Evidence of meeting #98 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
4:25 p.m.
Lawyer and Founder, GEM Privacy Consulting, As an Individual
I'd have to think about that for a minute, so perhaps one of my colleagues can start.
4:25 p.m.
Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
I'm going to be very blunt. I'm not equipped to respond to your question.
4:25 p.m.
Chief Methodologist and Privacy Officer, IQVIA Solutions Canada Inc.
It's an interesting question. Are we talking about the executive order on artificial intelligence?
4:25 p.m.
Chief Methodologist and Privacy Officer, IQVIA Solutions Canada Inc.
It's okay. I just wanted to check. There may be another one. You never know.
It's interesting. There's a lot of activity. There's a lot of work in the U.S. The National Institute of Standards and Technology, for example, has put together really good work on AI risk frameworks and how to manage it. We've heard a lot of good things in the executive order, so from a technology perspective I think it's exciting to see the talk of safe, trustworthy and responsible AI. Regardless of the procedure—I can't really speak to that—it's exciting to at least see there's a big push.
Canada is known for privacy by design, for example, so we have an opportunity as well to take the lead and to do things in AI. As was mentioned earlier, we have researchers who have done tremendous work, really, bringing this forward. Regardless of the procedure of how it was done, I do think it's interesting that they're pushing it so much.
4:25 p.m.
NDP
Brian Masse NDP Windsor West, ON
If you don't have comments on this, that's okay. The reason I outlined the procedure is that it's going to come right from the president now, and it actually bypasses, to some degree, the oversight of Congress and the Senate.
That was the way they approached it. They almost handed over the elements to the president, whereas we're still in a committee here. We still have to go through a legislative process, and then we have to send this bill to the Senate, and then we have to get it done. At the same time, we don't know exactly if it's going to be somewhat consistent with the United States. We have to somehow figure that out. It's almost like, if we want to have something similar or comparable, we need a treaty in some respects for this.
Of course, we want our sovereignty, but I guess what I'm worried about is that.... If we are significantly different from the United States, does that affect our capabilities to retain investment and AI here, or does it put us in a better position, potentially? I'm wondering what your thoughts are, because we could have two different models in North America on how to deal with AI. Do you have any thoughts on that?
4:25 p.m.
Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
A general thought would be that I don't see it as a particular problem, because that's what we see. Having seen many laws across the world, it's never unified. I think this is something impossible. Even in Canada, we have the private sector laws in B.C., Alberta and Quebec, and the federal statute at the moment. They are not unified; they are different.
What is important is interoperability. It's the ability to talk between the laws. I think that is something we should be seeking, as opposed to having exactly a carbon copy, potentially, of what is being done in the U.S. The same would apply to Europe. I think it's just looking at what they are doing and making sure our concepts are flexible enough to essentially talk with the potential legal regime that is being adopted in the U.S.
4:25 p.m.
NDP
Brian Masse NDP Windsor West, ON
Okay, that's a good distinction.
What I worry about, coming from my world, is that for years we had two different sets of bumpers on cars. It stopped the ability to talk and to trade, and we actually had some companies doing duplicate stuff. I don't know enough about this as to whether or not it impedes.... Unlike the European Union, in many respects, we have a lot of North American partners and subsidies back and forth. I'm just trying to figure that out.
How much time do I have, Mr. Chair?
4:25 p.m.
NDP
Brian Masse NDP Windsor West, ON
Just quickly, does anybody have any comments on the issue of the Privacy Commissioner's recommendations? Are you in favour of the Privacy Commissioner's recommendations or opposed to them? Is there anything that is glaring there? Does anybody have any comments on that?
4:30 p.m.
Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
Do you mean the 15 recommendations?
4:30 p.m.
Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
If I can opine on one aspect, there are some interesting ideas. I think there's a will to add an accountability obligation for companies. I think that's something that is being proposed. I have some caveats in this regard, having seen what is happening in Quebec at the moment, especially for small and medium-sized companies, which are really struggling to have accountability documentation for everything.
It could be a good idea, to the extent that there are thresholds. I think that is the key aspect in these kinds of laws, having the notion and the principle but not forgetting the exception and the thresholds. That is my top potential concern with that recommendation.
4:30 p.m.
Prof. Avi Goldfarb
Just to add to that, I think it's important to recognize there are trade-offs here. As we make the privacy rules in this legislation stricter, in many cases we're going to get less innovation, particularly from start-ups and small businesses. The big ones will be fine, but the start-ups and the small businesses will have a harder time as it gets more difficult for them to collect and organize data.
To the extent that those recommendations are accepted, keeping an eye on the situation and making sure we don't overburden those small businesses and those start-ups is important.
4:30 p.m.
Doctoral Candidate, Faculty of Law, University of Toronto, As an Individual
To quickly respond to Mr. Masse's question about the executive order, I would note that insofar as you're able to put things into secondary or delegated legislation, you would provide an opportunity for some type of harmonization. However, it's a tricky question of balancing what should be in primary legislation versus secondary legislation.
Thanks.
4:30 p.m.
Liberal
4:30 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Thank you, Mr. Chair.
I want to stay in the same vein. I think this is a great discussion.
We obviously believe in privacy as a fundamental right, but at the same time, businesses have to be able to collect and use data. We're in a unique situation right now with Bill C-27 because the GDPR has just come into place with some of their.... I hate to call it red tape, but it's the processes in which businesses, small and otherwise, have to follow those rules.
We're trying to look for good amendments in this bill that obviously make sure that privacy is held as a fundamental human right, but also protect businesses from the overburden and the policies and procedures that are going to weigh on businesses' ability to do business as well as collect and use data for good.
I'm going to start with Ms. Gordon.
What can we do in this bill to ensure that this collection and the consent models are easy for businesses while also protecting privacy? What have we learned from the GDPR?
4:30 p.m.
Lawyer and Founder, GEM Privacy Consulting, As an Individual
That's a really good question.
I generally support the new exceptions to consent in Bill C-27 , which are similar—slightly different—to the GDPR. I agree that the application of the legitimate interest exception, whether as a stand-alone right or as an exception to applied consent, will help a contextual analysis and will help nurture innovation and allow for a difference between...how organizations look at their programs and at accountability and transparency.
4:30 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Would you support an amendment to the bill to exempt businesses of a certain size from filing requirements?
4:30 p.m.
Lawyer and Founder, GEM Privacy Consulting, As an Individual
Again, that's something I'm not entirely qualified to comment on right now.
4:30 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
Thank you.
Mr. Guilmain, could you respond to that question specifically, but also comment on the burden to business?
4:30 p.m.
Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
I want to start by saying something. It sounds like a paradox, but I believe it is true. More prescriptive requirements will not necessarily lead to more protection of personal information. I think it needs to be heard. It's not that because we are adding a lot of burden on organizations, it's going to be better for the public. I want to start with this statement.
That said, I will give you an example. When we hear the words “legitimate interest”, the perception may be just to say, “Well, it's a free pass. You do whatever you want. There's no consent, so you do whatever you want.” The fact is that in the GDPR, there is always documentation.
To your second question, about small and medium-sized companies, I don't think it makes sense to have different obligations based on the number of employees. What matters is the sensitivity of the information and the volume of the data. This should be, from that perspective, the trigger to essentially say that they need to have more documentation in place to explain what they are doing. These should be the triggers. This is my humble opinion.
Again, I don't think we should be afraid of using some terms. Also, “exception” doesn't mean that there's nothing in place. As a matter of fact, at the back end, what I'm seeing is that there's a lot of documentation in this regard.
4:35 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
To ask that specific question again, would you support amending the bill to exempt businesses of a certain size from filing requirements?
4:35 p.m.
Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
No.
4:35 p.m.
Conservative
Ryan Williams Conservative Bay of Quinte, ON
You'd require all businesses to fill out that documentation.
