How Canada's Changing Privacy Landscape Will Impact Business, Consumers, and You

September 24, 2021

The Empire Club of Canada Presents

How Canada's Changing Privacy Landscape Will Impact Business, Consumers, and You

Chairman: Kelly Jackson, President, The Empire Club of Canada; Associate Vice-President, Humber College

Moderator
Alex Benay, Global Lead, Government Azure Strategy, Microsoft

Panelists
Vass Bednar, MPP, Executive Director, Master of Public Policy in Digital Society Program McMaster University
Éloïse Gratton , Partner & National Co-Leader, Privacy and Data Protection Group, Borden Ladner Gervais LLP
Dr. Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa, Faculty of Law

Distinguished Guest Speaker
Bill Abbott, Director of Data Policy & Research, TELUS

Introduction
It is a great honour for me to be here at the Empire Club of Canada today, which is arguably the most famous and historically relevant speaker’s podium to have ever existed in Canada. It has offered its podium to such international luminaries as Winston Churchill, Ronald Reagan, Audrey Hepburn, the Dalai Lama, Indira Gandhi, and closer to home, from Pierre Trudeau to Justin Trudeau. Literally generations of our great nation's leaders, alongside with those of the world's top international diplomats, heads of state, and business and thought leaders.

It is a real honour and distinct privilege to be invited to speak to the Empire Club of Canada, which has been welcoming international diplomats, leaders in business, and in science, and in politics. When they stand at that podium, they speak not only to the entire country, but they can speak to the entire world.

Welcome Address by Kelly Jackson, President, The Empire Club of Canada
Good afternoon fellow directors, guests, past presidents, and everybody else who is joining us today.. Welcome to the 118th season of the Empire Club of Canada. My name is Kelly Jackson. I am the President of the Board of Directors of the Empire Club of Canada, and Associate Vice-President at Humber College. I'm your host for today's virtual event, “How Canada's Changing Privacy Landscape Will Impact Business, Consumers, and You.”

I'd like to begin this afternoon with an acknowledgement that I'm hosting this event within the Traditional and Treaty Lands of the Mississaugas of the Credit, and the homelands of the Anishinaabe, the Haudenosaunee, and the Wyandot Peoples. In acknowledging Traditional Territories, I do so from a place of understanding the privilege my ancestors and I have had in this country, since they first arrived here in the 1830’s. Delivering a land acknowledgment, for me, is always an important opportunity to reflect on our human connection, and responsibility to care for the land. With the first National Day for Truth and Reconciliation to be marked next week, I am also reflecting on the stories of the land, and the people who have lived on it, and in particular the experiences of Indigenous children who were forced to attend Residential Schools. Many of those individual stories and experiences are untold, buried with them in the land; and many survivors who tried to tell those stories were not believed. As we work towards reconciliation, how we listen and learn from each other is ever so important. We encourage everyone tuning in today to learn more about the Traditional Territory in which you work and live.

I now want to take a moment to recognize our sponsors, who generously support the entire club and make these events possible, and complimentary, for our supporters to attend. Thank you to our lead event sponsor APIC, the Alliance for Privacy and Innovation in Canada, and thank you, also, to our season sponsors, Canadian Bankers Association, LiUNA, and Waste Connections of Canada. Your support is so deeply appreciated.

Now, I want to remind everybody participating today, that this is an interactive event. So, those attending live are encouraged to engage with our speakers, by taking advantage of the question box, by scrolling down below on your on-screen video player. We'll try to incorporate as many questions as possible throughout the discussion. If you require technical assistance, please start a conversation with our team, using the chat button on the right-hand side of your screen. We also invite you to share your thoughts on social media, using the hashtags that you'll see displayed on the screen throughout the event. To those watching on demand at a later date, and to those tuning in on the podcast, welcome.

It is now my pleasure to call this virtual meeting to order. I am delighted to welcome Alex Benay, Vass Bednar, Éloïse Gratton, and Dr. Teresa Scassa to the Empire Club’s virtual stage. Alex Benay is Global Lead, Government Azure Strategy at Microsoft, and will be our moderator for today's panel discussion; Vass Bednar is Executive Director of the Master of Public Policy in Digital Society Program at McMaster University; Éloïse Gratton is Partner, and National Co-Leader for Privacy and Data Protection Group at Borden Ladner Gervais LLP; and Dr. Teresa Scassa is Canada Research Chair in Information Law and Policy at the University of Ottawa’s Faculty of Law. The need for a modern and national approach to privacy protection is widely recognized, but there's not a consensus on what that should entail. So today, our panelists are going to share their points of view, on the many legal and practical implications of proposed privacy reforms, related to Canadian consumer rates and data collection; you can read their full bios by scrolling down your screen. I'd now like to turn it over to Alex, who's going to kick us off for the conversation. Alex, welcome and over to you.

Opening Remarks by Alex Benay, Global Lead, Government Azure Strategy, Microsoft
And you're very much Kelly, and thank you to all the work that the Empire Club does, and the resiliency that it’s shown, to bring all of our the important conversations online; and today is going to be no different. So, a couple of housekeeping things first, before we get started. First, I want to apologize for the atrocious facial growth on my face, it is to win a Halloween costume party—those of you know me are probably wondering what this thing is doing there, so thank you for tolerating it for the next hour. The other thing I would like to say is, we have 852 participants, which you could round out to about 1000 almost, if you really wanted to, that have registered for today's session, and it does show the importance of privacy in our day-to-day lives, both as citizens, as businesses, as government; you're going to see today that it's a very much a multifaceted conversation. We have three amazing panelists that are going to be able to dive into new technologies, and the impact on privacy, to the responses of government and Bill C-1 . So much ground to cover, not a lot of time, so we're gonna get right into this. So, maybe before we get started, though, I'm going to ask each one of our three panelists to answer two questions just to break the ice. So, the first one will be, why is privacy important; why should we care? And the second one will be, what is your favourite movie series of all time? And so—it doesn't matter, it could be Twilight, Lord of the Rings, Harry Potter, Star Wars, but what are what is your favourite movie series of all time? Because I'm pretty sure that's what the 852 people that are online are dying to find out in the next hour. So, two questions, why don't we start with Teresa first—I'm just gonna go left to right on my screen—Teresa, over to you.

Dr. Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa, Faculty of Law
Thanks so much, Alex, and I also want to echo your thanks to the Empire Club for hosting this event, and for the invitation to be part of it. So, why is privacy important? There's so many different reasons, but I think I'm gonna just focus on what has so often been identified as the core of privacy, which is the fact that it is a value that protects human dignity and autonomy. And I think that without privacy, we would suffer greatly as individuals, both in terms of our ability to make choices about our lives, free and informed choices about our lives, choices about what we do and don't want to participate in, how we want to be seen and known by others. And so, it contributes to that individual autonomy we have, as well as our basic human dignity. So, those are for me, you know, the central important points about privacy. Favourite movie series—acknowledging that I'm now sharing personal information—is Harry Potter, largely because of just the fun of having kids kind of growing up watching Harry Potter, and watching it with them, so.

Alex Benay
Great answer, I'm biased, so I’m gonna announce my bias on that one. So, Éloïse, your turn.

Éloïse Gratton, Partner & National Co-Leader, Privacy and Data Protection Group, Borden Ladner Gervais LLP
So, privacy is important for many reasons. It allows us to develop, to remain ourselves, it helps us protect our reputation—you know, now anyone can ruin somebody else's reputation with a single click, something to think about—it allows us to have healthy relationships with our family and friends. it gives us a certain amount of freedom and in some cases even you know, probably like physical and emotional security. So, definitely very important, fundamental right. Now, favourite movie series, you mentioned Twilight, the Harry Potter’s, these were both very good, to me, so it probably would be a tie between those two.

Alex Benay
Wow, all right, Harry Potter, slight lead here. So, yeah, Vass, over to you.

Vass Bednar, MPP, Executive Director, Master of Public Policy in Digital Society Program McMaster University
It sounds like we need a tiebreaker on Harry Potter. Um, we've heard how important privacy is, in terms of protection, and from an individual perspective. I think these conversations about privacy are super important too, because most of the time when we're talking about privacy, we are talking about power, right? The power to influence, and also, economic power. So, there seems to be some consensus in Canada that we need, you know, we want clear, enforceable guardrails, that better protects consumers, or better protects people, in this digital age, and that we want to do more to improve transparency. No surprise in this digital age that the internet is funded primarily by the collection, analysis, and trade of our data, all while we're trying to navigate that as individuals, which is a lot of work. In terms of my movie series, to be honest, I'm more Harry and the Hendersons than Harry Potter. I don't know if that's a series, so I will go with Scream, because satire, like, very much appeals to me. And, you know, I guess in that movie, they were also seeking to obstruct their person, which we can talk about in a privacy context, too. Just kidding. Happy to be here.

Alex Benay
Great answers. Great answers. So, now that the panelists are known to all of you through their movie series choices, maybe we, the first few questions I'm going to leave open to all three of you, if that's okay, just to set the stage. And there's 852 people that have registered, so let's assume we have different, various levels of knowledge on privacy. Also, I do want to declare, if you see me on my phone, it's because we're getting questions in through WhatsApp. So, I'm not being rude, I also wanted to just declare that, but the first question I'll leave open to any of the three of you: who governs privacy? Now Vass, you started touching on it a little bit, but who governs privacy in Canada? Like, who do we hold accountable? Who holds the pen on privacy in our country?

Éloïse Gratton
Maybe I can jump in. So, we have different sets of laws that regulate privacy. We have private sector laws that regulate what businesses can do, we have a federal law, which applies unless a province has adopted its own law that was substantially similar, so you have these laws in Québec, BC in Alberta. So, if you’re a business, and you have operations across Canada, you’re subject to these four private sector, data protection laws. Privacy is also regulated through provincial health laws in some cases, so if you're a health custodian, you may be subjected to these laws. Public sector laws also will regulate how the government can, you know, what they can do, and can do, with citizens’ personal information. And then on top of that, you have other laws that will provide, some include some privacy rights or privacy torts. For example, in Québec, we have the Civil Code, and you have a whole list of the type of, you know, situation that would be considered invasions of privacy. We also have a Québec Charter, that includes a fundamental right, the right to privacy. So, that was my little two minutes summary of the landscape.

Alex Benay
So, that was a long list as any. Did Éloïse miss anything? Vass, Teresa, anything you would like to add on who else governs privacy in Canada?

Vass Bednar
Well, if I could throw in a wildcard, I wonder where we'd situate the Appstore, or companies like Apple, in terms of their ability to regulate privacy? I'm being a bit facetious, but we're seeing some, you know, new rules, with new implications that can be quite powerful, and have pretty big ripple effect, in terms of ad expenditure, and people's autonomy. So, I would layer that in, but if I was writing an answer on a test, I would put everything that Éloïse said; I would try to memorize that instead.

Dr. Teresa Scassa
Yeah, and the one other thing that I would add to that is the Canadian Charter, which doesn't actually explicitly mentioned privacy, but the right to be free from unreasonable search or seizure has been recognized by the courts as protecting a right of privacy against invasion by government actors.

Alex Benay
So, I'm gonna ask less of a softball question and ask you three to comment on—so that was a lot of layers of governance, for a lot of people. Does the way, does federation hurt, or does it help privacy for an everyday Canadian citizen? What's your take on that?

Dr. Teresa Scassa
Yeah, maybe if I can jump in on that one, too. I wouldn't want to say it hurts or helps. We're a federal state, and that's, you know, how our constitution defines us. And there are a lot of good reasons to be a federation, as opposed to a unitary state, but it does make governance of privacy more complex, and I think we can expect it to get even more complex going forward. The drafters of the Constitution, oddly, were not thinking about AI, and the Internet of Things, when they divided the powers between federal and provincial governments. And the reality is that many digital issues, including privacy and data governance, for example, don't easily fit within our current constitutional framework, or easily fit in, you know, in the hands of either the federal government or provincial governments within that framework. That means that for some of these issues, we need federal, provincial co-operation, as well as interprovincial co-operation; and we all know that, some days, that's easier to achieve than others, and probably most days, it's actually quite challenging to achieve. And so, that can make things slower to develop, at a time when we want to move quickly; it can make consensus much harder to get, at a time when we need to have consensus on things; it can make interoperability, standardization, all of these things that we hear talked about in the digital context more challenging. In the privacy sphere, there has been really, I think, very good co-operation between federal and provincial privacy commissioners within the scope of their own jurisdiction. But more broadly over digital issues, I think it's a challenge.

Alex Benay
Thank you.Teresa, Éloïse, do you want to weigh on this one?

Éloïse Gratton
I think Teresa's answer was quite complete. Vass, maybe you have something to add?

Vass Bednar
Well, yeah, I think it's super complete, too, we're just like, “that was an amazing answer.” I can't help but think about what somebody named Alex Usher was tweeting about last night, which was—I won't say the word, but “F.U. Federalism.” You know, that are we in a Federalist context where one, we're seeing these privacy provocations from some provinces, right, that can be productive in terms of experimentation, in terms of stimulating more conversation, in terms of keeping some pressure or attention to the opportunity for Canada to potentially move forward with some version of a bill we previously saw. But yeah, it all comes down to where and how we're going to get consensus, and what the implications are of a new piece of provincial legislation, in terms of setting the norm or the standard, It absolutely does seem like it can be convoluted in the interim.

Alex Benay
So, I'm failing as a moderator if everybody's getting along. So, I'm just warning all three of you, we're going to try to get, we're going to try to spice this up as we go through. But the answers are amazing. Reminder to everybody to look at your QA widget, which is below the viewer on your screen to ask your questions, because there will be a Q&A session afterwards, so just a reminder. So in the context of the governance, and everything we've just finished talking about, whether, you know—I love how Teresa, your answer, it is not necessarily a pro or a con. But does privacy need reform in Canada? And if so, why?

Éloïse Gratton
Definitely, I'm sure we'll all agree on this, definitely. We have to keep in mind that our—at least for businesses, I'll speak for businesses, and perhaps others will touch upon other angles—but our private sector data protection laws, privacy laws, are based on a concept from the late ‘60s, early ‘70s, right? So we have to keep that in mind. So, at that point, with the advent of computer, it became easier to share information through automated database. And at that point, the fear was that personal information would be shared more easily, you know, between private sector, public sector, organization, and then used to make decisions. You know, you go to the bank and try to get a loan, they say no. Why? I have some information. Is this my information? Is it updated, you know, up-to-date information? Who sent it, who sent you this information? So, it was like, so at that point, privacy was defined as having individuals in control over their personal information. And our privacy laws are still, to this day, based on this definition, and this concept. So, you inform consumers, you know, about your practices, what you're collecting, how are you going to use this information? You get their consent, and you give them access to the information that you have about them, so that they can make sure that it's current information, it’s quality information. So, despite all the technological advances of the last 50 years, our privacy laws are still primarily based on a definition established in the early ‘70s. So, I think at this point, it’s unrealistic to expect every consumer to be able to keep control over their personal information. What would that entail? You know, reading every single privacy policy when you interact with a company, and understand it. These policies are increasingly long and complex, you know? So, definitely, that's one aspect.

Dr. Teresa Scassa
Yeah, and I agree with that. But I think we've also really gone from first generation of privacy protection, and we're now heading into this new realm. And what I would add to what Éloïse has said, is that we also are in a context in which businesses want data, not just to better understand their customers, but to innovate, to do new things with data, to build artificial intelligence applications, to, you know, to come up with some of the stuff that we are seeing now appearing in the marketplace. And a lot of that requires data, and many of the consumer-oriented applications require personal data. And so, businesses, at the same time that, you know, that the laws are dealing with, you know, managing customer data in the traditional manner that Éloïse has talked about, we're also seeing businesses wanting to have more freedom to use the data they've collected, and perhaps to collect additional data and use it in completely different ways that are not about managing their relationship with the customer, but that are about innovating or creating. And so, we're now, in data protection law reform, there's a lot of pressure to try and do both things in the same statute. To have a law that protects individual personal data and gives individuals control over it, but also that lets businesses have access to the data that they want to access, and use for a variety of different purposes, in ways that do not harm the individual. And I think that's a that's a real shift in terms of what data protection law is trying to achieve.

Vass Bednar
Alex, do you want me to disagree? I'm just kidding. I’d layer in a couple of comments. I'll try to give you an example, maybe, if it's helpful. I think both of those points are perfect, right? One, we've seen just a time lag, there's a regulatory gap of sorts. We're in this, kind of what Azeem Azhar calls the exponential era, cost of computing going down, Big Data moments; our governance institutions aren't keeping up, and they have to, right? So, this is the work of policymakers and lawmakers. Another challenge when it comes to individuals managing data, and kind of what's possible, and those very intriguing opportunities for innovation, is we see so much context collapse. And context collapse makes it difficult, in terms of maintaining that bargain between the consumer and the company. So, this is an entirely hypothetical example, but I use Microsoft Teams at work. It collects some cool information about me, how “super productive” I am, how distracted I am during most of my video meetings and my work hours, it gives me a notification says that “Vass, this is just for you; we are totally not sharing with your boss, no big deal.” Microsoft also owns LinkedIn. Is there a universe where there's a productivity score associated, not just with me, but people like me, in an aggregated, anonymized context, that Microsoft could then sell access to in some way? I was just trying to kind of come up with an example, but these are, maybe the, they're not necessarily thornier. They're interesting, they're creative. I can also see a universe where, when start-up founders are competing for cash or making their pitches, they want to have kind of evidence and data about the hours their workers keep, or how hard they're working. I'm being a little bit silly, but yeah, I think at the very basic level, we need privacy reform. Because we compete in new ways, we use data in new ways, we have a fundamentally different economy than when we first introduced these laws. And there's consensus that they're not serving us properly. But there's not quite consensus in terms of how we can serve both of those interests concurrently, in a satisfying and safe way.

Alex Benay
So, we've touched on this, all three of you have touched on it in a similar fashion, so, all agreeing that yeah, reform is needed. So, let's dive into Bill C-11, federally. What was it trying to achieve? Was it even a good bill? Everybody started hearing about it on the news and on the radio, and maybe wasn't quite aware of what it was trying to do, and like, people had very different opinions on this thing. So, I'll turn it over to any of you who wants to touch this. But what was it trying to achieve? What happened to it? Was it good, was it bad? Was, you know, and open question. And then we'll probably get into one or two questions from the audience already, because it's actually related to this conversation.

Dr. Teresa Scassa
Well, I can jump in terms of what C-11 was trying to achieve. I think it was trying to achieve an awful lot of things at once, and that was what made it such a challenging bill. And I think that may have been part of what created such a rocky road for the bill. So, it was trying to do the kinds of things that we've talked about, right? So, it was trying to bring the existing data protection law up-to-speed for a rapidly changed context, in which individuals were facing all sorts of new challenges with respect to how their personal information was being collected and used. It also was trying to create more space for businesses to use data, as well as to, sort of a concept that data from the private sector could also be used for public good, and in research carried out by public or private sector actors. And so, it was trying to do those things; at the same time, it was also trying to put more teeth into the bill, because there had been a lot of criticism of the fact that the bill didn't go far enough in terms of enforcement. But once you start to add very significant enforcement powers, then that raises questions about—because it was really a kind of a soft touch Ombuds model—that raises questions about the procedural fairness underpinnings of the bill. And so, it created these new structures, along with the new enforcement, that were controversial, too. So, there was a lot going on in that bill, plus it took PIPEDA and completely rewrote it from front to back. And so, you know, it was trying to do a lot of different things, very challenging bill. I think there were some very interesting things in there, as well as some things that were problematic. And there was a lot of discussion about this.

Alex Benay
Okay, great. Thanks, Teresa. So, Éloïse, agree, disagree?

Éloïse Gratton
No, I absolutely agree. I think there was some good things, you know, new individual rights, you know, the right to be informed of automated decision-making, the right to mobility, to portability, which is quite relevant for, you know, open banking initiatives. It was also a law that was trying to step away from the consent model to some extent. It included broader consent exceptions for, you know, certain legitimate business practices, provided greater flexibility to use the identified information. So, you know, back to what Teresa was saying, you know, trying to, allowing businesses to innovate and use data for research purposes. I also liked the enhanced opportunities for public, private partnerships, for socially beneficial purposes; so, tons of good things. I think, overall, the industry liked the bill, you know, it was not too burdensome, like they could live with the new fines and the new penalties; not a perfect bill, but they could live with it. Consumer groups, not so much, I would say. They felt perhaps it, on some level, it was not stringent enough; definitely not as stringent as Québec’s Bill 64 . So, they would, you know, these two bills kind of were proposed at around the same time, so they were compared. Yeah.

Alex Benay
So, you, this is actually a question from the audience, and so, you kind of teed it up perfectly, but what will Québec’s new bill—question from Grace, sorry—what will Québec’s new Bill 64 mean, for the privacy landscape in Canada? Is it appropriate to have privacy law patchwork, created by the provinces?

Éloïse Gratton
Well, you know, I think provinces are, you know, in the division of powers, I think privacy falls on the lap of the of the provinces, so, they're definitely entitled to have their, you know, provincial privacy laws. We can have a debate about this, but, you know, we're not going to solve this today. But I think, so I don't know if some of you know, but Bill 64 was adopted this week, actually. So, it's going to be coming into effect in phases. So, in one year, a few provisions will be coming into effect, and most of the provisions are coming into effect in two years. It's more aligned with the GDPR, definitely new enforcement tools. So, it's raising the bar, right? Definitely, I think for other jurisdictions. So, do I like Bill 64? I still have a few issues, I think there were a few mistakes that were made, that won't be easily operationalized. So, still have, I would say, quite a few concern with the bill, but definitely more aligned with GDPR and more stringent. Yeah.

Alex Benay
Okay. I'll keep going on some of these questions, because we have a lot so I'm sure I won't be able to make through all of them. But another one that's somewhat related to governance, and then maybe we'll switch gears a little bit afterwards, is, what are your thoughts on regulation of privacy on a municipal government? A lot of key issues, such as bylaws, regarding vaccine passports, or modernization of cities, are being run at the municipal level. Thoughts, reactions?

Dr. Teresa Scassa
Well, most municipalities are governed by public sector data protection laws, either the law that applies in the province generally, or in Ontario, for example, the Municipal Freedom of Information and Protection of Privacy Act would govern municipalities. So, there is privacy legislation in place for the municipalities. The public sector tends to play by slightly different rules from the private sector, where consent is not the determinative factor. The understanding is—well, there's a couple of theories there. One is that, you know, this is a democratically elected government with a mandate to govern, and they are putting in place policies, and so consent is not sought in that context. There's also the theory that consent is not freely given when you're dealing with government in any event, so it tends to focus more on the necessity of the implementation, rather than on issues of consent. But definitely there are privacy regimes in place for municipal actors as well.

Alex Benay
Okay. Vass?

Vass Bednar
I mean, I'm all for experimentation, right? So, like, fundamentally going back to, you know, was C-11, is it good or bad, what's the story? I think it was an interesting approach to a policy forum, right? Just put something out there, be ambitious, go big. Like, we live in a copy and paste country, we're not very bold, we're not brave when it comes to policy innovation, there's been a ton of wait and see on the privacy file, and we're seeing much more of it. So, to the extent that municipalities can move forward where it makes sense, you know, in their jurisdiction, I think that's important for Canada. And I think it's important for us not to expect, you know, we're not gonna get privacy policy reform perfect right out the gate, because look at the wonderful conversation and criticism that C-11 has stimulated over the past year, two years. What is time? I lost track of it.

Alex Benay
It's COVID time, I guess, it kind of blurs everything. So, another question from the audience, but Vass, you kind of touched on it with the speed of policy change—personally, having worked in the federal space with a majority government trying to change legislation, like, it’s a complicated and complex process. But the question from the audience is, what are your thoughts on the federal and provincial privacy commissioners? Should they have more, or less power to enforce privacy regulations?

Éloïse Gratton
They should have more powers, and I think many acknowledge this. And as a matter of fact, both C-11, and Québec Bill 64 was, you know, addressing these issues, you know, by allowing them to issue fines, and giving them new, and, you know, providing for new enforcement tools. So, definitely.

Alex Benay
Vass, you—Teresa?

Dr. Teresa Scassa
Oh, sorry, I was just gonna jump in and say that we haven't actually mentioned what's happening in other provinces yet, as well, but BC has been in the process of reviewing its private sector data protection law with the view to amending it, I think they've been holding back waiting for C-11, but they may not hold back any longer. Alberta has launched a consultation process, but they've got other things on their agenda right now, or on their plate right now. And Ontario seems to be moving very quickly towards private sector data protection legislation, and just closed a consultation on legislation in which they kind of showed a little bit of their hand, and looking towards a C-11 model. But I think in all of those jurisdictions, the idea of giving privacy commissioners more enforcement powers is on the table, and I think we can expect to see that across the board.

Vass Bednar
Alongside those potential new powers, I also hope we have a really good conversation in Canada about the investments that we're making in that enforcement capacity, right? So, we're seeing research coming out starting to evaluate the GDPR, that's basically demonstrating we haven't invested enough in data, DPA’s, the data protection authorities etc. Which means that, while they have a new, fairly robust kind of table setting piece of legislation, if we're not enforcing it consistently, if we don't have the power, then who cares what the fines are, right? Who cares what the powers are, if we're not able to actually satisfy what we've set out as policymakers, and kind of keep that bargain with both, again, both businesses, but also consumers, with citizens?

Alex Benay
Vass, you've touched on GDPR, so we might as well ask the global question. We talked about the Canadian landscape, how privacy is governed in Canada. Are there other country's laws or policies that influence the Canadian landscape, that influence how residents, or citizens, or businesses deal manage privacy issues?

Dr. Teresa Scassa
Well, I'll jump in. You know, I think we maybe start with the one that has influenced us the most, up until this point, and that's the United States. And the United States, right from the beginning of the, you know, the tech revolution, took a very laissez-faire approach towards privacy and data protection, and Silicon Valley was the heart of that revolution. And so, we had a proliferation of companies that were building business models on data, and were very poor, weakly constrained, when it came to what they could collect, use, and disclose, and the ways in which they could do that. And I think that that has, really, tremendously influenced the context in which we find ourselves. Now, we, you know, the idea, the talk there at the time was, you know, if you if you regulate too much, you're going to stifle innovation, and so let's let innovation happen, and we can worry about it afterwards. And so, we've lived that for a little while, and we've seen that there are some serious issues with that. And then more recently, well, first with the European Data Protection Directive, and then more strongly with the GDPR, we start to see a different approach, gaining a lot of traction, and a lot of strength internationally, in part through the somewhat extraterritorial impact of the GDPR. But I don't want to dominate this whole conversation, I mentioned those two players, and there are others as well. So, I'll just stop there.

Alex Benay
Éloïse?

Éloïse Gratton
Well, definitely certain jurisdiction have implemented more stringent laws, the EU GDPR, and it definitely has an impact on us. Like, one reason is that you can only share the personal information of EU residents with a jurisdiction that has laws that were found as being adequate. And if you don't, when you're based in Europe, you need to have other controls in place. So, it's a contractual measure, and there's other tools, you know, binding corporate rules, and so on. So, we passed the test, you know, a while back at the end of the ‘90s, beginning of 2000’s, we pass the test; they said, you know, PIPEDA, you know, is adequate under our standards. That was under the former directive, so we're going to be reassessed in the coming years. When the GDPR came into effect a few years ago, I think, you know, so that was our cue, okay, you know, if we still want to be able to exchange information, you know, and pass that adequacy test, we need to improve our laws, so definitely, that it has this kind of impact. And also, what we're seeing, we advise a lot of large businesses that have global operations. So, you know, more and more, it's like they have global policy. So, basically, they're complying, if they have operations in Europe, then you know, that this is raising the bar. So, definitely, it has an impact on our business as well. Another, maybe last comment, is that I think the GDPR has raised awareness amongst consumers as to the privacy rights that they may have. So, as soon as the GDPR came into effect, we've seen an increase in the request, you know, that businesses received to delete my personal information, to exercise the right to be forgotten—we don't even have these rights in Canada. But consumers were aware, you know, hey, I have some rights, and you know, I want to try to exercise them. So, definitely that there's an impact there.

Alex Benay
Vass, I saw you wanted to jump in earlier, do you want to?

Vass Bednar
No, not really. Just thinking about how we're a copy and paste country, and who we're going to copy and paste next.

Alex Benay
Well, so this—so, two questions related to business, then. And let's start with the first one. Verry complex Canadian governance, add international to it; do these kinds of regulations and laws help on the innovation side? Like how does this impact the innovation agenda, or company trying to innovate in a digital economy? Vass, maybe I'll turn that one over to you to start if you want.

Vass Bednar
Well, some of the conversations we're having concurrent to privacy reform are related to potentially reforming competition policy, right? Again, some of these privacy conversations, it's becoming muddled, and they're big, and they're important conversations. But as we navigate and negotiate how and when companies can use information that has been ostensibly volunteered to their company, we're thinking about what these new business practices are online, if they're new, if we've articulated them properly, and again, to the extent that they can be known to the people that have offered the initial information. So, I hope I'm helping answer your question. Earlier we touched on, you know, open banking as a kind of privacy-adjacent conversation, another place where people are thinking about what rights, or ownership, or entitlements they might have to the information that they offer. And in the in the kind of follow up to open banking in Canada, there's an interesting and important conversation there, that's relevant to the privacy conversation, which is just, you know, the distinctions and the boundaries between the information that is volunteered by the individual, either, you know, accepting that long terms of service, or through the cookies they consented to online, etc. and the derived information. You know, where, what's proprietary to a business, and what are you entitled to as an individual? Can you access, you do you have any rights of sorts—I use the word rights with like a very lowercase r—to kind of understand the way, or ways you've been profiled or categorized by a company. So, in terms of what it means for innovation, well, I think I think companies are savvy, and will still be empowered to innovate with the information that they have. I worry that we lack political courage to move forward on the privacy front, because we're worried that we might impede this thing called innovation. And frankly, we're so we're so desperate for it.

Alex Benay
Éloïse, Teresa, do either of you want to jump in on that? Lots of other questions if you don't—also perfectly fine.

Éloïse Gratton
Well, very quickly, I think by having a solid laws, it will, you know, provide, it will increase consumer confidence, we have to look at it that way. And also, I think businesses really need clear boundaries allowing them to innovate, you know, can you reuse personal information for research without consent? If so, how do you anonymize the information; do you make a distinction between anonymized information and coded information, you know. So, all of these issues are quite important for innovation, so I think if we get it right, we could actually help innovation, I think.

Vass Bednar
Alex, you're muted, or I can't hear you.

Alex Benay
I was doing so well.

Vass Bednar
It happens, it happens.

Alex Benay
I was the first one, we should have put a bet on it, anyways, we should’ve put some money on that. So, the question is now—and I lost it; oh, yes, here we are—if laws are segregated between federal and provincial, how does a company manage data when they do business across the country, and isn't even more complex if the company is operating outside of Canada? How do they function? And maybe I'll add a little spin to this, maybe a focus on small and medium enterprises as well, who, you know, don't necessarily have large privacy teams.

Vass Bednar
I mean, I think you can see the bar has been raised. A few years back, I was working at an AI and FinTech startup—I know when you put those words together, someone loses their wings—and the bar there was set by the CCPA. So, you know, with ambitions to have, you know, many online customers in California, those rules ended up sort of setting what the new baseline would be. But you're absolutely right to raise the cost of compliance, and kind of that patchwork being, perhaps, intimidating for companies, and maybe disadvantaging smaller enterprises that have less resources to invest in making sure that they are being compliant, or might be more incentivized to take a risk and evade those DPAs that may not have the teeth we thought they did, when it comes to the GDPR.

Alex Benay
Okay, thank you. Teresa?

Dr. Teresa Scassa
Yeah, what I would add to that, because I think that's right, and I think, you know, many of Canada's large businesses have already made themselves GDPR compliant, with the GDPR setting a higher standard than our own legislation, and so, if they can meet the GDPR standard, then they can surely meet our own. I think one issue that we may be looking at, going forward, especially as different provinces, as I mentioned, are thinking about amending their legislation and adding more significant enforcement powers to their legislation, and Ontario's thinking about its own new legislation, is that one of the things I've started to see is, you know, I think the idea used to be that things were divided between the federal legislation ,which applied in provinces that didn't have their own legislation, and also applied to interprovincial flows of data, as well as international flows of data, and then provincial legislation, which would apply within the province. And I think that the trend now is for provinces to increasingly assert concurrent jurisdiction, so that, if it's happening in the province, even if it's interprovincial or international, and has that dimension to which the federal law applies, the provincial law also applies. So, I think that this is something to keep an eye on as we go forward, and especially as the penalties become steeper, under both provincial and federal laws, that we might have a context in which you've got one breach or one problem, and more than one commissioner asserting jurisdiction, and looking to potentially impose penalties. I think, more room for collaboration and co-operation, and much more need for that.

Alex Benay
Good. Thank you. That's, all good points. I, one—because we're starting to get closer to the hour, so I'm going to try one last question that could hopefully create division this amongst our panelists, and there are questions coming in from the audience about this, and so, hard pivot now, let's talk about COVID. And so, lots and lots similar to Bill C-11, for a period of time, lots of discussion around privacy and COVID these days, whether it's how we fight COVID, interprovincial data, vaccine passports. What's the angle? Why are people so concerned around privacy in the fight against COVID? And can you look at, and can you pick out an example that kind of highlights that? I mean, I think the one that comes to mind, for example, is the vaccine passports, right? So, I’d be curious to get the three of your opinions on the impact COVID has had on privacy, and where do you see this discussion going?

Éloïse Gratton
Maybe I can talk about businesses, the challenges for businesses. So, it's about, so an employer has an obligation to make sure that they're providing a safe work environment. So, in this context, it could be acceptable for them to collect, you know, employee health information, to make sure that they protect their other employees. So, when COVID started, these were the type of questions that we were getting, you know, can I collect, you know, information about, you know, whether the person has been sick, whether they've travelled, were they in contact with someone else that had COVID? So, these were the kinds of issues that businesses had, and also, can I share this information? You know, if an employee has COVID, can I call their client and say, “hey, you had a meeting with this employee last week, and they were diagnosed,” you know, to protect the client. So, these were the kinds of questions or discussions that we would have. Another issue was the fact that employees started working remotely. So, a lot of employers were saying, “okay, well, I still want to supervise my employees.” So, we're getting a lot of calls from businesses wanting to implement, like, monitoring tools, you know, to monitor what employees are doing on their laptop. And a lot of these tools were coming from the US, so maybe they were legal in the US, but I was like, “you can't do this; would you be doing this at your place of work, do you have someone behind your employee monitoring everything they're doing?” You know, and some of these technologies were like, outrageous, you know, a pop up if you're not typing something for more than like, you know, you’re idle for like, 10 minutes, you get a pop up, like, “hey, back, get back to work,” you know? So, these were the kinds of issues that we had, you know, with businesses, and now there's been with the vaccine, you know, these are the kinds of issues that employers have to have to deal with. And it's a delicate balance, right? Collecting potentially sensitive information about employees health, and making sure that you're providing a safe workplace environment; it's a it's a delicate balance.

Vass Bednar
I'm glad you mentioned surveillance. I mean, I think, in the pandemic, the type of surveillance that has come to characterize low-wage service and retail work, spilled over very quickly into white collar work, you know, students as well, navigating these technologies, and individuals really wanting to appeal to our governance institutions to understand, okay, what are my rights here? How do I negotiate this as an employee? What's the trade off? You know, am I, is the expense of my privacy, or my comfort when I'm working from home is that so I can, you know, keep my job in what was a very uncertain labour market. And that relates to these privacy conversations in terms of, you know, proportionality and where we have, you know, do we have the right guardrails? I feel like there's one elephant in the room, when it comes to, or many, there's probably tons of elephants in this room—sidenote, great Halloween costume, if you want to be an elephant, anywhere you go, you're the elephant in the room—and that's, you know, we're coming out of this election. And to my mind, the election was kind of like one big, long, targeted ad, and the fact that political parties continue to be exempt from the new standards that we may be seeking to impose on private corporations, I think is really disingenuous. I think it's bad for democracy, and I think it's bad for public policy, if we're, you know, making inferences about what people will support, and starting to design platforms and directions for the country, based on the same kind of microtargeting that we're seeing people start to reject more and more, that that makes me nervous. And I think you see that coming through in my answer, which is not about vaccine passports. But now I will mute myself again. Bye.

Dr. Teresa Scassa
and I'm glad that Vass managed to squeeze that in, because we should have gotten that in somewhere else as well. There was nothing in Bill C-11 about the law applying to the data collected by political parties. There was nothing in the discussion paper, the white paper that the Ontario government put out about data protection law applying to political parties. And this is a big issue, and it's an important issue, and it's one that, you know, it's very easy for politicians to decide what they're going to put in bills and not in bills, and clearly there's a certain self-interest to not including data protection when it comes to political parties. But I think Canadians really need to be pushing their politicians to include that, I think it's a tremendously important issue, so I'm glad that we had that digression. If I could just say one other COVID-related privacy issue, I think both Vass and Éloïse raised some really important and interesting privacy issues in COVID, and then there have been so many, in so many different contexts, really important and interesting ones. But I think in some contexts, the privacy issues have also been, maybe a stand-in or shorthand for something else, and particularly around the COVID app, I think there was a lot of discussion about privacy in the COVID app, and a lot of concerns around privacy and the COVID app. The federal government ultimately went with the least impactful version of the app possible in terms of privacy. But I think that a lot of the privacy issues there, it seemed to me, were shorthand for lack of trust in government. Because at the same time people were talking about the COVID app, they also had all kinds of apps on their phone that were just harvesting data, you know, more data than individuals even knew, for purposes that they knew nothing about, and it was going all over the place. And so I think that a big part of that discussion was about trust. And one thing that we've seen, I think, throughout this pandemic, has been that there are some really important issues that we need to come to terms with as a society around trust, and trust in government, trust in authority, trust in science. So, I think that that was another thing that bubbled up within the debates around privacy and COVID.

Alex Benay
So, I really wish we had another hour, because I would love to unpack the political aspect of that. And then you started talking about trust, Teresa, I think we would need a whole other hour, so this is great. We are running up on time, so I'm going to ask you each one final question, the same question for all three of you. But first, I want to thank all three of you for, you know, a really great conversation—it's a good sign when my phone's literally hot right now—and that the hour just flies by, so thank you for all your amazing insights. The question I have is, summer's over, we're gonna get over Halloween, and then, you know, we're gonna get into the winter season, where a lot of the bills, and a lot of the things can happen, right? Like, it's obviously not going to happen in the dead of summer, and especially not in the context of an election. What's the wish list you have for governments during the legislative period? Like, what's the thing, one thing, you can only choose one, that you would like to see progress on, either from a policy or legislative perspective, to actually continue moving the privacy agenda forward, and Canada? And that one’s off-script, so I apologize, but you all agreed too much during the last hour, so here we are. Who wants to go first, Vass?

Vass Bednar
Okay. My dream wish list is that we will initiate a comprehensive review of Canada's Competition Act, because I do think there's a lot of important conversations about data and competition that are bound up in the conversation we're having about privacy. And we had a previous government commitment that we were going to get there, we can do it, we can be a courageous country, and we don't need to copy and paste everyone else, we can still do it in our unique Canadian way.

Alex Benay
Oh, great answer. Who wants to go next?

Éloïse Gratton
So, so it doesn't have to be realistic, right? It's like wish, you know, something to wish; it's simple wish. So, Québec, Bill 64 was adopted. and I just, I'm really disappointed with two issues. I think they got it wrong on two issues. One of them is cross border restrictions; it's more stringent than the GDPR, it's not realistic, I'm concerned that it will impact the Québec digital economy. So, and the other concern that I have with Bill 64 is the restrictions, well the privacy by default provision, the way it's drafted, 8.1, 9.1, is going to be—they didn't think it through, I think, to some extent, it's going to perhaps even limit innovation. The way these provisions are drafted, it’s up to the user to activate, you know, privacy settings, such as location tracking. Well, if you're downloading an Uber app, you don't want to have to go to your setting and, you know, and allow the app to locate you—that's the whole purpose of the app. So, they didn't think it through, and that, you know, if they could fix these two things, I think I can live with Bill 64, so.

Alex Benay
Okay, so we'll assume that your one thing was a bit of a modification to Bill 64, because that way—otherwise, you cheated and you got two in there, but the one thing, to either modify.

Alex Benay
There you go.

Alex Benay
Good, great, two great recommendations. And closing, Teresa?

Dr. Teresa Scassa
Yeah, I'd like to see a modified version of Bill C-11 reintroduced, and that it actually, you know, make it to committee this time, and get debated and discussed. I did a quick Twitter poll earlier this week, asking people what they thought was going to happen after the election with C-11. About 18% said they thought we'd see C-11 again, in it’s same form; 35% said they thought it was going to be a revised C-11, and the rest said, “don't hold your breath,” suggesting that it's just not going to be on the agenda. Well, I hope it's going to be the on the agenda, and I hope it will be a revised version of C-11, taking to account some of the concerns and criticisms have been raised, and that we move forward with this issue.

Alex Benay
Great. So, legislators beware; lots of work on the table, based on three wishes from our esteemed panelists. So, thank you very much, again, for your time. super amazing insights, lots of great questions from the audience. Kelly, I think I'm turning it over to you at this point for closing remarks.

Concluding Remarks by Kelly Jackson
Thanks so much, Alex. And thanks, Teresa, Éloïse, and Vass. That was a super fascinating conversation, you took us through lots of places, lots of jurisdictions, and, you know, for me, and just sort of now mulling this idea of a first-generation approach to privacy in a 5G world, and, you know, so how do you square that circle. So, thank you so much. I'd now like to turn it over to Bill Abbott, who is the Director of Data Policy and Research at TELUS. He is going to offer today's appreciate your remarks.

Note of Appreciation by Bill Abbott, Director of Data Policy & Research, TELUS
Thank you very much. And good afternoon, everyone. I'd like to thank Professor Bednar, and Professor of Scassa, and Éloïse Gratton, for their insightful comments, and Alex Benay for moderating—always an important task, even more so on a video session. And thank all of you; we have over 850 participants registered, thank you very much for being part of the being part of this discussion. Privacy policy and Canada is at a point of generational change and renewal. Finding policies that will work is not easy, but it begins with different perspectives engaging in a constructive dialogue and building understanding, speaking to each other rather than past each other. That's why the Alliance for Privacy and Innovation in Canada supports venues like this, the Empire Club panel, for an ongoing conversation about what privacy should look like the for the next generation. So, Vass, Teresa, Éloïse and Alex, really appreciate what you've been able to contribute to this conversation today. And thanks also to the Empire Club, for organizing and hosting the panel. And everyone, thank you for participating. I wish you a great, hopefully sunny, weekend. And back to you, Kelly.

Concluding Remarks by Kelly Jackson
Thanks. And thanks again to the panel and everybody joining us today, or tuning in at a later date. Our next event is taking place on October 4th, at 5 EST. It's a panel discussion, it's focused on the results of the recent federal election. We're going to have some people who can offer a bit of the flavour from the campaign trail, so “Tales from the Campaign Trail.” We hope you will tune in for that. You can find out more details and complimentary registration will be available at empireclubofcanada.com. This meeting is now formally adjourned. Thank you again, take care and stay safe.