Evidence of meeting #98 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Michael Beauvais  Doctoral Candidate, Faculty of Law, University of Toronto, As an Individual
Avi Goldfarb  Professor of Marketing and Rotman Chair, Artificial Intelligence and Healthcare, Rotman School of Management, University of Toronto, As an Individual
Michelle Gordon  Lawyer and Founder, GEM Privacy Consulting, As an Individual
Antoine Guilmain  Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual
Luk Arbuckle  Chief Methodologist and Privacy Officer, IQVIA Solutions Canada Inc.

4:50 p.m.

Bloc

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you very much.

4:50 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you.

Mr. Masse, you have the floor.

4:50 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

Federal parties are not currently included in the bill. Does anybody have any feelings on that and whether the inclusion of federal parties should be part of it? We were exempted from other legislation in the past. The do not call list is one exemption.

Does anybody have any feelings on whether federal parties should be part of the bill? It usually comes to the privacy commissioners and others.

4:50 p.m.

Lawyer and Founder, GEM Privacy Consulting, As an Individual

Michelle Gordon

Other witnesses who testified here have said they should be included in the legislation. I agree with them and agree with their reasoning.

4:55 p.m.

NDP

Brian Masse NDP Windsor West, ON

It doesn't have to be exactly the same as the business sector either; it could be done in a different way. It doesn't have to be entirely the same, but I think there is an argument that could be made that federal parties should be part of this.

4:55 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Antoine Guilmain

Yes. I would agree as well.

My only problem is—and maybe I'm a bit too dry—that the title of the law itself is “consumer privacy protection act”. The notion of “consumer” is misleading at this stage. I think it's something to emphasize, even though I don't disagree with the principle of potentially having federal political parties be subject to the law.

4:55 p.m.

NDP

Brian Masse NDP Windsor West, ON

Well, if you have been here long enough, you know that the titles of bills are often divorced from the reality of what they are.

That's a fair point, and I'm complimenting, not criticizing, your analysis of that.

Does anybody else have any thoughts on that?

4:55 p.m.

Doctoral Candidate, Faculty of Law, University of Toronto, As an Individual

Michael Beauvais

I know that Colin Bennett, among others who appeared before this committee, also raised this point. In light of big data political campaigning, I think it's very difficult to sustain a justification for why political parties should not be subject to data protection laws. I would certainly encourage their inclusion.

If there are specific concerns, a balancing can take place, in the way that data protection laws frequently balance with journalistic purposes and these sorts of things. If there are very specific concerns about campaigning and the political process and how data protection law can affect that, I think that should be considered in a very specific manner, but certainly as a big-picture item, I think political parties should indeed be subject to data protection law.

4:55 p.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

4:55 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you.

Mr. Généreux, the floor is yours.

4:55 p.m.

Conservative

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Thank you, Mr. Chair.

I'd like to thank all the witnesses. Their comments are really very interesting.

Mr. Guilmain, I'll turn to you.

I'll go back to the example you gave, the convenience store in La Tuque. We all understand that you chose that location, since the convenience store is in Minister François-Philippe Champagne's riding. Up until now, he probably thought he had a little private life, but with the convenience store story, his life has now become public.

I'm using your example to talk about small businesses across Canada. We know that 95% of businesses in Canada are the backbone of our economy. With this bill, we are addressing both individuals and businesses and entrepreneurs who will have to adapt to this legislation.

Earlier, you referred to a survey you conducted on Quebec's Bill 25. Nearly 70% of respondents needed more information or clarification on the act.

Do you think the process will possibly be the same for Bill C‑27?

We're talking about consultations. You think this is a good bill, from what I understand. However, I must say that this isn't exactly what we've heard since the beginning of the consultations.

A number of people have told us that they weren't consulted. Representatives of organizations, who have appeared before our committee so far, have said that they weren't consulted. Some have told us that it would be preferable for them to be consulted. I think one of the witnesses said so earlier. He said that it would be good if there were more consultations.

Do you think it would be a good idea to hold more consultations?

We've been told on a number of occasions that we should normally, at the outset, separate the whole issue of artificial intelligence from that of privacy, because they are two completely different things.

What are the real or possible consequences of the elements that will, in a way, bury SMEs in bureaucracy?

4:55 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Antoine Guilmain

If I may, I'll answer in three parts.

First, there is Bill C‑27 in and of itself. I grant you, in my humble opinion, that part 3 and parts 1 and 2 are probably unrelated. That's a real problem. I won't hide the fact that, when I talk about the aspect of Bill C‑27 that I like—it's always like that in a relationship, we like or we like less—I'm talking about parts 1 and 2, to be quite honest with you. That's the first thing. I think part 1 is a very good start. There are gaps. As I told you, it's not perfect in terms of compensation and the flexibility of consent, among other things. However, in my opinion, the bill is a very good foundation.

Second—and I go back to my earlier comment—I think there's a common sense rule with respect to this piece of legislation. It's just a matter of looking at the obligations in a very cold way. We have to ask ourselves some questions. I would like to come back to the example of the famous La Tuque convenience store, which, by the way, is being well advertised. I don't know if there are two, though. In any case, if I were the owner of this famous convenience store and I saw this text, I would wonder if it would help me in how I operate. Is this piece of legislation really going to change the way I do things? That is the objective. We really have to show businesses that we don't want to create problems for them for the sake of creating problems for them. We have to tell them that we want to help them focus their attention on the right things.

I gave you the example of the privacy officer. I don't personally believe that our convenience store needs a privacy officer. I think it's that kind of analysis that could really help small and medium-sized businesses. We have to put ourselves in their shoes and ask ourselves whether, based on what we see, based on non-sensitive data…. Again, I think this is an important element, because small and medium-sized businesses have a voice that is heard, obviously, but it will depend on the data. Data is really the key. However, I think you have to look at some of those things, and obviously that has been taken into account in some provisions and not in others.

Perhaps we need to make an effort to be consistent and to ensure that this aspect is truly taken into account. That could help, I think.

5 p.m.

Conservative

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

While I'm at it, since you're a lawyer, I'm going to ask you about a proposal that was made in the legislation to set up a tribunal.

If that question is of interest to Mr. Arbuckle and Ms. Gordon, they can also answer it.

Some have told us that establishing a tribunal should be set aside. For example, Mr. Balsillie, from the Centre for Digital Rights, said that it was a dog's breakfast, that it would do absolutely nothing. Other witnesses have said that this will delay the process.

What do you think?

I'd like to hear from all three witnesses.

5 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Antoine Guilmain

I don't agree with that statement, quite frankly.

I think you have to look at the nature of the organization. The Office of the Privacy Commissioner was created as an ombudsman would have been, and that's its role. The Privacy Tribunal would have a different, purely jurisdictional role. I think that's an interesting approach.

I'd like to look at what's being done in Quebec. You might be interested in that. We have the Commission d'accès à l'information du Québec, which wears two hats. It has general oversight over everything to do with complaints, recordings, and so on. It has a jurisdictional section, where administrative judges render decisions.

I find that an element of complexity. I think it's good to have two distinct entities. That's my own point of view. I don't think that's a bad idea per se.

5 p.m.

Conservative

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

What do you think, Ms. Gordon?

5 p.m.

Lawyer and Founder, GEM Privacy Consulting, As an Individual

Michelle Gordon

Just on the topic of the tribunal, I do support that idea. I think the current role of the Privacy Commissioner.... That office has done an incredible job, but it wears many hats. The commissioner wears the hat of an advocate and of an educator and does investigations, but what's always been said about that role is that it has no teeth, that whoever is in charge doesn't have teeth to implement fines and issue fines. By having the separate role of the tribunal, that will allow for a more robust legislative process and allow the hats of the commissioner to be separate.

5 p.m.

Conservative

Bernard Généreux Conservative Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Mr. Arbuckle, I don't think you're a lawyer, but do you have an opinion on that?

5 p.m.

Chief Methodologist and Privacy Officer, IQVIA Solutions Canada Inc.

Luk Arbuckle

No, not really.

5 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much.

Mr. Gaheer, you have the floor.

5 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you, Chair.

Thank you to all the witnesses for making time for the committee.

My questions are for Mr. Guilmain.

I think you've answered this piecemeal, but I wanted to give you the question so you can approach it: How does the CPPA align with other privacy and data protection regimes? I want you to focus on the GDPR. Given your expertise, how do you think it compares overall?

5 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Antoine Guilmain

There are a couple of things.

I think the first aspect is that the idea of asking the organization to explain what they are doing on the privacy side is very similar to the GDPR, to what we are seeing at the moment. I think it's positive in itself.

The second aspect is that there are some interesting legal bases and ways of making legal the processing of personal information, and I will give the example of legitimate business exemptions. Unfortunately, I want to say that they don't go as far as the GDPR does, and I think this is something that should be considered, at the very least.

The third aspect—and I think it's important—is that the CPPA places privacy as a cornerstone for society, very similarly to the GDPR. I want to be clear that the GDPR has been a shock in Europe in itself. Everyone knew about it. It was an earthquake. I tend to think that the CPPA in its current version, with some improvements, could have the same effect, potentially pushing the organizations to do even more on the privacy side, relying on what they've been doing.

I think those are the elements that are common between the two regimes.

5:05 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you.

How was the GDPR received by businesses in Europe? Was there a warm reception? Were they able to get on board and comply?

5:05 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Antoine Guilmain

The first months were rough. Let's be honest. I think that everyone was just trying to adjust. We have to keep in mind that it was in May 2018, so it was the first big change in the world. Just to be clear, it's been the same across the world. Brazil recently adopted its own privacy laws, Singapore.... It really was the beginning. Let's put it that way.

Then, eventually, I think the regulators, in consultation with the organizations, were able to make sure that the organizations understood what was expected from them. I think that at this stage, there's a big aspect of expectation, because the companies want to do well. That's what I see in my practice. They want to comply. No one wants to say, “Well, you know what? We don't want to comply.” The problem is always in being clear regarding the requirements and being reasonable as well.

On the GDPR, at the moment in North America we are using the GDPR as a gold standard in transactions between the U.S. and Canada. We are using language from the GDPR. Clearly, it shows that it's been a success for Europe, if we are being honest. That's my position.

5:05 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

In your second point, you mentioned that the exception in the CPPA doesn't go far enough. Could you speak about exceptions generally and maybe about the business purpose exemption in particular?

5:05 p.m.

Counsel and Co-Leader, National Cyber Security and Data Protection Practice Group, Gowling WLG, As an Individual

Antoine Guilmain

Yes. I know that you've been discussing this notion of legitimate interest. When we hear “legitimate interest”, it sounds like a free pass to do whatever we want, but I want to emphasize that if you look carefully at the CPPA, there is always an aspect of assessment, of explaining why we can actually rely on legitimate interest.

The fact that we are limiting.... For instance, for influencing the decision, we don't want to use legitimate interest. That's what we have at the moment in the law. I think it's a mistake, because the influence could be bad or it could be good. I will give you an example. For instance, my children are online on social media. They can see targeted advertising, contextual, without any context, regarding alcohol or something I don't necessarily like as a parent. I'd prefer for them just to have specific tailor-made advertising for children. That's what I'd prefer. I think legitimate interest could be used.

I think this is the perfect segue between legitimate interest and children. I think those are topics that you've been discussing a lot lately, as I understand. I think potentially legitimate interest is not evil. I think it's a question of documentation. I'm going to give you the word that we use in Europe: legitimate interest comes with LIA, legitimate interest assessment. This is a document, a report, explaining why and how you are relying on these legal pieces. I think the same could be done here.