SoVote

Decentralized Democracy

House Committee

44th Parl. 1st Sess.
April 15, 2024
The Chair (Mr. Joël Lightbound (Louis-Hébert, Lib.))
  • 11:02:41 a.m.
  • Watch
  • Read Aloud
Good morning, everyone. I call this meeting to order. Welcome to meeting number 118 of the House of Commons Standing Committee on Industry and Technology. Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. In addition, pursuant to the order of reference of Monday, April 24, 2023, the committee is resuming consideration of Bill C‑27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other acts. Today we are continuing clause‑by‑clause consideration of the bill. I'd like to welcome back the representatives from the Department of Industry and thank them for joining us again. We have Mark Schaan, senior assistant deputy minister, strategy and innovation policy sector; Samir Chhabra, director general, marketplace framework policy branch; and Runa Angus, senior director, strategy and innovation policy sector. Colleagues, as you will recall, we were at amendment NDP‑2, which relates to clause 2. (Clause 2) Monsieur Williams, you had the floor when we were debating NDP-2. I'll give it back to you as we resume the clause-by-clause on Bill C-27.
216 words
  • Hear!
  • Rabble!
  • star_border
Mr. Ryan Williams (Bay of Quinte, CPC)
  • 11:03:56 a.m.
  • Watch
  • Read Aloud
Thank you, Mr. Chair. It's nice to see the witnesses again. I'm sure we'll see you a few more times before summertime. When we were debating this last week, we left off with talking about the definition of “anonymize”. Amendment NDP-2 was to take out the words “in accordance with generally accepted best practices” in that definition. We are in agreement with that. The main reason for that is that we need these definitions to be clear and concise. As it stands right now, organizations can anonymize personal information using commonly accepted best practices. However, the draft lacks clarity on these practices and what constitutes generally accepted best practices. The ambiguity allows for the potential reliance on anonymization techniques recommended by specific experts, which may not be adequate for a particular dataset. We want to talk to you on a couple of these points. This isn't very clear, and we believe that it has to be very clear. When we look at how this act is going to be enforced, it is by the Privacy Commissioner. The Privacy Commissioner has stated that he needs this definition to be clear and concise. With a lack of consistency in anonymization methods across different organizations and without clear guidelines on what constitutes generally accepted best practices, there's a risk of inconsistency in the level of data protection and a potential for the undermining of privacy standards. We have a few examples of where that has happened, and that's why we're looking at this. I think the bigger point, looking across the board, is that in what we've heard from witnesses there's been a difference between anonymization and de-identification. The problem I had and the problem we've had when we've talked to witnesses about de-identification was that in the definition it said that a risk of identification of the individual still remained. That's a major issue when we're talking about what we're trying to achieve here. In terms of privacy, individuals should have the right to have their private information not just de-identified, knowing that there's a risk of that information being reidentified, but to have their information completely anonymized or able to be protected under this privacy act. I want to give two examples of how this has happened in the past. All of us recognize that we have had our information breached, our privacy breached, on many different occasions. I get emails on certain apps and sometimes even my bank or Netflix will send an email that says, “Your information has been compromised. Please change your password.” This happens all the time. I'm going to give two examples, one American and one Canadian, of how this has happened and caused harm to consumers. In 2006 Netflix launched a competition known as “The Netflix Prize” offering a million-dollar prize to improve its recommendation algorithm by 10%. Netflix released a dataset containing movie ratings by anonymous users; however, researchers later demonstrated it was possible to reidentify individuals in the dataset using external information. In 2007, two individuals showed that, by combining the Netflix dataset with publicly available IMDb data, they could identify specific individuals and their movie preferences. This raised serious privacy concerns as it highlighted the risk of reidentification even when data is anonymized. In Canada, we had the 2011 Ontario Ministry of Health and Long-Term Care's data breach. In this incident, the personal health information of thousands of Ontario residents was compromised due to inadequate de-identification measures. The ministry had released health data to researchers for an analysis but failed to sufficiently anonymize the data, allowing individuals to be reidentified. As a result, sensitive information, such as medical conditions, treatments and hospital visits, became accessible to unauthorized parties. This breach raised serious privacy concerns and highlighted the importance of robust de-identification practices, especially when dealing with sensitive health data. The main point is we have to be clear and concise. We have to ensure that the Privacy Commissioner, who has raised concerns about this definition, does not see ambiguity whenever he's looking at this, but at the same time ensures that we have businesses that can't skirt the rules and be lenient with private data. I think that's the main point we're making. Mr. Schaan, I think I asked you some questions the last time we were here. I don't have the blues, so I can't see if I asked this already. I think I asked you about generally accepted best practices for anonymizing information. If I haven't, can you please answer that?
791 words
  • Hear!
  • Rabble!
  • star_border