Leaders of Canadian business associations expressed varying degrees of support for proposed privacy legislation reform before a parliamentary committee on Tuesday.
But Jim Balsillie, former co-CEO of Research In Motion (now BlackBerry), told the House of Commons Industry Committee that the Consumer Privacy Protection Act (CPPA) needs a serious overhaul before being passed.
He complained the CPPA has “a business interest carve-out that allows corporations to put the pursuit of profits above the interests of consumers. Businesses are allowed to determine what constitutes legitimate surveillance and behaviour modification to trample on fundamental rights, but are under no obligation to notify consumers how they are tracking and profiling them.“
Balsillie, who is founder of the Centre for Digital Rights, also said the proposed Artificial Intelligence and Data Act (AIDA) should be scrapped.
The two pieces of proposed legislation are combined under Bill C-27. Neither have much merit, Balsillie said. In fact, he compared the CPPA to a leaky bucket. Proposing AIDA without proper public consultation is like the government putting on shoes and then trying to put on socks, he added.
“C-27 turbocharges surveillance capitalism,” he maintained.
The package of bills “prioritizes the interests of large data monopolies and their ecosystem of [data] traffickers. It sets a dangerous precedent by allowing corporations to allocate to individuals, children and vulnerable groups the harmful economic, political, and social consequences of the data–driven economy. It normalizes and expands surveillance, treating human rights as an obstacle to corporate profits. C-27 requires a wholesale re-do.”
Liberal MP Francesco Sorbara asked Balsillie if the CPPA, which would replace the Personal Information Protection and Electronic Data Act (PIPEDA) that many businesses now have to deal with, is at least going in the right direction.
“It‘s like saying my bucket has 25 holes and that‘s better than 30 holes,” replied Balsillie. “If we get rid of 20 of the holes so we only have 10 left …. I think the nature of the digital and knowledge economy is non–linear in its harms for imperfection. It takes a small hole to drive a truck through. You need relative completeness [in laws], or somebody will escape through a small hatch.”
If we’re getting rid of 20 of 25 holes, at least we’re making progress, Sorbara countered.
“But you still have five holes in your bucket — and it’s not a bucket,” replied Balsillie. “It has to be complete.” The CPPA can only be fixed with comprehensive changes, he maintained, not by patching its holes.
Businesses have been thinking about preparing for the two pieces of legislation since they were introduced in Parliament over a year ago. They know that some form of overhauling of PIPEDA is necessary, in part because it may be declared offside of the European Union’s General Data Protection Regulation (GDPR).
As for AIDA, around the world, governments are looking at possible legislation because people are worried that advanced AI systems may make their jobs obsolete, or deny them jobs. As a result, business leaders want some sort of law — but one that doesn’t stifle new technologies.
Among Balsillie’s complaints:
— the CPPA says in some cases businesses don’t have to notify people how their personal data is being collected or used. That gives businesses too much power, Balsillie said;
— the CPPA also diminishes the protection of data of children and vulnerable persons, he said. “The omission of meaningful measures that curtail insidious surveillance and behavioural manipulation practices … are driving the current youth mental health crisis.“
–– AIDA creates an AI commissioner to oversee the act, but that person will report to the Minister of Innovation and not be an independent officer who reports to Parliament;
— AIDA also doesn’t give the right to individuals to contest AI-based decisions of businesses on the granting of insurance, or credit scoring, or education institutions on school admissions.
He got some support on scrapping AIDA from Siobhán Vipond, executive vice-president of the Canadian Labour Congress, who complained the proposed legislation hasn’t had a full public consultation, and it wouldn’t apply to the federal government and Crown corporations. That means it wouldn’t protect public servants, she said.
On the other hand, Sara Clodman, vice president, public affairs and thought leadership at the Canadian Marketing Association, urged speedy adoption of the CPPA with what she called “limited amendments.”
Similarly, Lorraine Krugel, vice president for privacy and data at the Canadian Bankers Association, asked for “targeted amendments” to the CPPA.
“We are concerned there’s a real risk of significant adverse consequences if the scope of certain provisions are not better defined and necessary exceptions aren’t included,” she said. “We want to avoid situations where organizations have to give too much information to be transparent to customers [as required by the CPPA]. For example, some things may result in online customers having ‘consent fatigue’ or ‘cookie banner fatigue” with no meaningful value to the consumer.”
Catherine Fortin LeFaivre, the Canadian Chamber of Commerce’s vice-president of strategic policy and global partnerships, said the CPPA should be passed as soon as possible. But she also agreed AIDA needs more public consultation.
The committee has grouped witnesses who largely want to comment on the CPPA to be heard first. Later, those who want to speak specifically about AIDA will be called. Some experts have already said passing a flawed AIDA is better than having no law, while others say AIDA should either be split from C-27 for extensive debate or completely withdrawn and started from scratch.
The committee hearings continue Thursday.