My Appearance to discuss Bill C-27 (Federal privacy law – private sector)
I am delighted to have been invited by the House of Commons of Canada’s Standing Committee on Industry and Technology to appear before the Committee as part of a panel of witnesses in view of its study of Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts on Tuesday, October 24, 2023, from 3:30 p.m. to 5:30 p.m. ET in the format of a five (5) minute opening statement, followed by a Question-and-Answer session with the members of the committee.
You will find below my testimony (the introduction was delivered in French, the testimony in English).
Thank you for the invitation.
I am pleased to be here today and to have the opportunity to share my thoughts on Bill C-27.
I am a partner at Borden Ladner Gervais LLP and National Leader of the privacy practice group. Having practised in this field for more than two decades, I advise large private-sector companies from a variety of industries across the country. As these companies often have international operations, I have also had the opportunity to observe the evolution of the GDPR in Europe over the past few years. In the context of the current reform, I believe we have lessons to learn from the Québec and European reforms.
I am appearing today in a personal capacity. Although I will testify in English, I will answer questions in French or in English.
Today, I stand before you to discuss a matter of paramount importance – the reform of our federal privacy law. We find ourselves at a critical juncture where we have the unique opportunity to strike a balance that ensures the protection of our privacy rights while fostering an environment of innovation. In a rapidly evolving digital age, where information flows faster than ever before, our privacy is at an increasing risk. This makes it imperative that we reform our privacy laws to reflect the realities of today. However, data protection laws should not stifle the innovative spirit that has propelled us into the 21st century. Canada needs to remain competitive. Innovation drives economic growth, creates jobs, and improves our quality of life. It is the engine of progress. Striking the right balance between privacy and innovation is a complex task, but not an impossible one.
I will focus my presentation on the Consumer Privacy Protection Act (or “CPPA”) and on areas of improvement on certain issues potentially impacting innovation:
1. Legitimate interest consent exception. I absolutely welcome the introduction of a consent exception regarding specified “business activities” (listed in s. 18(2)) and for certain activities in which the organization has a “legitimate interest” under s. 18(3). This being said, this legitimate interest exception is actually narrower than the same exception under the GDPR. Moreover, C-27 provides no exception, nor any significant flexibility, as to the application of the consent rule to the collection of personal information from publicly available sources on the Internet. This prevents all organizations, including legitimate ones working on new products and services that may benefit society – that need a large volume of information – from leveraging data available on the web. In short, I submit to you that this “legitimate interest” exception should be more closely aligned with the GDPR legitimate interest legal basis to accommodate innovative types of business models while protecting the privacy interests of Canadians.
2. Limited scope of the “socially beneficial purposes” consent exception. Section 39 creates a new consent exception for disclosures of de-identified personal information to specific public sector entities, including government, healthcare and post-secondary educational institutions. Limiting this consent exception only to disclosures to public sector entities instead of public and private sector entities severely restricts its utility. Section 39 should authorize and facilitate responsible data sharing between a broader range of actors which may have access to talent and resources that they can leverage to pursue socially beneficial purposes.
3. Absolute standard for anonymization may not be appropriate. The CPPA introduces new definitions for the terms “anonymize” and “de-identify” which provide greater flexibility regarding the processing of these categories of information. However, the proposed standard for anonymization under section 2(1) is more stringent than other recently updated privacy legislation including the GDPR and the recently amended Québec Private Sector Act. The CPPA should include a reasonableness standard instead of holding organizations accountable to an absolute standard that may be impossible to meet in practice. And as you certainly know, access to anonymized data sets, with legal certainty, is crucial to research and development performed by Canadian organizations.
4. Use of de-identified information for research, analysis and development purposes. Section 21 introduces a new consent exception for the use of de-identified information for “internal research, analysis and development purposes.” Restricting such use to internal uses may limit collaboration and the fostering of research partnerships, preventing stakeholders from sharing datasets to create data pools that are broad enough for the production of useful and actionable insights. This section should authorize the use and sharing of de-identified information amongst different organizations.
I have submitted a short brief in French and English in which I provide additional details on these four proposed changes.
Innovation and privacy can coexist, and the responsible use of personal information can be the cornerstone of building new and exciting technologies while respecting our fundamental rights.
Thank you, and I welcome questions.
 S. 18(3) states that “An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use and (a) a reasonable person would expect the collection or use for such an activity; and (b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions. Conditions precedent (4) Prior to collecting or using personal information under subsection (3), the organization must (a) identify any potential adverse effect on the individual that is likely to result from the collection or use; (b) identify and take reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them; and (c) comply with any prescribed requirements.”
 Article 6(1)(f) of the GDPR states that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
 Under the CPPA, to “de-identify” will mean “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains” (s. 2).
 For data to be considered “anonymized” under section 2(1) of the CPPA, it must be “irreversibly and permanently modif[ied]…, in accordance with generally accepted practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
This content has been updated on October 24, 2023 at 21 h 56 min.