in what organizations do with data. That will, in turn.... On the set of regulations as described, yes, it is a bill that runs dozens and dozens of pages—you'll need expertise—but it is not so onerous that I would expect that the small businesses and start-ups that have a big opportunity with AI will have to shut it down.

In my view, on balance, this will position Canada well going forward for our ability to commercialize AI.

We have plenty of evidence that the GDPR, when and where enforced, reduced innovation, hurt the European software industry relative to the American software industry, and helped the largest companies, particularly in advertising technology, do better and better. There were real costs to the protection of privacy that happened through the GDPR.

When I look at how this bill was drafted, I think that in protecting privacy and thinking about and addressing the potential harms of AI, to me it's clear that it was drafted with an eye towards the need for start-ups and small businesses to compete on a level playing field with the largest companies. In my view, this bill is more innovation-friendly, particularly for small businesses and start-ups, compared to the GDPR.

Yes. The word “contextual” is important here, as well, because that's kind of how we want to look at anonymization. We want to look at where we are using this information.

When Statistics Canada produces statistics or data that they make publicly available, the risks are very high because it's on the Internet. Anyone can access it. They also take data and put it in a research data centre. It's disconnected from the Internet. You have controls according to who has access to the data, how they can use the data and what they can come in or out of the environment with. The risks are much lower, so it's contextual in that sense.

The idea of a reasonableness standard is bringing that contextual piece to it. When we look at international standards, for example, they're primarily very scientifically driven by risks, and risks are never zero. Therefore, by looking at it in this contextual way, we can manage the threats and use other tools besides just aggregating and creating means, as was mentioned earlier. We can do things that are a little more sophisticated, and we can have strong environments that control that information.

The technology we use, the sophistication of it, is compliant in the sense that we look at the best practices that exist. We look at international standards. We look at guidance that is being produced, and we ensure that the anonymization we do meets those standards.

We have guidance in Ontario, for example. We have the law itself, for example, in Quebec. We have a variety of jurisprudence, which is not in my area, of course. We look at the best practices in terms of technology. We monitor the literature and the landscape of what's happening, and we modify accordingly.

At the moment, conceptually, Bill C‑27 is quite compatible with Bill 25. I would even say that, in many respects, Bill 25 is stricter than Bill C‑27. I'll go further than that: Bill 25 is one of the strictest laws in the world. That has to be recognized.

In my practice, I work with international clients, whether they are based in the United States, Europe or Latin America, and today, they look at Bill 25 and say that it's really one of the most complicated laws to implement and that it's difficult to comply with it. That's not a good thing.

My position today, quite frankly, is that the two pieces of legislation are compatible. However, I think there are lessons to be learned from Bill 25. I took the liberty of quoting the European Union's General Data Protection Regulation, the GDPR, and I think that's a very interesting model for Bill C‑27 to look at. That's really my position.

There are some very good things in Bill C‑27. It should be noted that, from a legislative standpoint, it makes a very different change. Bill 25 amended existing legislation by patching things up a little. We tried to add an act dating back to 1994. The beauty of Bill C‑27 is that it's unified. There really is a collective understanding.

So my comment on this is to say that looking at Bill 25 as a yardstick may not be the best approach, in my humble opinion.

There's a fairly fundamental difference. As you know, when it comes to privacy, the notion of consent is central. It's all about consent. We're talking about either express consent implicitly or an exception to consent. That's how Bill C‑27, the current federal act and the Quebec act are built.

Currently, Quebec's approach is very different from the rest of Canada. In fact, it decided to enshrine in law that, when it comes to the collection of personal information, consent isn't always required, provided that the reasons for collecting, using or communicating personal information are disclosed. This was recently confirmed in the guidelines of the Commission d'accès à l'information du Québec.

What does that mean in concrete terms? It's very theoretical, but it's not that theoretical. When you visit a website, you are “attacked” by various methods of consent. That's what we want to impose on children. As adults, our ability to concentrate is very limited. Personally, I have a full-time interest in this, and I don't read everything.

Quebec has decided to take a different approach: we don't force people to give express consent, to click, we just give them the information, and then they can continue with the process. This aspect of transparency is unique to Quebec.

At the moment, the federal legislation, as drafted, seems to indicate that a positive gesture should always be made in certain cases. I think that's a pretty significant difference. Again, not a bad thing. In fact, we're a different approach to the problem. We're providing a little more transparency, a little more control, instead of forcing people to consent in an almost fictitious way.

I'd first like to mention that our federal legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA, is a quality piece of legislation. I wouldn't say that there's an urgent need to act, but that's a very personal opinion. There are fairly broad concepts in PIPEDA that already allow companies to do very good things. We aren't in a vacuum at the moment.

That said, Bill C‑27 is very ambitious. I'm talking about the part that deals with the protection of personal information. We shouldn't underestimate the time it will take to adjust the processes. Let's not forget that companies had to grapple with Quebec's Bill 25 a few months ago and complied with it last September. It was a real in-house effort.

I think there's an interest in avoiding a duplication of resources, at the risk of creating a kind of fatigue on the part of companies with regard to requirements. Businesses will no longer understand the message being sent to them. I think it's important to keep in mind the significant transition period.

I don't think there's an urgent need to act, but that's my very personal opinion.

In terms of aligning with the European Union, I must say that it will require an analysis that may take years. Japan recently received a suitability decision and is considered a good country for the transfer of personal information. This is the result of years of work by the European Commission.

I think Bill C‑27 is a very good bill in terms of complying with European standards, in this case the European Union's General Data Protection Regulation. There are a lot of “Canadianized” concepts, if I may say so. It's worded a little differently, particularly when it comes to sensitive data. I still think that Bill C‑27 is a good bill in that regard, apart from certain aspects on anonymization and the legal basis for handling personal information, as I mentioned.