
INDU Committee Meeting


Standing Committee on Industry and Technology


NUMBER 118 | 1st SESSION | 44th PARLIAMENT

EVIDENCE

Monday, April 15, 2024

[Recorded by Electronic Apparatus]

(1105)

[Translation]

    I call this meeting to order.
    Welcome to meeting number 118 of the House of Commons Standing Committee on Industry and Technology.
    Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. In addition, pursuant to the order of reference of Monday, April 24, 2023, the committee is resuming consideration of Bill C‑27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other acts.
    Today we are continuing clause‑by‑clause consideration of the bill.
    I'd like to welcome back the representatives from the Department of Industry and thank them for joining us again.
    We have Mark Schaan, senior assistant deputy minister, strategy and innovation policy sector; Samir Chhabra, director general, marketplace framework policy branch; and Runa Angus, senior director, strategy and innovation policy sector.
    Colleagues, as you will recall, we were at amendment NDP‑2, which relates to clause 2.
    (Clause 2)

[English]

     Monsieur Williams, you had the floor when we were debating NDP-2. I'll give it back to you as we resume the clause-by-clause on Bill C-27.
     Thank you, Mr. Chair.
    It's nice to see the witnesses again. I'm sure we'll see you a few more times before summertime.
    When we were debating this last week, we left off with talking about the definition of “anonymize”. Amendment NDP-2 was to take out the words “in accordance with generally accepted best practices” in that definition. We are in agreement with that.
     The main reason for that is that we need these definitions to be clear and concise. As it stands right now, organizations can anonymize personal information using commonly accepted best practices. However, the draft lacks clarity on these practices and what constitutes generally accepted best practices. The ambiguity allows for the potential reliance on anonymization techniques recommended by specific experts, which may not be adequate for a particular dataset.
    We want to talk to you on a couple of these points. This isn't very clear, and we believe that it has to be very clear. When we look at how this act is going to be enforced, it is by the Privacy Commissioner. The Privacy Commissioner has stated that he needs this definition to be clear and concise.
    With a lack of consistency in anonymization methods across different organizations and without clear guidelines on what constitutes generally accepted best practices, there's a risk of inconsistency in the level of data protection and a potential for the undermining of privacy standards.
    We have a few examples of where that has happened, and that's why we're looking at this. I think the bigger point, looking across the board, is that in what we've heard from witnesses there's been a difference between anonymization and de-identification. The problem I had and the problem we've had when we've talked to witnesses about de-identification was that in the definition it said that a risk of identification of the individual still remained. That's a major issue when we're talking about what we're trying to achieve here.
    In terms of privacy, individuals should have the right to have their private information not just de-identified, knowing that there's a risk of that information being reidentified, but to have their information completely anonymized or able to be protected under this privacy act.
    I want to give two examples of how this has happened in the past. All of us recognize that we have had our information breached, our privacy breached, on many different occasions. I get emails on certain apps and sometimes even my bank or Netflix will send an email that says, “Your information has been compromised. Please change your password.” This happens all the time.
    I'm going to give two examples, one American and one Canadian, of how this has happened and caused harm to consumers. In 2006 Netflix launched a competition known as “The Netflix Prize” offering a million-dollar prize to improve its recommendation algorithm by 10%. Netflix released a dataset containing movie ratings by anonymous users; however, researchers later demonstrated it was possible to reidentify individuals in the dataset using external information.
    In 2007, two individuals showed that, by combining the Netflix dataset with publicly available IMDb data, they could identify specific individuals and their movie preferences. This raised serious privacy concerns as it highlighted the risk of reidentification even when data is anonymized.
    In Canada, we had the 2011 Ontario Ministry of Health and Long-Term Care's data breach. In this incident, the personal health information of thousands of Ontario residents was compromised due to inadequate de-identification measures. The ministry had released health data to researchers for an analysis but failed to sufficiently anonymize the data, allowing individuals to be reidentified. As a result, sensitive information, such as medical conditions, treatments and hospital visits, became accessible to unauthorized parties. This breach raised serious privacy concerns and highlighted the importance of robust de-identification practices, especially when dealing with sensitive health data.
    The main point is we have to be clear and concise. We have to ensure that the Privacy Commissioner, who has raised concerns about this definition, does not see ambiguity whenever he's looking at this, but at the same time ensures that we have businesses that can't skirt the rules and be lenient with private data. I think that's the main point we're making.
    Mr. Schaan, I think I asked you some questions the last time we were here. I don't have the blues, so I can't see if I asked this already. I think I asked you about generally accepted best practices for anonymizing information. If I haven't, can you please answer that?

[Translation]

[English]

     One feature of generally accepted best practices is that they continue to evolve with the state of the technology. It's one of the reasons we believe it's an important consideration for inclusion within the act, so that it continues to ensure that it meets the state of the art.
    We have concerns that absent a commitment to generally accepted best practices, organizations would not have a North Star or a guide as to what they should be doing as it relates to the anonymization of information. There could be a plethora of approaches taken.
    Generally accepted best practices would vary, but I think you'd find within industry and within users a lot that they could turn to as it relates to that.
    That would be my primary response.
    At the end of the day, you're putting a definition in that is not defined in the act. Is that correct?
    We're putting a concept into the act that then tags along with the definition. The definition remains “anonymized” as it appears and then it has the concept of “generally accepted best practice” alongside it.
(1110)
    The biggest question is, who would be determining if the data was anonymized according to those generally accepted best practices? Is it the department, the Privacy Commissioner or is it a case of self-regulation?
    Mr. Chair, I would offer a couple of things.
    All of this is definitional, which means that it then relates to the powers and obligations that people would be scrutinized by as it relates to the enforcement of that act. The enforcement of the act is by the Office of the Privacy Commissioner.
    The determination as to whether someone had actually anonymized information for the purposes of meeting the test of generally acceptable best practices would be determined by the Privacy Commissioner should there be concerns about a violation of the CPPA.
    The conception of generally acceptable best practices, as I noted, appears within Quebec's law. It's also the approach that's consistent with what experts have called for.
    The Canadian Anonymization Network, or CANON, is a not-for-profit organization with representatives from public, private and health sectors in Canada. It includes the participation of experts in the field of de-identification and anonymization, including Statistics Canada. They stated that the inclusion of the phrase generally accepted best practices “will help future-proof the definition of 'anonymize', as it sets a statutory obligation for organizations to consider the evolving de-identification techniques and standards that would sufficiently protect personal information for their industry and context.”
    We've heard from some of those witnesses, but it was the Privacy Commissioner himself who noted that this was not something that he'd like to see in there, especially if there was not a clear and concise concept of who was setting those and what businesses knew what the best practices were.
    Do we have other countries that we've looked at? You've mentioned Quebec, but did you look at other countries that had generally accepted best practices in their legislation when it came to anonymization?
    The one I'm most familiar with is Quebec's law 25, which does make that.... I'm not sure of others.
    From what we've seen, there aren't many others and the CPPA does not have that in there.
    When it came to consultation for this, we had many witnesses here at the committee. You in the department met personally with quite a few witnesses.
    Is that correct?
    That's correct.
    Did you meet with all the witnesses that we had here at the committee?
    I'd have to review the witness list, but I would say that over the course of the years I've been within the department, it's probably likely that I've met with all the witnesses that you heard testimony from.
    Did you meet with any witnesses more than others? Were there any that requested more meetings with you on this and other topics?
    I'd have to review. I'd say that in general there's a strong representation from the academic sector and a strong representation from industry.
    Of that, we did note that you met with the Canadian Marketing Association—which has been a strong advocate for this kind of language being included in the bill—10 times.
    Are you aware that they're trying to keep general best practices in this definition?
    I know that it's one of the issues the CMA has raised in its submission to this committee.
    I know we've had some testimony, but because you've met with them 10 times...are they stating that it is going to hurt their business if they don't have this included?
    Were there any concerns that this definition of anonymization could be too strict for them?
     No. I think you will find the specifics within their submission as well as within their own testimony, but I think their view is—I don't want to paraphrase their view but as I understand it—they would like a standard by which they could know where to follow. They want to be able to ensure that there are standardized approaches, which is why they believe generally acceptable best practices, I think, is helpful.
    In terms of how that's going to be identified, accepted best practices, is the department going to have those best practices? If it was included, would there be a list somewhere that the public and businesses could find?
(1115)
    I think there are two considerations for that. One is there are industry standards that can be referenced and leveraged. There's a specific opportunity for that within the CPPA. Then there's the opportunity as well for the Office of the Privacy Commissioner to issue guidance.
    To my point, if the Privacy Commissioner is stating at the onset here that this provides no guidance, that it's going to be ambiguous, I'm wondering where it's supposed to live?
    Our fail-safe is to go to the Privacy Commissioner, because first and foremost the whole premise of this act—where we're coming from on this side—is that privacy needs to be a fundamental right and there should be no ambiguity. If some organizations want this wording in to provide more elbow room, that's not really what we're here for. We're here to protect Canadians' fundamental private rights.
    When we look at this bill I can't see any reason why so far—except for it being in Quebec's legislation—we're seeing it as a best practice anywhere else to include this language, except for the fact that some of these organizations like the Canadian Marketing Association are saying that it's not going to allow them to collect and be free with Canadians' private information.
    Mr. Chair, I will leave this here just so the rest of the committee can come in, but on our side we can't see why this amendment would be here.
    Thank you.

[Translation]

    Thank you, Mr. Williams.
    I now give the floor to Mr. Garon, who will be followed by Mr. Masse, Mr. Turnbull, Mr. Généreux and Mr. Perkins.
    Mr. Garon, go ahead.
    Thank you very much.
    I will continue in the same vein as my colleague Mr. Williams. Obviously, we are introducing the concept of best practices, a rapidly evolving concept. According to a University of Toronto professor who appeared before us, some practices that were considered effective three or four years ago are no longer considered effective.
    You are telling us that you are introducing a concept, not a definition, into the act. I get the impression that, at some point, if there is a lawsuit or if the rights of an individual or group are infringed, it will be up to the courts to interpret that concept. It introduces a lot of uncertainty.
    Why did the concept not work in the best interests of the child at the time? You know we've discussed this. It's a concept. Now we are being told that this leads to uncertainty, that there is no definition, that the courts will have to get involved, that it is terrible for companies.
    How is it that, with this concept here, all of a sudden it's okay and it doesn't introduce too much uncertainty? Is it because there is a kind of consensus and there is no uncertainty as to how companies will interpret this?
    I think the concept of best practices has an objective, since there is an objective in the definition and it's really about the inability to reidentify an individual. A method is associated with the concept of best practices—using the best practices from around the world to make it impossible to reidentify people.
    So it is not a concept without an objective. It's a method, a process for comparisons used for—
    Allow me to interrupt you. I'm talking about the concept of the best interests of the child because I think that, first and foremost, there was an objective there.
    What you are saying is not entirely accurate. I'm trying to understand why, in some cases, ambiguity and recourse to the courts are tolerated, but not in other cases.
    Is there, to your knowledge, a single technique that guarantees 100% the inability to identify individuals, without uncertainty or risk?
    It depends on the case. Sensitive information related to an individual's privacy is used in many contexts or sectors.
    I'm not familiar with the technological context related to the use of that information. So I can't really comment on whether or not it is possible for information to be identifiable. It also depends on the case because, as I said, technological capacity is evolving. It's the General Data Protection Regulation, GDPR, that—
    I'm sorry to interrupt.
    In this case, you are saying that there is a clear objective, namely that individuals cannot be reidentified.
(1120)
    Yes, that's right.
    Based on what I learned in my past professional life and what the experts have told us, there is no technique that completely ensures that a person cannot be reidentified. The fact is that there are a number of methods of reidentification that can be used together, including using the data in motion.
    What is the acceptable risk, and who determines that?
    In that context, who determines what methods are acceptable based on the level of risk deemed acceptable at a specific time?
    You have to understand that this is all evolving very quickly. I repeated the word “acceptable” several times, but you understand what I mean.
    Who determines that? Apart from the fact that the bill is proposed in good faith, there is not much.
    In the bill, there is a definition of the verbs “anonymize” and “depersonalize”. It is during the process of implementing this bill that the Privacy Commissioner determines whether an organization's practices really correspond to the definitions set out in the act.
    So the commissioner will keep a list of best practices to adopt.
    Is that correct?
    If it is presumed that there has been a breach of privacy, the commissioner consults technology experts to ensure that good practices have been used.
    Until the bill comes into force, there are industry standards, and perhaps also sector- or context-dependent guidelines.
    Internationally, there are also rules that govern data protection. For example, while the GDPR does not set out generally acceptable best practices, it does indicate that it is essential to use or consider available technology for anonymization. It's the same concept.
    Basically, you're saying that a person whose rights have been violated can file a complaint with the commissioner, who then looks into the situation. They verify whether the company used best practices, and then they give their opinion on that.
    Don't you think that if there were, for example, regulations that enabled the minister to determine in advance, following consultations, a certain number of best practices, we could avoid putting the burden on an individual to file a complaint with the commissioner?
    Once someone's rights have been violated, they can be compensated or the fact that their rights were violated can be acknowledged, but their digital identity is lost forever.
    That is why the bill promotes the establishment of standards and guidelines. It gives individuals an opportunity to consult useful sources. It also makes it possible to establish this list or to develop this concept.
    There are two aspects to using best practices. The first is standardization of business practices. It's important for the effectiveness and functioning of the economy and for citizens—
    I'm sorry to interrupt, but we must have this conversation.
    How do we standardize these practices, when the practice of anonymization, for example, can be part of trade secrets, of the ability to do things properly? It's a business advantage to be able to do things properly.
    How do we make sure that practices are consistent when there is no definition?
    It's the same with a lot of standards. You set a target, and then you set out the methods or the processes by which to achieve that target.
    Many organizations, such as the International Organization for Standardization, known as ISO, create these kinds of standards to confirm what the right methods and best practices are.
    That said, standards must eventually be reviewed because of the speed at which technology evolves. That's why the Canadian Anonymization Network brings together a lot of civil society and organizational stakeholders. That's good because the network can provide guidelines. In addition, it is always possible to improve this process by drawing on the standards set by other organizations.
(1125)
    I will conclude by putting my question directly to Mr. Masse.
    I don't have a problem with the amendment itself. However, I do not understand what you are trying to accomplish by removing the notion of best practices. I would like to better understand the purpose of this amendment.
    That works out well, Mr. Garon, as Mr. Masse is next on the list.
    Okay.
    Go ahead, Mr. Masse.

[English]

     Thank you, Mr. Chair.
    Thank you to my colleague for the question.
    First of all, I think there are a couple of things to clarify with the original discussion on this. It was interesting that some were attempting to use the Privacy Commissioner as a reason to get rid of this amendment, when this actual amendment comes from the Privacy Commissioner himself, on pages 14 and 15, and I can probably provide some clarity on both points that we're making here.
    First of all, in his submission to us, colleagues, this is under the definition of “de-identification and anonymization” in recommendation 7: “Strengthen the framework for de-identification and anonymized information.”
    What the Privacy Commissioner said is that “[t]he OPC supports the introduction of a new framework for de-identification and anonymization”. He says:
The framework has some positive elements, for example. It provides flexibility to organizations using de-identified information, and adds some needed clarity as to how and in what circumstances de-identified personal information can be used and disclosed.
    Right there, that's opening a door for businesses and their ability to use some measures.
     He continues:
That said, as currently drafted, it provides too little protection for de-identified and anonymized data.
    This is where we get into some specifics about the philosophy on this. On “best practices”, can you name who is going to actually make the best practices, Mr. Schaan?
    As I noted, Mr. Chair, there are a number of mechanisms by which—
    Not mechanisms: Who and what companies will make best practices?
    Mr. Chair, if I can complete my sentence, I would say that industrial standards organizations, which have a necessity to be tripartite in their formation, including the participation of academics and civil society, as well as industry, are often party to the making of industrial standards—
    Yet they're actually part of them, and that's the basic point we have here. You're either siding with the decision of people having de-identified and anonymized information being protected from themselves or having it industry led by Google and others and their associations, some of which actually have other funding and so forth.
    What's interesting is this issue with regard to the Quebec consistency. I think it's an important one and a distinction that the Privacy Commissioner has addressed. Also, it's been addressed by testimony from Diane Poitras, the former president of Quebec's commission on information. Specifically on Quebec legislation, the relevant provision in section 23 is this:
Where the purposes for which information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided...by an Act. For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows a person to be de-identified directly or indirectly. Information anonymized under this Act [can] be anonymized according to generally accepted best practices and [according to the] criteria and terms [determined] by regulation.
    Part of that in the testimony we received from the Privacy Commissioner also was that they wanted to fall on the side of caution at that moment, but what's interesting from Ms. Poitras, the former president of Quebec's commission, as I mentioned, is that she stated in response to a question:
If I understood correctly, part of your question was whether we had any concerns about [the] interoperability. There are a couple of things I have concerns about. Among other things, there are important distinctions in the regimes applicable to anonymized data and de-identified information.
    The door was left open to actually improve the situation, even for the residents of Quebec, with regard to having empowerment over some of their data, and there's quite a comfort level that having this difference is okay.
    What we are really talking about at the end of the day here is whether or not best practices, which would be industry led, policed and determined, would be used against the OPC, because best practices, if there is a distinction or difference, will be used against the Office of the Privacy Commissioner with regard to that.
     Basically, at the end of the day, this boils down to having faith in whether the Privacy Commissioner should have control over this measure or whether or not we want it to be industry led. I'm going to side with the Privacy Commissioner.
    Thank you, Mr. Chair.

[Translation]

    Thank you, Mr. Masse.
    Next to speak will be Mr. Turnbull. Then we will hear from Mr. Généreux and Mr. Perkins.
    Go ahead, Mr. Turnbull.
(1130)

[English]

     Thanks very much, Chair. It's a great debate on an important consideration for this bill.
    To go back, anonymization is, in our view, privacy-enhancing by nature, is it not? Mr. Schaan, can you speak to that?
    Yes, anonymization is a privacy-enhancing mechanism because it does render the information “un-reidentifiable”.
    We see teased out here in various different comments that the Privacy Commissioner in this case is saying essentially that if you add “generally accepted best practices” into the legislation or the definition of anonymization, this could open the door.
    I think our position is that it's the opposite, that in fact putting this in there allows for the evolution and the emergent properties of best practices to help inform.
    Could you provide a better rationale? I feel like this is the main difference. Mr. Masse is pointing to the OPC and wanting to suggest that he's siding with the OPC.
    We're not against the OPC. It's what is the best mechanism to encourage anonymization and to do so in a way that recognizes that the technology is advancing and evolving.
    Absent the terms “generally accepted best practices”, the definition has nothing but a goal, which is an incapacity for reidentification.
    Our view is that the term “generally accepted best practices” obligates organizations to continuously ensure that anonymization techniques they use are in line with evolving standards. Without the reference to “generally accepted best practices” in the definition, organizations may determine for themselves what is an appropriate technique regardless of whether it meets widely recognized standards or is even a credible technique.
    Our view is that, by obligating in the definition organizations to conform to what is the best-in-class approach to anonymization, we've actually got a higher standard than leaving it as solely the goal.
    If Quebec's law obligates companies to abide by generally accepted best practices, if the law that we end up passing through this committee doesn't include that, what would be the risk there? It seems like that would compromise interoperability. Wouldn't it also have some kind of an impact on...? Potentially, at least, I could foresee that best practices in Quebec would be recognized but perhaps not in other provinces across the country. Wouldn't that create some problems?
     Obviously, what we're hoping for with the construct of “generally accepted best practices” is that we set a very high standard that requires corporations to continue to evolve the process and to ensure that they're using those best possible techniques.
    If there's an obligation in Quebec to do so but not in other places, we run the risk that some organizations may not be seeking out those best techniques, and then we'll have differential privacy, depending on which law you're conforming to.
    The other thing I wanted to ask is who the experts are on anonymization. We've heard lots of people reference the Privacy Commissioner, but I imagine that the Canadian Anonymization Network, which has been asking for this to be included, might actually have more experience when it comes to anonymization than the Privacy Commissioner. It's nothing against the Privacy Commissioner. I love the guy. He's fantastic. I dealt with him when he was the legal counsel, and he was just fantastic. I have the utmost respect for him, but isn't it true that the Canadian Anonymization Network, or CANON for short, has a lot of experience? What are they saying about this?
    CANON is a not-for-profit organization that does have representation from public, private and health sectors in Canada and also includes the participation of experts in the field of de-identification and anonymization, including Statistics Canada, for whom the anonymization of information is a principal consideration. I do think there is a well of capacity and expertise in their recommendation that generally acceptable best practices are a useful standard to hold people to.
(1135)
    To the point that one of the strengths of including this is that it evolves, I think some of the comments we have heard from others suggest that if it's not an exhaustive list today, in essence that provides some ambiguity that would be taken advantage of, but I think the opposite is the case. The argument could be made that it needs to evolve because the technology and the methods for anonymization are changing quite quickly. How do you ensure that the OPC can...? What's the mechanism for continually updating that? I think that's the clarity a lot of us sound like we need to have in order to feel this is robust enough that it's not going to open that door.
    How do we envision the general guidance around generally accepted best practices evolving? Would it be the OPC guidance? Where would the expertise come from?
    I will defer to Mr. Chhabra on this one.
    I think it's important to recognize that de-identification and anonymization techniques live on a spectrum. Anonymization is at the far extreme end. De-identification is something far more simple.
    The committee in its earlier deliberations today referenced some cases that go back to the mid-2000s where information was stripped out of a dataset and it was easy to reidentify it. That's exactly the kind of issue we're trying to combat by establishing a higher bar for anonymization.
    Anonymization techniques are generally algorithmic in nature. They involve things like differential privacy, or K-anonymization. These are very sophisticated mathematical algorithmic techniques that, of course, because they are algorithmic in nature can over time have their efficacy degraded. As other algorithms are developed, as new mathematical techniques are developed, as computing becomes more powerful vis-à-vis quantum computing, for example, there are opportunities downstream for what was at one point considered anonymous in nature to later, in a matter of years, become much more easy to break.
    The reason for including a standard that says “generally accepted best practices” is that it requires an organization to continually review and update.
    The whole point of anonymization in the context of the act here is to ensure that truly anonymized data can be used for beneficial things like improving health informatics, health systems and delivery. When it is at risk of reidentification, it means it's then back into the auspices of the act and all the requirements apply.
    In practice, the way we would see the Office of the Privacy Commissioner using a generally accepted best practices requirement is if there were a case in which there was a security breach, or the personal information was leaked, they would then be able to point at the act and say the act requires that you anonymize in accordance with generally accepted best practices and we can or cannot find evidence that you have done so, or that you have maintained a modernity or contemporaneously with generally accepted best practices. Maybe you did it eight years or 10 years ago, but then you left the dataset alone and it became breachable.
    What this does is it requires a constant evolution of standards that says if you're going to try to maintain this as being an anonymized dataset and the protections that includes, you have to keep updating the standards by which you have applied that anonymization.
    In essence, because anonymization includes not being able to reidentify, and the anonymization process and techniques are evolving quite quickly, if you don't have this then what's the risk?
    The risk to me is that perhaps it goes out of date, or organizations and companies are not keeping up with the pace of those generally accepted best practices.
    What's the big risk, though, in terms of the public and privacy concerns? Mr. Chhabra, your comments really point to a risk that I haven't heard anyone talk about yet, and the main reason why our position is against removing this clause.
    We have acknowledged the construct of anonymized information, but have set the bar very high for its usage, first of all, to have no reasonable prospect of reidentification and second of all, for conformity to the generally accepted best practices. I think, absent that, the worry is the commitment is solely to the purposes of non-reidentification and it doesn't necessarily provide that ongoing obligation back to industry to say have you assured yourselves that you're continuing to meet the new bar.
(1140)
     That bar is continuously moving, so the standard that we're setting will continue to increase as technology evolves. That obligation for those companies would then be tethered to that moving target. The standards best practices are going to have to be followed. They can't just check out, use outdated anonymization techniques and forget about staying up to date with the best practices, am I right?
    That's right. Essentially, it ensures that, as opposed to having a potential for a reidentification test that ultimately results in a breach, it is then revealed by the Privacy Commissioner to not have met the standard.
    Instead, there are two elements. There's a non-reidentification, and the commitment to the use of generally acceptable best practices. This means you're continuing to ensure you're actually drawing on the techniques that are most modern.
    I have a final point, just to really punch home the point that leaving this in, and not taking it out as the NDP has proposed, continues to align Canada's legislation with Quebec's privacy law. I would also want to point to the fact that our next amendment, which Mr. Masse read out—the Quebec law on reasonably foreseeable risk—further aligns our legislation with Quebec's privacy law. Is that correct?
    That's correct.
    Okay. Thanks, Chair.

[Translation]

    Thank you very much.
    Mr. Généreux, you now have the floor.
    I would also like to thank the witnesses for being with us.
    At the outset, madam, gentlemen, I would like to say that the series of questions I am going to ask you are not so much about the amendment itself as about the process that led to it.
    I think we all agree that the definition of the verb “anonymize” in Bill C‑27 is a very important element for the future and for the interpretation that will be made of it going forward.
    I absolutely do not want you to consider my series of questions as a form of judgment. I just want to understand the process.
    Almost two years ago, the government introduced this bill, which is now being studied in committee. We analyzed it with the help of witnesses, and today we find ourselves with more than 50 amendments from the government.
    Were you the ones who drafted the bill in the first place?
    In collaboration with my colleagues from the Department of Justice, my team is responsible for the drafting of Bill C‑27, whose objectives were set by ministers and cabinets.
    Okay.
    Following consultations held after this bill was introduced, the Minister of Innovation, Science and Industry put forward a series of amendments last September. He told us that you had consulted about 300 individuals and groups.
    In addition, during the consultations, people who were called to our committee meetings told us that their names were not on the list of those 300 individuals and groups. Some came to tell us that they had not been consulted or that they would have liked to be consulted, or that they would have liked to see much broader consultations. In fact, we have been told several times that the consultations on Bill C‑27 should have been much more extensive.
    Now we have a series of amendments, including amendments NDP‑2 and G‑2, which again show that some people have tried to get you to change your perception of the bill or the way you're drafting the bill.
    You met with some groups much more intensively than others, if I understood correctly. That is the case for representatives of the Canadian Anonymization of Data Network, CANON, whom you have apparently met with about 10 times.
    Why has it been necessary to meet with representatives of this group more than 10 times since the bill's introduction and our analysis of it in committee?
    Thank you, Mr. Chair.
    We are open to the idea of meeting with all stakeholders on Bill C‑27. We have received many requests for meetings, which I have accepted.
    Obviously, my schedule is quite busy, especially because I come to testify before House committees, but members of my team are available to meet with those people.
    I think there are two important parts to your question.
    We met with representatives of the Canadian Marketing Association, as well as representatives of the Canadian Anonymization Network, CANON, a non-profit organization that brings together experts, other non-profit organizations and academics. That group has attended a number of conferences and meetings on the bill.
    As I said, I accept any requests for a meeting to discuss the bill.
(1145)
    Okay.
    In September, the Minister of Innovation, Science and Industry proposed a series of amendments, and the government is now proposing some 50 more as a result of the meetings you had with the various groups.
    Do these amendments stem from the testimony we heard during the study of the bill or do they also stem from the meetings you had with representatives of certain groups? I would remind you that you have met with them more than 10 times.
    The process of drafting a bill is not linear. An amendment does not necessarily come out of a meeting where representatives made recommendations.
    Stakeholders actually propose improvements or concepts, or express their interests. The department then conducts an analysis to ensure that the bill continues to achieve the objectives identified by cabinet and the minister.
    I will come back to the amendment we are currently discussing.
    The government is proposing a new definition. The NDP is proposing another one, which is consistent with the one used in Quebec, if I understood correctly.
    What is the government's intention in terms of changing the definition? In our opinion, the definition is less appropriate than the one in the NDP amendment, which aligns with the definition used in Quebec.
    As was mentioned, you've met with various stakeholders over 10 times. They were trying to influence you so as to draft a particular definition.
    Are you currently still meeting with those stakeholders?
    If I understand correctly, there are two parts to your question.
    It's important for me to clarify something. An NDP amendment asks that a few sentences be removed from the definition proposed in the bill. The original definition was consistent with the Quebec definition. It's important to encourage the use of anonymized information because it better protects the privacy of Canadians.
    Getting back to the amendment and what motivated it, as well as the current definition set out in the bill, I must say that many stakeholders have conducted analyses, and that's what the proposed definition was based on in May 2022.
(1150)
    Do you think that the large number of interventions made by some groups, far more than others, could give the impression that industry players are trying to soften Bill C‑27, to make it more acceptable to them or easier to interpret and implement?
    Are industry players looking to make their jobs easier at the expense of the real need to fundamentally protect privacy or children?
    The purpose of the proposed legislation is to protect Canadians. Do you get the impression that these organizations want to water down the bill—if I can put it that way—to make it easier to interpret?
    I'm not in a position to interpret the intentions of those involved. However, I can say that two objectives emerged from the conversations I had with people in each sector.
    On the one hand, people want the standards to be clarified so that companies are really able to implement them.
    On the other hand, the aim is to protect privacy.
    Thank you, Mr. Généreux.
    We will continue with Mr. Perkins, followed by Mr. Vis and Mr. Garon.
    Mr. Perkins, the floor is yours.

[English]

    Thank you to the witnesses.
    I'll take a step back, Mr. Schaan. What's the purpose of anonymization?
    As Mr. Chhabra explained, there's a continuum of the privacy-enhancing nature of the state of a piece of information. On one end is anonymization, which essentially renders it incapable of being able to reidentify the individual, and then, on the other end, it would be fully declarable. I don't know what the right term is, but it's essentially understood who the individual is.
    The goal is to create a continuum of likely states of information and recognize their existence in a commercial context, which the CPPA will regulate, ensure that appropriate safeguards are placed along each stage of the continuum and then potentially encourage the usage of information in those states with the appropriate safeguards in place at each stage.
    What's the purpose of a company being forced to take it to that final test of making sure it's anonymized? Is it because they're sharing it outside their organization? If it's information you gathered internally through your customer base or whatever, you don't need it anonymized unless you're sharing it in some way.
    The use cases for anonymized information would vary, but I think there is an understanding that information can potentially be still rendered useful either within the organization or outside of it, because, even within the case of identified information, it needs to be prescribed to the purposes for which it was collected. The law specifically states that people should minimize information only for its most necessary uses.
    Even in the case of one's own organization, there would be, potentially, use cases for which anonymized information might still be valuable but wouldn't rise to the level of providing either de-identified or identifiable information to those parts of the organization, because there's not a use case specific to why it would leap to that level. Particularly, in increasingly large and aggregated datasets, they can have value without necessarily needing identifiable information.
(1155)
    As an example, I'll just draw on my past life as a retail marketer.
    I would be a member of a coalition program, one like air miles. We would collect and get access to the data of what our customers would be using air miles for and how it would impact the sales, but we also could get access to data from air miles more generally, like what people of certain profiles are doing, but it wouldn't necessarily be with an individual identifier on it. It would be people in a certain income bracket or geography or whatever who have these other purchasing patterns so I could draw some conclusions.
    That's a case where I might be buying or getting anonymized data as a marketer. Is it that kind of thing?
     Yes. I think the use case would determine whether or not that information was de-identified or anonymized. I think that in many cases where people think they might be dealing with anonymized information, they're actually dealing with de-identified information.
    It all depends on what their terms of use are when they signed up for, in this case, air miles or something else.
    Well, no, it actually depends on the techniques that have been utilized to strip out any personal identifiers. A de-identified set, like a loyalty program, may still have enough discernible information to actually constitute itself to be de-identifiable. It would not rise to the level of anonymous information; it would actually still be considered to be de-identified.
    That's a great point. We had testimony from organizations, like the Canadian Marketing Association and others, here before the committee that said it's impossible to anonymize and that this definition was too strong. We heard from others, like the Privacy Commissioner and others in the privacy space, who said that it actually is but that it's just not strong enough language.
    The idea is to get it to the point where it's impossible to reidentify. However, you said a few moments ago with regard to this point that it's almost impossible. The purpose of the government is not to get it to impossible but to almost impossible.
    What do you see as the difference?
    I think you'll see in G-2 the construct of “reasonably foreseeable”, which is another reason why we believe that “generally acceptable best practices” is an important construct because the continued availability of other sets of information, other techniques and other kinds of computational tools may take what was believed to be anonymized and actually shift it to a world in which it could be. This is why continuous conformity to generally acceptable best practices and a standard of “reasonably foreseeable”—which is “I couldn't have imagined this was possible”—are the two nuances I'm introducing or suggesting are important when thinking about anonymized information.
    In the Privacy Commissioner's submission to us on this issue—MP Masse only read a small part—he goes on to say, in talking about this issue:
As currently drafted, organizations could anonymize personal information using “generally accepted best practices”.
    That's the term we're discussing here.
    He goes on:
However, there is no explanation of what these practices are or what would be considered “generally accepted.” Including this language opens the door to the possibility that some organizations might rely on anonymization techniques promoted by certain experts or groups that are insufficient for a given dataset.
    Liberal members, the government and yourself have used CANON as an example of an organization that would provide guidance. I've met with a number of the members of CANON, which include the big five banks, Rogers, Telus, Loblaws, Sun Life, Microsoft, the CRA, Canada Post, StatsCan and Health Canada. I look at those big corporate entities, and I know that when I met with those big corporate entities, they weren't interested in a narrowcast of a tight definition because it's not in their interests to be able to be restricted in that way. If you remove this section, I think it puts more onus on organizations to focus on what the Privacy Commissioner says and interprets. As we talked about at the last meeting around the best interests of children, the Privacy Commissioner has the responsibility under the provisions of this act to provide guidance to organizations on these areas, does it not?
(1200)
    The Privacy Commissioner has the capacity to issue guidance on matters related to the implementation of the consumer privacy protection act.
    That's right, and that's what he goes on to say in his submission:
the CPPA includes a number of mechanisms for the [Office of the Privacy Commissioner] to assist organizations in meeting their obligations, including providing guidance on privacy management programs, developing guidance materials, and reviewing and approving codes of practice.
    I'm not interested that much in what are generally accepted best practices by industry associations. I'm more interested in the power of the guidance of the Privacy Commissioner. I'm reluctant to support a provision that allows anonymization to be watered down to “almost impossible but maybe possible” because the language is given there to allow outside industry associations to set the standard and not the Privacy Commissioner. Wouldn't you agree that the Privacy Commissioner is the appropriate office to set these standards, not private sector organizations?
     I think you'll find no dispute that the Privacy Commissioner is the ultimate interpreter of the enforcement of the act.
     As it relates to the techniques utilized for the purposes of anonymization, there are important voices to include, such as those of academics, who are party to some of what has been encouraged in this space, and those of Statistics Canada, Health Canada and the Public Health Agency of Canada. All of these contribute to the view that acceptable best practices can be established and upheld within this remit.
    Doesn't the Privacy Commissioner have the responsibility, though, to talk to all of those groups in developing the policies and guidelines?
    The consultative obligations of the Privacy Commissioner are at the Privacy Commissioner's discretion.
    Again, my preference.... I guess this is where I'll leave it. I'll just restate that I'm not sure an organization like CANON—which is dominated by the big five banks, the big oligopolistic telephone companies, the insurance companies and the large data miners globally, like Microsoft—is the guide I want to see driving the policies of Canadian privacy law.
    Thank you, Mr. Chair.

[Translation]

    Thank you, Mr. Perkins.
    I'm going to turn it over to Mr. Vis.

[English]

    Before I do that, I just want to remind members, as we're discussing NDP-2, that if NDP-2 is adopted, G-2 cannot be moved because there is a line conflict. I highlighted that last time. I just want to make sure it's on everybody's mind.
    Mr. Vis, the floor is yours.
    That's very helpful, Mr. Chair.
    Building on this important discussion about widely acceptable standards, earlier today, Mr. Schaan mentioned that the best practices line, which has taken up the majority of the last hour, is included in Quebec's privacy law.
     Is that correct, Mr. Schaan? Is that why the government is adopting that language?
     That's not the sole origin, but it is noted that it is one of the benefits of accepting this language.
    Thank you.
     In clause 2, under the “Purpose and Application” section of the bill on page 8, it reads:
For greater certainty, this Act does not apply in respect of personal information that has been anonymized.
    I think the debate we're having right now is one.... We heard from witnesses like Ms. Scassa, who talked about the almost impossibility of de-identifying data based on the best practices that exist out there, and how we can never be 100% sure. That was very clear. She outlined that the department seems to be very much on the side of some of those big corporations that want as much leeway as possible in the design of anonymization and de-identification to protect their corporate interests and business interests. That's fine. That's their objective, and I acknowledge that, regardless of whether or not I agree with it.
    However, if we're making a comparison with the Quebec law, does the Quebec law exempt anonymized data from the scope and application of the bill?
    More specifically, is there greater certainty in Quebec's law that would not apply in respect of personal information that has been anonymized? Is there something in Quebec's legislation like what we have on page 8?
(1205)
    The Quebec law states that if it's anonymized by the definitions contained in the regulations, then it is out of the scope of their privacy law.
    In Quebec's law, de-identified data does not apply in this—
    It's anonymized data.
    It's anonymized, but not de-identified.
    Anonymized data as set out is outside of the scope. Once it's been deemed anonymized, it is outside of the scope of the Quebec privacy law. That's similar to what would occur in the case of the CPPA.
    Thank you.
     Thank you, Mr. Vis.

[Translation]

    I'll now give the floor to Mr. Garon, who is the last person on my list to discuss NDP‑2.
    My question is a follow‑up to the conversation we had about aligning with the Quebec legislation. We've discussed it privately as well, but we can do it openly.
    According to the federal government, the Quebec legislation refers to best practices. That's true. The Quebec legislation does refer to best practices. Consequently, according to the government, Bill C‑27, in its current form, would be consistent with the Quebec legislation.
    That statement seems to me to be absolutely false. Although the Quebec legislation does refer to best practices, companies will have to anonymize and de‑identify data in accordance with the terms and conditions established by the Government of Quebec, by regulation.
    Let's agree on the fact that there are best practices, that's one thing. However, it isn't enough to include those words. Mr. Masse said so as well.
    We talked about the Canadian Anonymization Network, or CANON network. It's important to note that this is a lobby group. It's a collection of companies. To be able to come and speak to us here, to meet with members of Parliament, members of that network must be registered in the Registry of Lobbyists.
    I'm not at all convinced that the industry won't set its own standards in this area. I think that's clear. This is in no way consistent with what is set out in Quebec's Bill 25. The government has no authority to establish criteria by regulation. I'll need to be convinced of that, but it will be difficult.
    Thank you very much, Mr. Garon.
    We'll go to Mr. Turnbull, followed by Mr. Vis.

[English]

     I wanted to bring in NDP-2, and G-2, which is another amendment the government has proposed. I think you all have it. If NDP-2 is voted through, then G-2 is no longer able to be moved.
    I want to bring this in because it perhaps has an impact on the debate we're having and the alignment with Quebec's law, which I think Mr. Garon is rightfully pointing out.
    Just understanding why "reasonably foreseeable risk" is something that is needed in order to align with Quebec's law, Mr. Schaan, can you comment on how that concept is relevant but also on how it strengthens privacy protection?
    We have consulted a number of experts, including academics and privacy researchers, and the concept of reasonably foreseeable, which is a well-established principle in law, is a necessary construct. It's mentioned almost 50 times in the existing PIPEDA, which we believe regulators and courts are adept at interpreting. Not including that term would have a potential chilling impact on the use of the technique, which ultimately leads to negative outcomes for privacy protection. We think there should be increased uses of anonymization to try to render as much of the information utilized in that format rather than unidentifiable or de-identifiable formats because of the privacy-protecting value of that.
    In fact, using anonymized datasets could help in a number of heavy data user applications, including potentially in the space of AI.
    That's our view of why reasonably foreseeable is an important construct.
(1210)
    I understand. I'm not a lawyer, but I understand that the concept is very well embedded in the law, so "reasonably foreseeable" is quite well understood. Can you speak to that?
    As I noted, reasonably foreseeable has been included in a number of statutes, but it has a strong interpretive value that's been added to the existing private sector privacy law in PIPEDA. It appears there many times and is understood as a construct that can be tested by both regulators and courts as to whether or not it was understood by the individual at the time and whether or not they had taken appropriate measures to anonymize the information.
     Does it raise the bar on the obligation set out in the act for companies to abide by if we add “reasonably foreseeable”? It seems to me it raises the bar even further. Would you agree?
    I think what we're pointing to with both “reasonably foreseeable” and “generally accepted best practices” is to further test the assumption that someone could just say, “Well, I anonymized it. To my mind, it was anonymized.” Then we could say, “But was it reasonably foreseeable that it was anonymized? Did you actually test it against the available technologies and what was out in the field? Then, under generally accepted best practices, did you draw on the very best tools to ensure you were actually rendering it un-reidentifiable?” I think both of those elements do raise the bar, because they suggest yet again that someone can't just throw up their hands and indicate that to their mind it was anonymized.
    What's the argument for building in “generally accepted best practices” and “reasonably foreseeable”? I understand both may align with Quebec's law, notwithstanding Mr. Garon's point, which I think is a very good one, that perhaps embedding a requirement for things to be specified in regulation may strengthen it further and address some of the concerns from my colleagues across the way. I think they have all expressed the same concern that industry shouldn't be setting the standards for itself and that perhaps, in fact, there should be a regulation. Can you speak to that?
    I'm sorry for going on and on. I have a tendency to do that sometimes. To be clear, the question I was asking was what's the argument for having “generally accepted best practices” and “reasonably foreseeable”?
    “Reasonably foreseeable” aligns with the “generally accepted best practices” in the sense that if it is reasonably foreseeable, one has to draw on those generally accepted best practices on the anonymization front in that if you're holding both ends—that it is reasonably foreseeable but then you're also mandating that people be really up to date on the best practices for anonymization—you're essentially linking those two to say it was reasonably foreseeable in part because you're actually using the generally acceptable best practices.
    So they sort of mutually support one another. They're complementary concepts and they both align with Quebec's law, although there's one key difference. If we voted down NDP-2 and kept “generally accepted best practices” and we supported amendment G-2, which says “reasonably foreseeable”, that would align with Quebec's law, but the only element that wouldn't completely align would be having the regulation, the one that specifies both.
    Mr. Mark Schaan: That's correct.
    Mr. Ryan Turnbull: What I'd like to propose to my colleagues is that we vote down amendment NDP-2 and that we embed wording that includes that best practices would be defined in regulation. I have suggested wording for that if we get to amendment G-2.
    I do think we need “generally accepted best practices” in there in order for those to be defined by regulations. I think that addresses some of the concerns that have been expressed, which I think are valid concerns to have. If the concern is that industry groups can essentially define best practices however they want, this would address that and would essentially make it dependent upon regulation. I think that would strengthen it and certainly allow for consultation to be done. I think that would be very important, but the regulations would be set or those best practices would be defined essentially by the government and the OPC. I believe this would align with Quebec's law. Given the debate we've had, it's what I would propose as a compromise here.
    I hope we can vote down amendment NDP-2 together and then, in good faith, move a subamendment to G-2 that would strengthen it in the way I've suggested here.
    Thanks.
(1215)

[Translation]

    Thank you very much.
    Mr. Vis.

[English]

    On those points, I have two questions for clarification.
    As per my last question—and I might have missed it—did you say Quebec's law has a similar clause to clause 5 for greater certainty, like what we have on page 8 of the law, or was it solely in regulation that Quebec deems anonymized data as not being subject to its act?
     It's not the same clause. I'll turn to Ms. Angus to clarify, but it's the same outcome. The anonymized information is not subject to the act.
    Is that through regulation, or is that embedded in the statute?
Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.
    It is section 23 under the title “Destruction or anonymization”. When you get rid of personal information, you're either destroying it or turning it into anonymous information, so you can't reidentify.
    Once it's anonymized to a standard acceptable by the Government of Quebec, it is no longer subject to the statute, is that correct?
    This is why it's in the same category as destructed information.
    Thank you.
    My second question relates to the broad discussion we've had, but it's a question that hasn't been asked yet. Does Bill C-27 provide for the scenario whereby data, once deemed anonymized under the possibility of new technology, is deemed to be reidentified?
    Would it be, therefore, subject to the act again if that data was reidentified? Is there a clause you can specify in the bill that addresses that scenario?
    That's one thing that generally accepted best practices do. They require organizations to ensure their information is anonymized in accordance with generally accepted best practices. Those practices evolve. For example, ISO has a standard on anonymization, and that standard may evolve.
    If you're no longer compliant with those generally accepted standards, your information is no longer anonymized pursuant to the act. It becomes identifiable, and, therefore, becomes personal information.
    Okay.
    I have a concern based on what the Privacy Commissioner said. I don't see why the term “anonymized” would preclude the use of best practices in a regulation.
    I'll stop right there.

[Translation]

    Thank you, Mr. Vis.
    We will continue with Mr. Garon, who will be followed by Mr. Masse.
    Go ahead, Mr. Garon.
    First of all, Mr. Chair, I would like to express some mild discomfort.
    The process that led us to the clause‑by‑clause study of this bill isn't clear. We know this, and it's been said many times. The department held private meetings. We haven't received a report or brief on the subject. We don't know what was said. It's difficult for me, as a parliamentarian, at times.
    I'm assuming the officials aren't doing this voluntarily. I don't know if they're defending the industry or not, but I get the impression that they're selling us Bill C‑27 much more than they're answering our questions. What's more, we don't know where the information they have comes from.
    This situation makes things difficult and undermines confidence in the witnesses we're hearing from today. For example, there's the question of harmonization with Quebec's Bill 25. Witnesses could have told us that this aspect can be regulated in Quebec and that it's in the legislation. But instead, they're trying to sell us on the bill. It's a sales pitch.
    I find it very difficult to accept the way the government has acted. We're working in good faith. I'm not filibustering, but we want to work in good faith, and parliamentary work isn't easy.
    The attitude of the witnesses may not be voluntary, but I urge them to make an effort, to answer questions much more than give us a sales pitch. At the end of the day, we were elected by the people to study this type of bill. We can't know everything in detail about the bills of the ten provinces and three territories. In my last turn, the answer I got was to convince me that the current version of the bill is in line with what Quebec is doing. I find it very difficult to work this way. It's problematic in the context of our parliamentary work. Our work requires rigour. I just want to say that.
    Now we're trying to determine whether it's up to the industry to tell us what the best practices are and whether we can compromise on that. Mr. Turnbull showed me the subamendment he's proposing to amend G‑2. It proposes that “businesses must comply with best practices and with what has been determined by regulation”.
    I don't know if you've read that subamendment or not. We can ask ourselves whether this text gives the government the possibility of not regulating, of making the decision not to adopt regulations and, as in its current version, leaving the choice of best practices to the industry.
    Obviously, since the bill is already drafted like that, it implies that it would be the preference of the government, or of the current government, at least.
    Can the government make that decision? Can it table a regulation with no content?
(1220)
    Thank you for the question.
    It depends a bit on the specific words used in the subamendment. If we use the expression “prescrit par règlement”—I don't know if that's the right word in French—it requires the government to produce those regulations.
    I'd like to read you the text of the definition, and I'd like to know your opinion on it:
Anonymizing means irreversibly and permanently altering personal information in accordance with generally accepted best practices to ensure that there is no reasonably foreseeable risk in the circumstances that a person can be identified from the information, directly or indirectly, by any means, in accordance with the criteria and terms set out in the regulations.
    In concrete terms, what is the government's regulatory obligation?
    Worded that way, it says that regulation is necessary.

[English]

     It's required to be able to fully live out the clause, so the government would be under obligation to have the regulations in place to be able to further the effort.
(1225)

[Translation]

    From what I understand, the former privacy commissioner of Quebec also said that the current version of the bill had the weakness of allowing a government to regulate somewhat in a vacuum.
    I'm really trying to get a sense of what the right thing to do is.
    Mr. Masse's amendment says that, in case of doubt, the aggrieved person is always right. So the standard is very high.
    In the initial version of the bill, the government tells us that it will let industry determine best practices and that people will live with the consequences.
    We're looking for a middle ground in the compromise. I'm trying to understand the nature of the trade‑off from a regulatory perspective.
    Do you understand?
    No. Could you repeat that, please?
    If we remove the expression “best practices”, that imposes a tremendous obligation on businesses. The fact that the commissioner can determine, among other things, that a person has been wronged and should not have been identified gives him—and I think this is Mr. Masse's intention—substantial power. It's a very important protection.
    In the current version of Bill C‑27, it says that generally accepted practices would be determined de facto by the private sector. Mr. Turnbull's amendment proposes a compromise between the two.
    What I'm trying to get at, then, is whether the proposed subamendment to G‑2 gives the government an opportunity to shirk its obligation to regulate properly.
    Do you understand my question?
    I think so.
    I have three points on that.
    The introduction of the concept of “best practices” temporarily provides clear standards on how to properly anonymize data. It is specified in the regulations to provide clear standards on the use of the data and to provide guidance to the commissioner.
    It's also possible that the commissioner, through the actions he'll take to enforce the act, will contribute to the evolution of these concepts in all facets of the bill. The commissioner also has the ability to influence the definition of these concepts.

[English]

    That happens all the time, in the sense that with enforcement actions comes even further precision about how this will be understood. At the outset, there will be a commitment to use the best technology available. That will, then, get laid out in the regulation-making process, which is consultative by nature, and then further established in enforcement.
    Okay.

[Translation]

    Thank you very much, Mr. Garon.
    Mr. Masse, you have the floor.

[English]

    I think there are a couple of things that are very important to reinforce. I know that we're talking a little bit about G-2 as well, which was introduced later on and apparently needs some fixing, but in the first argument the government had against this, they actually tried to use the Privacy Commissioner against the Privacy Commissioner. The Privacy Commissioner still stands by a suggested change for a lot of reasons and that hasn't altered.
    The second part was to use the fear factor with Quebec, which has been diminished in all important aspects. The reality is that the former commissioner of information in Quebec noted an important distinction in regimes. This could provide more protection for Quebec through the Privacy Commissioner.
    If we are going to move to some type of regulation, that also means taking this away from Parliament and putting it in the hands of others who are less independent. I cannot see, for the life of me, when we look at best practices, how it's then assumed that the Privacy Commissioner would have the worst practices. In fact, the Privacy Commissioner could actually have awesome practices; they could be quite different from those of the best practice argument. In some industries, in earlier times, best practices included things like seat belts being optional in cars. Those are different points in time where we've had a change, an altering. We have an important industry emerging here.
    Again, I think it's a philosophical thing. I do not want to let this go back to the government. It was interesting to hear the arguments about this, to keep this in here, from organizations that have on their board of directors Loblaws, Sun Life, Private AI, Telus, Microsoft, TD Bank, BMO, CIBC, RBC, Rogers, Magna and MetroLinx, a whole bunch of other lawyers and so forth, and that was the primary discussion used to actually support this.
    With that, I hope that we can move on to a vote. I think it's important that we have this philosophical point finished. I'm siding with the Privacy Commissioner, I'm siding with the public interest, I'm siding with that versus taking it out of our hands and giving influence to the backroom lobbying and other nefarious organizations that may not have the public interest at heart but have your information interest at heart.
(1230)

[Translation]

    Thank you, Mr. Masse.
    Mr. Williams is next, followed by Mr. Turnbull.
    Go ahead, Mr. Williams.

[English]

    Thank you, and I do agree that we need to get this to a vote.
    I think this is a really good debate because it looks at the core of what we're trying to protect here. I believe that when we introduce language other than the simplest language, especially for “anonymize”, we are actually introducing ambiguity in the fact that it is going to be the Privacy Commissioner and the courts that set precedence. As my colleague, Mr. Masse, just mentioned, it's going to be the Privacy Commissioner who's going to give best practices and the courts through precedence that will look at cases and then set those best practices for business.
    It's not up to the government to have an evolving list. The GDPR was mentioned. The GDPR, which we consider the gold standard for privacy, does not explicitly define “generally accepted best practices”. They say it aims to provide a broad framework that can adapt to evolving technologies and societal norms. They've removed it, not added it in. Parliament can in no way be as quick as business to protect it but also can in no way be as quick as business to ensure that it gets out of the way.
    If we want businesses to protect privacy, it's going to be the Privacy Commissioner who has to be the be-all and end-all of what privacy is and how it's debated and how it's adhered to, and again, the courts would have the final say. But adding language in, including there's “no reasonable foreseeability”, because again we're not adding context to that, and adding “accepted best practices” without concrete context to that would be adding ambiguity to anonymization, which we don't want in a bill that is supposed to protect privacy for Canadians.
    So for both of those amendments we'll be voting no and hopefully we'll move on to the important parts of this bill.
    Thank you.

[Translation]

    Thank you.
    The floor is yours, Mr. Turnbull.

[English]

    It's not surprising.
     We've already had the debate. Mr. Williams, I respectfully disagree with the fact that you reference something about keeping up to date and evolving, which is exactly what the “generally accepted best practices” is designed to do. I've sent around a subamendment for G-2. Mr. Garon and I discussed it and he was referencing it and I wanted to make sure that every member had the wording.
    I have a point of order.
     Hold on just one second, Mr. Turnbull.
    Mr. Masse, you have a point of order.
    I understand you have some latitude that's necessary for this, but now we're trading notes on a future amendment without dealing with the current amendment in front of us. I think we have to deal with the amendment in front of us.
    Can I speak to that point of order?
    I'll respond to that.
    We do, of course, Mr. Masse. You are correct. We will, in any event, deal with NDP-2 before we go any further. However, given that G-2 is rendered moot if NDP-2 is adopted, I think it's fair to allow for a discussion of the amendments going forward as well, because they're impacted by that too. We're not going to vote on anything else before NDP-2, of course.
    That's fine. I appreciate your ruling, Mr. Chair. The only point I would make to that is none of that was ever introduced by the government until, basically, a few minutes ago. We've been dealing with this amendment for hours and hours, and even the original intervention by the government really didn't deal with this issue, but all of a sudden it's coming up now. Perhaps in the future we could have some more courtesy with regard to how we spend so much time on something and then see another thing come to fruition.
    It's duly noted, Mr. Masse. I appreciate your comment.
    I yield the floor to Mr. Turnbull.
    In this committee there are lots of things that are worked through on the fly. In this particular case, we're trying to create a subamendment that both aligns with Quebec and deals with some of the concerns committee members raised. I call that compromise, collegiality and a constructive process. Those are the intentions behind circulating that, so I take issue with the sentiments from Mr. Masse on that. It's actually a constructive way to move forward, and I think it deals with a lot of the concerns that committee members have brought up. Obviously, we can debate that. I think that, because G-2 hinges on the vote on NDP-2, it's perfectly legitimate to bring that up and have the conversations about how these concepts work together, all on the same definition of “anonymize”, and that's important.
     I don't know whether there's a path forward here, but I wonder, if we had a moment to suspend and consider the wording, whether we could find a path forward on what I've circulated and then come back and vote on NDP-2. Chair, I respectfully ask if committee members are willing to suspend for just five minutes to consider and to see whether we can find a path forward on both NDP-2 and G-2, and when we come back perhaps we can vote.
(1235)
    I'm inclined to allow a suspension for five minutes, and then when we come back we vote on NDP-2.
    Is that fair with everyone?
    Just to be clear on what we're doing, will we go in camera so that the public doesn't see what happens as we negotiate something behind closed doors, and then we'll re-emerge with a decision, after we've been in public all this time? I just want to be clear on how this will work.
    I understand, Mr. Masse, that Mr. Garon has read the text of the subamendment that was sent to committee members on the record, so that's essentially what will be discussed by members. The only reason I see is that members can really read the text, take some time to read it. Then, if we want to debate some more, we can always debate some more, but NDP-2 will still be, of course, on the agenda and ready to be voted on when we come back—in five minutes, I'd say, because we're already almost done with this meeting.
    We will suspend for five minutes for members to read the subamendment, and then we'll be back.
(1235)

(1245)
     We are back. I believe the white smoke has emerged, so Mr. Turnbull, go ahead.
    We had a good discussion among all the different parties represented and their vice-chairs. We discussed how we could work on a subamendment to NDP-2.
    Essentially, we would take out “generally accepted best practices”, but still include language on “reasonably foreseeable risk”. To add that back in, we would work on wording to return to the committee at our next meeting, so that we could move past this fairly quickly. That would mean G-2 would not be moved or would not be admissible.
    We'll do that work between now and the next meeting, so we can get past NDP-2 and move on. That's what we agreed to.
    The only other thing is that I know Mr. Perkins has a motion that he wants to deal with. We thought perhaps we could deal with that for the last 10 minutes, Chair, if you're okay with that.
    You're making my life and my job very easy, Mr. Turnbull. Thank you very much.
    We'll get to NDP-2 as amended at the next meeting.
    Mr. Perkins, the floor is yours for your motion.
(1250)
    Thank you, Mr. Chair.
    Thank you, MP Turnbull.
    I think there was a caveat there, which is that MP Masse wants to make sure he's comfortable with the wording since it's his original amendment to the bill. Thanks for doing that.
    We put a motion on notice last week. I won't go over schedule versus schedule 1 again, but in that discussion, we're talking about schedule 1 and schedule 2.
    One of the concerns we have around schedule 2 I talked about, but the deputy minister spoke to a group of lawyers at the TD Bank tower and basically said that the content management definition of “high-impact systems” would allow them to ask for and access AI algorithms in any content moderation that, I believe, he terms as “biased”.
    With that, I'd like to move the following motion:
    That, in relation to Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, and given that;
    (a) Simon Kennedy, the Deputy Minister of Innovation, Science, and Economic Development, was the keynote speaker at the “Business Leaders Breakfast” at McCarthy Tétrault's Strategic Advisors at the TD Bank Tower in Toronto, on November 7, 2023; and
    (b) given that the Deputy Minister read from a pre-prepared 20-minute speech discussing the department's most recent developments on the use of AI, which included discussions of moderating and prioritizing the social media content Canadians see for the purposes of combatting online misinformation through Bill C-27;
    the committee therefore order the production of (i) the draft speaking notes recommended to the Deputy Minister for use by his department in relation to the breakfast, and (ii) the final version of the speaking notes that the Deputy Minister relied upon during his appearance at the breakfast, and that these documents shall be deposited with the clerk of the committee, in both official languages, no later than—
    It said today, but I'm going to suggest April 22, 2024. That's a week from now. Perhaps somebody could give us an indication of whether that's enough time to get it in both official languages, since I'm not aware of whether it was produced in such language.
    We could obviously be flexible by another week, perhaps, on that date. Surely, with the translation resources available to the Government of Canada, the deputy minister's speech could be translated within two weeks.
    Thank you, Mr. Perkins.
    I have Mr. Turnbull, on the motion.
    We don't have a problem with this. I think the only thing was the date.
    Could we amend it to say “as soon as possible”? Would that be sufficient for the Conservatives?
    That way you're sure to get it as soon as we can make it available.
    Mr. Perkins.
    I understand they meant [Inaudible—Editor]. That's why I suggested the 22nd or perhaps a week later.
    I think that nothing focuses the mind like a hanging in the morning, so if we could set a date, that would perhaps be more appropriate to make sure the government works towards a specific date.
    I would suggest saying two weeks from now. If that's a problem, that could be conveyed to the clerk and we could seek another, more reasonable time.
     Okay, let's say May 1. Would that work?
    Mr. Rick Perkins: Sure.
    The Chair: Is there a consensus to amend the date at the end of the motion to May 1?
    Some hon. members: Agreed.
    (Motion as amended agreed to [See Minutes of Proceedings])
    The Chair: Okay, the motion is adopted. Thank you, Mr. Perkins.
    Thanks to the officials for joining us yet again today, and see you Wednesday.
    The meeting is adjourned.
(1255)