Skip to main content

INDU Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication
Skip to Document Navigation Skip to Document Content






House of Commons Emblem

Standing Committee on Industry and Technology


NUMBER 120 
l
1st SESSION 
l
44th PARLIAMENT 

EVIDENCE

Monday, April 29, 2024

[Recorded by Electronic Apparatus]

(1105)

[Translation]

     I call this meeting to order.
    Welcome to meeting number 120 of the House of Commons Standing Committee on Industry and Technology.
    Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders.
    Colleagues, I hope that you all had a good week in your constituencies.

[English]

     Before we begin, I would like to remind all members and other meeting participants in the room of the following important preventative measures.
     To prevent disruptive and potentially harmful audio feedback incidents that can cause injuries, all in-person participants are reminded to keep their earpieces away from all microphones at all times.

[Translation]

    As stated in the Speaker's press release sent to all members of Parliament today, Monday, April 29, the following measures have been taken to help prevent acoustic incidents.
    All earpieces have been replaced with a model that significantly reduces the likelihood of an acoustic incident. The new earpieces are black, while the old ones were grey. Please use only the approved black earpieces. By default, all unused earpieces at the start of a meeting will be disconnected. When you aren't using your earpiece, please place it in the middle of the sticker on the table, face down, as shown in the image. Please refer to the cards on the table for guidelines on preventing acoustic incidents.
    As you can see, the layout of the room has also been changed to increase the distance between the microphones and lower the risk of feedback caused by a nearby earpiece.
    These measures are in place so that we can carry out our activities without interruption and to protect the health and safety of all participants, including and especially the interpreters, whose work we greatly appreciate.
    Now, colleagues, here are a few things that I would like us to discuss at the end of the meeting.

[English]

     Mainly, they include an invitation for the minister on Rio Tinto and the main estimates. However, we'll keep that towards the end.
    Oh, you won't be here Rick. Okay. We can deal with it right now and try to get it out of the way.
     However, I see Brian first.
     I'd be interested to know if we, as the industry committee, can actually put a question in to House of Commons.
     The last time I asked for one of these earpieces, they were made in China. Maybe we should ask about these earpieces since we're talking about the quality of sound. They're the standard ones in the House of Commons. Perhaps, as the industry committee, we can ask specifically when these were manufactured, tested and delivered, and when the technology was provided for this. The piece I got in the House of Commons was created seven years ago. That's the manufacturing date, so perhaps that information might help our audio system.
    I have no objection to asking the Speaker for that information, and we can share it with the members.
     Mr. Vis.
     Unfortunately, I had to visit an audiologist two weeks ago here in Ottawa. The first thing they said to me was that we have to get rid of those horrible earpieces because they do so much damage.
     That's especially for the interpreters who have to wear them day in and day out.
    I'll ask the Speaker. I have no problem with that, and I see no objection. Thank you, Mr. Masse.
    With regard to our scheduling issue, as you know, before the end of May—as we agreed at the steering committee—we are to have another hour with the minister on Rio Tinto. We also have to invite him before the end of May on the main estimates. The clerk has asked for the minister to appear on both of these subjects. However, the minister, based on his very busy schedule, is only available on May 8 for an hour with the committee. I am seeking the guidance of the committee as to whether we should invite him on the main estimates and open the floor to all subjects or have him specifically on Rio Tinto.
     He's prepared to answer questions on both topics, but the time that he has to allocate to the committee is limited. I'm seeking guidance in terms of what I send out for the notice. I know it's not going to be satisfactory to members that we don't have the minister for one hour on Rio Tinto and for one hour on the main estimates. However, the most pressing one, to me, would be.... Well, actually, time is of the essence for both, but I would go with Rio Tinto. That's my personal opinion.
     I see Rick Perkins.
(1110)
     Thank you, Mr. Chair.
    I find it disappointing, because last year we gave the minister grace and didn't call him for estimates because of his travel schedule. He had lots of notice of this request, and lots of flexibility from this committee to get that done before they're reported back to Parliament—which is why they're the primary item that has to go, I think. There's no point in having the minister much after they're reported back to Parliament, so I ask that the minister reconsider and find two hours in his schedule—if it's not on that date, then at least two separate hours—to deal with both issues, as the committee requested.
    He has found a lot of time to visit U.S. politicians and be all over the world, but he hasn't had time to come to committee, which personally, I think, is disrespectful to Parliament and the work of this committee. I think he owes it to us to come for two hours, whether it's all at once or split into two separate periods. I request that the committee go back to the minister and say that we prefer for him to come for two one-hour appearances, as we originally requested.
     Okay, so in the meantime, given that we've agreed and out of courtesy for Jean-Denis—whose motion it was to do the two hours of Rio Tinto and we agreed to it—I would suggest that on May 8 we have the minister appear on Rio Tinto, and I will resubmit an invitation to the minister for main estimates.
    Mr. Chair, what's the date that the estimates are reported back to the House?
    It's the end of May.
    It's the end of May, so we'd have to find another hour before the end of May.

[Translation]

    Mr. Généreux, you have the floor.
    I have a great deal of respect for the minister, who obviously works extremely hard. However, in order to show respect for the procedure and for all the work that the committee must accomplish, he should at least come here for the two hours. He must appear if required to do so by the committee. I see no reason why he couldn't find two hours in his schedule. We see him making announcements all over the world. If he needs new batteries, we'll give him some. One thing is certain. He must appear if required to do so by the committee.
    I quite agree with you. That said, when the minister appears before the committee, I often have trouble getting him to leave, because he stays longer than planned.
    We'll try to work with him to see what can be done. In any event, I suggest that we invite him to appear on May 8 to discuss Rio Tinto and that we invite him back to discuss the main estimates. Even if the minister were totally unavailable between now and the end of May and the committee had already reported to the House on the budget, the minister could come a bit later, in June, to discuss it.
    Would anyone else like to comment?
    Mr. Masse, you have the floor.

[English]

    Just to speak briefly to this, the estimates are important too. As we're creating this Bill C-27 sausage, it's important to have the minister talk about the estimates because there's money in the budget related to Bill C-27, so the timing would be extra important this time.

[Translation]

    Thank you.
    Mr. Savard‑Tremblay, you have the floor.
    First, thank you for having me in this committee.
    We're prepared to agree to this taking place over two meetings, if necessary, on two conditions. First, two hours must be spent on these issues, meaning one hour to discuss Rio Tinto and another hour to discuss the main estimates. For us, this is non‑negotiable. Of course, we must also take into account the deadline for the committee to report the main estimates to the House.
    Two hours is the bare minimum for us, especially since the committee has already been flexible about the date.
    In this case, the best solution would be to meet with the minister to discuss the main estimates on May 8, and then find a later date between now and the end of the session to discuss Rio Tinto. I think that this would suit everyone. If members of Parliament have urgent questions about Rio Tinto, the minister can still answer them, even though he'll be there to talk about the main estimates. That way, we still have an hour to discuss each topic.
    That's what we'll do. Thank you, colleagues.
(1115)

[English]

    That brings us to our regularly scheduled programming on Bill C-27, and if I'm not mistaken we were on CPC-4.
    Mr. Masse, the floor is yours on CPC-4.
    (On clause 2)
     Thank you, Mr. Chair.
    Resuming at where we were discussing the age of 18 or 14 with regard to consent and everything, maybe you can do a quick summary. My biggest concern, if we are going to go with 18, would be how somebody who is 14, 15, 16 or 17 can champion themselves in terms of their data versus a potential guardian or somebody else who might have a different set of opinions about how that person's data should be handled.
    I'm looking at the process and how difficult it is for those individuals in that grey area, who perhaps would have to compete against somebody else who might have a different set of values or interests about the use of their data through the private sector, if that's something we could go to....

[Translation]

[English]

    I think it would be important to return to page 6 of the bill and clause 4 on “Authorized representatives”, where it clearly notes:
The rights and recourses provided under this Act may be exercised
—and then with the most important part here—
(a) on behalf of a minor by a parent, guardian or tutor, unless the minor wishes to personally exercise those rights and recourses and is capable of doing so;
    Essentially, the reversion is to the individual, so that 14-, 15- or 16-year-old who wants to steward their own personal information has the recourse to be able to do so, particularly if they're capable of being able to do so.
     It would be the determination of the receiving entity, the commercial actor that would be receiving the personal information, that would need to essentially challenge the assumption of the capability of the individual, which, in the first instance, is probably not the natural recourse, because the individual whose data you're holding is telling you what they want to do with it, and your gut is to go with it, essentially. It would only be if there were any concerns about the potential capability of that individual that would require the corporation to potentially reconsider the determination as to whether or not that person should have recourse.
     That's helpful.
    Let's just walk through this process. Say, for example, that a 17-year-old wants to determine that. The company—let's say it's Microsoft or whatever—would then have to challenge the capabilities of the individual. They would have to abide by the wishes of the individual. You'd have to abide by the individual first, and then the company would have to challenge that. Would it go to the Privacy Commissioner to determine? I'm just looking for the practical path.
    Essentially what would have to happen is that, first of all, an individual would be looking to actually direct the relationship of their data. By and large, what we're talking about here is recourse and rights. Let's imagine that it was the right to deletion or the right for data mobility. The company would be receiving direction from a 14-, 15-, 16- or 17-year-old in this particular case, who says, “I want you to do something with my information.”
     In the vast majority of cases, those rights and recourses aren't the primary uses of personal information. It's usually the relationship to consent, and you've provided that essentially at outset. This would be wanting to do something with it afterwards. The process would likely be that the individual would seek, via direction to the organization, to say, “I want you to delete my information”, or “I want you to move my information”.
    The company would receive that, and it would only be on some sort of expectation, or maybe belief, that the individual is incapable of being able to make that determination. My guess is that they would initially go back to the individual and indicate, “We're uncomfortable deleting your information because we're not sure you're capable of being able to make this determination.” Then they would need to be satisfied of the capability of the individual to be in line with the law.
    The commissioner would only get involved if there were ever an investigation that was of the mind that said, “We believe that you failed to live up to the rights of this individual.” The commissioner would investigate the company's reliance on either an authorized entity or the individual as it relates to the determination made about the personal information.
(1120)
    To conclude with this, I used to be an employment specialist for persons with disabilities, and there was the whole People First movement, because, for a lot of people, it had been determined that they weren't capable of certain things when they were capable. How would this apply with regard to persons with disabilities as well? That has tended to ebb and flow with societal standards, which at times have been rather poor in many respects. We've adjusted some, but it's still quite a bit of a challenge. How would it apply for persons with disabilities?
     Mr. Chair, that's where the second portion of the “Authorized representatives” kicks in:
The rights and recourses provided under this Act may be exercised
(b) on behalf of an individual, other than a minor, under a legal incapacity by a person authorized by law to administer the affairs or property of that individual;
    These would be legal determinations made on someone who has been determined by the courts to no longer be capable of managing their affairs and for which there would be an appointee who would be governed by that.
     Yes, because, also, like I mentioned, there are persons with dementia and people living longer and so forth. There are other types of mental health challenges that are probably going to get more complicated or to at least be inclusive of mainstream society, because it's more than just persons with disabilities now. It's also persons who will develop memory issues. Okay, that part (b) will cover this.
     I'm going to conclude with this. I have one last question, because originally the motion from the Conservatives was age 14. Then it was moved to age 18, and I understand the reasons for it, but there were a lot of other submissions for 14 that came in from us. Have I missed anything other than that in terms of other testimony that has come in to move it to 18? Or has it been still more soundly represented at 14?
     I think the committee heard from a number of representatives. Fourteen was requested by a number of industry stakeholders. I think you've heard some testimony and some considerations from us as officials that the 15- to 18-year-old area still contains a lot of potentially sensitive information. By moving to 18, you essentially scope in a greater degree of information that is still likely to be sensitive in the same way that information for a minor under 14 would be.
     I think the summary is probably the same. You've heard testimony to the effect of why 14 would be useful, particularly from industry, but I think there are also considerations that have been raised about that 15- to 18-year-old range, where it's highly likely that someone is still potentially consenting to information that they may still want rights and recourses to be able to effect as sensitive.
    Great.
    Thank you, Mr. Chair, for the time. It's been very helpful to get to the comfortable zone of supporting this amendment. I think it's appropriate.

[Translation]

    Thank you, Mr. Masse.
    Mr. Généreux, the floor is yours.
    Thank you, Mr. Chair.
    Does any other legislation in Canada provide for authorized representatives for young people under the age of 18?
    At this time, no federal legislation defines the age of minority or majority. The only age defined is the voting age, which is set at 18. However, that has nothing to do with the concept of majority.
    Bill C‑63 on harmful content online is currently proposing that the age of majority be set at 18 in the digital world.
    That said, right now only the provinces and territories, based on vital statistics, determine the age of majority and minority in Canada.
    The Canada Elections Act is clear. Minors are people under the age of 18. If I'm not mistaken, under this legislation, young people aren't adults before the age of 18.
(1125)
    A citizen's voting age is determined solely by a government decision. It isn't really related to the concept of the age of majority or minority. No section of the Canada Elections Act states that only adults can vote. The voting age is simply set at 18. In this context, the age of minority or majority isn't defined, nor is the concept of a child or adult. It's just about the ability to vote.
    I agree. However, it's also a concept to set, in a bill of this nature, the age of majority at 18, meaning the age up to which people are subject to privacy legislation.
    I've had conversations with people of various ages about the age at which individuals can make decisions for themselves. Of course, the answers differed, because the views vary from person to person.
    I'm thinking back to the early 20th century, or even to 35 years ago, when the Internet didn't exist. I don't know how old you are, but I'm 62. We didn't have the communication tools 25 years ago that we have today. Does this make us smarter? I'm not sure. When we were teenagers, we didn't have the same tools. These days, a number of young people have access to these tools from a very early age. In some cases, it's almost dangerous. In my opinion, having access to these technological tools doesn't make young people any more responsible.
    Based on my conversations on this topic, the age of 18 is still a given, in theory. The legislation could say 14, 15 or 16. However, 18 is the generally accepted age in western countries. In a way, it's only natural.
    We propose that the bill set the age at 18. This isn't binding. Obviously, it would require young people to obey the law. However, it would give us greater leeway. When we legislate, we must think about young people who are more sensitive, more open to attack, in a way, or more naive. No matter what we call them, we have a duty to protect these young people. In a way, we play the role of guardians of these young people. For that reason, we think that this amendment is important, even though Quebec's law 25 sets the age at 14.
    In terms of consistency or compatibility, I would like to know the age established in various pieces of legislation both in Canada and abroad in the United States or the European Union.
    At the international level, a number of approaches establish rights and responsibilities with regard to children's personal information. For example, the children's code in England sets the age of majority at 18. The Canadian bill is perfectly compatible with this approach.
    We must acknowledge that, for the purposes of this bill, age matters because any information concerning children or minors is sensitive.
    Compatibility won't really be an issue. The organizations in Canada will comply with the provisions set out in Bill C‑27, which recognizes the sensitive nature of children's information. Since Canada sets a high standard, this lays a good foundation for complying with all the other legislative approaches in different countries. If the provisions set out in Bill C‑27 are adhered to in Canada, the organizations can comply with the legislation in effect in England, and maybe even in the European Union.
(1130)
    In this case, wouldn't the age limit of 14 be too restrictive?
    Obviously, in our view, 14 isn't old enough. The personal information of teenagers aged 15 to 18 is also sensitive.
    Okay. Thank you.
    Thank you, Mr. Généreux.
    Mr. Savard‑Tremblay, the floor is yours.
    I just want to clarify something to make sure that I understand the amendment.
    First, you compared the bill to practices in other parts of the world. I should point out that, in Quebec, the age is 13. It's even lower than the originally proposed age of 14.
    Suppose a young woman or young man wanted to have negative information about themselves removed. According to the amendment, I gather that they would absolutely or quite likely need to do so through their parents. Is that right?
    I gather that, if this amendment is adopted, the rights and remedies will fall to the parent or guardian when the minor child lacks the capacity or desire to exercise them. However, if the teenager has the capacity to do so, they can exercise their rights and remedies.
    I just want to make sure that I understand. How is “capacity” legally defined?
    This term is widely used by the courts. There are precedent‑setting capacity tests to determine, based on certain factors, whether a person has a certain capacity.
    Thank you.
    Since there are no further comments on amendment CPC‑4, we can vote on it, unless there's unanimous consent to adopt it.
(1135)

[English]

    I would like a recorded vote.

[Translation]

    We'll proceed with a recorded vote.
    I should point out that, when moving his amendment, Mr. Vis changed it so that the age would be 18 and not 14 as it appeared in the paper version submitted.
    (Amendment agreed to: yeas 10; nays 1 [See Minutes of Proceedings])
    Thank you, colleagues.
    This brings us to amendment CPC‑5. Before Mr. Perkins moves it, I must inform you that…

[English]

     Are you not moving CPC-5, Mr. Perkins?
     Yes, Ryan is.
    Just before Mr. Williams moves it, I want to inform members that should CPC-5 be adopted, BQ-1 will be inadmissible due to a line conflict.
    I'll let Mr. Williams move CPC-5.
     Thank you, Mr. Chair.
    I want to reference all amendments, because I think they're really important. In this discussion, when we're talking about personal information, we have our first amendment, which talks about including inferred information about an identifiable individual. However, I think it's important in my discussion of this that we also recognize some of the other amendments. Perhaps through this discussion—I know there will be a vote—out of four, I think we can probably come to an agreement of some kind of consolidation of this, as we've done with past amendments.
    I'll start with what we're talking about. We talk about personal information as “information about an identifiable individual”, but when we're talking about AIDA and the age of AI and big data, we've identified that we also need to make mention of inference.
    The Privacy Commissioner has said:
...inferences can lead to a depth of revelations, such as those relating to political affinity, interests, financial class, race, etc. This is important because the misuse of such information can lead to harms to individuals and groups in the same way as collected information—a position confirmed by the Supreme Court in Ewert v. Canada. In fact, as noted by the former European Article 29 Data Protection Working Party, “[m]ore often than not, it is not the information collected in itself that is sensitive, but rather the inferences that are drawn from it and the way in which those inferences are drawn, that could give cause for concern.”
    He continued:
General support for the idea that inferences constitute personal information can be found in past OPC decisions and Canadian jurisprudence. For instance, the OPC has found that credit scores amount to personal information (PIPEDA Report of Findings #2013-008, among others), and that inferences amount to personal information under the Privacy Act (Accidental disclosure by Health Canada, paragraph 46). This is also consistent with the Supreme Court’s understanding of informational privacy, which includes inferences and assumptions drawn from information.
    We've had the Privacy Commissioner give past cases on this.
     He continued:
In light of these conflicting viewpoints, we believe the law should be clarified to include explicit reference to inferences under the definition of personal information. This would be in accordance with modern privacy legislation such as the California Consumer Privacy Act (CCPA)...
     Looking at this, I normally note the GDPR as being the gold standard. We think the California example is the better example for personal information.
    To go further into that, when we talk about personal information, one limitation of the definition is its broad scope, which can encompass a wide range of data, including information that may not always directly identify an individual. This can lead to ambiguity and challenges in determining what constitutes personal information, especially in cases where data points are combined or analyzed in aggregate.
     Additionally, the definition may not adequately address emerging technologies and forms of data, such as IoT devices or anonymized data—as we've talked about before—that could potentially be reidentified.
    Besides the inclusion of inference, to improve the definition to look more like the California example, it could include specific criteria or examples to clarify what qualifies as personal information. Additionally, incorporating provisions for emerging technologies and data types would enhance its applicability and reference.
    To look at how it's defined in the California code, this is how it reads right now. Personal information includes, but is not limited to, any information that directly “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”.
     It then includes examples, which I think are really important. It says this includes, but is not limited to, names, postal addresses, email addresses, social insurance numbers, driver's licence numbers, passport numbers, financial account numbers, credit card numbers, biometric information, geolocation data, Internet protocol addresses, device identifiers, browsing history and any other information that could be reasonably used alone or in combination with other data to identify an individual or household.
    We talk about how it's much better to talk about human information when we talk about privacy, because it refers us back to human beings, but giving examples allows the Privacy Commissioner, when looking at cases, to look at exact examples, and then in a court of law to have those more defined.
    Mr. Schaan, I'll start with you. Starting with the inferred information as defined in this amendment we're talking about, does it constitute the same protection as personal information throughout the entire bill, even with this proposed amendment?
(1140)

[Translation]

    Mr. Chair, I want to thank the member for his question.

[English]

     As we understand it, CPC-5 codifies the existing interpretation of “personal information” by the OPC—which, as the member has noted, has also been codified by the Supreme Court—that includes inferred information, so we see this as consistent with the current approach. It codifies it in law as it is currently, both jurisprudentially and as understood by the regulator.
    You might have answered my question already, but with this new definition, is personal information still regulated to appropriately reflect the inclusion of inferred information as it exists in the California privacy act and Australia's Privacy Act?
    “Inferred information”, as codified in this way, would be consistent with a number of international best practices on the understanding of personal information, including California, but also the EU's GDPR and Quebec's law 25.
    I know we're looking at this clause, but also that, as before, the discussion was that if this clause were to go through it would take away the other three amendments...clauses. Given the discussion that I introduced of looking at the California section of the privacy act, identifying certain use cases for personal data, would that fall in line with what you think would strengthen this bill?
     Mr. Chair, I think this is one zone in which the devil will very much be in the details. I think we've had discussions at this committee before about exhaustive versus non-exhaustive lists, and where lists are indicative but not exclusive. Insofar as an amendment suggests what personal information is, we see that as actually limiting because right now the definition, including with this amendment, will still be quite broadly interpretable in the sense that it means information about an identifiable individual, and then the amendment would amend that definition to ensure that it expressly captures “inferred”. However, if it started to go into a list of potential technologies or zones, it would very much depend on the construction, because sometimes, due to the construction of some of those amendments, it actually becomes a definitive list, which means it's not further expandable over time. You have to word it appropriately to ensure that this is indicative and illustrative, not exhaustive. This is a zone in which OPC guidance and jurisprudence can often fill that gap—particularly as it could then keep up with the times and the technology—rather than hardwiring things into the legislation that might not stay current.
     I agree with that because I think that in the past we've disagreed within regulation, which may not define. However, could we use the words “such as”? Is there language that would allow that list not to be limited and exhaustive, as you point out?
    In broad strokes, things that say “includes but are not limited to” can be helpful in some of those indications. However, I'd have to see the specific wording because the challenge is that you want to make sure you aren't narrowing or closing to just the things that you are then about to list.
    Through you, Mr. Chair, we have NDP-4. We bring this up now because if we pass this first motion, we eliminate it. It does have wording in that, including:
individual that can be used to identify them, directly or indirectly, and includes their name, an identification number, location data, an online identifier or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
     However, what we're looking for, then, is something that says, “such as” or “could include”. Isn't that right? That's probably the wording we're looking for.
(1145)
    I'll turn to my colleague, but you're right: Currently our worry about NDP-4 is that it would be seen as a closed list because it has “includes” and then lists things, as opposed to something like “includes but is not limited to”.
    I turn to Mr. Chhabra.
     I think it's important to recognize as well that the formulation of the list can be done in a way that unintentionally narrows. In this case what we're looking at specifically, in addition to the issues that Mr. Schaan mentioned, is that it might unintentionally reduce the range of personal information because it specifies only that which is used to identify an individual. That could exclude a series of very important buckets of information that are currently considered as being personal information under the act. An individual conducting certain types of searches or visiting certain types of websites online might not be information that identifies that individual, but it is about that individual.
    The current definition of personal information is information about an identifiable individual, versus here in NDP-4, which has information “that can be used to identify them, directly or indirectly”. This goes back to Mr. Schaan's point about constructing the definitions in the manner that is the most inclusive and as broadly as possible to allow for jurisprudence to evolve and for the OPC to issue guidance to enable better understanding within the industry about what's meant, but without locking us in at the legislative level.
     If you go back to the California code, it says, “Personal information includes, but is not limited to” any information that directly “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”. It's a longer definition before they list the examples.
    Should we be looking for that kind of a definition? Again, we're talking about “inferred” on one side. However, again, when we look down the list, I think it is the Bloc amendment that talks about including “an identifiable individual or group”.
    If we look at the California code, we see that they've really nailed that first part of the definition. Would that be something that would encompass all of the amendments that we looked at?
    Right now, that work of the lengthy California description is being done by the word “about” in the current PIPEDA, and “about” has been sufficient, from a court perspective, to get at a wide range of inferred and direct information about individuals. It's how the court ruled on information related to inferred data. It's how the court ruled on things like IP addresses. Therefore, “about” has been sufficient, jurisprudentially and from a guidance perspective, to get to all of the things that California has tried to do with a much longer list.
    Of course, the problem of going to a much longer list is twofold. First, you're shifting from “about” to something else. The courts have tended to have a rational kind of approach to say, “You did that on purpose,” so clearly.... What is it that's different between “about” and this new list that suggests you weren't happy about “about”? Second, the worry then, of course, is whether—because it's now a much longer list—it is exhaustive. Is it now seen as potentially overly narrowing, whereas that was all being done by “about” and got to good places, both through the OPC and the courts?
    This is always the concern with potentially inserting something that adds more words: it potentially doesn't actually do more work than “about” already does in the current definition.
    Mr. Chair, I'm going to let others chime in so that we can see what the other parties are thinking.
    Thank you, Mr. Williams.
    I'll just make a point of clarification, which you've mentioned. If CPC-5 is adopted, BQ-1 cannot be moved, but NDP-4 and NDP-5 could still be moved.
    Mr. Masse.
    Thanks, Mr. Chair.
    I think we're playing a game of snakes and ladders here as we go back and forth with all the different numbers. I think what's happening here is that we're trying to make it better, but we don't want to make it worse. I appreciate the Conservatives' bringing this amendment forward. If we go with NDP-4, though, and insert “but not limited to”, would that be a better fix?
    No.
    Okay. That's what I want to hear. We're trying to get to the same place here, so please be frank.
(1150)
    Indeed.
    Unfortunately, the construction of NDP-4, as Mr. Chhabra says, uses “used to identify them”, as opposed to the current definition, which is “about” them. “About” does more than “used to identify” does. “About” suggests a generality around you, which is where inferred information got read in by the courts. Therefore, if we go back to “identify”, if it was individuals that can be used.... The construction is challenging because you need to keep “about” somewhere in there so that you can get at the broader construct.
    If we're looking to bolster what we're trying to do here, which amendment should we be constructing on? We've ruled out NDP-4, which is fine.
    Again, I think we're all trying to get to the same spot.
     CPC-5 avoids that challenge. NDP-5 also avoids that challenge. BQ-1 and NDP-4 shift the construction. BQ-1 introduces this construct of group rights, which I think would vastly alter the definition of “personal information” that is currently understood in our jurisdiction or others.
     So we're really looking—and please say no if I'm wrong—at the one currently in front of us, NDP-5, as being the better of the options going forward.
    Amendments CPC-5 and NDP-5 both codify the inclusion of inferred information without breasting a definition of personal information being solely that which is used to identify, because, again, identification is only one half of the battle here. It's also the inference or the generalities about someone that go beyond just the pure precision of identifying.
    From those two choices, is there one that's preferable?
    I think they are both workable. We have amendment CPC-5 in front of us.
    That's fine. Again, it's about getting the result. I think NDP-5 is better, but we all want to get to the same space.
    Thank you very much. That has been very helpful. I will turn the floor back to the chair.

[Translation]

    Thank you.
    Mr. Turnbull, the floor is yours.

[English]

    I will be quick.
    Our position is that amendment CPC-5 is something that can be supported, but based on, I think, Mr. Williams' questions, inferred information may already be included in the interpretation of PIPEDA and the EU GDPR.
    Is that not correct, Mr. Schaan?
    Yes. The current interpretation by both the OPC and the courts is that personal information as defined in PIPEDA currently, which is being ported to CPPA, includes inferred information.
     So including it doesn't really add a whole lot, except maybe for greater certainty, as you all say sometimes. I know that's a term that comes up in this committee a lot. It may actually improve the bill ever so slightly in terms of just being a bit more explicit that inferred information is included. Would you say that's sort of—
     That's correct. It takes the current legal and regulatory approach and ensures that it's legislated.
     Okay, great.
    I appreciate all the questions on the other amendments that have been proposed, and maybe we'll get into those in a moment, but maybe we can vote on this one. I'm certainly prepared to support amendment CPC-5.

[Translation]

    Are there any other comments?

[English]

    Mr. Van Bynen, go ahead.
    I want to clarify. I think there was some discussion about including the words “but not limited to information”. Is that something you had indicated earlier, Mr. Schaan, that you wanted to see included in that amendment?
    I think in the formulation in CPC-5 that's not necessary, because it still says, “about an...individual” and so—
    Thank you.
    I see that there are no other comments, so I will call amendment CPC-5 to a vote.
(1155)
    (Amendment agreed to: 11 yeas; 0 nays)

[Translation]

    Thank you, everyone.
    Since amendment CPC‑5 has just been adopted, amendment BQ‑1 is now inadmissible due to the line conflict that I referred to.
    This brings us to amendment NDP‑4.
    Before giving the floor to Mr. Masse, I just want to inform him that, if amendment NDP‑4 is adopted, amendment NDP‑5 can't be moved, due to a line conflict, once again.

[English]

    You're going to have to choose which one you want to move, because if NDP-4 is adopted, then NDP-5 cannot be moved.
     Mr. Chair, I think we have had a good amount of discussion. I can drop amendments NDP-4 and NDP-5. I'm comfortable with the discussion we've had and with working that through.
    Okay, so they are not moved.
     I don't think we've ever gone this fast before. Let's keep it going.
     That brings us to amendment CPC-6.

[Translation]

    Mr. Généreux, you have the floor to move amendment CPC‑6.
    Thank you, Mr. Chair.
    Amendment CPC‑6 adds, after line 31 on page 5, the following definition of the term “profiling”:
Profiling means any form of automated processing of personal information consisting of the use of personal information to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual's performance at work, economic situation, health, reliability, behaviour, location or movements.
    In his brief to the committee on Bill C‑27, the Privacy Commissioner of Canada pointed out a gap in the bill. He said that, “unlike the European Union's general data protection regulation (GDPR) and other modern privacy laws in California and Quebec,” Bill C‑27 doesn't contain any provisions requiring organizations to take protective measures against profiling carried out by automated decision‑making systems. As drafted in the bill, the obligations would apply to organizations only when they use automated decision‑making systems to make decisions, recommendations or predictions about an individual. However, as the commissioner stated, “while profiling may be implicitly included in recommendations or predictions, not including it explicitly in the [proposed legislation] could create unnecessary ambiguity resulting in a significant gap” in terms of privacy. As a result, “often‑opaque activities such as data brokering—selling or … making available datasets about individuals which they will typically be unaware of—may not have the same needed transparency.” It's also unclear “if the obligations would apply to personalized digital environments,” such as the metaverse, in this case Facebook.
    Although Bill C‑27 as currently drafted doesn't include any reference to the term “profiling”, the Conservatives are moving two amendments that use the term. As a result, this definition must be added.
    Amendment CPC‑6 seeks to add a definition of the term “profiling” to the bill in order to support other Conservative amendments that use the term. These amendments seek to allow individuals to file an appeal against automated decisions made about them when they have been profiled, and to introduce a requirement for organizations to explain, in plain language, how their automated decision‑making systems profile selected groups.
    With your permission, Mr. Chair, I would like to ask the witnesses a question.
    The Privacy Commissioner of Canada and stakeholders from the Centre for Digital Rights have expressed concerns about the current gaps in decision‑making.
    Are there currently any other gaps in the bill related to automated processing or decision‑making?
(1200)
    Although there is no definition of the term “profiling” in the bill, we feel that this concept is already included in the obligations and requirements for automated decision systems. However, if there was a desire to explicitly state that automated decisions include possible profiling, I think that would be a good addition to the bill.
    The European Union's General Data Protection Regulation and other statutes make distinctions about profiling in terms of group settings.
    As far as personal information is concerned, are there other clauses of the bill that do not take into account an individual's option to opt out when a group of which they are a member chooses to register? In other words, when a person is in a group, is it possible for them to withdraw from that group?
    Bill C‑27 gives individuals the right to request that personal information about them that is presented in a form that still makes it possible for them to be identified be deleted from a database.
    However, as we discussed in the beginning, if that information is anonymized, there is no more information about an individual, so there is no need to make such a request.
    Profiling is not defined in the bill, even though we know very well, indirectly, that it occurs. I would even go so far as to say that racial profiling is very important for a number of service providers who do mass data collection. I don't want to get into a debate, but we have seen on a number of occasions—in Montreal in particular—the whole issue of racial profiling in the public safety file.
    Inevitably, individuals find themselves associated with certain groups that are profiled based on elements of their private life, such as race or age. Could the lack of an extremely explicit definition of profiling in the bill put these individuals at risk, since they are profiled without even knowing it and will, therefore, not have the opportunity to challenge the law going forward, in one way or another?
    That's a good question.
    As we were saying about the previous amendment, personal information refers not only to information used to identify an individual, but to all information that relates to that individual. So that really includes the concept of profiling. If information about an individual is kept in a database and is used to create a profile, or even if certain providers use it for marketing or advertising purposes, it is still personal information about an individual, so that individual still has all the privacy rights and remedies.
    Since inferred information is included in the definition of personal information and there is a proximity between the concept of inferred information and the concept of profiling, that concept would, therefore, also be included.
    As my colleague just said, if this information is used to create a profile, it is also used to infer information about an individual based on their membership in a group.
(1205)
    Then I gather that you are not opposed to our proposal to include this definition in the bill. We think this is essential. Would you agree with that?
    We feel that the definition proposed in the bill already includes the notion of profiling, but it would not be a bad thing to add that concept to it. It would be all the more useful, since other amendments that the Conservatives wish to propose are based on the concept of profiling.
    According to our interpretation of the bill, the definition already includes this concept, but it would be good to add it for clarification.
    Thank you.
    Thank you very much.
    Mr. Turnbull, go ahead.

[English]

     My understanding from the last exchange is that the concept of profiling activities is already included in the bill.
    Is that right, Mr. Schaan?
    That's correct.
    It's the construct around automated decision-making models...there are specific requirements for that included in the bill.
    Is that right?
    That's right.
    Could you briefly describe what those requirements are?
    They're transparency requirements. Essentially, organizations using automated decision-making systems, ADS, have to tell users that they're using them. Once a decision is made using such a system, an individual can also ask for that decision to be explained. How exactly was that personal information used to make a certain decision using an ADS?
    Those are the two requirements with respect to ADS.
    Got it.
    Is the inclusion of this definition going to create any problems in the interpretation of the bill? Is there any confusion that it could create?
    We don't see any confusion. It adds an interpretation that already exists within the law, but is not at odds with the current interpretation.
    It's similar to inferred information, which was already included in the bill, in a way, but adding it explicitly doesn't necessarily harm the interpretability of it.
    That's correct.
    This is not a hill we're going to die on. We'll support you.

[Translation]

    Thank you very much.
    Mr. Vis, you have the floor.

[English]

     I'm going back to the good work this committee's done on putting the best interests of children as a paramount concept at the onset of the future legislation.
    I'm thinking in the context of my four-year-old son. Does the department acknowledge that companies seek to profile children who may get a hold of their parent's iPad and want to buy the latest PAW Patrol? PAW Patrol is everywhere. It is a known fact that companies that have access to the PAW Patrol licensing are profiling and trying to get parents like me to buy some really crappy toys that fill up my basement and I find underneath my couch.
    I'm bringing it back down to reality.
    Obviously, profiling as a function of taking personal information, automating that in some ways and then using that to market to an individual would require the individual to be informed of the fact that there's an automated decision-making system at play and also to know what personal information is being utilized to make that determination.
    Because we've determined that children's information is sensitive, corporations would be required to adopt appropriate privacy management programs to ensure that the sensitivity of the information, for instance, of your four-year-old, is not utilized in inappropriate ways. It's on how they are protecting that and linking it. Linking it to your information, for instance, could be acceptable in certain circumstances, but it would need to be clear in terms of how consent was offered and how it was dealt with.
    When and if Bill C-27 is passed, would the bill provide the safeguards needed with some of the amendments already passed to stop that current commercial practice?
(1210)
    That would be very much dependent on the use cases related to what was consented to and how.
    Is that based on the example you just gave about what an obligation of a corporation would be?
    Again, this is not knowing what the initial service agreement was with the individual. When the information was actually collected, when the account for your four-year-old was first generated they had to tell you in plain language, which Bill C-27 will require, “This is what we're going to do with your information, are you comfortable with that?”
    First of all, it's a four-year-old, which means you're making that determination. I'm sure your four-year-old is probably very clever, but they probably wouldn't meet the capability tests struck by the Supreme Court to make determinations on their own. You would be making that determination to say that you are willing to hand over this information.
    There's guidance on that, in terms of what then occurs. It would be very much determined by what you said yes to. They could come back to you to say, “It looks you might be in a household that accompanies a four-year-old. I bet you probably really like PAW Patrol. Maybe you should watch or buy more of it.” It would depend on what you originally consented to.
     There is another scenario that I'm concerned about.
    My kid has an iPad—don't judge me, please. Sometimes they get to use that on the weekend, whatever, it happens, and those things happen with PAW Patrol. I know Bernard is laughing because it's the same with his grandkids. That's a fact; I've been to his house and I've seen PAW Patrol.
    The other scenario is that, in my household, I have an Amazon Alexa. Again, don't judge me, but this is the life I live. My children put on all sorts of wild music like these frog songs right now. I can't get over them. It's also my iPhone and my Samsung. They listen to me as well, and it all seems to be tied together.
    On Saturday night we were cooking Filipino food, and my wife was telling my children why we were doing this a certain way, because that's what she does, and it's part of her culture. The next day on Facebook, we saw reels of Filipino cooking. That is a fact, and it happens to everyone. My reels are often rugby, politics and Filipino food, so there you go.
    The other scenario I'm concerned about relates to children. I don't believe that this law is going to stop all of the things that all of us get concerned about when it relates to children. All of these things are being said in the context of a home, and most of us probably have a Google or Alexa-style device in our household, as they're ubiquitous now. We're not going to be able to stop all types of profiling even if we have very strong safeguards and clear language in the bill, because there are so many ways that corporations will be able to circumvent the intention of the law. It's going to take court cases to go to the next step in protecting kids.
    Would that be a fair assessment?
    Continued guidance and jurisprudence help flesh out the responsibilities that will be borne out or that are being identified and adopted through this piece of legislation. By making the broad parameter that children's information or the information of those under the age of 18 is sensitive, thus requiring a higher bar for its treatment, protection and use will get fleshed out by guidance and by jurisprudence as to how companies have to interact with that obligation.
    The degree to which modern and new technologies...and this is why it's very important that the law remains technologically neutral, means that there will be new tools that will allow for this information to be used in ways that we don't anticipate right now. Broad definitions, like personal information is information about someone or that an automated decision-making system is a decision that uses information to automatically make a determination about you, are useful because it means that people are held to those standards.
    I concur that each of these use cases is going to be very particular to what you signed up for, what you agreed to, what you said and what's happening to your personal information. The general constructs that we're getting, particularly today, include inference and the roles by which your information may live in a broader dataset that is still being used to make determinations about you. This means you may have some recourse or right as it relates to your privacy therein.
(1215)
    Thank you, Mr. Chair.

[Translation]

    Thank you, Mr. Vis.
    Seeing no further discussion on amendment CPC-6, I'm ready to put it to a vote.
    Having said that, I see that Mr. Masse and Mr. Williams are not here right now. In that case, we could proceed by consensus.

[English]

    Is there a consensus around the room on CPC-6?
    (Amendment agreed to)
    The Chair: This brings us to CPC-7.
    Mr. Masse and Mr. Williams, we adopted CPC-6 by consensus. I hope it's fine with both of you. If it's not, it's done already.
    On CPC-7, I have Mr. Perkins, but I'm guessing it's someone else on the Conservative side moving it.
    Mr. Vis, the floor is yours.
     I didn't think we'd get this far today.
    This follows nicely the good dialogue we just had with Mr. Schaan regarding how implicit or explicit this bill actually becomes. CPC-7 proposes to define sensitive information:
sensitive, in relation to information, includes any information pertaining to an individual that reveals
(a) their racial or ethnic origin;
(b) their political opinions, religious or philosophical beliefs, trade union or political membership, or political contribution history;
(c) their sexual orientation or sexual habits;
(d) genetic data or biometric data that can uniquely identify them;
(e) their health condition, including any treatment or prescription on their medical record;
(f) government identifiers, such as their social security, passport or driver's license numbers;
(g) the content of their electronic devices, including messages, images, address books, calendars and call history;
(h) their passwords; or
(i) financial data.
    Bill C-27 makes several references to the terms “sensitive information” and “sensitivity” without providing definitions for the terms. This approach is incredibly problematic for consumers and businesses if the definition is left to interpretation, with the obvious risk that some information will be regarded as sensitive data and other information as not, and those interpretations will vary. To resolve this issue, stakeholder groups and the Privacy Commissioner have advocated for a clear definition of the term, outlining a list of items legislators constitute as sensitive information.
     I note that, in committee testimony on October 31, the Centre for Digital Rights stated:
At the moment, the definition of sensitive categories of personal information is left open and the words “sensitive” and “sensitivity” are used throughout Bill C-27 without definition (with the exception of minors). Thus, the definition is left to the organization with the obvious risk that some sensitive data will not be regarded as such, and that interpretations will vary.
    This is a key element that differentiates the CPPA from other modern privacy laws like the EU GDPR and those found in California and Quebec:
So as to provide certainty for Canadians and Canadian businesses, and to align with both Quebec's Law 25...Bill C-27 should define “sensitive information” first by establishing a general principle of sensitivity followed by an explicitly open-ended list of examples....
     The Office of Privacy Commissioner, in its submission to our committee, stated:
That a definition of sensitive information be included in the CPPA, that would establish a general principle for sensitivity followed by an open-ended list of examples.
    In the GDPR, article 9, paragraph 1, it states:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
    It's very clear we relied heavily on the GDPR example in putting forward this proposed amendment.
     I note that the Canadian Research Insights Council, on May 9, stated:
Bill C-27 could offer more protection for minors, for which the Bill is nearly silent. Bill C-27 indicates that information with respect to minors be considered sensitive information but offers no definition of minor nor sensitive information.
    Australia's Privacy Act follows a similar line of language to the GDPR.
    In America, the American Data Privacy and Protection Act outlines a whole suite of matters related to their definition, including:
(i) A government-issued identifier, such as a Social Security number, passport number, or driver's license number....
(ii) Any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or health care condition or treatment of an individual.
    The list includes financial information and:
(iv) Biometric information.
(v) Genetic information.
(vi) Precise geolocation information.
(vii) An individual's private communications....
    The list includes passwords, sexual orientation or:
(ix) ...sexual behaviour in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information.
(x) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual's device....
(1220)
     It includes non-consensual intimate images, information that reveals the video content or services requested or selected by an individual, and minors' information.
    I'll go on.
    Daniel Konikoff from the University of Toronto stated:
The term “sensitivity” appears often throughout the CPPA, yet it remains undefined in the Bill's glossary. Bill C-27 should follow global standards and explicitly define sensitive information to capture the above-mentioned categories with an emphasis on biometric information, which is at the core of an individual's identity. The EU AI Act is already ahead of the curve on this, explicitly defining biometric data in a way that acknowledges its sensitivity, its unique capacity to identify a person, and the importance of consent in systems that identify based on “...physiological, behavioural and psychological human features”....
The CPPA's failure to capture biometric data as sensitive information leaves far too much up to interpretation, and may lead businesses to establish inadequate protections—or none at all—for information that merits stronger safeguards. Without this definition, other sections of the CPPA—such as 53(2) and 62(2)(e), which refer to retention periods for sensitive personal information, or 57(1), which pertains to establishing safeguards proportionate to the sensitivity of the information—are left open to interpretation.
    California follows the federal law in America, which provides much of the same language in terms of sexual orientation, racial or ethnic origin, or religious or philosophical beliefs.
    I'll note that the Canadian Civil Liberties Association outlined that sensitive information remains undefined in Bill C-27. It said, “Parliament should follow international standards and explicitly define sensitive information to better protect special categories of personal information.”
    Bill C-27 defines “personal information” as “information about an identifiable individual.” According to the European Union's General Data Protection Regulation, personal information includes names, ID numbers, “location data, an online identifier or...factors...to the physiological, genetic, mental, economic, cultural or social identity” of the person.
    I think there is ample testimony from business and civil liberties groups as well as the Privacy Commissioner outlining the need to have a definition in there. At the same time, I acknowledge some of the rationale we've heard from the department about the nature of lists. However, I also relied heavily on the expertise of the Privacy Commissioner when putting this forward. Our intention behind it is to avoid broad interpretation if and when this bill is enacted and becomes the new standard for Canada.
    Thank you, Mr. Chair.
(1225)

[Translation]

    Thank you, Mr. Vis.
    On my list of speakers, I have Mr. Savard‑Tremblay, followed by Mr. Turnbull and then Mr. Gaheer.
    Mr. Savard‑Tremblay, you have the floor.
    Thank you, Mr. Chair.
    I would just like to move a subamendment, which consists in adding the following element:
(j) any other information violating the fundamental right to privacy.
    Mr. Savard‑Tremblay, would it be possible to send us your subamendment in writing, in both official languages, if that has not already been done?
    Yes, we're working on it.

[English]

    Mr. Chair, I'm sorry if I missed this earlier when you stated it. What's the relationship between CPC-7 and NDP-6?
     There is none.
    It's being sent around to the clerk, then to members, but you've all heard it. There's a subamendment that has been moved by Mr. Savard-Tremblay.
     I'll open the floor to debate the subamendment, which we have to deal with before we can go back to the amendment per se.
     Mr. Turnbull.
     Thank you, Mr. Chair.
    If I understand the intention of Monsieur Savard-Tremblay's subamendment, it would be to add “any other information that would be a breach to the fundamental right of privacy” on to the long list of factors that are there.
    Is that correct?
    Essentially that list would be deemed inexhaustive and would include “any other information”.
     That's just a clarification question. I think I'm understanding correctly.

[Translation]

    Thank you.
    Mr. Savard‑Tremblay, do you want to answer your colleague's question?
    The current list is probably intended to be exhaustive, but I think we need to give ourselves the possibility to add to the list other types of information that could violate the fundamental right to privacy.
    I think that speaks for itself. If necessary, it will provide another basis for interpretation in the event of litigation, for instance.

[English]

    Thank you.
    I guess what I'm struggling with is that this section that's being amended is adding factors or categories of types of information that would then qualify as sensitive and would then require express consent in all circumstances.
    Is that correct, Mr. Schaan?
    Could you maybe clarify for me if I am interpreting this correctly?
    That is correct.
    Are there any concerns with, for example, financial information or biometric data that would pose potential risks in terms of over-regulation?
    I just wonder if this is something that financial institutions, for example, are used to dealing with.
    I'll start and then I'll turn to my colleague.
    I think that generally the broad ambition of making sure the information that is quite personal in nature holds a high degree of protection by commercial actors is a shared ambition for the entirety of this piece of law.
     The rationale for why we have a definition of “personal information” and what's being proposed here as “sensitive information” is that there is some information that is personal in nature that is not sensitive. Ideally, while we get as precise as possible for corporations to understand their obligations, we leave room for two things: the first is for the OPC to have capacity to kind of continually interpret and understand the changing nature of information, while the second is to allow for context to inform information.
     In many cases, some of these identifiers are not seen as personal information per se. My address, unless I've restricted it in various formats, is not always sensitive in the sense that it can be found in all sorts of public directories and various other sources.
    However, the fact that it might be linked to data about the sale price of my house, for instance, which suddenly includes financial information, is now complexifying the use case of that. For the person who is in possession of my address, that's now sensitive. They should be treating it as such, and I should be able to offer express consent for the use of that.
     I'll turn to Mr. Chhabra, but this is where I think we would want to make sure we're getting at all three of those ambitions: one, that we've made a distinction between sensitive information and personal information, recognizing that some information is in fact more sensitive and more in need of protection; two, that we've left room for OPC guidance; and three, that there's some room for context because information is not necessarily always the same in every single situation.
    With that, I'll turn to Mr. Chhabra.
(1230)
     Thanks very much.
    Just to follow up on Mr. Schaan's points, the way we read CPC-7, it would establish very broad categories for sensitive information that go beyond what is currently contained in the EU's GDPR or found in the Privacy Commissioner's own bulletin on sensitive information.
    It doesn't allow for a contextual analysis or what defines sensitivity in a given scenario. An example of that would be that the GDPR does not identify financial data as being universally sensitive; I think that was the nature of the question.
    That's also aligned with findings of the OPC and Canadian courts, which have stated that not all financial information is sensitive, and that sensitivity depends on the circumstances.
    In a case called Royal Bank of Canada v. Trang in 2016, the Supreme Court found that the degree of sensitivity of specific financial information is a contextual determination.
The sensitivity of financial information [in that case, the current balance of a mortgage] must be assessed in the context of the related financial information already in the public domain, the purpose served by making the related information public, and the nature of the relationship among the mortgagor, mortgagee, and directly affected third parties.
    That case was cited, as well, by the Privacy Commissioner's updated guidance on the meaning of sensitive information, which was published in 2022. It illustrates scenarios in which there may be very valid and important reasons for the sharing of certain financial information under certain circumstances, but to declare all of it sensitive would not allow for that contextual understanding.
    Thank you for that clarification.
    Just to follow up on that, what I'm inferring from this is if you're deeming all of these categories of personal information as essentially sensitive information, you're raising the bar to require express consent in every single circumstance, which eliminates any room for context dependence to be considered.
    What would the potential burden be on industry that probably functions right now to do all kinds of things that we.... I think we take for granted how the sharing of information is necessary in order for some of the services that we consume regularly and that are highly convenient to us...and if we raise the bar so high, I am concerned that many of those services we currently rely upon will not be convenient anymore.
    In other words, those companies will have to come back to us for express consent on a lot more things than maybe we would really intend by making this change.
    It seems to me there's a high risk of unintended consequences of over-regulation here. I just wanted to check, Mr. Schaan, whether you agree with that and whether you can give us any examples; I'm struggling to think of one.
(1235)
    Mr. Chair, indeed I think the desire here is to make sure there are appropriate protections in place for information that is truly sensitive.
    The challenge, of course, when putting out a list is that we've assured ourselves that every instance of the utilization of the categories in that list would always meet the test of requiring express consent. As noted, something like financial data, for instance, can actually be widely construed and may not always necessitate express consent in every single one of those instances.
    I think the challenge for a commercial organization in possession of some of this personal information is that, if they're actually in receipt of this bill and trying to think about implementation, suddenly there's a whole bunch of potentially new interactions they may need to have to implement some of this.
    Some of it is potentially going to get very much in the way of existing business processes. That's not to say that we don't want to rule out harmful business processes, but for some of these there may be a better way to make sure sensitive personal information is defined and understood at a broad level, and yet not remove those two things that I suggested were important. One was room for guidance, and the second was context in some situations. De facto calling it sensitive in every instance may not actually be accurate to what it does in a particular instance or situation.
    I'll turn it over to Mr. Chhabra.
     I'll jump in with a short example here.
    There are circumstances in which pieces of information, such as purchase data, might not necessarily be considered sensitive in a given context but might in another context—for example, an individual purchasing food items or health products that could relate to a medical diagnosis. In other words, the inferred information that can be captured, based on something that on the face of it seems to be pretty innocuous, could in fact be quite sensitive data. That's why it's so important to maintain this contextual awareness element in the bill and in the way it's interpreted and then applied by the OPC.
    Just to follow up on that, let's say some of the information included in this list is not necessarily deemed sensitive in all circumstances. Does that mean it's necessarily unprotected information? I don't think that is the case, right? I mean, it's still considered personal information; it's just that not in every circumstance would it require express consent to be collected, utilized, etc.
    But there are still some pretty significant requirements in this bill that would be obligations on the companies that are collecting and using that information, even though it wouldn't necessarily in every circumstance be deemed sensitive. Is that not correct?
    That's right. What CPPA aims to do in broad strokes is to ensure that there is a high threshold of privacy protection for all personal information utilized in a commercial context and that there is significant and meaningful enforcement of obligations related to commercial entities that interact with personal information.
    What “sensitive” aims to ensure is that there's a concentric circle or an inner circle of very protected data for which there are security protocols in place and much higher privacy protections, including about how they got that information in the first place, notably through some form of express consent. It's not the Wild West or Fort Knox. Ideally, it is a highly constrained utilization where it makes sense in how it's utilized, and then very constrained because of the nature of the information at play.
    That makes a lot of sense. I know that we haven't gotten to those parts of the bill, so it's easy to reflect on definitions at the point we're at and not consider the very high number of requirements and obligations that companies would be under, given all the personal information that they may use. That's interesting.
    If we add Mr. Savard-Tremblay's subamendment to this list, now we're going to “any other information”. I think that almost collapses that outer circle to include almost anything as sensitive information. I see that as being a very high risk for unintended consequences.
    Mr. Schaan, could you comment on that?
(1240)
    Certainly, the insertion of the fundamental right to privacy in the bill itself suggests that the fundamental right to privacy applies to personal information. If we add in a category that is then now sensitive—that is, all information for which there is a fundamental right to privacy, which, by the preamble, is all personal information because of the nature of how we've set out the fundamental right to privacy—then there is no distinction anymore between personal information and sensitive information. All information is sensitive. All information must be treated as such and therefore requires express consent.
    That would have a major implication for the other parts of this bill—in other words, that all personal information already comes with a number of different standards and obligations. That would essentially change the nature of the bill quite considerably, would it not? What would be the impact if Mr. Savard-Tremblay's subamendment were to pass?
    If all personal information is sensitive information, essentially there is no other means by which a corporation can ever access information except through the express consent of the individual. When we think of just the sheer volume of personal information in a commercial context that is provided, I'm not sure how one could implement it.
    So you're saying it would not be implementable. It would essentially make this bill—what? What would be the impact?
     It would fundamentally shift business practices because if corporations had to rely on express consent for every single collection of personal information.... That's not how the market currently operates.
    Each bit of personal information derived from....
    I should have warned you all in advance, but my parents are visiting from Winnipeg. I don't wear a—
    Congratulations.
    An hon. member: It's the only way they can see you because we have you here all of the time.
    Exactly. It was my way of making sure that you all were nice today.
    Voices: Oh, oh!
    Mr. Mark Schaan: Exactly.
    For my mom's Fitbit, each piece of data is a piece of personal information related to her activity. If she was required to provide express consent every time that personal information was provided back to the organization, she'd be on her watch all day clicking “yes” because every single one of those pieces of information requires express consent. That is because the definition is that if information is subject to a fundamental right to privacy, then that's all information. We said in the preamble that the purpose of personal information is that people have a fundamental right to privacy, which means the privacy related to their personal information.
    Now, we then mitigate that and enable it through all of the provisions of the rest of the act that say how that plays out in various situations. Sometimes it's through express consent. The act talks about ways in which you can potentially have a legitimate interest and ways in which you can potentially ensure that there are exceptions to consent. However, none of those play out if all information is sensitive because, essentially, you then need to expressly say “yes” every single time.
    That sounds to me like it would defeat this bill in the sense of the intentions of it. It would also be very annoying for almost everybody out there who uses services that require the sharing of personal information, including your mom and myself with my Apple Watch.
    I'm sure there are many other examples, if you universalize that across our entire economy, that we probably take for granted to some degree, but I think it would be a major imposition on business functioning in order to offer the value that we normally experience from those services.
(1245)
    One of the goals of the proposed legislation is to minimize consent fatigue and to maximize consent with regard to where it is truly important and is understood to be important. If you have to expressly consent for every use of the information that you're providing to a corporate entity, then, potentially, we actually significantly raise the bar for consent fatigue. People get tired of saying yes or no, even if it's in plain language.
    By trying to actually constrain it to that for which it is most necessary.... We understand the intent of CPC-7, which is to try to say, “Let's put some flesh on the bones of what is actually sensitive and where those cases are.” We have noted that, potentially, the categories might be too broad or might lack some of that context, and that maybe there's a better way of getting it. The construct that there is sensitive information.... It clearly exists. What kinds of contours can we put around it without boxing out the possibility of saying that everything requires consent or that consent is always the case for every single type of information, even though there are different uses of types of information, some of which might be sensitive and some of which might not be?
    Thank you for that.
    I don't know whether Mr. Savard-Tremblay intended for that to be the case, but after hearing the clarifications made here, I think it seems that this subamendment is not going to have an overly helpful effect at achieving the policy objectives of this particular bill. I'm wondering whether we can vote on that.
    I know my colleague, Mr. Gaheer, was on the list to offer some thoughts on the original motion that the Conservatives put forward, which we hope we can get to today.
    Thanks.
    Thank you, Mr. Turnbull.
    In the meantime, we're still on the subamendment until I've exhausted the list of speakers.
    I have on my list Brad Vis and Mr. Savard-Tremblay.
    Just so you know, we have a motion by Mr. Williams that he'd like to move towards the end of the meeting, so at about five minutes to 1:00, we could move on to Mr. Williams' motion.
    Mr. Vis.
    I'll provide a general comment.
    I don't believe this subamendment was put forward with ill will, but I would accept some of the rationale about its being overly broad in this context. On the CPC side, we're going to be voting against it.

[Translation]

    Thank you.
    Mr. Savard‑Tremblay is next on my list, but I see that he is currently talking to Mr  Williams.
    Mr. Savard‑Tremblay, you now have the floor.
    Thank you, Mr. Chair. I thought it was my colleague's turn.
    I would have liked to be able to speak about 20 minutes ago to prevent people from talking about my subamendment for nothing, as I finally decided that I wanted to withdraw it and propose something else.
    Just a moment, Mr. Savard‑Tremblay.
    Do I have the committee's unanimous consent for Mr. Savard‑Tremblay to withdraw his subamendment?
     Some hon. members: Agreed.
    (Subamendment withdrawn)
    We'll go back to you, Mr. Savard‑Tremblay.
    Based on the discussion I've heard, I believe that, rather than adding item (j) to amendment CPC-7, it would be much more accurate for this item to be at the end of amendment NDP-6. I'm just throwing that out there. I'm not sending it to you in writing, since you already have it.
    So it would become the end of the wording proposed in amendment NDP-6, replacing “personal information in respect of which, due to the context of its use or disclosure, an individual has a high reasonable expectation of privacy”.
    I think that would clarify everything, in addition to addressing all the fears and considerations we heard about the subamendment I had proposed previously.
    If I understand correctly, point (j) would become another subamendment that you would propose. Is that correct?
    Yes. This subamendment that I would propose would eat into the end of amendment NDP-6.
    I invite you to send the text of the subamendment to the clerk so that we can debate it.
    There's not much time left in the meeting. I will still let you finish your remarks, Mr. Savard‑Tremblay, if you have something to add. That said, I think we have clearly understood the subamendment you are proposing: It's about replacing the end of amendment NDP-6 with what you had proposed to add as point (j) to amendment CPC-7.
    The wording will be sent in writing to the clerk and then sent to the committee members, and we can debate it next time. Since we have only 10 minutes left in the meeting, if it's okay with you, colleagues, I move that we end our clause-by-clause consideration of the bill here.
(1250)

[English]

    We'll come back to the subamendment proposed by Mr. Savard-Tremblay when we get back to the next meeting, because I'd like us to have enough time for Mr. Williams' motion.
    Mr. Williams, go ahead.
    Thank you, Mr. Chair.
    We have circulated a motion.
    Mr. Chair, you'd think for $15 billion of hard-earned taxpayer dollars that Canada would get supply chains for batteries, some manufacturing jobs for car parts or even a steering wheel. In Windsor at Stellantis—and I know we've talked about this before—we have $15 billion going to this plant. We had news from the union, from the CBTU members, this week that at this plant they're still seeing foreign workers employed over Canadian workers. We've made noise before about how we think Canadians should have been offered these jobs. For $15 billion, Canadians should have been put front and centre. We worked with the unions to make sure these were good jobs for Windsorites. This is a plant in Windsor, and we want the good people of Windsor to have these jobs and to be working in this plant, especially for this amount of money. We are still hearing from the union that foreign workers rather than Canadian workers are still working in jobs that were promised to Canadians. At Stellantis they're even asking their Canadian suppliers to sponsor foreign workers and refugees to perform the work when there are more than 180 Canadian ironworkers and millwrights sitting at home unemployed. This is a very concerning problem right now for this government.
    What we're asking for in this motion, Mr. Chair, is:
That, in regard to the government's EV battery plant subsidies, the committee invite the CEOs of Stellantis N.V., LG Energy Solutions Ltd. and NextStar Inc., and the Minister of Innovation, Science and Economic Development Canada to answer questions no later than Friday, May 17, 2024.
    Thank you.
    Thank you, Mr. Williams.
    Mr. Masse, go ahead.
     Thank you, Mr. Chair.
    Thank you for the motion that's been brought here. I would add an amendment to include Minister Vic Fedeli from the Province of Ontario. There is a fifty-fifty partnership going on with regard to this investment, and to not have the province would be egregious in many respects, because it is also responsible for allowing and following up on who's on site through the labour code.
    We've had some allegations with regard to the type of work that's being done there. Why would we leave out the province? It would be, in my opinion, a missed opportunity to understand what's actually taking place and to clear the air. This follows another Conservative motion that's being looked at by the OGGO committee as well. This one's a little more specific to my riding, and I think the more transparency we can have, the better.
    I move an amendment to include Minister Vic Fedeli, as well as any other provincial operatives, to enforce the contract. Again, this is a fifty-fifty deal that's being done, and it would be odd to exclude the province from doing this.
    Thank you, Mr. Masse.
    We have an amendment to the motion on the floor to include relevant provincial counterparts for the deal that's pertinent to the motion.
    Are there any comments on the amendment proposed by Mr. Masse?
    Mr. Turnbull.
    I don't particularly have an issue with the amendment to the motion. I'd speak to the motion with the amendment. I think—
    Mr. Turnbull, I'm sorry. We have to deal with the amendment before we can get back to discussing the motion.
     I have a sense you might disagree with the motion, but do we agree with the amendment that's proposed, and can we get back to the debate on the motion?
     Mr. Williams, please go ahead.
    The main premise of this motion was to get support for getting the CEOs here. We haven't heard from them and we haven't had any reaction. The union is saying it's not heard back from the CEOs on any level.
    We've had the minister here. When we have discussions about getting the minister here for other items...we can't ask the minister about those items when the minister's here.
    This is primarily to get the CEOs here, in front of the committee. The province can probably talk about the process and what's happened on its end in terms of trying to work with these companies. It's going to see this as an investment. I'm sure it's also going to work on behalf of the unions, so I don't see it as being detrimental to this.
    The premise of this was to have the CEOs here. They're the companies that promised that Canadian workers would get Canadian jobs, and they're not.
    I'm indifferent to the amendment, but it's not the focus we wanted. We want to focus on the companies that need to answer why, when they are receiving hard-earned tax dollars, they are not putting those hard-earned tax dollars to work for Canadian jobs instead of foreign jobs.
(1255)

[Translation]

    Thank you.
    Mr. Savard‑Tremblay is next. I remind you that the debate is still on the proposed amendment to the motion.
    Yes, I want to speak to the proposed amendment.
    Far be it from me to get involved in what is going on in Ontario, but the crux of the matter is precisely the fact that, in my opinion, the provinces are accountable to their people, not to the House of Commons. So I would be inclined to oppose this amendment.
    Okay.
    I don't think there are any other speakers. I would suggest that we vote on the amendment and then come back to the motion.
    (Amendment negatived: nays 10; yeas 1)
    Unfortunately for you, Mr. Masse, your amendment was defeated.
    That brings us back to the motion as presented by Mr. Williams.
    Mr. Turnbull.

[English]

     Thank you, Chair.
    I just wanted to say we had a very detailed subcommittee report that came back to the committee. We had agreed on a set schedule. We have quite a lot of business that we've prioritized and we've even wedged in some additional meetings to make sure that everybody has opportunities to study their various topics.
    Obviously, Conservatives, we know that you are bringing a new motion every single week with a timeline that seems to want to delay Bill C-27 work. I'm not saying this isn't an important topic. I don't want you to hear it that way.
     I notice, though, Mr. Williams, Honda isn't even included. You started by talking about Honda and it is not even in the motion you brought, which is kind of strange.
    Regardless, I think that our committee calendar is completely full until the end of June when we break for the summer, so I would say that we stick to that. We reached consensus with the Conservatives around having an additional meeting on SDTC. If you want to have this instead of that, I think that's an option you could consider, but when you bring a new topic every single week that is supposedly urgent, I would just say that you've got to prioritize at some point and say what you really want to study.
    I think we've all agreed Bill C-27 is taking priority. We're digging in; we're doing some great work together. We want to keep that momentum going. Maybe you can wait until the fall to study this or swap out SDTC. That's what I would humbly suggest as an alternative.
    Thanks.
    Thank you, Mr. Turnbull.
    Mr. Masse.
     Thank you, Mr. Chair.
    I'm really disappointed in this committee and the members for moving a motion like this without including the most important partner involved in this investment in Windsor and that is the Province of Ontario, which has not been addressed here. I understand the Bloc's position with that, but, at the same time, it's going against the province's opportunity to have its voice here at the table as opposed to its voice being used and abused.
    If you watch the Honda announcement that took place, it was just an unbelievable compliment session for half an hour, but it also included the fact the Province of Ontario has been a fifty-fifty partner with the federal government with regard to all of these investments, including the Windsor one. It had to be done twice, because the original investment was not the same as the current ones that were offered, and it was obviously going to walk away from the table at that point in time.
    For us not to have the province is kind of startling. Perhaps there's more to be learned from either the federal Conservatives or the federal Liberals with regard to why they don't want the province here to describe specifically how it went about creating decisions that are different for each plant. Stellantis, Volkswagen and Honda are all different, but they're all involved in constructing the new facilities and they have different contracts available to them, not only with regard to subsidies. Whether it is direct cash or direct subsidies to the battery development later on or whether it is the labour, it all is enforced, at the end of the day, by the Province of Ontario, because it has the Ministry of Labour, and it has the jurisdiction.
    That we would want to work against the provincial jurisdiction to provide this type of opportunity to highlight what it is doing is bizarre and twisted, to be quite frank. How do you have a full partnership in front of us here to describe what's going on, including Stellantis or whoever else, when you don't even have the second half of the chapter there? It makes no sense whatsoever, and it's not going to lead to a solution. We're going to have letters and allegations from a number of different sources.
     I appreciate the union coming forward on this, because it is on the ground floor right there, but it is also the one having to bring complaints to the Province of Ontario.
    It's unbelievable that we would consider bringing it forward, again without Doug Ford's representation here at the table, given the massive subsidies it is putting in. Basically, I can't support some type of fishing expedition that's not going to end in a real result for workers, and that's what we want. We want the workers to have the real result.
    If you remember correctly, when this first came into place last year, I said that the Stellantis project should have been the vessel to create the training and opportunities for the new places that are getting the investments now, because it was the forebear of all those things. I was there for the groundbreaking of the Stellantis project, and at the time nobody talked about foreign workers, not the federal government nor the provincial government. Because of our trade agreements and because of the way we've laid things out, it has left us basically susceptible to a number of practices that are continuing to antagonize the process of what we need to do as a country, which is to fight for good auto jobs.
    Without that element as a part of it, in terms of having the federal government and the provincial government here, I find it not only just a missed opportunity; I find it disrespectful to the province. I find it disrespectful to the workers. I find it disrespectful to the citizens of Windsor who want clarity. I think it's unfortunate.
     If we want to continue to use this as a political football, that's fine. If some partisan agreements that have been made, I guess, between the Province of Ontario and the federal government are too sensitive to talk about here, they are not going to go away. If we want something to go away or to be resolved, then we have to have the people here who are making the decisions and are the true partners. Again, this is the Province of Ontario, the federal government and all the companies involved, including the unions, that should have a voice here as well. Leaving them out is just unacceptable.
(1300)
    Thank you, Mr. Masse.
    Do I have any other speaker on the list or can I put the motion to a vote?

[Translation]

    We'll go to a vote.
    (Motion negatived: nays 6; yeas 5)
(1305)
    That brings us to the end of the meeting. Thank you, everyone. We'll see each other again on Wednesday.
Publication Explorer
Publication Explorer
ParlVU