THE STANDING SENATE COMMITTEE ON LEGAL AND CONSTITUTIONAL AFFAIRS
EVIDENCE
OTTAWA, Thursday, October 2, 2025
The Standing Senate Committee on Legal and Constitutional Affairs met with videoconference this day at 10:30 a.m. [ET] to consider Bill S-209, An Act to restrict young persons’ online access to pornographic material.
Senator David M. Arnot (Chair) in the chair.
[English]
The Chair: Good morning, honourable senators. My name is David Arnot. I am a senator from Saskatchewan. I am the chair of this committee. I invite my colleagues to introduce themselves.
[Translation]
Senator Miville-Dechêne: Julie Miville-Dechêne from Quebec.
Senator Oudar: Manuelle Oudar from Quebec.
[English]
Senator Prosper: Senator Paul Prosper, Nova Scotia, Mi’kma’ki territory.
Senator K. Wells: Kristopher Wells, Alberta, Treaty 6 territory.
Senator Simons: Paula Simons, Alberta, Treaty 6 territory as well.
Senator Pate: Welcome. Kim Pate. I live here on the unceded, unsurrendered and unreturned territory of the Anishinaabe Algonquin Nation.
[Translation]
Senator Clement: Good morning, Bernadette Clement from Ontario.
Senator Saint-Germain: Raymonde Saint-Germain from Quebec.
[English]
Senator Dhillon: Good morning. Baltej Dhillon, British Columbia.
The Chair: Honourable senators, we are meeting to continue our study of Bill S-209, An Act to restrict young persons’ online access to pornographic material.
For our first panel, we are pleased to welcome, from the Office of the Privacy Commissioner of Canada, Mr. Philippe Dufresne, Privacy Commissioner of Canada; and Lara Ives, Executive Director, Policy, Research and Parliamentary affairs.
Thank you, witnesses, for joining us today. We will begin with your opening remarks, and then we will move to questions from the members. The floor is yours for five minutes or so.
Philippe Dufresne, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada: Thank you, Mr. Chair and members of the committee. I am pleased to be here today to share my perspective on Bill S-209, An Act to restrict young persons’ online access to pornographic material. Championing children’s privacy rights is one of my strategic priorities and one that is shared by many of my domestic and international counterparts.
[Translation]
As you saw with the release of the findings last month from my joint investigation with provincial partners into TikTok, while the digital world presents many opportunities, it also brings many risks, particularly for young people.
It is essential that regulators, along with governments, industry and civil society, work together to prioritize the best interests of young persons, which includes their fundamental right to privacy, so that they are supported to be able to safely navigate the online world.
[English]
I would like to commend Senator Miville-Dechêne for her commitment and leadership on this important issue and for giving me the opportunity to discuss these issues with her.
I support this bill. During my appearance in May 2024 before the Standing Committee on Public Safety and National Security regarding a previous iteration of the bill, I provided two primary recommendations: one, to limit the scope of application of the bill; and, two, to make certain enhancements to the criteria for prescribed age-verification and age-estimation methods to ensure that privacy is protected.
I am very pleased to see that they have been incorporated in Bill S-209. The bill now stipulates that the Governor-in-Council must “ensure,” rather than “consider,” the criteria in question, which I believe is an important improvement. The added requirement to limit the collection of personal information to that which is strictly necessary for the age verification or estimation has also enhanced the bill from a privacy perspective.
[Translation]
Prioritizing privacy is a critical factor in protecting individuals to safely navigate the online world, which can also foster confidence in technologies, such as age assurance, and ensure that this bill can achieve its beneficial goal.
[English]
In the past year, my office has conducted an exploratory consultation on age assurance. The significant public interest in, and importance of, a well-considered approach to age assurance was reflected in the responses that we received from privacy and industry stakeholder groups, civil society, academia, technology policy think tanks and interested individuals.
[Translation]
I believe that it is possible to implement age-assurance mechanisms in a privacy-protective manner. My office is developing guidance on how this can be done.
[English]
In September 2024, I was one of a number of international signatories to a joint statement which noted that:
. . . age assurance is intended to protect children within the digital world, while they explore online and develop, not to block their access to the digital world.
I agree with comments from Senator Miville-Dechêne at second reading that “ . . . determining the precise scope of the bill in its actual operation is a delicate task.”
[Translation]
In this regard, should the bill be adopted, it will be important for my office to be involved in the review of regulation drafted by the government and we will be ready to assist in any way that we can to ensure that privacy and the best interest of young persons are protected in the implementation stage of this bill.
[English]
Thank you for the opportunity to provide these comments. I would now be pleased to answer your questions.
The Chair: Thank you.
[Translation]
Senator Miville-Dechêne: Thank you, Mr. Dufresne. I can only thank you for those remarks; we worked hard to find the precise words that would accurately reflect the testimony that the Standing Senate Committee on National Security and Defence heard in 2024.
That said, I want your reaction to the brief recently released by the Canadian Bar Association, which contains rather harsh criticism of my bill, namely that Bill S-209 does not include any measures to ensure that this data will not be collected and retained by the government, and also that the bill forces proof of age for everyone, ending anonymity and prompting people to provide ID or biometrics.
It is fairly broad criticism that also seems directed at a different version of my bill. What do you make of it? At some point, can we be satisfied, as you said, with the terminology used or must we once again reassure people who, as my colleague Senator Clement said yesterday, are losing confidence in institutions?
Mr. Dufresne: Thank you for the question. I think it is essential to always make an effort to reassure people and reinforce that confidence. That is a job for Parliament, for my office and for the community. I believe the Canadian Bar Association plays an important role by raising those issues.
Within the international community, what I am trying to achieve is a balance, so we do not put ourselves in a position where we say we are either protecting young people or protecting privacy; we want to achieve both.
My recommendations regarding the previous version of the bill were aimed at strengthening these elements, in particular by specifying that the process should only be carried out when absolutely necessary and that the information should be destroyed. So these protections are in place. There is the Privacy Act, which will also continue to apply, particularly with regard to cyberattacks and safeguards.
The government would have the power to issue regulations, and it will be important at that point for my office to be involved. This is one of the international practices we see. Privacy commissioners are not the ones regulating these areas, it is often online commissioners, but collaboration between institutions is essential.
Senator Miville-Dechêne: I have a brief supplementary question.
Does leaving these choices to the government and experts during the regulatory phase seem unusual to you or not?
Mr. Dufresne: I think that, when it comes to privacy, especially because we are dealing with very rapidly evolving technology, laws are often based on principles and, essentially, need to adapt later to technology that is developing much faster than the laws can keep up with.
Regulations are tools and guidelines that can be issued by institutions such as mine or specialized institutions; this is part of the process, and we often see this kind of practice, precisely because it is a challenge to keep up with technology, especially at the moment.
Senator Miville-Dechêne: It is very important to protect privacy, but are we forgetting that, in the current situation, children’s personal information on all these platforms is at risk?
Mr. Dufresne: During our consultation, we saw that there is concern about children’s safety, due to the impact on children when they visit some of these sites, and about protection of their personal information, their knowledge and understanding, and safeguarding their data. The goal is to achieve both of these objectives. That is why I and my colleagues at the international level made comments to the effect that the process must be rigorous, that the data obtained must be minimized, that it must not be used for other purposes, that it must not be possible to track people, and that it must be anonymous. All of these practices are essentially aimed at protecting young people, but also their privacy.
Senator Miville-Dechêne: Thank you.
[English]
Senator Prosper: Welcome to the witnesses.
I’d like to delve into some of your earlier testimony and that which flowed from your statement as well. You talk about balance, and with respect to the scope of the bill, it’s a delicate task to find that right fit.
I have two questions, because you commented on your involvement within the regulation aspect of it. You got into that a little with the previous question, but I’m curious: What other areas within the regulations are you going to note? You mentioned earlier guidelines potentially coming from your office.
You mentioned consultations that you have undertaken. As a second part of that question, could you share a bit on the extent of those consultations?
Mr. Dufresne: Right. We issued a joint statement in 2024 as part of an international working group on age assurance, for example, broadly talking about the fact that the information collected for age assurance must be limited to what is necessary for the purpose of age assurance, focusing on the best interests of the child and ensuring that there is accountability built in. With an effective age-assurance process, there is a balance of the protection and the measures. You should not use the same level of age assurance, for example, in a low-risk situation versus a high-risk situation.
These are some of the messages that we are hearing: the importance of having privacy by design and privacy by default. Something even more specific that has been coming up in Europe, including in France and the European Union, is the concept of having a third party that would do this assurance. So it would not necessarily be the website themselves; instead, there is a distance and a sort of zero-knowledge proof so you don’t have to share your identity but it is established that you are below or above a certain age.
Senator Prosper: Thank you.
[Translation]
Senator Saint-Germain: Thank you, commissioner.
My concerns relate not only to the ability to implement this bill, but also to the fact that, in my opinion, the bill lacks minimum legislative standards. My first question relates to paragraph 12(2)(b). Age-verification and age-estimation will be:
… operated by a third-party organization that deals at arm’s length from any organization making pornographic material available on the Internet for commercial purposes.
Do you have any reservations or criteria to suggest in this context? Will this be a private organization responsible for managing internet access and all authentication and age‑verification systems? As Privacy Commissioner, does this raise any concerns? Do you have any suggestions for making the law more binding?
Mr. Dufresne: The regulations also state that this must comply with best practices in the field of age verification. There are concerns about privacy. This limits data collection to what is strictly necessary. These elements must apply to third parties and to what will be acceptable under paragraph 12(2)(b). This is what we have seen internationally. Criteria will be established at a more specific level. Not just any system will be acceptable. It must be specified that the system must comply with these requirements on privacy, effectiveness, and anonymity.
Prototypes are currently being tested in some European Union countries. France and Spain worked on this. It is clear that we cannot give carte blanche to just any application. It is essential that this is done with rigour, that it complies with privacy principles, and that there is a mechanism in place to reassure people. I expect there to be sufficient detail in the context of these regulations. We are working on guidelines that will provide even more clarification.
Senator Saint-Germain: Are you confident enough in the current version that you are not concerned this law could be challenged in court, particularly with regard to the Canadian Charter of Rights and Freedoms?
Mr. Dufresne: In terms of freedom of expression?
Senator Saint-Germain: In terms of freedom of expression, yes, and also in terms of the right to privacy and effective security measures being taken. Basically, in terms of the merits of the law.
Mr. Dufresne: As I said in my introductory remarks, in this kind of situation, the government must consult with my office in drafting this bill and there must be active participation. The bill indicates a regulator will need to be designated.
In other countries, privacy commissioners are usually not the ones being designated to do that. We could be. However, digital regulatory bodies often have this role. I expect my office to be directly involved. This is not specifically stated in the bill. It could be. These are my expectations. That is what I will convey to the government. If that were not the case, it would be a cause for concern. The government is aware of my expectations. However, if there are concerns at this level, this could be clarified in the bill if necessary. The international practice is for regulatory bodies to work with the government.
Senator Saint-Germain: Are you suggesting an amendment to the bill so that your office is the designated authority for oversight?
Mr. Dufresne: It is up to Parliament to determine that. If the commissioner’s office is designated to administer this aspect, the necessary resources would have to follow. It is an important mandate. We will be ready to take it on, if necessary.
We already work closely with other regulators. Whether the mandate is given to the CRTC or to a new entity, we will work with them. We already work with the CRTC, the Competition Bureau, and the Copyright Board of Canada. We know that in the digital realm, there are several areas that will affect more than one regulator. It is essential that we be able to collaborate.
One of the amendments I requested, not in the context of this bill, but in that of the Privacy Act, is that I have the authority to conduct joint investigations with Canadian agencies, such as the Competition Bureau. This is a loophole in my enabling legislation that could ensure better collaboration. I hope that this will be addressed in a future modernization of the act.
Senator Saint-Germain: That is clear. Thank you.
[English]
Senator Simons: Commissioner, I have some concerns about the methodology of age verification. Senator Miville-Dechêne’s bill does not dictate how age verification should work, but we have been provided examples of how it is working in other jurisdictions.
In the United Kingdom, for example, one thing they are doing is using your banking information. You provide your banking information, and then they look at it and see what you buy and whether that suggests you are over 18.
One of the other methods is email-based age verification, where you provide the email address and the algorithm analyzes other online services where you have used your email to guesstimate your age.
I’m really uncomfortable with the idea of turning over that kind of private information to an age-verification system. Can you tell me whether you think either of those methodologies would work, or would you also have questions about how much of your most personal, intimate information you are being asked to turn over to a third party? It is not what pornography you look at, but I don’t necessarily want people looking at my banking records or seeing where I have used my various email addresses for services.
Mr. Dufresne: In our consultations, we have seen that there is a range of ways that you can establish your age. In fact, one of the changes in this bill is that it is not only talking about age verification but also age estimation. Age estimation will not be as precise; it will involve certain age ranges. There are a number of tools you can use for that.
What you described are tools that are possible, but the position we’ve taken is that it should be broad. There should be options given to individuals. It should use information that is the least intrusive necessary to establish that. There could be patterns of use. In the European Union, they are proposing different options: You could use this way or that way.
There needs to be an openness and also the general principle that you give as little as necessary. That’s established in the principles. The purpose is not to identify you; it is to establish your age.
So also pointing back to a —
Senator Simons: But you can’t do that. If somebody does a web crawl to see all the places that my email address pops up, that is going to identify me, is it not?
Mr. Dufresne: There are ways that it would be able to identify you, and there are ways that it would not. Those are some of the tools to look at. The app doesn’t need to know the name of the individual. There needs to be a way to establish that you are below a certain age, and we need to find ways to do that that will be minimally intrusive. That’s the work that’s going on internationally and in Canada, as well: identifying those tools.
But I agree. We’ve said this in our statement with provincial commissioners in terms of discussing digital identification. There should be options given to individuals. There should be a minimization of the types of information that are sought. It should not be done to centrally track and create a database but rather for that specific purpose. That is why there is the notion of data minimization: not using it for other purposes and, as much as possible, limiting the identification of individuals.
Senator Simons: But in the European Union, I understand that they are developing an app that is proprietary to them. As far as I know, Canada doesn’t have any such plans or capacity. So I would be turning over my information, and if there are commercial third parties that are verifying your age, they’re going to have such a depository of information. They will have everybody’s private banking information, private email information and commercial transaction information.
Surely, you can imagine that there is the possibility that this information could be hacked by outsiders or weaponized by the people who have it. We need only look at what happened with Elon Musk and DOGE to see what happens when a malevolent party has access to people’s information. The American government told their citizens that their information was private, and now it is in the hands of a private enterprise.
Mr. Dufresne: That touches upon the notion of retention of information: How long do you keep it? It is the information you receive and also whether you need to keep that information once you have established or estimated the age. I think the bill talks about destroying any personal information collected for age verification or estimation purposes once the verification or estimation it completed. That’s certainly an element. We don’t want any organization keeping information longer than necessary, precisely for the reasons you set out. This is one area where privacy law was ahead of its time, in a way, to deal with cyberattacks and privacy breaches. The longer you keep information, the greater the risk that you will become a target and the greater the damage if you are hacked.
So that notion of minimizing what you collect and also not retaining it any longer than necessary will be important.
Senator Simons: People will need to have public confidence in a commercial third party. I mean, 23andMe went bankrupt and all that information was sold.
Mr. Dufresne: This is where the framework becomes important in terms of the obligations, what is acceptable, what the requirements are and ensuring that there is accountability at the end. As you know, 23andMe was subject to an investigation by my office and the U.K. commissioner. We found shortcomings specifically in terms of how you safeguard information and what the passwords and security mechanisms are. So it’s absolutely the case that you can’t rely entirely upon and give free rein to an organization with respect to such information.
Senator Batters: Thank you, Mr. Dufresne, for being here and for all the important work that you and your office do to protect the privacy of Canadians every day. I am happy to hear that you were pleased with the amendments that were made to significantly tighten up this bill after a previous iteration.
Going back to the comments made in your exchange with Senator Simons, I was looking up that destruction provision. There is a provision in this bill dealing with the type of regulations that will be done for this — subclause 12(2). It says:
Before prescribing any age-verification or age-estimation method under paragraph (1)(b), the Governor in Council must ensure that the method . . .
— and it lists a number of things, but paragraph 12(2)(f) says:
destroys any personal information collected for age-verification or age-estimation purposes once the verification or estimation is completed . . .
So that is right in the bill regarding that issue.
My question to you, Mr. Dufresne, is this: There are a number of sizable international companies involved here in the sphere of internet pornography. Given that many of these companies don’t have much of a base in Canada, can we have confidence that our laws here will provide the necessary protections?
Mr. Dufresne: In terms of the application of laws, and certainly privacy laws, the interpretation is that if it affects Canadians, it applies. So the fact that an organization doesn’t have a head office or operations in Canada doesn’t exempt them from compliance with Canadian law.
We must ensure that the remedies are significant enough. I have been consistently asking for an amendment to and a modernization of privacy law, because one thing I lack as a regulator is order-making powers and the power to impose fines. That’s a gap, because those things influence how CEOs and boards look at risks and prioritizing investments. They are necessary. It is not that I want to be imposing those fines, but the mere possibility really focuses the mind of a decision maker.
That’s also why we need to have strong international collaboration in this space. It doesn’t just affect Canada but the whole world, and what happens around the world affects Canada. That is why I’ve been working closely with counterparts around the world. In fact, a few weeks ago, I was elected Chair of the Global Privacy Assembly, a group of all privacy commissioners around the world. One of the priorities I set out in that role was to protect children’s privacy and work to bring together international best practices. Canada can lead in that, but it is also so that we can raise the bar all over the world. That makes it easier to achieve enforcement and convince big global companies.
Senator Batters: Great. Congratulations on that. It is well deserved.
Regarding the gap in Canadian privacy law that you were just referring to — just so that everyone is clear on this — the amendment that you are seeking is not for this act but for the federal privacy act. Is that not the one?
Mr. Dufresne: That’s right: the Personal Information Protection and Electronic Documents Act, or PIPEDA. That amendment would be in this legislation, but this bill already has some financial consequences from the offence provision, so that’s not something that would come here. But it is highlighting the fact that Canadian laws do affect international organizations, but international collaboration makes it easier to enforce all over the world.
Senator Batters: Absolutely, yes. The amendment you’re seeking to PIPEDA would be something that would help you with all Canadian laws you are looking into.
Mr. Dufresne: That’s right. The reason why we’re working closely not only with other privacy commissioners across Canada and around the world, but also other regulators — competition, telecommunication, copyright and human rights authorities — is there are so many areas where privacy will be part of it. It may not be all of it.
Sometimes you have a specific regulator for online harms. In Australia, they have the eSafety Commissioner there to protect children online. We have a Privacy Commissioner. It’s important that those two regulators work very closely so we’re not at cross purposes. One of the earliest things I said as Privacy Commissioner is that I don’t want this to be a zero-sum game between the public interest and privacy or a strong economy and privacy. It takes a lot of work, but our citizens deserve to have both.
Senator Dhillon: Thank you, Mr. Dufresne, for being here, and thank you for your work and supporting this bill.
You are the gatekeeper for Canadians in protecting their privacy. Canadians can take some solace — or hope that they can — from the fact that you would not lend your support to this bill if there were any compromise to their privacy. Would that be a fair statement?
Mr. Dufresne: My role is to highlight privacy gaps and to make recommendations to improve things and strengthen privacy wherever I can.
That’s why I had indicated that there were some issues in terms of the scope and also the age-verification safeguards in the previous iteration of this bill. Today, I’m saying that those have been addressed by amendments regarding the definition of pornography, the role of the Governor-in-Council and precision about accidental or deliberate.
There’s been a narrowing there and a strengthening of the authorities and principles that have to exist for age verification. There’s authority given to the Governor-in-Council to bring further precision on things that should be out or in. The caveat that I’m highlighting in my opening statement is that it is important, and I will expect to be involved and consulted in those regulations because they will be bringing important elements into the implementation stage.
Senator Dhillon: Not to get ahead of the work here, but I would like you to hear your perspective on standards. When standards are independent insofar as there are third-party age-verification service providers, what do you believe those standards should be to ensure that personal data ultimately is destroyed securely and irreversibly? What mechanisms or assurances should be in place to allow individuals and oversight bodies to verify that their personal information has been destroyed?
Mr. Dufresne: These are the key privacy principles that apply to this space in terms of age assurance, but they apply generally to much of the work in privacy. These include making sure that you have necessity and proportionality, that you’re not getting more information than you need for your purposes; and making sure that your purpose is important, so the notion of it being risk‑based. This is perhaps a higher level of age estimation because it is a higher level of risk with respect to pornography.
The same type of age estimation or age verification might not be appropriate if you have a lower risk situation. In our consultation, for example, our view changed on that. We started from the principle that you should only use age verification in high-risk situations. We received a lot of feedback from groups saying it should be more nuanced and risk-based because we should not ignore even moderate risk to children; we should still protect them from that. The best interests of the child is a fundamental principle. We have added nuance to that.
Data minimization, necessity, destruction of information, not keeping it longer than is necessary and ensuring it is not used for other purposes are all very important. We must ensure that it is transparent, people understand what it is and is not for and that we have regime surrounding it. The notion of the Governor-in-Council being required to ensure those things is an important element. In the previous version, just considering those elements left too much leeway.
Senator Dhillon: You spoke about the regulatory part of this effort as well. You suggested that it may not be appropriate for it to land in your office. I may have misheard that, but if that was incorrect, do correct me.
Mr. Dufresne: I’m not saying it would be inappropriate. That is a decision for, in this case, the minister or the government. Different countries can take different positions on that.
In a number of cases, it will be the communications regulator, the telecom or a specialized online harm or e-safety commissioner. It has not been the norm to give this to the privacy regulator, but it’s not impossible. If this is the choice, we will fulfill that mandate provided we are given the necessary resources.
Senator Dhillon: You are king for a day. What is your recommendation?
Mr. Dufresne: My recommendation is to ensure that whatever process this takes, the privacy regulator, my office, is involved in terms of the consultation and the interplay with the government and whatever agency is given that responsibility.
Senator Dhillon: Thank you.
Senator Clement: Good morning, Mr. Dufresne. I’m always happy to hear your testimony. You’re always so cogent. It’s helpful. Thank you.
I want to come back to your comments around consultation and your answer to Senator Prosper’s question. It sounds like your consultations were extensive. Did they include youth groups and youth? I worry about young people being technologically ahead of most people and that there will be workarounds.
I’m just going to give an example: Lawyers use age verification or ID verification, but clients trust their lawyers and will send their information freely.
But when you have this on a pornography site, you will have young people very highly motivated to work around this. This bill is one thing. Given your work on the Global Privacy Assembly, what needs to be done in addition? What are other jurisdictions doing in addition to a bill like this?
Senator Miville-Dechêne told us the bill will allow for technological changes and advancements. But what more needs to be done to deal with the workarounds that will always be in play?
Mr. Dufresne: This is a sort of whole-of-society effort. The law and the age assurance will not solve everything. You’re right. People will attempt these workarounds.
Senator Clement: And not just young people — adults too.
Mr. Dufresne: That’s right. In the U.K., after the law came in, there was a big spike in downloads of VPN apps. There was also a spike in downloads of Yoti, an age verification app. There will certainly be instances of workarounds. This must be addressed with education, working with youth and working with parents. People will try to get around rules, and we need to think of ways to stop that. But it will protect kids who are accidentally coming upon this information.
The child that really wants to get around it may succeed in doing so. That shouldn’t be a reason not to have the regime, because the regime is really meant to protect, in many ways, kids who accidentally stumble on this. That won’t be impacted by the child who tries to get around that information.
That is one of the things we heard. To your earlier point, we did include youth groups in the consultation. One of the things we heard from them about is the impact of some of the problematic pornographic and otherwise violent sites on mental health and youth development.
In our investigation of TikTok, the findings of which I made public last month, we saw harms to kids in terms body image, confidence and the normalization of gambling.
There are many harms in that space, and we need to work as a society to educate parents and youth. I am about to finalize the selection of members of the youth council that I will be creating. We need to give voice to youth so that they can be heard and so that we can see what works, what doesn’t and how we can reduce the number of individuals who want to attempt the workarounds.
But virtual private networks, or VPNs, will continue to exist. They are privacy protective in appropriate circumstances. In this circumstance, I think, they are part of the effort to see how we can reduce this situation.
Senator Clement: Bravo for further youth consultation. Thank you.
Senator K. Wells: I have a few questions. Thank you for the informative conversation.
Just now, you mentioned TikTok and social media. We heard previously that social media is probably where young people are accessing most pornography, not through commercial sites.
To be clear, this bill as it’s proposed wouldn’t include social media and the privacy, health and well-being concerns that you’ve indicated and you’ve heard about from young people, right?
Mr. Dufresne: Right. The issues around social media’s impact on youth are a separate situation. This bill is about pornographic content.
Senator K. Wells: So much more work needs to be done around the social media space and other online harms that, for example, Bill C-63 from the last session of Parliament was trying to address?
Mr. Dufresne: Right. Again, our TikTok decision was not about pornography. It was about the fact that you have kids younger than 13 – 500,000 of them every year — who would go on TikTok and be detected after the fact, and there would have been information collected about them and ads sent to them, so the harm would have happened. That is a situation where we concluded that some form of age estimation or age verification must happen there to protect children.
We must continue to work together with civil society and other regulators to say, “Social media platforms are there and can bring good things, but how do we protect kids in this space?”
Senator K. Wells: And the algorithm that feeds them this violent, extremist, hateful and sometimes pornographic content as well — you are saying they are stumbling across it and may not even be intentionally seeking it out.
Mr. Dufresne: Right.
Senator K. Wells: More directly related to this bill before us, then, and the limited scope that it has, you mentioned that if your office were the regulator, additional resources would be required to support the implementation.
Do you have a sense of the cost of those additional resources — for staffing or regulation — and a ballpark figure?
Mr. Dufresne: I do not. We have not done the exercise of estimating that. We could, if that were to assist, but it’s not something that has been contemplated in the discussion.
We would certainly need it in terms of receiving complaints, issuing notices and following up. The bill provides for taking steps to the Federal Court, so all of those things require appropriate resources, whether it’s with us or another entity.
Senator K. Wells: I guess that hasn’t been fully explored. Is it millions? Is it tens of millions? What is the cost of implementing something with a narrow scope that still allows children to access much of the explicit pornographic material? Is this a drop in a bucket against a much larger issue that, at the end of the day, may have more symbolic value than actual, real-world value in stopping young people from being able to access or stumble across this explicit pornography?
Mr. Dufresne: I think that is a challenge that is part of our reality in the privacy space. Certainly, the scope of the work is immense. The organizations that we’re regulating have significant financial resources, much more than we ever could.
We have to be realistic with the public resources that are available and focusing on risk-based and targeted approaches.
At my office, one of the things that I have said is that strategic priorities are focusing on kids’ privacy and evolving technologies, but also maximizing impact. Not every case is going to warrant a big, long investigation. We’re trying to resolve things earlier, and we are trying to use promotional tools. We are trying to use prevention.
In a sense, that’s the spirit of this bill as well, the notion that the regulator would be able to give a notice and say, “Well, take it down.” And then you have some time to take it down.
It’s always better if you have education, prevention and promotion, even if it takes a reach-out from the regulator, and you leave the cases that go to court and require a long process to those where either there is no positive response from the organization or a new legal issue that needs to be clarified.
Senator K. Wells: I have one more small question, if I may.
I can’t quite recall, but you mentioned in your comments about a country — perhaps Australia — that has an e-commissioner for children. Is this something that you would recommend we have here in Canada? You said it would work alongside your office.
Mr. Dufresne: Well, I think if this bill is adopted, there will need to be an entity that is designated. The option for Parliament is going to be either give it to an existing entity or take steps to create another.
Certainly, the model of having an online digital regulator is something that exists in other jurisdictions. It exists in the United Kingdom, Australia and France.
What is important from my perspective as Privacy Commissioner is that I need to be working with those institutions, whatever they are. That is why we created the Canadian Digital Regulators Forum, working very closely with those colleagues. In fact, even at the international level, there is a grouping of cross-regulatory collaboration, and the Organisation for Economic Co-operation and Development, or OECD, is involved.
We’re really seeing more and more that unless you create a massive regulator that will have such a broad scope, individual regulators need to work together, and that is what we’re doing.
Senator K. Wells: It is interesting to me, since we’re talking about children’s rights and the rights to privacy, that in Canada we don’t even have a national children’s commissioner to coordinate and advocate, as you said, for the best interests of children throughout the federal government and across this country from coast to coast to coast. Maybe that is something we need to look at in the larger scheme of things: a permanent voice for children and young people in our country.
Mr. Dufresne: In the meantime, certainly a significant number of privacy commissioners — my colleagues in the provinces and around the world — have made children’s privacy a priority.
There isn’t a void, but there could be more.
[Translation]
Senator Oudar: First, thank you, Mr. Dufresne, for the quality of your presentation today and for your leadership. It has already been said in English, but I will say it again in French: You have been elected chair of all privacy commissioners around the world. Congratulations and thank you. Thanks to you, Canada is exercising this leadership in a remarkable way. I am very happy about that. Thank you also for what you said about your leadership on behalf of young people. That deserves to be highlighted.
I found that very clear this morning. Yesterday, I had several questions about the Canadian Bar Association’s brief, which we will hear later. You ultimately distance yourself from the content of that brief. You may not have had time to read it, as we only received it yesterday. I am pleased to see your conclusions.
I actually had the same question as Senator Batters about the territoriality of laws and the application of legislative provisions to organizations that do not have a Canadian border but are located elsewhere in the world. I understand that, with the cooperation of other countries, you are able to do what you can.
You mentioned an amendment. I wasn’t there at the very beginning of the work on the previous bills. You may have already submitted it at some point. I would be very interested in you sharing it with the current committee members. There are new members on the committee. I know that a law must not affect the budget—I know that this is the same at the provincial level, and I am familiar with the legislative rules that apply to both levels of government—but I would still be interested to see if there are any possible solutions that respect our own powers.
If you want to debate a bit, it seems to me to be a question of resources and budget allocation. Is there anything else that concerns you? What can we do about it?
Mr. Dufresne: Thank you for the question and comments. In the public sector, the enabling legislation is the Privacy Act. That act dates back to 1983. The act that deals with the private sector dates back to 2000. In both cases, this predates by far the very significant technological developments we have experienced. First there was social media, and now there is artificial intelligence.
It is high time that these two laws were modernized, both for the public and private sectors. The public sector, for example, has no necessity or proportionality. The government is given a great deal of leeway when it comes to the use of personal information. There is no obligation to conduct privacy impact assessments.
There are shortcomings, and they have already been pointed out. Our power to issue orders and fines makes us stand out internationally, but not in a good way. Some provinces, such as Quebec, British Columbia and Alberta, have the power to issue orders. Quebec has the power to impose fines. The federal government does not have this power.
In the meantime, I will use the law and the tools at my disposal. For example, we conducted the TikTok investigation with Quebec, British Columbia and Alberta. This approach made use of my powers and their powers. I conducted the investigation into 23andMe with the UK Commissioner. He has the power to impose fines and issue orders. For my part, I had more power in the investigation when it came to obtaining documents. So we combine our strengths while minimizing our weaknesses in order to achieve the best outcome for citizens. At the end of this investigation, my colleague imposed a fine on 23andMe, while I was unable to do so. This point was raised. People asked why Canada did not do the same. I responded by telling them that I did not have the authority to do so.
I think it is something that could easily be corrected by Parliament, and I hope that will happen soon.
Senator Oudar: I don’t know if this request was made in writing with the wording of an amendment. I would be interested to see the documents that were circulated. Perhaps they could be filed with the clerk so that all committee members can benefit. Thank you.
[English]
Senator Pate: Thank you, and I reiterate all of my colleagues’ congratulations. Thank you for your work.
Having been on the end of trying to get investigations done into government departments, I’m curious to know what the practical challenges will be for you in terms of enforcing this legislation. As you know, there are all kinds of ways to put up roadblocks to you being able to do your work. You and your department and I have seen many examples.
I’m curious — what are some of the roadblocks we can anticipate? Are there things we can recommend that would preclude some of those?
Mr. Dufresne: In the context of this particular bill, there are financial sanctions. There is the possibility of a recourse to the Federal Court. There is the notice. There is the intention of an order. So that process exists. The regulator given that responsibility will need enough resources and the ability to push this forward. The court system will also need to have the resources.
Often the challenge is resources in organizations. Certainly, my office has not received an increase in resources or staffing, despite having new responsibilities on, for example, cyberbreaches, which are massively increasing despite having artificial intelligence and technology moving forward. That is part of the issue. The other is the enforceability, the powers that you have — or the lack of power.
We need to look at ourselves internally, and I’m looking in terms of my office’s processes. Can we be more nimble? Can we push things faster? That is the point I made earlier about trying to get earlier results, sometimes not necessarily with a full investigation but with a commitment from the government or the organization.
It’s offering the right incentives for organizations to do the right thing more quickly and earlier, but also ensuring that you have consequences if they don’t. That is where, certainly, I would want to see improvement in terms of having faster outcomes for Canadians.
[Translation]
Senator Saint-Germain: I have a very specific question. Is there currently an age verification mechanism that you are satisfied with?
Mr. Dufresne: Australia has just conducted an in-depth study on this area, as they are required to do so under their law. The conclusion was that it is possible and can be done.
We haven’t done this verification yet, as there is no legal obligation to do so at this stage. Based on what I’m seeing internationally, I’m confident that technology can achieve this goal. We need to map out the process, set out the requirements, and ensure that corrections are made. However, I think it’s possible to do this with technology. Technology must be used appropriately to protect privacy.
Senator Saint-Germain: At that point, shouldn’t the criteria and guidelines you mention for achieving these objectives be included in the legislation? Furthermore, in order to be effective and enforceable, shouldn’t the implementing regulations wait until these technologies clearly exist and are to your satisfaction in this country?
Mr. Dufresne: If the bill is passed, the next step will be to ensure that the regulations are adopted by the government. Sufficient consultation and verification with the industry is needed to determine who will do this. Will it be a private or government solution? What will the requirements be? Enough time needs to be set aside to get this done. We’re seeing this in other jurisdictions. In Australia, rules are coming into effect to prohibit access to social media for people under the age of 16. The work is still being done. The rules should not come into effect immediately after royal assent. I believe there is a one-year delay planned, and we will have to make sure that’s enough time to do the work.
Senator Saint-Germain: Are you unsure whether this is sufficient, given the complexity of the verifications that have to be done?
Mr. Dufresne: It’s more up to the government and the regulatory process to ensure that the guidelines can be implemented. If there are concerns about this, a different effective date could be proposed by order in council or something similar.
[English]
Senator Simons: Commissioner Dufresne, I want to come back to the subclause that was cited by Senator Batters in the regulations, the age verification and age estimation methods in subclause 12(2). As I read this, the bill contains no statutory requirements or conditions that would apply to the third parties providing the age verification or estimation methods. It states, in regulation, “ . . . the Governor in Council must ensure that the method . . .” does all of these things and destroys the records in a timely fashion. But what is the enforcement mechanism?
Mr. Dufresne: There would be a number of enforcement mechanisms. One would be the privacy legislation itself. Organizations cannot retain information for longer than is necessary. There would be the possibility of a recourse under my legislation in that sense, as would be the case for any organization. They would be asked, “Why are you keeping this?” especially if you have a bill and a regulation that explicitly say, “You must destroy it. You must not keep it.” It would be very difficult for an organization to justify keeping it. They would be in noncompliance with the regulatory scheme.
That is where I would see the recourse — very much from a retention standpoint.
Senator Simons: What are the penalties or the consequences? If you hold an investigation and find someone in breach, what happens?
Mr. Dufresne: That is the other issue that I raised. I don’t have the authority to issue fines. I don’t have the authority to issue orders. If an organization is found in breach of privacy law, I make recommendations. They can follow them or not, but I can’t issue fines. If I wanted to have financial consequences, I would have to take action to the Federal Court. That’s expensive and lengthy, which is why it’s important to modify private sector privacy legislation, not just for this type of situation but for all situations.
Senator Simons: I agree completely. I want to return to this, then: Under this regulatory regime, where are the teeth that would give me assurance as a consumer that this data will be as private as the regulations actually call for? If you don’t have any enforcement mechanism and if all you can do is make regulations, how would this be functional?
Mr. Dufresne: These regulations would set out what is acceptable as a defence to an organization that is making the pornographic information available.
Senator Simons: But it is not about the organization. This is about the third party, because it’s not fair to blame Pornhub or X or whomever if the third party that the government designates is in breach. That’s not Pornhub’s or any other provider’s fault. It says here, “ . . . Governor in Council must ensure . . .” but what mechanism does the Governor-in-Council have to ensure that?
Mr. Dufresne: The mechanism would be a complaint through my office, and so we’re back to the gap —
Senator Simons: So all you can do is make recommendations. You can’t fine people.
Mr. Dufresne: Unless I take action in the Federal Court. There is the possibility of making a finding, then if it’s not followed, taking action in the Federal Court. We’re doing that in certain cases, and I’m not ruling it out in a case like this. You have a bill that’s not followed. You have regulation from the government. This may be an appropriate case for doing it, but I’m still going to call for law reform to have the ability to do it directly because, again, it gives us more time.
I will say this, and it comes up often: As much as I want the ability to issue fines and orders, and it is necessary, I don’t want to minimize the reputational impact on organizations of a public finding from my office. It has been my experience that organizations don’t want to have a public press conference held by the Privacy Commissioner, calling them out on practices, so it is not enough, but it is something. I want to make that point. Certainly, organizations in Canada are very mindful of that, but we absolutely need more in terms of fines and so on.
Senator Simons: Thank you so much.
The Chair: I have two quick questions, Mr. Dufresne.
First, Senator K. Wells has raised this issue, but if there is a designated entity and it is required, it will take some millions of dollars to actually fund and resource such an agency so that it will be effective and efficient. Is that fair to say?
Mr. Dufresne: I agree. You will have to provide resources to an agency to do this.
The Chair: Second, we’ve heard a lot of about reliance on regulations. What minimum privacy standards could be put into this statute, as opposed to in the regulations, to reassure Canadians that their data will be minimized and there will be no identity retention or cross-service linkage, and that this will support an independent auditor’s abilities so that adults’ information privacy is protected and Charter risks are reduced.
Mr. Dufresne: I think you have it in the principles set out there for the Governor-in-Council: the effectiveness, the arm’s‑length policy, the user privacy, the data minimization and the compliance with general best practices. I think having order‑making and fining powers for my office would not come from this bill. It would come from a separate bill on privacy legislation. That would be key.
If you wanted to strengthen the consultation and the role of my office in this, that could be added as an obligation, a duty to consult my office, in the drafting of those regulations.
We’re going to continue the work on our end in terms of privacy impact assessment. I mentioned that’s another element where we see strengthening the practices of organizations. This should be an obligation for all organizations under privacy.
The Chair: Thank you.
Senator Batters: I want to briefly return to this discussion about the regulations that the Governor-in-Council is responsible for to make all of these different determinations, as well as “must ensure.” What that provision says is “Before prescribing any age-verification or age-estimation method under paragraph (1)(b), the Governor in Council —” meaning the cabinet or the government “ — must ensure that the method . . .” has all of these different characteristics, including the part about destruction of information.
I would say another safeguard — in addition to the substantial one that you raised, the possibility of taking this to the Federal Court, which is quite a disincentive if the government did something like that — is that there’s potentially a political cost to pay at ballot box. Voters could potentially judge the government if they were to put something in place that is not effective and if they do not ensure all the safeguards a bill passed by Parliament requires.
Mr. Dufresne: I said in my opening remarks that changing this language from “consider” to “ensure” was an important improvement. You have highlighted some of the consequences that flow from that. It is a much more discretionary threshold if you just have to consider it. The language in this case is much stronger and limits the government’s scope accordingly.
The Chair: Colleagues, please join me in thanking our witnesses for their participation here today. It has been helpful. Thank you very much.
For our second panel, we are pleased to welcome Brian Hurley from the Canadian Council of Criminal Defence Lawyers, by video conference. As well, we have Christiane Saad, the Chair of the Executive of the Privacy and Access Section of the Canadian Bar Association. Thank you for being here. Please join me in welcoming both of these witnesses.
Mr. Hurley, we will start with you. You have five minutes or so, sir, to give a brief overview of what you want to say. Ms. Saad, you will have five minutes as well. After the two opening remarks, we will move to questions.
Brian Hurley, Criminal Defence Lawyer and Director, Canadian Council of Criminal Defence Lawyers: Thank you very much. I come to this from the perspective of a defence lawyer who has been working in Alberta for 32 years, doing nothing but criminal defence, and I want to indicate that I am concerned about any law that interferes with access to a lawful product or form of expression and puts private data of citizens acting lawfully in the hands of third parties.
I would add that my concern is heightened, not lessened, when we are dealing with a law that has the express noble purpose of protecting children. I would suggest that any law of this nature needs to address three fundamental questions, and those all need to be answered in the affirmative before you can move forward with such a law.
First, is the law necessary? Necessity has two fundamental parts. Is there actual harm? This is different than what I heard in the earlier presentation about the best interests of children. If we go down the path of “the best interests of children,” I would suggest that’s very dangerous and can lead to age verification for all sorts of lawful but potentially unpopular products on the internet. Is there a real and actual harm? I’m sure you have spoken to experts, and I have looked at some experts’ reports on real and actual harm from pornography. I certainly have had clients involved in criminal activity where psychologists suggested that a childhood addiction of pornography played a role. If that exists, then that’s a yes.
However, we also have to confirm that parents are unable, without government intervention, to regulate their children’s consumption of this material — not that parents are unwilling, but unable. I should add that I come to this as a father of four, all now in their twenties, two boys and two girls, and I concede that it is plausible that parents cannot control access by children.
Even if we answer that question in the affirmative, we come to the second: Is the law necessary? Does the law actually have a meaningful effect? Is it too easily sidestepped by VPNs and other means that make the law ineffective?
I am concerned by the previous presentation, which suggested the law is only addressing or protecting children who accidentally stumble on the material and then click off. Such a risk to lawful citizens’ privacy information is not justified by this. If this is a law that every 13-year-old boy — and I say that mindful that I have had both boys and girls — but every 13‑year‑old child can easily sidestep and we’re not doing anything other than putting privacy data at risk, then I have real concerns.
If the law is necessary and effective, then does its positive effect outweigh negative consequences that will likely flow from it? I am prepared — as I think most of us are — to assume that it has a necessary element to it and there is a concern. But I remain concerned with a preamble that mentions negative stereotypes and attitudes. This focus on ideas and broad scope concerns me with respect to laws down the road that may go after other things viewed by then-governments as objectionable on the internet — as fostering or encouraging negative stereotypes, attitudes or ideas.
I am mindful of whether it works, most importantly, and I note that we have not discussed Texas and Tennessee, which are actually doing this. I am concerned that perhaps not focusing on Texas and Tennessee is because of their politics. Is it working in Texas and Tennessee? Can every 13-year-old access pornography despite age verification that has been in place in those states for a number of months?
As an Albertan and a Canadian, I am concerned about overreach. We had our own Danielle Smith ban sexually explicit material from school libraries. I do appreciate Bill S-210 had “sexually explicit” and Bill S-209 has “pornographic,” and that’s an important change and improvement, but we have to concern ourselves with overreach.
I like the addition of clause 6 from the old bill that discussed “incidental,” but once again, this is somewhat vague and I have concerns. But the huge concern is the privacy interests of lawful citizens engaged in consuming lawful material, a lawful form of expression.
I am particularly concerned about paragraph 12(2)(d), when it comes to information and the retention of information, that indicates “ . . . except to the extent required by law . . .” Private information needs to be destroyed immediately. It should not be retained. Misusing or not destroying or misusing that information needs to be an offence in this piece of legislation if it moves forward.
We heard from our Privacy Commissioner about his limited power to deal with this. With respect, there is enormous value in information. We know that. Simply public shaming is not enough. Misuse of information should be an offence if this legislation moves forward. The information of a private citizen lawfully accessing something should be destroyed immediately.
Those would be my brief statements, and I will turn it over to my friend from the Canadian Bar Association.
[Translation]
Christiane Saad, Chair, Executive of the Privacy and Access Section, Canadian Bar Association: I would like to thank the committee and honourable senators for inviting the Canadian Bar Association. My name is Christiane Saad, and I am the chair of the privacy and access law section. Since I’m a mother of teenagers, this bill is particularly important to me.
We appreciate the changes and clarifications made since the introduction of Bill S-210, which clearly demonstrate your intention to allow flexibility while protecting young people and targeting sources of commercial pornography, rather than the internet infrastructure in general.
While we generally support Bill S-209 and its objective, we have concerns about its implementation, particularly with regard to the privacy and personal information protection issues that I will focus on.
One of the desired effects of this bill is to force distributors of pornographic material to implement prescribed methods of age verification and estimation in order to restrict access to persons over the age of 18. The preamble highlights the rapid evolution of technology and mentions how much more sophisticated it has become in determining the age of users to meet the needs of the bill.
However, as other witnesses have pointed out, the bill doesn’t contain any details on how the government will balance privacy and its protection, leaving these aspects to be addressed during the regulation and implementation stages.
Although it’s common practice to reserve implementation for the regulatory phase, in the case of this bill, this entails certain additional risks for the protection of personal information. Age verification and estimation are used to determine a user’s age, but they differ significantly in how they are applied.
Age verification involves direct proof of identity or even biometric data indicators, whereas age estimation could use AI and similar technologies to provide fairly accurate results, although this isn’t always the case. At the same time, this could preserve user anonymity, but it may not be as accurate as the first method.
However, without clear guidelines, these technologies open the door to the risk of excessive accumulation of critical data, secondary use such as training an artificial intelligence system, and even expansion of inferences with other personal characteristics.
The bill deals with data collection and retention. It has been mentioned several times that this data must be destroyed immediately after verification, but this has been done using broad terms based on information and data protection principles. However, some key details are missing that could help us set guidelines, such as the definition of a retention schedule or clarity on how quickly this data will be destroyed, the verification or enforcement mechanism, and also the storage location of the data that will be collected by these organizations. It should also be specified what solutions and options are available to users in the event of data mismanagement.
As a result, the bill leaves many safeguards essentially to future regulations by making enforcement and technical protections heavily dependent on implementation rather than the legislation itself.
If data are collected, Canadians need to have certain guarantees that their data will be protected when these techniques are used.
The bill also raises some concerns about the use of third-party organizations. We know that they may have developed better technologies, but we have concerns: Are they Canadian companies? Are they private entities? Where would the data they use be stored?
Obviously, because of AI and other technologies, we could see an increase in the risk of direct or indirect commercial exploitation of the information collected for the purposes of this bill. This raises several questions about certain functional abuses.
Finally, even though section 10 gives the federal court broad powers to order internet service providers to block certain access to organizations that do not comply with the law, such measures may lead to excessive blocking or even the removal of legal content, which could result in collateral censorship that may restrict or appear to restrict freedom of expression and access to information for some citizens.
For this reason, the privacy and access section of the Canadian Bar Association applauds this bill, but recommends that certain clarifications or amendments be made to address these concerns and reinforce the message of public confidence. Thank you.
[English]
The Chair: Thank you, witnesses. We will now move to questions, starting with the deputy chair, Senator Batters.
Senator Batters: Thank you. We appreciate you both being here and the comments that you have provided to us today. I have a couple of things.
First, Mr. Hurley, you mentioned those U.S. jurisdictions, including Texas. Our committee’s study did just start yesterday. Just so you know, we do plan to hear testimony about those and other international jurisdictions that have these types of situations so that we can properly understand them.
To both of you, this is a private senator’s bill; it’s not a government bill. The part that is set out is the mechanism to set out what the Governor-in-Council, the cabinet, must do as far as regulations and listing it as “must” and not “consider.” As the Privacy Commissioner was just saying, that’s something that gave him considerable comfort.
But in the past few years, we’ve had a number of government bills that are similar in scope to some of these types of things. We had Bill C-11; the online harms bill, Bill C-63; and the proposed cybersecurity act, Bill C-26, which is now Bill C-8 and has been reintroduced by the government. All of these had considerable overreach situations and parts that dealt with broad, principle-based terms, but then they left much to a regulatory phase that the government would develop in future years or who knows when.
Did you or your organizations or express these types of concerns about those types of bills? I will start with you, Ms. Saad.
Ms. Saad: Thank you for the questions. We are aware of this approach because we can’t plan everything originally in the law. But these regulations will support, later on, the application of the specifics of each of them.
However, the CBA, in previous submissions — not specifically for this one — did raise some concerns about overreach and leaving some of the specifics to regulations because sometimes it will take too long to effectively implement the required regulations. Depending on the type of consultation needed — as highlighted previously, for example, by Commissioner Dufresne — sometimes it’s a concern. We didn’t analyze it deeply for this specifically, but it was something that was raised by our group.
Senator Batters: Okay, yes. I was the critic of the cybersecurity bill previously, in the last Parliament, so I know that one allowed government ministers to order people “ . . . to do anything, or to refrain from doing anything . . . .” That’s as open-ended as it got. I am letting you know that it’s not just a much-smaller-in-scope private senator’s bill that has these types of concerns, but sometimes it brings in the entire mechanism of the government. And if they consider that type of manner is appropriate for those large items, it could well be, on a smaller scope, appropriate here.
Mr. Hurley, I put that same issue to you, if you could answer about those other types of large government bills.
Mr. Hurley: My friend from the CBA expresses the same concerns I would have as a lawyer and that my organization would have. We are always concerned about overreach and vagueness, and we’re always concerned about a bill with a noble cause.
I’m a parent — as I said, my four children are all adults now — but I would obviously support limiting access to child pornography for children. That’s a no-brainer. The issue is the overreach and the vagueness. In this bill, the issue is putting a lot of private information out there that could be monetized or weaponized. But, yes, my answer will be the same as my friend from the CBA’s.
Senator Batters: Sure. Obviously, you were just asked to be on this panel, but I don’t know if you had an opportunity to hear the testimony of the Privacy Commissioner. I can say from experience, he generally doesn’t provide positive comments about the privacy mechanisms of something unless he has a substantial level of comfort around them.
Did that give you some level of comfort? I am not sure if you were able to hear his testimony or not.
Mr. Hurley: I did hear his testimony. It offered me some comfort, but it also raised red flags for me with respect to his ability to enforce or penalize violations.
Like my friend from the CBA, I think if we are going to have third parties, Canadians must be the third parties controlling this private information. Also, we need the ability to control them, and the way you control a company is to fine them if they violate.
Also, if we are to assume that this pornography is a lawful product and lawful free expression to which adults are entitled, then if we’re going to have adults give up private information, it should be instantly destroyed once it is confirmed that they are an adult and are accessing this.
Any retention of that information, distribution, monetization or weaponization of that information should be punishable under this legislation and not left to some later legislation or privacy commission that doesn’t have the power to fine or take to task. There needs to be more teeth to it than that when it comes to the private information we’re gathering.
Senator Batters: Right. I think you might have also heard the Privacy Commissioner say that he feels that there is a gap in general in the current Canadian privacy law, and he’s long been seeking an amendment to allow him to have more powers to enforce. It’s not just a matter for this law but for all of these types of things.
I have one further question for you, Mr. Hurley. Something you just said maybe leads me to a different question, which I was glad to hear, because in your opening remarks, you seemed to express some doubt that viewing pornography may be harmful to children. You did just say something that made me wonder about that, but I would like to provide you with a chance to clarify that.
Mr. Hurley: As a parent, I make the very unscientific assumption from my experience that it is harmful to children, but I keep in mind that I’m a parent and not a scientist.
I have, in my 32 years of practice, encountered a couple of young clients who engaged in criminal activity, and when a psychiatrist or clinical psychologist assessed them, they said that one of the contributing factors was an addiction to pornography from a young age.
You are aware, no doubt, senator, of a number of studies out there that discuss the impact of pornography on children and the developing mind of an adolescent, and it is usually boys. I started my remarks by saying that I have both boys and girls, so I don’t generalize, but at times there are different experiences. There are also studies out there that suggest some of these studies are overblown and exaggerated.
We want to be careful with such an emotional, hot-button issue that we look at good science and base our decisions on that and not an emotional response. The emotional response here is instant for the vast majority of humans, but we want to look at the science as well.
I know that as a criminal practitioner, when I am involved in cases that are extremely emotional, it is easy to get bad science in there, because it is emotional and we want to accept that science. We have to be careful when we look at science. That is all I am saying.
I’m certainly not suggesting pornography is good for adolescent boys or girls, but I think we have to be careful with respect to the science we look at and look at it objectively.
Senator Batters: Perhaps we will need to have a little bit of discussion about the science, then, at this committee dealing with this, because I think there is a substantial body that has existed for quite some time about the dangers, especially regarding future criminal behaviour and that sort of thing, so maybe we’ll need to have a bit of a look at that.
Mr. Hurley: And I’ve seen it in practice.
Senator Batters: Thank you very much.
[Translation]
Senator Miville-Dechêne: Ms. Saad, I’ve read your brief, and I must admit that I feel you have interpreted the bill in a way that doesn’t necessarily correspond to the latest version. One of the things you say in this brief is that the bill imposes mandatory proof of age for everyone. However, that isn’t true. The bill suggests age estimation as a means of verification, which isn’t mandatory proof of age. It is age estimation through AI. So, this isn’t accurate.
You also say that Bill S-209 doesn’t include any measures to ensure that this data won’t be collected or retained by the government. There is no mention whatsoever in this bill of the government retaining data. It refers to private third parties.
However, there’s a sentence in paragraph 12(2)(f) that reads as follows: “destroys any personal information collected for age‑verification or age-estimation purposes once the verification or estimation is completed;”
You say there should be a destruction schedule. In a bill, which is something granular, do you want us to include a schedule with dates? The idea is to set out principles that will be articulated in the regulations.
You know as well as I do that technology is evolving, and the idea of writing six pages of precautions into a bill seems counterproductive, given how all these data are changing.
I’m trying to determine whether you have properly reviewed this bill, which, incidentally, has been applauded in this specific area by the Privacy Commissioner, who said that it contained reassuring elements. How can you say that there are no safeguards when the Privacy Commissioner says he is reassured?
Ms. Saad: We’re not saying that we’re against the bill. We applaud it, as I mentioned. We’ve raised some concerns that have come up within our working group.
Without imposing any proof of age on everyone, the way to put it is that it applies to all potential users. That’s what we understood from the bill. It applies to all potential users of these commercial pornography sites. That was the idea expressed there.
However, as far as the government is concerned, this hasn’t been enacted, even though it’s mentioned in the bill that the information will be destroyed immediately after verification. These were concerns generally expressed by members of our groups. What can reassure us about the fact that this data won’t be retained and reused, or even shared with the government in an agreement with third-party organizations?
So, those are the concerns that have been raised. That doesn’t mean that this is necessarily the intent of the bill, but those are the concerns we have heard.
Senator Miville-Dechêne: That reassures me a little. Mr. Hurley, I’ll turn to you on the issue of age 13. The Commissioner said that it’s true that many children discover pornography through pop-ups, that is, unintentionally, except that the numbers are still significant. In fact, 27% of 11-year-olds have access to pornography, as do 10% of 9-year-olds; 50% of children 13 and over have seen pornography. These aren’t small numbers.
You’re wondering whether it’s worthwhile to have a bill if it doesn’t work well or if it fails to control the VPNs. No bill is enforced absolutely. No bill is respected absolutely. The same is true for this one as for the others.
What we’re trying to do is send a message and convince as many people as possible that pornography is not for children, and in this case, children 13 years of age and under don’t often have access to a VPN, so they themselves could be protected.
Isn’t it worth having a bill to protect the youngest children who aren’t trying to circumvent the rules? Just like speed limits, which aren’t always respected, as you know, you being a lawyer.
Is it a valid argument to say that this bill will be circumvented, so it’s better not to do it?
[English]
Mr. Hurley: I think it goes into the weighing process of the bill, and it goes to my comment on effectiveness.
If the bill isn’t effective — and we have to look at Texas, Tennessee, Australia and other places that are doing this — if the bill doesn’t deter the motivated 13-, 14- or 15-year-old from looking at pornography because it is too easily circumvented, then I think that goes into how we balance the bill and whether the positive effects affect the potential negative effects.
If all we are blocking is the accidental viewing of pornography by children who don’t want to see it, that is still absolutely something we would like to block. That is not nothing. But where does that weigh if that’s all we’re blocking, because any motivated 13-year-old can get around it, versus the potential privacy concerns?
I’m not saying that keeping children away from pornography at a very young age isn’t a good idea. The question is this: If this is all the bill is affecting, and it isn’t effective at blocking anyone who takes steps to go around it, then do we balance it differently when we are considering potential negative effects?
I do like the changes you have made, senator, in paragraph 12(2)(a), with “ . . . highly effective . . .” instead of “ . . . reliable . . .” I also like paragraph 12(2)(b), which is new, and paragraph 12(2)(e), which is new, but I have concern about paragraph 12(2)(d) — “ . . . except to the extent required by law . . .” — when it comes to retention.
So I have concerns about retention and that penalties should be in place for those who misuse the data that is collected. As I said, I don’t disagree with the goal of stopping very young children from seeing pornography, but if the bill is too easily circumvented by VPNs, et cetera, then that goes into weighing whether we pass or support the bill.
[Translation]
Senator Miville-Dechêne: I would add that bills that attempt to regulate the internet are, by definition, bills that enter into a new domain and cannot control everything. Right now, Great Britain is struggling with the issue of the increasing number of VPNs. There are forces there that suggest that VPN distributors could also be asked to participate in this age verification. So there are solutions on the horizon.
The idea that a bill has to be absolutely flawless in order to pass muster on the internet seems to me to be somewhat unachievable and unrealistic.
[English]
Mr. Hurley: I don’t disagree.
I should let you know that when I looked at this a few days ago, my instant response as a father was that I liked this bill. Then I threw it out to a chat group of criminal defence lawyers and said, “I’m going to speak to this in a couple of days, and I like this bill. What are the concerns I should be looking at?” And I received a deluge of concerns. That helped me think about my approach to this, senator.
The Chair: We have about 20 minutes, so we have to be fairly concise.
Senator Prosper: It is a challenge being concise, but I will try.
Thank you to the witnesses.
At the risk of being redundant, I was listening to the dialogue getting into overreach and vagueness. I’ll start with Ms. Saad. I understand that there are specific concerns you expressed with respect to having legislation that is general in scope and that leaves certain things to regulations. You have concerns with respect to not being explicit and leaving it to later implementation, but generally, you and your organization are in favour of the legislation. Are those more or less caveats for us to take into account? Okay, great.
Mr. Hurley, relating to those points of overreach and vagueness, what I get from you is that the added component, just mentioned in dialogue with the sponsor of the bill, that there is this added feature of it not being effective and thus not being necessary. In addition to that, there were concerns with respect to having explicit provisions regarding the timelines on the destruction of personal information. You would be against this particular piece of legislation, correct? Or am I misstating your position?
Mr. Hurley: I’m still trying to balance it. As I said, when I first looked at it, primarily coming at it as a father, I thought it was a good piece of legislation. Then, a few dozen criminal defence lawyers began to put opinions in a chat group, and I thought they had legitimate concerns. Any restriction upon a citizen’s liberty becomes a balancing act. We are going to restrict a citizens’ liberty — taking a freely available, legal product that an adult citizen can look at and restricting their ability to look at it. We’re putting restrictions on citizens doing something lawful.
If we’re going to do that, why are we doing it? Okay, we’re doing it to protect children. Everyone is going to be on board on that. Let’s protect kids; that’s a good idea. However, are we effectively protecting kids? If we aren’t, why are we limiting adult access to a legal thing?
Not only are we limiting adult access to a legal thing, but we’re asking adults to provide personal information that could be misused. That’s a risk.
So we must look at all those things when we put in the balance of whether we support this bill. My opinion is still being formed on that, senator.
Senator Prosper: Thank you.
Senator Simons: Mr. Hurley, it is nice to see you Edmonton this morning.
I want to take advantage of your expertise as a criminal defence lawyer and look at clause 9 of the bill, which deals with notice. In paragraph 9(2)(c), we are told that, when a notice is issued, it must state, “ . . . the steps that the enforcement authority considers necessary to ensure compliance with this Act . . .”
It seems to me that there is no opportunity for the organization that’s alleged to have committed an offence to have any appeal regarding following those steps. Would that be an accurate reading?
Mr. Hurley: Senator Simons, I think this bill is sensibly regulatory and not criminal. That is one of the things I liked about it when I looked at it initially. So you may be better off speaking to an attorney who specializes in regulatory processes, but I do agree with your assessment of it.
Senator Simons: Okay. I did speak to an attorney who specializes in regulatory processes before I asked the question, which is why I seem smarter than I actually am.
It is a concern to me that if you’re put on notice, it would appear there is no opportunity to defend yourself from the conditions as they are applied.
Mr. Hurley: As a regulatory thing, the question is this: Do we go to a regulatory panel as a first step and then go to the courts? This goes directly to the courts. As I said, a regulatory administrative law lawyer may be better served to give expert advice on that.
Senator Simons: So then lets to go to the application to the Federal Court. In subclause 10(5), we see the phrase:
If the Federal Court determines that it is necessary to ensure that the pornographic material is not made available to young persons on the Internet in Canada, an order . . .
— may be given to basically block access to a website.
Do you think it’s appropriate for the Federal Court to determine if it is necessary to ensure that pornography is not made available?
Mr. Hurley: I read that differently. I read that as saying the Federal Court needs to make an order to ensure that the youth can’t access pornography.
Senator Simons: But that subclause is saying that it’s necessary.
Mr. Hurley: I read that as saying the internet service provider is not doing what they need to do, so an order is necessary to ensure the internet service provider does it.
I’m not sure what the French version of the legislation is, but perhaps that wording could be cleaned up a bit to make that clearer.
Senator Simons: I think it’s basically the same in French — the sense of it.
I have a question for Ms. Saad. One of the options that Senator Miville-Dechêne has talked about is facial estimation as opposed to recognition, but it would still require a person to show their face. I have to confess that I am perhaps old-fashioned in this way, because there are many things on your phone — you can have options for days — but I turn all of those off. Obviously, I am a public figure; my face is somewhat well-known, to the extent that a senator might enjoy some small modicum of celebrity.
We had witnesses in one of the earlier iterations of this bill from the United Kingdom. They talked about their plans to roll out facial recognition in the grocery store. It would be some sort of facial estimation to decide if you could buy beer or cigarettes. I worry about the creep of facial and biometric identification.
Can you talk about how confident you think Canadians should be about the risks to be perceived in sharing their face and their other biometrics in order to access all kinds of things?
Ms. Saad: Thank you for the question. When I raised concerns about the use of AI, it was one of the dimensions. I am not a technical expert in all of these technologies. There are serious concerns, but these are the tools, and they are evolving constantly. Even if we delete an image, we are rolling out new systems, and images that were uploaded to the internet or to databases, for example, could be reused later on without us realizing.
It is now easy to make inferences with other types of demographic information and have a good profile on someone.
These are serious concerns, and I’m not sure how much the general public is aware of them. We use them every day in all our devices, home devices, everywhere, and it is not uncommon now to see additional steps, whether with some government services or private examinations, for example, when we are being proctored. These technologies are being used.
So there is a dimension of educating people, but also one of how to control them and ensure that we are using them only for the purpose that was initially intended. This is where the principles that we discussed earlier are relevant.
[Translation]
Senator Saint-Germain: I’d like to thank Mr. Hurley and Ms. Saad.
Mr. Hurley, at the beginning of your remarks, you said that this bill had to answer three questions, which were essentially three fundamental principles, the first being the need for the bill and the second, its applicability. The more I listen to you, the better I understand; I’m trying to summarize by saying that the father and mother in you believe that the bill is necessary, but that the lawyer in you considers it unenforceable because it’s too vague, leaves too much room for regulation, is based on unknown technology, and could lead to numerous challenges in higher courts, particularly with regard to the Canadian Charter of Rights and Freedoms.
Do you really believe this bill is necessary? Is it absolutely necessary to legislate at this stage, given other options that may exist?
[English]
Mr. Hurley: Being an early adopter is always dangerous and has its pitfalls. We see that in all sorts of things, so I would encourage this committee to look at places that have implemented it and see what they’ve done. I’m always opposed to any bill that limits my personal freedom or the personal freedom of citizens. But I am prepared to concede personal freedom has a limit, and adult personal freedom sometimes must be limited for the protection of children, but it’s a balance.
We have to find a bill that works, that stops access to pornography for children and is effective in doing so. If it isn’t, then you’re limiting my personal freedom, as well as every other citizen’s personal freedom, for no good reason.
We have to look at real-world examples. It is wonderful to be a first adopter of something noble if you get it right and it works. In Edmonton, we bought a bunch of electric buses, which seemed like a great idea, but we were first adopters and they were lemons and it was a waste of taxpayers’ money. So it is a noble idea, but you want to have proven technology and something that provably works, and you want privacy guarantees that actually work and are enforceable.
I wouldn’t say I don’t support the bill, but I am concerned about the balance and a limit on lawful activity for adults.
[Translation]
Senator Saint-Germain: Do you also believe that this bill underestimates or interferes with the role of parents, and that it also underestimates the role of education in sexuality and civics, which is now accessible through primary and secondary education programs across the country?
[English]
Mr. Hurley: That is part of why my question included that we must be sure that parents are unable to regulate their children’s digestion of pornography — not just unwilling but unable. If we confirm that they are unable, then perhaps this bill is necessary. But just as Danielle Smith’s book ban was not popular with me — I’m quite confident I can deal with what books my children are reading, and maybe they should read The Handmaid’s Tale — I’m concerned with overreach and interfering with any parent’s right to control what their child sees or does and the government getting involved in that space. The government should only be involved in that space if a parent needs the help and can’t do it themselves.
Pornography is everywhere. My own parental experience is that we could control our children up to a certain age. After that, we had to assume that we’d parented them right, because by 15 or 16, they were certainly going to be able to get around any control we put on them. So we had to assume we’d parented them right and they would deal with things like pornography based on our parenting. Would I have liked some help to limit it? I think I probably would have, yes.
Senator Dhillon: Thank you. I appreciate your comments and thank you for being here today, and I also appreciate that you’re on board but have some concerns. Let me get to those concerns very quickly. You have stated that those concerns are largely around — and you will correct anything that I say here — information and retention of private information.
I think, Ms. Saad, you said that Canadians require certain guarantees that their data will be protected, and we also cited the bill as prescribed by law.
To that end, perhaps I’m taking some comfort in what the commissioner said this morning, but I put this to both of you: Do the privacy laws and acts that currently exist within federal and provincial statutes give you the confidence or comfort that those issues will be addressed when they come to creating guidelines and regulations?
Ms. Saad: I believe the commissioner addressed the issue quite eloquently. He raised the limits of his laws. We do have the framework and some tools in place. They may need to be improved, but we have some foundation. It is not perfect, but we do have a base.
Mr. Hurley: I would be more pessimistic. I don’t think the privacy laws are strong enough. When you look at the consumption of pornography, there will be an enormous amount of consumption and an enormous amount of data gathered by this for those who don’t sidestep the law through VPNs, et cetera. That amount of data has value and the potential for weaponization. You need to be very careful with that.
Senator Dhillon: Thank you.
Senator K. Wells: I don’t think we have yet discussed the subject of my question. I want to focus a bit on the age in the bill being 18 and under. We have talked about clear harms against children. We have talked about how older teenagers are maybe more technologically savvy and can find ways around this bill through VPNs. I know the CBA previously raised the issue of the disconnect between the age of consent and the age in this bill. Do you see the need for the age in this bill to change to match the age of consent? What would be the right age if it’s not 18?
Ms. Saad: For this bill, we haven’t looked at that particular aspect in this consultation. We can get back to you on that.
Senator K. Wells: I think it was an issue the CBA raised the first time.
Ms. Saad: Yes, but we didn’t have the time to look at it.
Senator K. Wells: I appreciate that.
What about from a criminal law perspective?
Mr. Hurley: It is a difficult question, and it is a concern. Certainly, we are encountering teenage boys and girls who are generating their own pornography and sharing it. That happens. That is a part of life for teenagers these days. We don’t have a perspective on it, senator, but it is an interesting issue. As you said, and as I said as a parent, you can certainly control your 9-, 10-, 11-, 12- and maybe even 13-year-olds. After that, you really have to hope you parented them correctly and they make sensible decisions, because your ability to control them on the internet is pretty much lost these days.
Senator Clement: Mr. Hurley, I want to summarize what I heard you say. You can tell me if I’m correct in my assessment, and then I might want Ms. Saad to react.
I will take you to paragraph 12(2)(a), which added, “ . . . highly effective . . .” You like that.
Mr. Hurley: It is better than “reliable,” yes.
Senator Clement: Then paragraph 12(2)(b) says, “ . . . operated by a third-party organization . . .” You mentioned you’d like to see it be Canadian. I just want your reaction to that.
Paragraph 12(2)(d) says, “collects and uses personal information . . .” but you would remove, “ . . . except to the extent required by law . . .” in paragraph 12(2)(d). And then paragraph 12(2)(f) says, “ . . . destroy any personal information . . .” You would add a punishment for those who don’t destroy personal information immediately.
Did I hear you correctly on all of those items?
Mr. Hurley: You did, senator, yes. This bill gives an enormous amount of information, given the volume of pornographic consumption, and an enormous amount of private information to someone. We need to be able to control that someone. We can’t control them if they’re not in Canada, and we need some bite in our control by having a penalty. I would see no need to maintain that information once we’ve verified that this person is, for example, a 57-year-old man.
Senator Clement: Thank you, Mr. Hurley. I’m just thinking about amendments, potentially — maybe, maybe not. I’m just trying to get you to be more specific. Thank you.
Ms. Saud, do you have a reaction to those comments? Would your association agree to that kind of change?
Ms. Saad: No, these are the changes that we proposed.
I have one comment regarding paragraph 12(2)(d). You mentioned removing, “ . . . except to the extent required by law . . .” if we are referring to this specific law only. That’s the only goal where we have the need to collect information.
Senator Clement: Right. Thank you.
Senator Pate: I know the time is short. In some ways, the genie is out of the bottle. We are way down the track on this. My question to both of you is this: What would each of you recommend? If not this bill, then what?
Mr. Hurley: For me, senator, it is more a technology concern and whether this bill can be effective. As a 57-year-old person, I’m the wrong person to talk to about technology. But it is a technology concern, and it’s also the enormous amount of information that will be gathered and a privacy concern, which also regards technology, and once again, I am the wrong person to speak to that.
Senator Pate: Okay. Ms. Saud?
Ms. Saad: I’m going back to what Commissioner Dufresne mentioned earlier, about consulting more. If we want to apply this law, what would be additional obstacles that we have not highlighted so far? How will we implement it? Maybe we should consult other groups or young people. I don’t know. Maybe we could consult the commissioner’s youth council, for example. It is not a one-group initiative. It is really this collaboration and the impact on all of society. These would be my recommendations.
Senator Pate: Thank you.
The Chair: That brings us to the end of this panel. Thank you, witnesses, for participating. It was very helpful.
(The committee adjourned.)