Appearance before the Alberta Standing Committee on Resource Stewardship on its review of the Personal Information Protection Act

September 24, 2024
Edmonton, Alberta

Opening statement by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

Good morning. Thank you, Mr. Chair, and members of the Standing Committee on Resource Stewardship, for inviting me to offer my observations for your review of Alberta’s Personal Information Protection Act.

I am pleased to have this opportunity to highlight the context of federal privacy law reform and how the interoperability of privacy laws benefits both consumers and businesses.

In May, I provided a written submission to your committee, which will form the basis for my remarks today.

I want to begin with an overview of my role. As Privacy Commissioner of Canada, my mission is to protect and promote individuals’ fundamental right to privacy. This includes overseeing compliance with both the Privacy Act, which applies to federal institutions’ collection, use, disclosure, retention or disposal of personal information, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, which is Canada’s federal private-sector privacy law.

We live in a rapidly expanding environment of emerging technologies and business models that leverage the use, collection, and disclosure of personal information.

These advances bring many benefits for our lives and the economy, but they also introduce new privacy risks that make protecting privacy more important and challenging than ever.

The three pillars of my vision for privacy, which I outlined at the beginning of my mandate two years ago, reflect this environment. They are:

1. Privacy as a fundamental right;
2. Privacy in support of the public interest and Canada’s innovation and competitiveness; and
3. Privacy as an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens.

These pillars reflect the reality that Canadians want to be active and informed digital citizens, and should not have to choose between this participation and their fundamental right to privacy.

These pillars are woven into the strategic priorities that I announced earlier this year and that will guide the work of my Office for the next three years. The priorities are:

1. Maximizing the impact of my Office in fully and effectively promoting and protecting the fundamental right to privacy;
2. Addressing the privacy impacts of new technologies, including generative AI; and
3. Championing children’s privacy rights.

My strategic plan includes investment in partnerships and joint initiatives with provincial and territorial data protection authorities. I am so proud and grateful for the excellent relationship with my provincial and territorial counterparts, and for the close collaboration with Commissioner McLeod and the Office of the Information and Privacy Commissioner of Alberta.

Interoperability of privacy laws

Canadians need and expect modernized privacy laws that support innovation and enable them to enjoy the benefits of technology with the reassurance that their personal information is being protected.

The interoperability of privacy laws, both domestically and internationally, is a key factor in that assurance. It is essential to fostering Canadians’ trust that their personal information will be protected, no matter where their data resides or is transferred.

Interoperability also benefits organizations, as it can simplify regulatory requirements and reduce compliance costs. This facilitates innovation and competition for Canadian businesses. Organizations benefit from the clarity that is provided by joint regulatory guidance.

PIPEDA sets national standards for privacy practices in the private sector, but organizations may be exempted from the application of PIPEDA with respect to the collection, use, or disclosure of personal information that occurs within a province where a provincial law that has been deemed to be substantially similar to PIPEDA applies.

Alberta, Quebec, and British Columbia currently have private-sector privacy laws that have been deemed substantially similar to PIPEDA. This means that in many circumstances, the provincial law applies instead of the federal law.

Having substantially similar laws allows me to work closely with my counterparts in Alberta, Quebec, and British Columbia, on activities such as joint investigations and guidance for organizations to help them with compliance.

My colleagues and I have a Memorandum of Understanding that sets out a framework to support collaboration to leverage resources, increase knowledge-sharing and ensure consistent and efficient oversight of private-sector privacy in Canada.

Joint investigations have included cases such as Clearview AI, Facebook Cambridge Analytica, Tim Hortons, and, more recently, OpenAI and TikTok, as well as another ongoing investigation into a company that offers background check services, including tenant screening services to landlords.

We have also worked together to draft joint guidance, such as our principles for responsible generative AI technologies, which we issued last December.

I also place a very high importance on forging international partnerships, recognizing that interoperability and harmonization at the global level is important to facilitate commercial exchanges of personal information across borders.

In January of this year, Canada’s adequacy status under the European Union’s General Data Protection Regulation was reviewed, with the European Commission finding that Canada continues to provide an adequate level of protection of personal information transferred from the EU to recipients subject to PIPEDA.

In its report, the European Commission recommended enshrining in legislation some of the protections that have been developed at the sub-legislative level to enhance legal certainty and consolidate new requirements, such as requirements for sensitive personal information.

The Commission noted that it intends to closely monitor future developments in Canada.

Next month, I will meet with the Roundtable of G7 Data Protection and Privacy Authorities. We have been gathering since 2021 to discuss regulatory and technology issues and developments and have issued common positions, for example, last year in Tokyo, we released a joint statement on generative AI under the Japanese DPA presidency. The group has committed to working to foster future interoperability, where possible, in order to achieve a high level of data protection, and facilitate data free flow with trust.

Next year, as Canada assumes the G7 presidency, I will take on the presidency of the Data Protection and Privacy Authorities Roundtable. I look forward to hosting my G7 colleagues in Ottawa and helping to advance important collaborative initiatives during Canada’s presidency.

Other examples of international cooperation include this year’s Global Privacy Enforcement Network Sweep. The OPC was one of 25 privacy authorities from across Canada and around the world that reviewed more than 1,000 websites and mobile apps. We found that 97% used one or more deceptive design patterns that could influence individuals into giving away more of their personal information online.

My Office also helped to lead the drafting of a statement on data scraping with members of the Global Privacy Assembly’s International Enforcement Working Group last year. The statement prompted an instructive dialogue with some of the world’s largest social media companies.

Another Global Privacy Assembly working group which I chair recently launched an international Privacy and Human Rights Award. This award will celebrate exemplary work by an individual or organization to promote and protect privacy and other fundamental rights. The inaugural award will be presented at the 2025 RightsCon Conference in Taipei in February.

The Digital Charter Implementation Act, 2022

On June 16, 2022, the Government of Canada tabled Bill C-27, the Digital Charter Implementation Act, 2022, which would repeal Part 1 of PIPEDA and enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.

The Bill has been going through clause-by-clause consideration by the House of Commons Standing Committee on Industry and Technology, or INDU.

Bill C-27 would maintain PIPEDA’s approach to substantial similarity. As under PIPEDA, the Governor in Council would determine whether the privacy legislation of a province is substantially similar to the CPPA.

Under C-27, the Governor in Council may also make regulations establishing the criteria and process for making, or reconsidering, a determination of substantial similarity.

In many ways, Bill C-27 is an improvement over PIPEDA. Bill C-27 establishes stronger privacy protections for individuals and creates incentives for organizations to comply while allowing for greater flexibility to innovate.

Encouraging innovation in a privacy-protective manner will help increase individuals’ privacy and control over their personal information, as well as their trust and ability to realize the benefits of the online economy.

In April 2023, I made a submission on Bill C-27 to INDU with 15 key recommendations that I believe are necessary to better protect the privacy of Canadians while supporting Canada’s innovation and competitiveness.

I would note that my submission on Bill C-27 discussed many of the topics that are raised in the document that was posted by this Committee entitled “Emerging Issues: The Personal Information Protection Act.” These include consent, de-identification and anonymization, privacy impact assessments, administrative monetary penalties, automated decision-making, the right to erasure, and data portability.

I am pleased to offer some more detail about these recommendations, as considerations to support your review of Alberta’s Personal Information Protection Act.

For instance, in the submission on Bill C-27, I recommend expanding the list of violations qualifying for financial penalties.

I also recommended requiring organizations to build privacy into the design of products and services, and to conduct privacy impact assessments, or PIAs, for high-risk initiatives.

PIAs can help organizations demonstrate that they are accountable for personal information under their control, ensure that they are in compliance with the law and limit the risk of privacy breaches.

In my October 19, 2023, Parliamentary committee appearance on Bill C-27, I also highlighted PIAs as a particularly critical measure in the context of artificial intelligence and other high-risk initiatives that may have a significant impact on individuals.

Achieving commercial objectives and privacy protection are not mutually exclusive. Privacy can be an accelerator of Canadians’ trust in the digital economy, rather than an obstacle to innovation and competition.

However, in those rare circumstances where the two are in unavoidable conflict, fundamental privacy rights should prevail.

That is why my first recommendation with regard to Bill C-27 was to recognize the fundamental right to privacy in the law, in both the preamble and purpose clause of the CPPA, and to embed the preamble in the Acts that would be enacted.

I was pleased to see the INDU committee reflect this recommendation, adopting an amendment embedding the preamble in the CPPA and recognizing the fundamental right to privacy in the Bill.

Another of my key recommendations was to amend the preamble to recognize the importance of children’s privacy and the best interests of the child.

INDU has also adopted this recommendation.

Including the best interests of the child in the preamble will encourage organizations to build privacy for children into products and services, from the start and by design, and serve as an important interpretive tool.

The addition of children’s privacy to the framing section of the legislation is especially encouraging, as it reflects the recommendations made in the Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight on Putting the best interests of young people at the forefront of privacy and access to personal information.

INDU has also amended the Bill to include definitions for “lawful authority,” “minor,” “profiling,” and “sensitive information.” They have also notably amended the definition of “personal information” to include inferred information. These amendments will help to clarify organizations’ obligations under the law.

As clause-by-clause consideration of Bill C-27 continues, I hope to see INDU continue to implement my recommendations and those of other stakeholders to strengthen the Bill.

Conclusion

Your review of PIPA comes during a pivotal time for privacy law reform in Canada. Fostering consumer confidence in organizations’ responsible use of personal information is critical in helping position Canada as a global leader in privacy.

I believe that a strong, harmonized federal-provincial-territorial privacy regime based on common principles will help to achieve this goal.

I would now be pleased to answer questions.