Industry Committee on Nov. 23rd, 2023

Thank you, Chair Lightbound and members of the committee, for today's invitation.

I'm a doctoral candidate at the University of Toronto's faculty of law, and a graduate fellow of the Schwartz Reisman Institute. I have more than a dozen peer-reviewed publications and numerous policy interventions on privacy and data protection law in Canada, the European Union and the United States.

I submitted a brief on children's issues in the consumer privacy protection act with my colleague, Leslie Regan Shade, who is a professor at the University of Toronto's faculty of information, a faculty affiliate of the Schwartz Reisman Institute. I am here today in my personal capacity.

Children's privacy in the digital environment is essential for their agency, dignity and safety. Indeed, data protection laws are one important piece of a response to mounting evidence that corporate surveillance and persuasive design are undermining children's agency and well-being. At the same time, though, digital technologies are vital for children's inclusion and participation in society. Members of the committee, you are in a special position to help ensure that the digital environment aligns with children's rights.

Before highlighting a few of the recommendations made in our submission, let me note that the UN Committee on the Rights of the Child has consistently recommended more robust and standardized mechanisms for meaningfully obtaining children's views on legal and policy matters affecting them. It is thus regrettable that there is no evidence of youth consultation for this important bill. I respectfully urge you to solicit their views.

Let me briefly discuss our recommendations.

First, several key definitions need to be clarified. These include a definition of a minor and a definition of capacity to determine when a minor is “capable” of exercising rights and recourse under the act. The act must also clarify the scope of and the relationship between parental and child decision-making. Additionally, more specification is needed with regard to what happens when minors reach the age of majority. Information about one's childhood should, furthermore, remain “sensitive information” even after one has attained the age of majority.

Second, the best interests of the child should be included as a fundamental principle in the act. Doing so would make the child's interests a primary concern in all aspects of the proposed legislation. For example, the best interests of children should matter in specifying the purposes of data collection, use and disclosure, as well as data retention.

Third, age and parental consent verification requirements and limitations are needed. Treating minors and adults differently makes verification for both age and parental consent an important part of compliance. Such verification, though, can be highly intrusive, unreliable and insecure. Verification also poses serious threats to the freedom of expression of all Internet users.

Fourth, the Office of the Privacy Commissioner should be mandated to develop a children's design code with meaningful participation from youth. Design codes are age-appropriate standards for youth-directed products to ensure the highest level of privacy by design. They also help ensure that youth-directed products do not undermine children's rights. Businesses also welcome the certainty that codes provide. Since codes only elaborate on general principles and obligations arising from the legislation, robust protections for privacy and agency must be in the law itself.

Finally, kindly recognize that providing robust protections for children should not be a justification for meagre protections for adults.

Before concluding, I want to respectfully remind the committee that the ongoing lack of high-speed Internet access among northern, rural, first nations, Inuit and Métis communities deprives children and adults alike in those communities of the same opportunities found elsewhere in Canada. The CPPA's promises and potential are illusory without equitable access to the Internet.

I appreciate your work on this important study, and I look forward to your questions.

Thank you.

Thank you for your kind invitation to appear before the committee and discuss Bill C-27.

I'm a professor of marketing at the University of Toronto, where I hold the Rotman chair in artificial intelligence and health care. My research focuses on the economics of information technology, including several papers on privacy regulation and on artificial intelligence.

Canada is a leader in AI research. Many of the core technologies underlying the recent excitement about AI were developed right here at Canadian universities. At the same time, our productivity is lacking. My research has shown that AI and related data-focused tools are particularly promising technologies for accelerating innovation, productivity and economic growth. In my view, a big worry for the Canadian economy going forward is that we do not have enough AI, and so our standard of living, including our ability to fund health care and education, would stagnate. It would be a shame if Canada's research success did not lead to applications that increase Canadian prosperity.

This act is a careful attempt to ensure that Canadians benefit from AI and related data-focused technologies while protecting privacy and reducing the potential for these technologies to harm individuals.

Next, I'll provide specific comments on AI regulation in part 3 and on privacy regulation in part 1. I have specific comments [Technical difficulty—Editor] intelligence and data act.

First, the act correctly recognizes that there is always a human or a team of humans behind decisions enabled by AI. In part 1, proposed subsection 5(2) is commendable for noting that “a person is responsible for an artificial intelligence system”. Proposed sections 7 through 9 make these responsibilities clear. In my experience, such clarity about the role of humans in AI systems is both unusual and commendable.

Second, the act constructively defines explainability and transparency in part 1, proposed sections 11 and 12. By making it clear how and why the high-impact system is being used rather than focusing on the inner workings of the algorithm, it will provide useful information without forcing potentially misleading oversimplification of how the algorithms work.

Third, while the details of the act itself implicitly recognize the role of AI in Canadian prosperity, the preamble to the AI and data act does not recognize that technological progress is fundamental to our prosperity, and instead focuses only on regulation and harms.

Fourth, there are two sections of the act that might create incentives not to adopt beneficial AI because the liability is not explicitly benchmarked around some human performance level [Technical difficulty—Editor] and safety.

In part 1 of the AI act, proposed subsection 5(1) examines bias. The bias definition suggests that any bias would be prohibited. AI systems will almost surely be imperfect, because they're likely to be trained on imperfect and biased human decisions. Therefore, this definition of biased output incentivizes the continued use of biased human decision-making processes over potentially less biased but auditable AI-supported decisions.

In part 2 of the AI act, proposed paragraph 39(a) examines physical and psychological harm or physical damage. As with bias, the benchmark seems to be perfection. For example, autonomous vehicles will almost surely cause serious physical harm and substantial property damage, because vehicles are dangerous. If the autonomous vehicle system, however, generates much less harm than the current human driving systems, then it would be beneficial to enable its adoption.

The fifth comment on the AI and data act is about the definition of an AI system in proposed section 2 of the AI act: “the use of a genetic algorithm, a neural network, machine learning or other technique in order to generate content or make decisions, recommendations, or predictions.” This definition is overly broad. It includes regression analysis and could even be interpreted to include the calculation of averages. For example, if an employer receives thousands of applications for a job, calculates the average score on some standardized test and uses that score to autonomously select above-average applications to be sent to a human resource worker for further examination, that scoring rule would be an AI system, as I understand it, under the current definition.

I have two specific comments about the consumer privacy protection act.

First, the purpose of the act in proposed section 5 clearly lays out the often competing goals of protecting privacy while facilitating economic activity. While I do understand the wishful thinking that there would be no trade-offs between privacy and innovation, research has consistently documented such trade-offs. Privacy is not free, but it is valuable. Individuals care about their privacy. In protecting privacy, this act will require companies [Technical difficulty—Editor] on legal expertise for interpretation. Such expertise is readily available for large, established companies, but onerous for small businesses and start-ups. In the implementation by the commissioner, some direction to reduce any unnecessary burden on small businesses and start-ups would be constructive.

Proposed subsection 15(5) makes the cost of an audit payable by the person audited even if the Privacy Commissioner does not bring a successful case. This creates a large burden on small and new businesses if they get audited unnecessarily.

To conclude, while I have specific suggestions to clarify the language of the act, in my view Bill C-27 is a careful attempt to ensure that Canadians benefit from AI and related data-focused technologies while protecting privacy and reducing the potential of these technologies to harm individuals.

Thank you for this opportunity to discuss my research. I look forward to hearing your questions.

Mr. Chair, committee members, thank you for inviting me to comment on Bill C‑27.

Although I'll be testifying in English today, I'll answer your questions in either French or English.

I'm co-leader of the national cybersecurity and data protection group at Gowling WLG. I'm a practising lawyer called to the bars of Quebec and Paris. My evidence today represents my own views. I'm here as an individual, not representing my law firm, clients or any third parties.

Much of my legal career has focused on comparative analysis of legal regimes across the globe, advising clients on their compliance obligations in the jurisdictions in which I am qualified to practice.

Bill C-27 presents a tremendous opportunity to modernize Canada's federal privacy regime. It is possible, and indeed essential, that Canada protects the rights and interests of the public while facilitating competition, investment and ambitious innovation.

Many of the proposals in the bill are highly impactful, but I will focus my comments today on the consumer privacy protection act and two areas in particular that I consider to be of great importance. First are lessons learned from Quebec's law 25.

The majority of the provisions under law 25 came into force in September 2023. Over the last summer, Gowling WLG, in collaboration with the Interactive Advertising Bureau of Canada, conducted a readiness survey of over 100 organizations regarding this new law. The results of the survey were clear. Industry was ill-prepared for such an implementation. Specifically, 69% of the respondents expressed a need for greater clarity, and 52% indicated that they lacked sufficient resources. This also highlights that the compliance burden for SMEs is especially high.

There are four specific learnings from Law 25 that I wish to highlight today.

First, Bill C-27 should not exceed standards set by the EU general data protection regulation. For example, legitimate interest is a flexible legal basis for processing, but it must always be justified and documented in a separate assessment under the GDPR and under other global laws. A similar standard could apply in Bill C-27.

Second, Bill C-27 should not rely on future regulations to substantiate each requirement. This is a recipe for delays and uncertainty. For example, in Quebec, anonymization is currently regarded by the regulator as impossible because the regulations are not yet in place.

Third, Bill C-27's timeline for implementation should be sufficiently long. Based on experience from law 25, implementation should be at least 36 months after the bill becomes law.

Finally, Bill C-27 should be aligned with law 25 on key concepts, including around the legal bases for processing data and legitimate business exceptions. This is especially important when it comes to children's privacy.

I'm a father of two young children, so protecting children in the digital economy is important to me personally, and it's a subject that I engage with regularly in the course of my work. I believe amendments to Bill C-27 are necessary to ensure that minors' data is reasonably, meaningfully and consistently protected.

I wish to highlight four key topics for consideration.

First, as opposed to the GDPR, Bill C-27 lacks a threshold for determining when services are intended to target children. Practically, organizations will not be able to remain age-blind and will therefore have to ask the age of users each time they engage with them, to the potential detriment of user privacy interests and data minimization.

Alternative legal bases for processing should be available, depending on the maturity process of the individual. Specifically, legal capacity should be a baseline for assessing legitimate bases as opposed to the age of majority alone.

The process for collecting parental consent can be extremely complicated. Bill C-27 should set a specific age at which parental consent is required. Under 14 years of age seems the most reasonable standard.

Finally, the concept of the best interest of the child should be positioned as a key determinant of how minors' personal information should be treated, rather than relying primarily on the concept of express consent.

With the chair's permission, I would be pleased to submit a copy of the survey report for the committee's consideration, as well as a short written brief in French and English on the issues I've addressed in my opening remarks.

I wish to thank Michael Walsh for his assistance in preparing this material.

Thank you. I look forward to answering the committee's questions.

Thank you.

I'm very pleased to have been invited to participate in the work of the House of Commons Standing Committee on Industry and Technology on Bill C‑27. I hope to be able to answer your questions on privacy and artificial intelligence services and technologies.

Although my opening remarks will be in English, please know that I will be pleased to answer your questions in either French or English.

My name is Luk Arbuckle. I am chief methodologist and privacy officer at Privacy Analytics, an Ottawa-based IQVIA company employing over 100 privacy experts.

My role at Privacy Analytics is to ensure that our company and our global clients are aligned on the practical applications of privacy-enhancing technologies and to inform our practices based on current guidance and emerging methods. I also provide guidance on the practice and risks of applying artificial intelligence in real-life applications. My role has been largely informed by my time as director of technology analysis at the Office of the Privacy Commissioner of Canada, when I also drafted guidance on anonymization for the office.

Privacy Analytics operates as an independent entity within the global IQVIA group of companies, so that we can provide both IQVIA and our global clients with services and technology for the safe and responsible use and sharing of data. The Privacy Analytics platform has been deployed globally to protect the privacy of close to one billion patients. For example, our software has enabled safe research that improves cancer outcomes for patients through the European oncology evidence network and the American Society of Clinical Oncology's CancerLinQ. We have also worked with multiple government agencies in Canada, Europe, the United States and globally to implement safe data access models that enable faster data access, promote research and innovation and implement data-driven decision-making.

It is against this backdrop that I wish to provide comments today. In particular, I will provide a perspective on the importance of health data and analytics for Canadians. Health care-related research is increasingly driven by analyses that draw from real-world evidence to reveal the effectiveness of treatments beyond the clinical trial phase. The success of that approach is predicated on the availability of the necessary data from various sources within the relevant health care system and on the ability to analyze data across different health care systems.

For Canada to take part in this new frontier of health care research, it is important that we prioritize a responsible data access model that strikes the appropriate balance between privacy and having useful data for the intended purposes. We also need a data protection framework that allows for efficient and effective data sharing and collaboration with stakeholders from all over the world, including the United States and Europe. As COVID-19 has shown, it is crucial that Canada stays active and competitive in life sciences. This means developing an approach to privacy that supports local research and innovation and allows health care research in Canada to align with efforts outside of the country.

I will only summarize three recommendations in my introductory remarks and invite you to consult IQVIA's full-length comment document on Bill C-27 for additional comments and details.

Recommendation one is to consider a reasonableness component within the definition of “anonymize”. The use of anonymized data in health care analytics is a key element in the research and innovation activities that help drive Canada's health care future. Canada's diverse group of health care stakeholders use anonymized information to identify inefficiencies and allocate resources more effectively, to speed up the development and approval of new treatments and to understand the needs of patients and health care professionals. Such uses of anonymized information contribute to better health outcomes and other notable benefits.

Including a reasonableness component within the bill's definition of anonymization would align better to other Canadian frameworks, such as Quebec's law 25 and Ontario's PHIPA. A reasonableness approach would also align better to the growing consensus in the academic and technical literature regarding the need for a realistic framing of risk in describing anonymized information. Take, for example, the risk-based international standard for an anonymization framework, technically known as ISO 27559. This technical standard was developed by experts from around the world and is consistent with the draft guidance I produced while at the OPC.

Recommendation two is to consider expanding the consent exception for “socially beneficial purposes” to include private sector organizations. A more principled approach would be to enable responsible data sharing between a broader range of actors while also mandating adequate oversight and data protection best practices.

Recommendation three is to consider a consent exception for external research, analysis and development purposes. Removing the internal qualifier would be a more beneficial approach, as it aligns with existing guidance and would enable a more useful model for health care research and innovation.

With that, I would like to thank the committee again for your time and for the opportunity to speak with you today. I strongly believe that it is possible to safely and responsibly use and share data in ways that protect privacy while driving innovation for the benefit of Canadians. I look forward to the continued discussions.

I will remain at your disposal during the discussion.

Thank you for your attention.

As I said in my remarks, I do believe the law can be more prescriptive in terms of making sure we get it right for children. That is something we've seen in other jurisdictions. They've done it separately in a different law with a specific children's code. I think we can make certain amendments to the law or have a separate regulation.

Part of the problem with a regulation, as Mr. Guilmain said, is that sometimes it takes forever to get there and to get that guidance, so it's not always best to leave it to regulation, but that is one way of doing it. I do believe there are ways of adding amendments and making them more prescriptive so we can get it right in the law.

I don't think they're two separate things. I think you can have privacy by design in a privacy management program.

I don't have a specific definition, but I do believe we should be able to give a non-exhaustive list of examples, similar to what we've done in law 25 in Quebec.

Sure. Some examples we've seen are biometric data, health data, financial data and children's data. Those are the ones off the top of my head, but I could certainly submit some more examples.

That's definitely a risk, but I don't think that's a reason not to do it right now. PIPEDA has worked really well for 20 years. There's always going to be modernization of laws, but I think it's important to try to get that list now, with the acknowledgement that there is the possibility of updating it as things change.

I don't have any specific comments right now on prescriptive language. Again, that's something I'd have to go back to.

I know that's something my colleague Mr. Guilmain also referred to, so maybe he has comments on that.

Yes. I would like to take a look at what is being done in Europe at the moment. Of course, the GDPR has been a change for them, and privacy, children's privacy, was a key consideration.

Because it's extremely difficult to provide prescriptive requirements, they instead relied heavily on the notion of “best interest of the child”, and this is working. The reason is that it's not a free pass saying, “You know what? We talk about children but there's nothing to be done.” Organizations need to have documentation regarding what they are doing.

There's a second aspect I would like to highlight. Of course, being a lawyer, I like clear definitions, but the notion of evolving concepts such as “best interest of the child” is important as well in laws, as opposed to very clear-cut concepts such as express consent, where essentially we would need to have express consent every time, regardless of whether the person is a teenager or under 13 years old.

I think this is what we are seeing across the world, because many Parliaments understand that we are living in a world that is constantly evolving and that we need future-proof concepts, and the “best interest of the child” is not moot. It's a good concept. At least that's my personal opinion.

Thank you for the question.

There are two key forces at play here. The first force is that any time you regulate companies and start-ups, especially small businesses, they're going to require lawyers in order to do business. That's going to slow down what they're able to do. That's on the one side. On the other side, if there is no legislation in place, then potential customers of those companies aren't going to trust the companies. Even though the need to get legal advice—apologies to the lawyers in the room—is a real barrier for small businesses and start-ups, you do need legislation so that people can trust the companies they interact with.

In my view, this bill balances those two very well, with some minor exceptions that I've mentioned. It protects against the most severe privacy harms, so that we'll have more trust in what organizations do with data. That will, in turn.... On the set of regulations as described, yes, it is a bill that runs dozens and dozens of pages—you'll need expertise—but it is not so onerous that I would expect that the small businesses and start-ups that have a big opportunity with AI will have to shut it down.

In my view, on balance, this will position Canada well going forward for our ability to commercialize AI.

We have plenty of evidence that the GDPR, when and where enforced, reduced innovation, hurt the European software industry relative to the American software industry, and helped the largest companies, particularly in advertising technology, do better and better. There were real costs to the protection of privacy that happened through the GDPR.

When I look at how this bill was drafted, I think that in protecting privacy and thinking about and addressing the potential harms of AI, to me it's clear that it was drafted with an eye towards the need for start-ups and small businesses to compete on a level playing field with the largest companies. In my view, this bill is more innovation-friendly, particularly for small businesses and start-ups, compared to the GDPR.

Yes. The word “contextual” is important here, as well, because that's kind of how we want to look at anonymization. We want to look at where we are using this information.

When Statistics Canada produces statistics or data that they make publicly available, the risks are very high because it's on the Internet. Anyone can access it. They also take data and put it in a research data centre. It's disconnected from the Internet. You have controls according to who has access to the data, how they can use the data and what they can come in or out of the environment with. The risks are much lower, so it's contextual in that sense.

The idea of a reasonableness standard is bringing that contextual piece to it. When we look at international standards, for example, they're primarily very scientifically driven by risks, and risks are never zero. Therefore, by looking at it in this contextual way, we can manage the threats and use other tools besides just aggregating and creating means, as was mentioned earlier. We can do things that are a little more sophisticated, and we can have strong environments that control that information.

The technology we use, the sophistication of it, is compliant in the sense that we look at the best practices that exist. We look at international standards. We look at guidance that is being produced, and we ensure that the anonymization we do meets those standards.

We have guidance in Ontario, for example. We have the law itself, for example, in Quebec. We have a variety of jurisprudence, which is not in my area, of course. We look at the best practices in terms of technology. We monitor the literature and the landscape of what's happening, and we modify accordingly.

At the moment, conceptually, Bill C‑27 is quite compatible with Bill 25. I would even say that, in many respects, Bill 25 is stricter than Bill C‑27. I'll go further than that: Bill 25 is one of the strictest laws in the world. That has to be recognized.

In my practice, I work with international clients, whether they are based in the United States, Europe or Latin America, and today, they look at Bill 25 and say that it's really one of the most complicated laws to implement and that it's difficult to comply with it. That's not a good thing.

My position today, quite frankly, is that the two pieces of legislation are compatible. However, I think there are lessons to be learned from Bill 25. I took the liberty of quoting the European Union's General Data Protection Regulation, the GDPR, and I think that's a very interesting model for Bill C‑27 to look at. That's really my position.

There are some very good things in Bill C‑27. It should be noted that, from a legislative standpoint, it makes a very different change. Bill 25 amended existing legislation by patching things up a little. We tried to add an act dating back to 1994. The beauty of Bill C‑27 is that it's unified. There really is a collective understanding.

So my comment on this is to say that looking at Bill 25 as a yardstick may not be the best approach, in my humble opinion.

There's a fairly fundamental difference. As you know, when it comes to privacy, the notion of consent is central. It's all about consent. We're talking about either express consent implicitly or an exception to consent. That's how Bill C‑27, the current federal act and the Quebec act are built.

Currently, Quebec's approach is very different from the rest of Canada. In fact, it decided to enshrine in law that, when it comes to the collection of personal information, consent isn't always required, provided that the reasons for collecting, using or communicating personal information are disclosed. This was recently confirmed in the guidelines of the Commission d'accès à l'information du Québec.

What does that mean in concrete terms? It's very theoretical, but it's not that theoretical. When you visit a website, you are “attacked” by various methods of consent. That's what we want to impose on children. As adults, our ability to concentrate is very limited. Personally, I have a full-time interest in this, and I don't read everything.

Quebec has decided to take a different approach: we don't force people to give express consent, to click, we just give them the information, and then they can continue with the process. This aspect of transparency is unique to Quebec.

At the moment, the federal legislation, as drafted, seems to indicate that a positive gesture should always be made in certain cases. I think that's a pretty significant difference. Again, not a bad thing. In fact, we're a different approach to the problem. We're providing a little more transparency, a little more control, instead of forcing people to consent in an almost fictitious way.

I'd first like to mention that our federal legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA, is a quality piece of legislation. I wouldn't say that there's an urgent need to act, but that's a very personal opinion. There are fairly broad concepts in PIPEDA that already allow companies to do very good things. We aren't in a vacuum at the moment.

That said, Bill C‑27 is very ambitious. I'm talking about the part that deals with the protection of personal information. We shouldn't underestimate the time it will take to adjust the processes. Let's not forget that companies had to grapple with Quebec's Bill 25 a few months ago and complied with it last September. It was a real in-house effort.

I think there's an interest in avoiding a duplication of resources, at the risk of creating a kind of fatigue on the part of companies with regard to requirements. Businesses will no longer understand the message being sent to them. I think it's important to keep in mind the significant transition period.

I don't think there's an urgent need to act, but that's my very personal opinion.

In terms of aligning with the European Union, I must say that it will require an analysis that may take years. Japan recently received a suitability decision and is considered a good country for the transfer of personal information. This is the result of years of work by the European Commission.

I think Bill C‑27 is a very good bill in terms of complying with European standards, in this case the European Union's General Data Protection Regulation. There are a lot of “Canadianized” concepts, if I may say so. It's worded a little differently, particularly when it comes to sensitive data. I still think that Bill C‑27 is a good bill in that regard, apart from certain aspects on anonymization and the legal basis for handling personal information, as I mentioned.

I'd have to think about that for a minute, so perhaps one of my colleagues can start.

I'm going to be very blunt. I'm not equipped to respond to your question.

It's an interesting question. Are we talking about the executive order on artificial intelligence?

It's okay. I just wanted to check. There may be another one. You never know.

It's interesting. There's a lot of activity. There's a lot of work in the U.S. The National Institute of Standards and Technology, for example, has put together really good work on AI risk frameworks and how to manage it. We've heard a lot of good things in the executive order, so from a technology perspective I think it's exciting to see the talk of safe, trustworthy and responsible AI. Regardless of the procedure—I can't really speak to that—it's exciting to at least see there's a big push.

Canada is known for privacy by design, for example, so we have an opportunity as well to take the lead and to do things in AI. As was mentioned earlier, we have researchers who have done tremendous work, really, bringing this forward. Regardless of the procedure of how it was done, I do think it's interesting that they're pushing it so much.

A general thought would be that I don't see it as a particular problem, because that's what we see. Having seen many laws across the world, it's never unified. I think this is something impossible. Even in Canada, we have the private sector laws in B.C., Alberta and Quebec, and the federal statute at the moment. They are not unified; they are different.

What is important is interoperability. It's the ability to talk between the laws. I think that is something we should be seeking, as opposed to having exactly a carbon copy, potentially, of what is being done in the U.S. The same would apply to Europe. I think it's just looking at what they are doing and making sure our concepts are flexible enough to essentially talk with the potential legal regime that is being adopted in the U.S.

Do you mean the 15 recommendations?

If I can opine on one aspect, there are some interesting ideas. I think there's a will to add an accountability obligation for companies. I think that's something that is being proposed. I have some caveats in this regard, having seen what is happening in Quebec at the moment, especially for small and medium-sized companies, which are really struggling to have accountability documentation for everything.

It could be a good idea, to the extent that there are thresholds. I think that is the key aspect in these kinds of laws, having the notion and the principle but not forgetting the exception and the thresholds. That is my top potential concern with that recommendation.

Just to add to that, I think it's important to recognize there are trade-offs here. As we make the privacy rules in this legislation stricter, in many cases we're going to get less innovation, particularly from start-ups and small businesses. The big ones will be fine, but the start-ups and the small businesses will have a harder time as it gets more difficult for them to collect and organize data.

To the extent that those recommendations are accepted, keeping an eye on the situation and making sure we don't overburden those small businesses and those start-ups is important.

To quickly respond to Mr. Masse's question about the executive order, I would note that insofar as you're able to put things into secondary or delegated legislation, you would provide an opportunity for some type of harmonization. However, it's a tricky question of balancing what should be in primary legislation versus secondary legislation.

Thanks.

That's a really good question.

I generally support the new exceptions to consent in Bill C-27 , which are similar—slightly different—to the GDPR. I agree that the application of the legitimate interest exception, whether as a stand-alone right or as an exception to applied consent, will help a contextual analysis and will help nurture innovation and allow for a difference between...how organizations look at their programs and at accountability and transparency.

Again, that's something I'm not entirely qualified to comment on right now.

I want to start by saying something. It sounds like a paradox, but I believe it is true. More prescriptive requirements will not necessarily lead to more protection of personal information. I think it needs to be heard. It's not that because we are adding a lot of burden on organizations, it's going to be better for the public. I want to start with this statement.

That said, I will give you an example. When we hear the words “legitimate interest”, the perception may be just to say, “Well, it's a free pass. You do whatever you want. There's no consent, so you do whatever you want.” The fact is that in the GDPR, there is always documentation.

To your second question, about small and medium-sized companies, I don't think it makes sense to have different obligations based on the number of employees. What matters is the sensitivity of the information and the volume of the data. This should be, from that perspective, the trigger to essentially say that they need to have more documentation in place to explain what they are doing. These should be the triggers. This is my humble opinion.

Again, I don't think we should be afraid of using some terms. Also, “exception” doesn't mean that there's nothing in place. As a matter of fact, at the back end, what I'm seeing is that there's a lot of documentation in this regard.

No.

It would be to the extent that we are adding sufficient triggers based on the types of information.

These questions were raised as part of law 25. Clearly, the question was, what do we do with a company that...? Let's say a convenience store in La Tuque has some personal information. What do we do with this? The fact is that the convenience store in La Tuque potentially will have non-sensitive personal information. As such, it should not potentially need to have a privacy officer. That makes sense.

However, let's say we have a growing company with 20 people building a very interesting AI model with biometric data or health information. Then I think it would make sense to potentially have some obligation.

Again, this needs to be proportional. I want to give my opinion. I don't think that the number of employees makes sense. Even the revenue is not a good threshold, from my perspective.

Creating thresholds based on the number of employees creates incentives for businesses to stay small. While there is a desire to have these additional burdens on businesses, we have to recognize that there is a trade-off if doing so depends on the number of employees, because what you're telling businesses is that you don't want them to grow.

I am very supportive of all the comments that have been made. We had this debate when I was at the OPC. We did a public consultation, and the question came up about an AI start-up processing terabytes of data. It's not about the size; it's about the amount of data and the kind of data.

To your earlier question as well, I'll just add to some of the comments I made earlier about consent exceptions. I think there is an opportunity to align more closely with the GDPR in the sense of making it available to a broader range of organizations—small, large, etc.

When we're dealing with health data, for example—and I've seen this while working across Canada—we have some small, vulnerable population groups, and they can't anonymize that information with such a small population, so how do we bring that data together? How do we bring health care data together? It's partly through some of these current provisions where there is de-identification. We take out the person's name and we put in a pseudonym, but we still link and then produce really interesting, important statistics.

That's the one thing I wanted to bring forward.

The point about record-keeping obligations is interesting. To my knowledge, the only olive branch the GDPR hands small and medium-sized enterprises is indeed concerning their record-keeping obligations.

I would note that in the case of a children's code, which Ms. Gordon and I have spoken about, that can actually be very useful for helping businesses, because it provides them, in a way, with a starter manual for thinking through how they should design their products and services that are directed to children. You can raise protections while also being clear and helping businesses in terms of compliance.

Absolutely.

In my speaking notes, I have a footnote, so I'll just read that: “the use of a genetic algorithm, a neural network, machine learning or another AI technique in order to generate content or make decisions”.

The current definition is about any prediction model—and an average or a regression is a prediction model. The definition of an AI technique will evolve over time. What the use of “another AI technique” does is allow for the flexibility of technology to change over time, but it doesn't start regulating statistical technologies that have been around for centuries.

My starting point is that I think this legislation already is at a good starting point. Where we are right now is good. My concern about the trade-offs would be if we're adding additional things.

That said, there are two pieces that I think are particularly important. The first one is some recognition by the commissioner of the burden on small and start-up businesses. Especially, right now, the cost is borne by the person audited, even if the commissioner finds nothing. That strikes me as very risky. If we have a commissioner who decides, for whatever reason, that a particular company, especially a small company or a start-up, deserves an audit and they go through that process, for the start-ups that work with the Creative Destruction Lab, that may very well kill the company. Some reasonable expenses, in my view, should be covered by the commissioner or by the government when the audit shows no evidence of a contradiction of proposed sections 6 to 12.

Yes. I think there are two sub-aspects from my perspective.

The first aspect is the transition period. I think we should not undermine the fact that, even though there are already processes in place with PIPEDA and potentially with law 25, it does take time to have something that is meaningful.

I'm a lawyer, so I wish I could tell you that it's only a question of the papering aspect and just giving some policies and moving on. The fact is that privacy is much more than only legal professionals. I think there's an understanding internally in any organization to understand what is going on in terms of data flows and what we do to protect the information we have.

That's the reason why I tend to think that 36 months is the bare minimum. As a matter of fact, when we look around the world, that's what we are seeing. We saw with law 25 that 24 months was not sufficient. At the moment, companies are struggling very much to comply even with law 25, most of which came into force.

On the second aspect of your question, regarding what we can change, I will give you a simple example. If we go to proposed section 8 of the CPPA, it says, “An organization must designate one or more individuals to be responsible for matters related to its obligations under this Act.” I'll go back to my example of the convenience store in La Tuque. They have very little personal information. Their first question when they come to me would be, “Whom do I appoint? Who is my privacy officer?”

I think this is where it is problematic. It's not based on the size of the company; it's more a question of the volume and sensitivity of the information, the good news being that this threshold is present in Bill C-27 in some disposition. In particular, when I look at the privacy management program in proposed section 9, there is a caveat: depending on the “volume and sensitivity” of the information. I think the key aspect would be just to look at those absolute requirements and say, do we have a threshold based on the volume and sensitivity of the information? I think this could be a good exercise in the full version of the CPPA at least.

Sure. We've even seen it in other jurisdictions. Basically, the best example is probably the one of small populations. When you want to bring data together and produce.... Basically, what is anonymization? It's producing statistics. We've heard means, aggregates, averages and stuff. That's essentially what we want to do when we talk about anonymization.

If we make the threshold such that it's a zero risk, and if I have 100 people.... If I take the average age of everyone in this room, you will say, “Well, it's not anonymized enough”, but who is going to be able to identify me from the average age in this room? That's the risk. You're going so far and you're saying, “Well, 100 people are not enough. We have to go to 1,000.” Suddenly, you cannot generate the statistics that we currently generate for things like.... In our submission, we included opioids and mental health. These are examples where it would be very hard to create the granular data to see trends over time in different age groups and in different provinces.

From my read of the bill right now, it is not addressing AI and copyright.

I think there are important trade-offs to recognize in thinking through this. On the one hand, it's very important that artists and other people who create work get compensated for it. It is also important that we recognize that there has to be some aspect of their use.... When we, ourselves, read a document and then write something two or three years later, that document might somehow be in the back of our mind as we're drafting it up. We might cite that original person, or we may not, but we don't owe that person funds for copyright.

The first response is that, from my understanding, this bill does not address that. There are reasons to think that clarity will be good. Wherever we land, with a lack of clarity, it is going to be difficult for businesses to build AI systems, and it's going to be difficult for copyright owners to get compensated for their work. Clarity is good. As I understand it, it's not in this bill.

Second, I think it's important to recognize that some of the ways in which copyrighted work is input as data into the AI systems are very clearly related to the value of the copyright. If you ask it to write a song in the style of The Tragically Hip, it will. That's the style of The Tragically Hip, and that seems related to The Tragically Hip copyright. In contrast, if you ask it to create something that rhymes and somehow, in the dataset, there is some copyrighted work that rhymes, thinking through how every single copyright owner who's written something that rhymes should be compensated will be quite a nightmare.

I was at a recent poetry reading, of all things, at an AI conference. The poet used AI to develop her poetry, and it was amazing and fascinating and a pleasure to listen to. That's creativity enabled by AI. That poet got to copyright her work. The other poems that were inputs into the overall database at that point did not get to benefit from their copyright.

The reason I tell that story is to recognize that for cultural creativity, going forward, there are reasons to want a very open use of these AI systems. There's incredible creativity coming out of these AI systems—not the [Inaudible—Editor], to be clear. One of the things I love about the bill itself is that it's so clear that humans make decisions and not machines, so the creativity is human creativity enabled by AI systems.

In the process, though, we need to make sure that when copyright is violated in a particular way—for example, it's clear that you were trying to mimic a particular artist's style—it gets protected.

Other witnesses who testified here have said they should be included in the legislation. I agree with them and agree with their reasoning.

Yes. I would agree as well.

My only problem is—and maybe I'm a bit too dry—that the title of the law itself is “consumer privacy protection act”. The notion of “consumer” is misleading at this stage. I think it's something to emphasize, even though I don't disagree with the principle of potentially having federal political parties be subject to the law.

I know that Colin Bennett, among others who appeared before this committee, also raised this point. In light of big data political campaigning, I think it's very difficult to sustain a justification for why political parties should not be subject to data protection laws. I would certainly encourage their inclusion.

If there are specific concerns, a balancing can take place, in the way that data protection laws frequently balance with journalistic purposes and these sorts of things. If there are very specific concerns about campaigning and the political process and how data protection law can affect that, I think that should be considered in a very specific manner, but certainly as a big-picture item, I think political parties should indeed be subject to data protection law.

If I may, I'll answer in three parts.

First, there is Bill C‑27 in and of itself. I grant you, in my humble opinion, that part 3 and parts 1 and 2 are probably unrelated. That's a real problem. I won't hide the fact that, when I talk about the aspect of Bill C‑27 that I like—it's always like that in a relationship, we like or we like less—I'm talking about parts 1 and 2, to be quite honest with you. That's the first thing. I think part 1 is a very good start. There are gaps. As I told you, it's not perfect in terms of compensation and the flexibility of consent, among other things. However, in my opinion, the bill is a very good foundation.

Second—and I go back to my earlier comment—I think there's a common sense rule with respect to this piece of legislation. It's just a matter of looking at the obligations in a very cold way. We have to ask ourselves some questions. I would like to come back to the example of the famous La Tuque convenience store, which, by the way, is being well advertised. I don't know if there are two, though. In any case, if I were the owner of this famous convenience store and I saw this text, I would wonder if it would help me in how I operate. Is this piece of legislation really going to change the way I do things? That is the objective. We really have to show businesses that we don't want to create problems for them for the sake of creating problems for them. We have to tell them that we want to help them focus their attention on the right things.

I gave you the example of the privacy officer. I don't personally believe that our convenience store needs a privacy officer. I think it's that kind of analysis that could really help small and medium-sized businesses. We have to put ourselves in their shoes and ask ourselves whether, based on what we see, based on non-sensitive data…. Again, I think this is an important element, because small and medium-sized businesses have a voice that is heard, obviously, but it will depend on the data. Data is really the key. However, I think you have to look at some of those things, and obviously that has been taken into account in some provisions and not in others.

Perhaps we need to make an effort to be consistent and to ensure that this aspect is truly taken into account. That could help, I think.

I don't agree with that statement, quite frankly.

I think you have to look at the nature of the organization. The Office of the Privacy Commissioner was created as an ombudsman would have been, and that's its role. The Privacy Tribunal would have a different, purely jurisdictional role. I think that's an interesting approach.

I'd like to look at what's being done in Quebec. You might be interested in that. We have the Commission d'accès à l'information du Québec, which wears two hats. It has general oversight over everything to do with complaints, recordings, and so on. It has a jurisdictional section, where administrative judges render decisions.

I find that an element of complexity. I think it's good to have two distinct entities. That's my own point of view. I don't think that's a bad idea per se.

Just on the topic of the tribunal, I do support that idea. I think the current role of the Privacy Commissioner.... That office has done an incredible job, but it wears many hats. The commissioner wears the hat of an advocate and of an educator and does investigations, but what's always been said about that role is that it has no teeth, that whoever is in charge doesn't have teeth to implement fines and issue fines. By having the separate role of the tribunal, that will allow for a more robust legislative process and allow the hats of the commissioner to be separate.

No, not really.

There are a couple of things.

I think the first aspect is that the idea of asking the organization to explain what they are doing on the privacy side is very similar to the GDPR, to what we are seeing at the moment. I think it's positive in itself.

The second aspect is that there are some interesting legal bases and ways of making legal the processing of personal information, and I will give the example of legitimate business exemptions. Unfortunately, I want to say that they don't go as far as the GDPR does, and I think this is something that should be considered, at the very least.

The third aspect—and I think it's important—is that the CPPA places privacy as a cornerstone for society, very similarly to the GDPR. I want to be clear that the GDPR has been a shock in Europe in itself. Everyone knew about it. It was an earthquake. I tend to think that the CPPA in its current version, with some improvements, could have the same effect, potentially pushing the organizations to do even more on the privacy side, relying on what they've been doing.

I think those are the elements that are common between the two regimes.

The first months were rough. Let's be honest. I think that everyone was just trying to adjust. We have to keep in mind that it was in May 2018, so it was the first big change in the world. Just to be clear, it's been the same across the world. Brazil recently adopted its own privacy laws, Singapore.... It really was the beginning. Let's put it that way.

Then, eventually, I think the regulators, in consultation with the organizations, were able to make sure that the organizations understood what was expected from them. I think that at this stage, there's a big aspect of expectation, because the companies want to do well. That's what I see in my practice. They want to comply. No one wants to say, “Well, you know what? We don't want to comply.” The problem is always in being clear regarding the requirements and being reasonable as well.

On the GDPR, at the moment in North America we are using the GDPR as a gold standard in transactions between U.S. and Canada. We are using language from the GDPR. Clearly, it shows that it's been a success for Europe, if we are being honest. That's my position.

Yes. I know that you've been discussing this notion of legitimate interest. When we hear “legitimate interest”, it sounds like a free pass to do whatever we want, but I want to emphasize that if you look carefully at the CPPA, there is always an aspect of assessment, of explaining why we can actually rely on legitimate interest.

The fact that we are limiting.... For instance, for influencing the decision, we don't want to use legitimate interest. That's what we have at the moment in the law. I think it's a mistake, because the influence could be bad or it could be good. I will give you an example. For instance, my children are online on social media. They can see targeted advertising, contextual, without any context, regarding alcohol or something I don't necessarily like as a parent. I'd prefer for them just to have specific tailor-made advertising for children. That's what I'd prefer. I think legitimate interest could be used.

I think this is the perfect segue between legitimate interest and children. I think those are topics that you've been discussing a lot lately, as I understand. I think potentially legitimate interest is not evil. I think it's a question of documentation. I'm going to give you the word that we use in Europe: legitimate interest comes with LIA, legitimate interest assessment. This is a document, a report, explaining why and how you are relying on these legal pieces. I think the same could be done here.

I'm going to emphasize the obvious. I'm here in my personal capacity, to start.

The second aspect is that what you are showing at the moment is the limits of consent. That's what it is. It's essentially showing a big chunk of text and expecting the individual to consent. That's the reason exemptions to consent are interesting, because you will actually focus on the important moment of a data flow. Essentially, if you want an express consent on biometric data, then you're going to ask for consent.

Those kinds of things potentially could have been, in my personal view, captured by the notion of legitimate interest. If the regulator, the OPC, has any questions, then it can knock on the door and ask, “Why are you doing this? Show us the assessment.”

That's the reason why consent, to me, is not necessarily the solution. It's not bad. I think, globally, there's a consensus. Everyone understands consent. We like the notion. I think it sounds good. At the same time, it has limits. If we want meaningful consent, then we should focus on express consent in limited situations. Otherwise, we will spend our time consenting and not meaningfully consenting. I think this is my—

That's not necessarily the case, because the balance is always in thinking about the rights and interests of the individual. It's not something that you do in a vacuum. These are analyses of proportionality and of necessity. It's a long assessment. It's not a two-pager. I think it's not only that.

I'll be a little careful. I'm not a lawyer. I'm an economist. In my view, as an economist reading this, the harms of data flows are well protected, while at the same time, businesses and other organizations are going to be able to use data in ways that allow them to deliver better products and services to individuals—with the caveat of recognizing that I'm reading it with the eyes of an economist and not a legal scholar.

Would you mind repeating the question?

Again, in my view, given my expertise as an economist, the explicit recognition of trade-offs is positive, and together with the explicit sentence that this is what somebody would expect if they were interacting with this company, it suggests a careful weighing of the trade-offs between the benefits of data flow and the benefits of privacy.

Maybe I can give you a very simple example regarding cookies. We've all heard about cookies on websites, and 10 years ago cookies were very new, something that people didn't understand. Now, 10 years later—or more like 15 to 20 years later, actually—I think this is something that is well known by reasonable persons. Just to be clear, the fact that it's evolving is not bad. I think our laws are built on a notion like this, that essentially we are making things evolve.

What I see in proposed section 18, to be frank, is the assessment. The assessment makes me feel more comfortable in being able to say that this is rational and it's been explained. It's been detailed, and it's not just somebody saying, “You know what? I think I have a legitimate interest.”

Again, I understand that those are valid concerns. I hear you, but at the same time the world is changing fast. I think we can do tremendous work, and I think Bill C-27 is full of potential, but we need to accept as well that technology is going so fast that those kinds of concepts need to be embedded in the law.

That's my position.

Thank you.

Mr. Perkins, I think any data protection laws are going to necessarily involve a weighing exercise. This is something that Mr. Goldfarb picked up on too. It's about weighing different interests.

I think that a lot of work could be done in proposed paragraph 18(4)(c) in terms of the prescribed requirements as part of the conditions of precedent, if there are specific concerns there. That's something that maybe the committee can think through quite carefully in terms of fixing specific things or addressing particular concerns regarding vulnerabilities of different users. I would also note that vulnerability is indeed a concept that appears throughout the GDPR, in particular its recitals.

I mean that the concerns could be dealt with in terms of prescribed requirements issued by the minister instead of having them solidified into the legislation itself. I think it's unreasonable to say that absolutely no data used should possibly engender any sort of harm to any specific user. That would be treating privacy as an absolute. That, to me, as someone who consistently advocates for robust privacy protections, seems unreasonable.

I would say that the bill specifically gives the Privacy Commissioner the ability to issue administrative monetary penalties, which is a very welcome addition.

The one thing that strikes me, which I would like to highlight, is the fact that at the moment the OPC cannot issue an AMP for breaches of proposed section 12. I think this is quite an important section, since the purposes of data processing are the pillar for determining what is or is not a legitimate use of data. Therefore, I would recommend including proposed section 12 as a kind of enforceable ground for the OPC.

I'm sorry, but what is the particular question?

I will be careful, a little bit, about my expertise in terms of the operations of it. That is not what I know well, but in my view, the bill is clear about what it gives the commissioner. If anything, I came in thinking that the commissioner is getting a lot of power out of this bill to potentially interfere with how small businesses and start-ups operate. I do think that, if anything, it does get the balance right.

My view is that, in many ways, the most important thing about a policy—and, to some extent, a privacy policy—is to ensure that we protect competition.

At the same time, I don't know what an amendment to this act would look like in terms of protecting competition for the next generation of technology. A vigorous antitrust enforcement by the Competition Bureau and the continued vigilance on how large tech companies and others are potentially using their existing dominance in some markets to connect to and take advantage of new markets is worth protecting.

I'm not sure that belongs in Bill C-27, in the sense that things like ensuring interoperability between existing systems and new technologies are very valuable.

When we think about technology and technological change, information technology is capital, so the owners of that capital have done better and better. This whole literature on the decreasing labour share and the increasing capital share of the economy is partly related to the ability to scale through information technology.

The impact of these particular data-driven technologies on market power is more subtle. The reason is that, in a Stats 101 sense—and I don't know if and when you took statistics—there are decreasing returns to scale and data in a formal technical sense. It's like this: If you have 10 people and you get an eleventh, you learn a lot; if you have a million people and you get one more, you don't learn that much. In an explicit technical sense, there are no economies of scale in data.

On data-driven and machine-learning technologies, there are reasons not to expect monopolization. There are, importantly, other forces going in the other direction, and those are the things that we should keep an eye on and regulate. The forces going in the other direction are things like.... The ability to use data requires certain other technologies or can benefit from certain other markets where there is dominance. The ability to use data, and use it well, requires computing, so if the cloud services market is monopolized or has strong market power, that's going to impede innovation and be a real competition worry. Also, if media, in some ways, are monopolized, and therefore the ability to understand users as they interact with media becomes monopolized, that's another way that could [Technical difficulty—Editor] in terms of competition.

In my view, those are related, but only tangentially related, to most of the content of Bill C-27.