Appearance before the Standing Committee on Industry and Technology (INDU) on the Study of Bill C-27

September 28, 2023

Ottawa, Ontario

Opening statement by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Good afternoon, Mr. Chair, Members of the Committee,

I am pleased to be here today to assist the Committee in its study of Bill C-27, the Digital Charter Implementation Act, which would enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). I am accompanied by Michael Maguire, Director of PIPEDA Investigations and Lara Ives, Executive Director, Policy, Research & Parliamentary Affairs.

I would like to begin by saying that I welcome and am encouraged by the introduction of this Bill.

My Office has long advocated for a modernization of both PIPEDA and the Privacy Act because Canadians expect and deserve modern privacy laws that will protect their fundamental right to privacy while supporting the public interest and innovation. In many ways, Bill C-27 is an improvement over both PIPEDA and the former Bill C-11.

The Bill addresses a number of concerns that were previously raised by my Office and others. For example, it requires that information used to obtain consent be in understandable language; it provides my Office with order-making powers; and it includes an expanded list of contraventions to which administrative monetary penalties may apply in cases of violations.

The introduction of the AIDA would make Canada one of the first countries to regulate AI, which is important given the technology’s potential risks. Although the AIDA does not specifically address privacy risks, the CPPA would apply to the processing of personal information within AI systems.

Bill C-27 is a step in the right direction, but it can and must go further to protect the fundamental privacy rights of Canadians while supporting the public interest and innovation. We have tabled with the Committee our written submission setting out 15 key recommendations with the changes needed to improve and strengthen Bill C-27. These are based on the three themes of my vision for privacy, which are:

1. Privacy is a fundamental right;
2. Privacy supports of the public interest and innovation; and
3. Privacy is an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens.

I will highlight a few of our recommendations in this opening statement but would invite Committee Members to also consult the full submission.

Under the theme of privacy as a fundamental right, we recommend strengthening the preamble and purpose clause to explicitly recognize privacy as a fundamental right, and highlight the need to protect children’s privacy and the best interest of the child, so that these important principles inform the interpretation of all aspects of the legislation. We also recommend that an organization’s purposes for collecting, using or disclosing information be specific and explicit, and that penalties be available in cases where the personal information of Canadians is collected, used or disclosed for inappropriate purposes. The requirement to have appropriate purposes is a core requirement of the Bill and effective remedies should be available to ensure that it is respected.

Under the theme of privacy in support of the public interest, we recommend that organizations be required to implement privacy by design and that Privacy Impact Assessments be prepared in high-risk cases. This would be an important protection that would apply to high impact AI systems. We also recommend that the definition of “de-identified information” be modified to include the risk of re-identification, and that the government’s authority to issue certain regulations be more narrowly defined. On this last point, I would note that the Bill currently gives the government the unduly broad ability to completely remove activities from the scope of the Act, and to allow new exceptions to the consent requirement for business activities without having to show that those activities are necessary. We also recommend that Canadians be given the right to request an explanation when an AI system makes a prediction, recommendation or decision that affects them.

Under the theme of privacy as an accelerator of Canadians’ trust, and in order to ensure that most cases can be resolved quickly and without the need for lengthy legal processes, we recommend that my Office have more flexibility in negotiating and enforcing compliance agreements and in cooperating and communicating with other regulators. This is important in many areas but will be crucial when dealing with AI and generative AI. We also recommend that challenges to decisions of the proposed new Data Protection Tribunal be brought directly to the Federal Court of Appeal in order to ensure timely and cost-effective resolutions for all parties. We note that, as an alternative solution to achieve these goals, reviews of my Office’s decisions could be done by the Federal Court instead of the Tribunal.

In the last budget, the government proposed temporary funding for my Office of $6 million over two years to undertake more in-depth investigations of privacy breaches and improve response rates to privacy complaints, as well as $15 million over five years to operationalize new processes required to implement the proposed CPPA. Should Parliament adopt Bill C-27, it will be essential that my Office be properly resourced to fully and effectively take on important new responsibilities, especially those focusing on prevention. Otherwise, these costs will be borne by Canadians and by businesses themselves.

While our recommendations focus on the CPPA, some of them would also apply to AIDA. For instance, I note that AIDA provides significant authority to the government to define key aspects of the law by way of regulation. This would include, for example, determining what does and does not constitute justification to a discriminatory AI decision for the purposes of the definition of biased output. The government could also establish criteria through regulation for the purposes of defining a high impact system, or determining measures with respect to the way that data is anonymized, and how that data can then be used and managed. Given that all of these could potentially have privacy implications, it will be important to ensure that there is a formal mechanism for my Office to be consulted in the drafting of these regulations. Our recommendation to allow for greater coordination and collaboration between my Office and other regulators would also be essential in dealing with the privacy impacts of AI.

In conclusion, privacy law reform is overdue and must be achieved. Our recommendations aim to ensure that Canadians have privacy laws that recognize their fundamental right to privacy, while allowing them to participate fully in the digital economy, support innovation, and position Canada as a leader in this important and evolving area. I note that many stakeholders are also putting forward submissions and I thank the Committee in advance for the critical work that it will do in its review of this important Bill and in ensuring the protection and promotion of the privacy of Canadians.

Thank you for your time. I would now be happy to answer any questions that you might have.