Industry Committee on Nov. 23rd, 2023

I'm going to be very blunt. I'm not equipped to respond to your question.

It's an interesting question. Are we talking about the executive order on artificial intelligence?

It's okay. I just wanted to check. There may be another one. You never know.

It's interesting. There's a lot of activity. There's a lot of work in the U.S. The National Institute of Standards and Technology, for example, has put together really good work on AI risk frameworks and how to manage it. We've heard a lot of good things in the executive order, so from a technology perspective I think it's exciting to see the talk of safe, trustworthy and responsible AI. Regardless of the procedure—I can't really speak to that—it's exciting to at least see there's a big push.

Canada is known for privacy by design, for example, so we have an opportunity as well to take the lead and to do things in AI. As was mentioned earlier, we have researchers who have done tremendous work, really, bringing this forward. Regardless of the procedure of how it was done, I do think it's interesting that they're pushing it so much.

A general thought would be that I don't see it as a particular problem, because that's what we see. Having seen many laws across the world, it's never unified. I think this is something impossible. Even in Canada, we have the private sector laws in B.C., Alberta and Quebec, and the federal statute at the moment. They are not unified; they are different.

What is important is interoperability. It's the ability to talk between the laws. I think that is something we should be seeking, as opposed to having exactly a carbon copy, potentially, of what is being done in the U.S. The same would apply to Europe. I think it's just looking at what they are doing and making sure our concepts are flexible enough to essentially talk with the potential legal regime that is being adopted in the U.S.

Do you mean the 15 recommendations?

If I can opine on one aspect, there are some interesting ideas. I think there's a will to add an accountability obligation for companies. I think that's something that is being proposed. I have some caveats in this regard, having seen what is happening in Quebec at the moment, especially for small and medium-sized companies, which are really struggling to have accountability documentation for everything.

It could be a good idea, to the extent that there are thresholds. I think that is the key aspect in these kinds of laws, having the notion and the principle but not forgetting the exception and the thresholds. That is my top potential concern with that recommendation.

Just to add to that, I think it's important to recognize there are trade-offs here. As we make the privacy rules in this legislation stricter, in many cases we're going to get less innovation, particularly from start-ups and small businesses. The big ones will be fine, but the start-ups and the small businesses will have a harder time as it gets more difficult for them to collect and organize data.

To the extent that those recommendations are accepted, keeping an eye on the situation and making sure we don't overburden those small businesses and those start-ups is important.

To quickly respond to Mr. Masse's question about the executive order, I would note that insofar as you're able to put things into secondary or delegated legislation, you would provide an opportunity for some type of harmonization. However, it's a tricky question of balancing what should be in primary legislation versus secondary legislation.

Thanks.

Again, that's something I'm not entirely qualified to comment on right now.

I want to start by saying something. It sounds like a paradox, but I believe it is true. More prescriptive requirements will not necessarily lead to more protection of personal information. I think it needs to be heard. It's not that because we are adding a lot of burden on organizations, it's going to be better for the public. I want to start with this statement.

That said, I will give you an example. When we hear the words “legitimate interest”, the perception may be just to say, “Well, it's a free pass. You do whatever you want. There's no consent, so you do whatever you want.” The fact is that in the GDPR, there is always documentation.

To your second question, about small and medium-sized companies, I don't think it makes sense to have different obligations based on the number of employees. What matters is the sensitivity of the information and the volume of the data. This should be, from that perspective, the trigger to essentially say that they need to have more documentation in place to explain what they are doing. These should be the triggers. This is my humble opinion.

Again, I don't think we should be afraid of using some terms. Also, “exception” doesn't mean that there's nothing in place. As a matter of fact, at the back end, what I'm seeing is that there's a lot of documentation in this regard.

No.