My appearance at the INDU Committee regarding Bill C-27

On November 9, I appeared before the parliamentary Standing Committee on Industry and Technology (INDU Committee) to provide comments in connection with the Committee’s review of Bill C-27, the Digital Charter Implementation Act, 2022.  The following are the speaking notes for my introductory comments, with certain additions.

Thank you for the invitation to appear before the Committee in its very important review of Bill C-27.

This Bill includes significant proposed amendments to Canada’s privacy laws at the same time as introducing a proposed oversight regime for artificial intelligence.  The AIDA (Artificial Intelligence and Data Act) component warrants focussed study by the Committee, separate and distinct from the needed focus on the privacy law amendments.  I will restrict my comments to the privacy components.

The proposed CPPA (Consumer Privacy Protection Act) represents a significant advance over the current privacy law – PIPEDA – which itself was introduced to respond to concerns with digital data.  However, as the Committee has heard from witnesses, there are significant areas of potential improvement that can make the Bill, and specifically the CPPA, better.

I am a privacy and regulatory lawyer.  My practice over the past 25 years has included advising private sector organizations, both for-profit and non-profit, as well as government and Crown agencies, addressing all relevant areas including individual privacy, employee privacy and health privacy.

In my introductory comments I will focus on one, very important, area of the Bill – de-identified and anonymized  information – hoping to provide some clarification as well as my thoughts regarding how the proposed provisions can be improved.

The proposed treatment of such information in Bill C-27 is critically important for two main reasons.  Firstly, it clarifies a category of information that while not being fully identifiable – and therefore available for specific uses without consent – still is deemed appropriate for protection under the law.  Secondly, it provides for a category of anonymized information that can be used more broadly – for research purposes, innovation and policy development – providing a way forward for using information that while initially identifiable may be converted into non-identifiable information in a manner that protects against risk of re-identification.

To achieve these ends, the CPPA defines these two categories of non-personal information as de-identified information and anonymized information.

The first category, de-identified information, is governed by all of the law’s privacy protections, subject to certain specific exceptions.  Conversely, the second category, anonymized information, is stated to not be subject to the law.  However, as I will mention, this stipulation is not the end of the story – the law will – and should – continue to provide oversight over anonymized information.

I have a number of recommendations for improvement.

De-identified information

With respect to de-identified information, the definition should be amended to stipulate that appropriate processes are required to ensure that no person can be directly identified from the information.  Also, it should include express reference to section 74 of the CPPA which addresses technical and administrative protections and section 74 should be amended to include as an additional criterion, the risk of re-identification.

Anonymized information

Secondly, the definition of anonymized information should be amended to make clearer the processes to be applied for anonymization.  In its Law 25, Quebec got it right in this area.  I recommend aligning with Quebec’s approach which stipulates that the generally accepted best practices for anonymization should be those set out in appropriate regulations.  Such regulations should include transparency, risks of re-identification, and accountability, as well as guardrails for downstream uses.

The Quebec law also recognizes that it is not possible, from a practical perspective, to say that any anonymized information cannot be re-identified.  This reality – that truly “anonymized” data is practically impossible for any dataset – should be reflected in the CPPA’s regime.   Again to align with Quebec, the provision should include language to the effect that in the circumstances it is reasonably foreseeable that the information no longer will identify anyone.

Additionally, there should be a requirement for the organization performing any anonymization process to conduct a re-identification risk analysis and to make this analysis available for review.  Such a requirement is included in Quebec’s proposed regulations governing anonymized information.

Regime of non-applicability for de-identified information

Thirdly, the regime of applicability and non-applicability of the law’s protections for de-identified information should be made clearer.  As currently written, the CPPA provides that de-identified information is personal information, except that for certain provisions such information will not be considered personal information.  This is the wrong approach.  Instead, as recommended by the OPC,[1] a simple statement should be made that all de-identified personal information remains personal information.

Also, the list of the excepted provisions is confusing, wrapping together those intended as exceptions to the general rules for consent with exceptions to the protective rules (such as the right to access), as well as the provisions mandating protective measures and prohibiting de-identification.

To make the non-applicability regime simpler and clearer the references to exceptions to consent as well as the protective provisions should be omitted entirely – they are not needed.  Further, the exceptions to the protective rules should be stated clearly as such and not as rules under which de-identified information is not considered personal information.

The exceptions should be reviewed and the approach adjusted.  There are arguments that the list should be narrowed consistent with the proposition that de-identified information remains personal information and that all of the law’s protective provisions should apply, unless there are strong, cogent reasons otherwise.[2]  An alternative approach would be to state that all of the law’s provisions apply to de-identified information except as may be provided by regulation, with appropriate stakeholder consultation to take place prior to any such regulations being published.

The Privacy Commissioner’s oversight of the anonymization regime

My final comment is to address a concern voiced by some stakeholders that the statute’s anonymization regime should be made expressly subject to oversight by the Privacy Commissioner.  In my view such a provision is not required. The Commissioner will have oversight over an organization’s compliance with the anonymization rules whatever they are.  In this regard, the law maintains residual jurisdiction for the Commissioner.  Also, and very importantly, if, in any circumstance, anonymized information becomes identifiable, all of the statute’s protective provisions again will apply with full vigour and the Commissioner will have oversight.

Summary

In sum, my recommendations are as follows:

Firstly, the definition of de-identified information should be made more rigorous, including addressing the risk of re-identification.

Secondly, the definition of anonymized information should be amended to make clearer the processes required to achieve anonymization, and that these should be set out in regulations, including a requirement for risk assessment.

Finally, the regime for applicability of the CPPA’s protections for de-identified information should be made clearer, in particular stating that all such information remains personal information.

De-identified and anonymized information is an important but somewhat esoteric area not only within this proposed law but generally within the privacy landscape.  I have sought to provide some insight into how the proposed provisions would work as well as recommendations for improvement.

I will be happy to elaborate and answer any questions that you may have regarding these comments as well as regarding any other provisions of the Bill.


For more information please contact:      David Young       416-968-6286     david@davidyounglaw.ca

Note: The foregoing does not constitute legal advice. © David Young Law 2023

Read the PDF: My appearance at the INDU Committee regarding Bill C-27


 

[1] Submission of the Office of the Privacy Commissioner of Canada on Bill C-27, the Digital Charter Implementation Act, April 2023.

[2] Consistent with the OPC’s recommendations; see: Submission of the Office of the Privacy Commissioner of Canada on Bill C-27, the Digital Charter Implementation Act, April 2023.