moved that Bill , be read the second time and referred to a committee.
He said: Mr. Speaker, it is with great pleasure that I rise today to discuss Bill , the digital charter implementation act, 2020.
As members know, data and digital transformation is completely changing the way we access information, buy goods and services, connect with each other and live in our communities and cities. This digital transformation has been accelerated by the pandemic, and we are seeing more Canadians moving their activities online. Canadians are using more digital services and sharing more data online than ever before. They want to know that their personal information will be safe and that they are protected.
Recently, the Privacy Commissioner surveyed Canadians and found that the vast majority of Canadians, 92% of them, are concerned about the protection of their privacy, so this is an important issue to many Canadians. That is one of the reasons why last year I launched the digital charter, a set of 10 principles that lay down the foundation that will allow us to build an innovative, digital economy that is inclusive, people-centric and built on trust.
The principles of Canada's digital charter give Canadians more control over their data while helping Canadian companies innovate, grow and create quality jobs for middle-class Canadians across the country.
I would like to take this opportunity to remind members that the principles of the digital charter were very clear, and they focused on control and consent. Canadians will have control over what data they are sharing and who is using their personal data and for what purposes, and will know that their privacy is protected. This is one of the key principles we laid out in the digital charter.
Transparency, portability and interoperability will enable Canadians to easily manage access to their personal data and to transfer it without undue burden.
Data and digital for good is another principle that was laid out in the digital charter. The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people at home and around the world. How can we harness data to solve problems?
Another key element was strong enforcement and real accountability. There will be clear, meaningful penalties for violations of the law and regulations that support these principles so that Canadians can rest assured that their privacy will be protected.
As members will see, the principles of the digital charter are firmly embedded in the legislation before us today. On top of this foundation sits three pillars: consumer control, responsible innovation and a strong enforcement and oversight mechanism.
Let me begin with outlining how Bill would give Canadians more control and greater transparency in the manner in which companies handle their information. It would do this by introducing important rules for consent, the right to delete information, data mobility and algorithmic transparency.
With regard to consent, Bill would enhance consumer control by requiring organizations to get meaningful consent from Canadians. This means individuals would get specific information in plain, simple language, not the 30-page legal document that no one reads. This, in turn, would allow individuals to make meaningful choices about the use of their personal information.
To make consent more meaningful and move away from lengthy agreements that, as I said, no one reads, we are introducing a new exception to consent for the collection and use of information for standard business activities that would be reasonably anticipated by individuals.
Here is an example in plain language. When a customer buys something from a company and gives that company their address, the company can give that address to a delivery company so the customer can get the product they paid for.
Under the law, that company would need to be transparent about how it uses personal information so that consumers are made aware of this and that the Office of the Privacy Commissioner can review these practices.
The second element I want to talk about is the right to delete information. Bill would allow Canadians to withdraw their consent and demand that data be deleted. When individuals no longer want to do business with an organization, that organization must stop using their information and must delete it permanently if it is asked by individuals. This would, for example, allow a Canadian to demand that a social media site delete their profile. It is very simple, but very powerful.
The next area the bill highlights is data mobility. To improve their control further, individuals would also have the right to direct and transfer their data and information from one organization or entity to another organization or entity in a very secure manner. Bill would do this by enabling regulations that establish frameworks for secure transfer and interoperability. This approach would support innovation in areas like open banking, where a common technical approach could allow Canadians to take advantage of the consumer-directed financial marketplace in a more secure way.
Another area the bill touches on, which was highlighted through extensive consultations, is algorithmic transparency. In the area of consumer control, Bill would improve transparency around the use of automated decision-making systems, such as algorithms and AI technologies, which are becoming more pervasive in the digital economy.
Under Bill , organizations must be transparent that they are using automated systems to make significant decisions or predictions about someone. It would also give individuals the right to an explanation of a prediction or decision made by these systems: How is the data collected and how is the data used?
This is a brief summary of what is found in the first pillar of this legislation under more consumer control.
The second pillar of Bill is enabling responsible innovation.
The digital economy creates significant opportunities for Canadian businesses. Digital activity accounts for 4.8% of Canada's GDP, and when it comes to research and development in this country, no other private sector industry outperforms Canada's information and communications technology sector.
Investment in data has climbed as high as $40 billion. Across the economy, Canadian companies' data is worth as much as all other intangible assets, such as software, research and development, and mineral exploration rights combined. Therefore, we can see the potential of data not only today, but going forward.
Globally, we are seeing unprecedented growth in the technology sector, growth that is only going to pick up as artificial intelligence continues to grow and have a more meaningful impact in our lives. According to some estimates, AI is going to contribute an additional $13.7 trillion to the global economy by 2030.
The government also understands the importance of giving companies clear rules that enable them to innovate while still protecting Canadians' privacy.
Trust is the cornerstone of economic growth and innovation. When Canadians are assured that their data and privacy are safe and protected, it creates space for the kind of innovation that benefits everyone.
Our government believes that greater trust and certainty in the digital marketplace will empower small businesses and entrepreneurs to create news jobs and opportunities, expand their operations and better access the global marketplace.
It is also important to note that the new legislation would help small businesses prosper as well by ensuring that rules for data and privacy are fair, clear, enforced and flexible enough to meet the needs of smaller organizations.
One area that does that is the codes of practice and certification systems. To enable responsible innovation, Bill would create a framework to recognize the use of codes of practice and certification systems. This would help organizations both comply with the law and demonstrate their compliance, which, in turn, would support innovation and provide an important balance to a strengthened enforcement regime.
Organizations would be able to apply to the Privacy Commissioner to approve a code of practice outlining how the act's general requirements apply in a particular sector or activity. This would give businesses some certainty that if they are following the code they are in compliance.
I also want to highlight de-identified information. Bill C-11 would also clarify how organizations are to handle de-identified personal information. This would enable an important mechanism for both privacy protection and innovative uses of data, which would benefit many small businesses.
Lastly is data for good. In this area, it is important to note that under the second pillar of enabling responsible innovation, Bill would recognize an exception to consent for socially beneficial purposes in order to clearly allow organizations to support innovative data initiatives such as data trust, which is pursued by a range of public institutions, including hospitals, universities and libraries. There is so much potential with data trust because it can enable us to unlock some of the opportunities that exist to solve some problems across our society.
The next element I want to talk about is strong enforcement. Perhaps more importantly, the proposal would significantly strengthen the enforcement and oversight regime. This is critical.
With this proposal, we will have some of the toughest financial penalties in the world for violating our laws.
Currently, the Privacy Commissioner has little ability to enforce his recommendations on organizations that are non-compliant, other than seeking a hearing by the federal court. Under Bill this would change. The legislation would introduce a strengthened privacy regime that would be overseen by a more powerful Privacy Commissioner, with appropriate checks and balances in place.
The Office of the Privacy Commissioner would have broad order-making power, including the power to force an organization to stop collecting or using information and delete it. If the Office of the Privacy Commissioner found out that data was collected without appropriate consent, he would have the ability to do this.
As well, the Privacy Commissioner would make sure there is strong and meaningful consequences for organizations that do not comply with the law. The Privacy Commissioner would have the power to recommend administrative monetary penalties of up to $10 million, or 3% of global revenues, whichever is higher. The range of serious criminal offences would also be expanded, with a new maximum fine of up to $25 million, or 5% of global revenues, whichever is higher.
The legislation would introduce the new personal information and data protection tribunal, which would review appeals of the commissioner's orders and levy penalties.
This new administrative tribunal will help ensure procedural fairness in how the commissioner applies the new and enhanced enforcement powers. It will provide individuals and organizations with easier access to justice through a less formal mechanism for appealing decisions.
This enforcement regime would recognize that early compliance with the act remains critical and that is the key part. Early compliance will remain critical for the protection of Canadian privacy. We need to build on the commissioner's existing abilities to secure early resolution through compliance agreements. We want to make sure that Canadian companies actually comply with the legislation.
This new regime would see stronger collaboration between the Privacy Commissioner, stakeholders and implicated institutions, including federal organizations. When the commissioner is developing that guidance, it is important to have that level of collaboration. This will ensure there is a strong alignment between the law and how it is explained and enforced, and help avoid confusion for those trying to follow it. Again, this will provide further clarity.
To summarize, the third pillar of Bill , strong enforcement and oversight, would introduce an escalating model that provides incentives for organizations to comply early. The focus is on compliance. Strong penalties will exist if they do not follow through. There will be a new tribunal to ensure the process will be fair, transparent and accessible for businesses of all sizes.
The three pillars of Bill work together to provide what Canadians need to engage in the digital economy: strong and enforceable protections for personal information, along with clear rules for businesses to follow as they innovate and deliver new products and services.
It is also important to note that the legislation would help protect the privacy of Canadians, while strengthening the ability of Canadian businesses to compete globally. This positions Canada to succeed internationally.
When PIPEDA was introduced in 2000, it was considered a global leader among data protection laws. In 2002, the European Commission found that PIPEDA provided adequate protection relative to EU law. The finding of adequacy gave us an international edge by allowing us to have free flow of data between Canadian and EU companies.
More recently in 2018, the EU brought into force its GDPR, the general data protection regulation. Since then, the EU has been reviewing Canada's adequacy against the GDPR. They have made it clear that we must reform our privacy regimes in order to maintain our advantage when it comes to this status. I believe the legislation would achieve GDPR adequacy while maintaining the made-in-Canada approach.
Lastly, I want to conclude by mentioning stakeholder reactions. This approach reflects years of public study, consultations and collaboration. It builds upon the fundamental work of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, as well as important deliberations in the other place.
I can tell members the legislation has gained support from a wide range of stakeholders. Goldy Hyder, the president and CEO of the Business Council of Canada, spoke positively about this. Michael Geist, who is well recognized in this area of expertise, said this is “Canada's Biggest Privacy Overhaul in Decades”. OpenMedia calls Bill “a big win for privacy in Canada.”
We know that Canadians will continue to use digital services that require the use of their personal data, and we know there is no turning back.
I will conclude with this last remark.
As the COVID-19 pandemic continues to increase our reliance on the digital economy, Bill will help Canadians embrace this new world, knowing that their personal information is protected and safe.
Madam Speaker, today I am rising on Bill , an act to implement a digital charter for government. This is an auspicious moment for Canada, because we are well under way in the digital age, and the need for clarity and concrete action to protect Canadians' privacy is a paramount need. While it is critically important, we also have to remember the need to protect small and medium-sized enterprises and to ensure that Canada can remain globally competitive as a jurisdiction for technology, data and innovation. I am concerned by some of the trends we have seen over the past few years, with Canada falling behind our global competitors, and I am concerned that some parts of this legislation could put us behind.
I am also concerned that we are falling behind when it comes to security. It is great to talk about protecting Canadians' privacy and putting in consent-based rules, but in an age of quantum decryption and computers that can break 120-bit encryption, if our security cannot be protected, then all the consent laws and privacy protections in the world are not going to mean much.
I want to break down this bill into simple terms. They talk about plain language in the bill, and so I am going to try to speak in as plain a language as I can, when dealing with a matter of this technical nature. I want to talk about some of the challenges and, I will grant the government, some of the opportunities that we foresee with this legislation. I want to also thank and recognize the work of the ethics and privacy committee in the previous Parliament, under the able chairmanship of my colleague from . Many of the recommendations we have seen in this legislation come from the committee's report, so I think that shows Canadians that committees really do matter in the House, and that they can make a positive impact.
As I said, one of my chief concerns with this bill is its impact on small and medium-sized enterprises. It has been said for a number of years that data is the new oil. For many emerging enterprises, access to data and the ability to use this data will be the determining factor in whether they are successful or not. I do not need to say, but I will, that small and medium-sized enterprises are the lifeblood of our communities, and increasingly we are seeing how vulnerable they are, especially during the pandemic.
We have to consider the context of this legislation within the economy and the economic structures that the Liberal government has created over the past five years. We have seen an unrelenting attack on small and medium-sized enterprises, starting with hikes to Canada pension plan premiums. These hikes will continue even this January, in the midst of a pandemic. When companies are closing their doors and laying off workers, the government is looking at increasing costs even further for employers and employees. It is just not acceptable.
The Liberals in the past accused business people of being tax cheats when they utilized exemptions under the tax code. They decided to take it one step further by hiking taxes and removing these exemptions for many family-owned businesses, including for a lot of businesses and farm families in my riding. With this legislation, they are adding yet another layer of red tape that will force many onerous requirements on small businesses. I recognize that many of these requirements will be very helpful when we are talking about large businesses, and they have the resources to maintain these privacy requirements. I found it interesting that the was talking about the right to delete oneself. On many social media platforms that has been the case for a number of years, so it feels like with this legislation the government is trying to catch up to what businesses are already largely doing. However, we see that small enterprises are increasingly reliant on technology and data.
In this legislation, there are a number of new requirements. There is a certification requirement and a requirement for businesses to designate somebody in their business to be the privacy watchdog. Businesses have to maintain databases and be ready to respond to customer requests or investigations. When we talk about very small businesses, which could have only two or three staff or maybe a sole proprietor, to add this new layer of red tape is really going to create a lot of challenges for them.
Ironically, it would actually benefit big businesses because when small businesses have more red tape, they might decide to no longer stay in business. Therefore, we will see even more consolidation among the big players: the Amazons, the Walmarts and companies that are large collectors of personal data. Our thriving, innovative start-up economy will start to be strangled under this legislation.
I hope that when the government is considering amendments at committee, it consults with small businesses. I encourage it to consult with the CFIB to look at the challenges small businesses are going to face, and to try to come up with some sort of threshold to ensure that small businesses are not unduly burdened.
I appreciate that this bill is largely targeted at major corporations and tech giants that use massive amounts of personal data for everyday business. We know that these companies have the capacity to do better in protecting our privacy. I hope that this legislation can spur further commitments to protect Canadians' privacy. However, as I said, it concerns me that these large corporations largely have already implemented a lot of the things that the government is talking about. They have the human resources, legal departments and the endless ability to tap debt markets, bond markets and stock markets to finance these changes. Frankly, small businesses do not.
I asked the a question, which he really did not answer, about data portability and the impact on small and medium-sized enterprises. The minister couches it in terms of consumers having the right to ask for their data to be moved from one organization to another. It seems like a really great thing, but I cannot think of too many situations in which a regular Canadian would be the person initiating that conversation. However, I can see where a bank would, for example, when dealing with its insurance arm. Many large Canadian banks also have insurance companies.
There has been a fence put around these companies to ensure they do not become too big and anti-competitive. Information cannot currently be shared between insurance companies and banks owned by the same company, but through this legislation, the insurance company just needs to provide a plain-language document asking clients if they want their information to be shared with its banking arm. With the massive amount of data that insurance companies and banks have on Canadians, we can see how quickly they could possibly use this as a predatory practice to increase, consolidate and suck customers away from small and medium-sized insurance companies.
When I drive through my riding of Sturgeon River—Parkland, I am proud to see about a dozen small and medium-sized insurance businesses for auto, home and life insurance. There are tens of thousands of Canadians employed in this important industry, and they are not all working for the big banks. I really am concerned that this legislation could make our marketplace much less competitive, so I hope the government considers that impact as well.
My next point is about enforcement. I am really skeptical about the government's ability to deliver for Canadians. We see, in spam legislation and other legislation, that a lot of words are not being put into action and there are consequences for actions that are not being followed through on.
Similarly, this legislation packs a lot of firepower. It talks about threatening $10 million in fines, or up to 3% of global revenues. It is the toughest in the G7, as the government has said, but I wonder what power the government really has to compel payment. When we talk about potential serial abusers of our private data, we are talking about massive multinational corporations with billions in revenues.
I wonder if we can anticipate similar challenges as those faced by France when it attempted to collect taxes on digital giants from the United States. These included a challenge at the World Trade Organization and retaliatory tariffs on French products.
I wonder if the Liberals have given any thought to the potential consequences of trying to collect large fines from these companies. Does the government anticipate that our trade competitors are going to let these challenges go unanswered when we try to collect? Have the Liberals considered the consequences that this could have on the Canadian economy, and are they ready to be open about this very real threat? I am not saying that this is not something they should pursue, but we need to know what the potential consequences are before moving too quickly on this.
Canadian innovators are at the forefront of technological advancement, and I think that is something we can all be proud of. However, a concern that has been brought to my attention is the protection of proprietary algorithms by start-up tech companies that rely on data. Some of the provisions in the bill would enforce algorithmic transparency, which sounds great for consumers, but I see that it could be used by business competitors to expose sensitive, confidential and proprietary information.
Has the government considered the consequence of what these actions would do to our start-up companies that want to keep their algorithms proprietary and confidential? A company may be in a situation where it is looking for a buyout at a later date and needs to build up to the point where it can really get the value it believes the company is worth, but if this algorithmic transparency could be used by its competitors to investigate the use of its algorithms, it could possibly be used to steal things that are patent-pending or as leverage in a negotiation for a buyout. I would like to see more stringent protections for our nascent technological sector, to prevent their algorithms from being exposed.
Next, in the bill, the minister sort of alluded to the exemption for socially beneficial purposes. We need to drill down and explore the idea. The provided some examples: government, health care agencies and education. I do not think many Canadians could really object to these organizations being exempted, but one point named organizations that exist to promote environmental protection.
We believe in strong environmental protection, but are we possibly talking about environmental charities that may have a political arm or an agenda in an election? Are they going to be exempted to use Canadians' data in any way they see fit? What potential consequences could this have on keeping our elections free from foreign influence or ensuring transparency in political communications? I would really like to get a clearer idea of what the government means when it is talking about socially beneficial purposes, because we are living in an age, as the member for said, when there are data wars. If organizations are misappropriating this data, using it to influence our elections and our democratic process and being provided an exemption, we really need to explore that.
Next I want to talk about the 10 pillars of the digital charter that the government has brought forward. We know that a charter, as any statement of values, is really only as good as the resources and enforcement behind it, so I want to highlight a few of these pillars and address some concerns that I have.
Pillar 1 talks about universal access: “All Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills.” As my colleague for was saying, too many Canadians, the fourth coast as some would say, even in relatively urban areas, say that we are far from accessing high-speed and reliable broadband services.
For years, successive governments have pocketed billions and billions of dollars from spectrum auctions. They have been announcing and reannouncing, and in some cases reannouncing a reannouncement, on enhanced rural broadband. The Liberals have promised the universal broadband fund as their solution. They even claimed that they topped it up by another $750 million a few weeks ago, but communities in my riding who recently applied for the universal broadband fund were told that they did not qualify.
I come from a fairly rural riding, and people were basically told that, according to the data, the Internet in their communities is fast enough. That is not acceptable. They should try explaining that to farming families in Sturgeon or Parkland County, or try telling that to people living in Stony Plain, Gibbons and Morinville.
We still have movie rental stores in my riding. I asked somebody how these movie rental stores stay in business, and the fact is, the Internet is so bad, the only way for people to watch movies is to go to their local movie store because they cannot access Netflix and all these other great things.
We are talking about a pandemic right now, and increasingly parents are wanting to supplement their children's education at home. They cannot access their education. A principal of my local high school, Onoway Junior/Senior High School, lives less than one mile away from the high school. The high school has high-speed Internet that is connected by the Alberta SuperNet, but less than a mile away the principal cannot get any Internet services.
The government is saying their Internet is fast enough, and that they do not qualify for the universal broadband fund, but, if we do not qualify, then I do not know who qualifies. This is unacceptable. It is time for the Liberals to put real funds behind real action to deliver broadband access to Canadians in rural and remote areas.
Pillar two of the digital charter is safety and security. It reads, “Canadians will be able to rely on the integrity, authenticity and security of the services they use and should feel safe online”. This is yet another great promise that the Liberals have failed to deliver upon.
I remember over the summer, when scammers used Canadians' personal information on the Canada Revenue Agency website to access CERB payments. These were not foreign actors we were talking about. These were private actors using information that they could get their hands on to breach Canadians' accounts, and this breach was so bad that it even forced the CRA and the Service Canada websites to shut down.
Thousands of Canadians who wanted to were unable to access the CERB, and all the useful services on those websites, because the government has not put security as a priority. Security must be central to digital government and to our digital economy. I appreciate that the government wanted to get those programs out quickly, but we are increasingly seeing the consequences of not building in security from the foundation up.
It was not just the CERB program that was hacked. In February, news broke that the National Research Council systems were hacked, mainly the health research databases. This cyber-attack was caused by ransomware. The hackers used the ransomware to try to extract payment from the government. Every year the National Research Council collects information on more than 25 million health care consumers across the U.S. and Canada. The National Research Council was also hacked in 2017 by state actors.
This continues to be quite a substantial threat. Hospitals and other information technology services are increasingly being targeted by these kinds of crimes. Since 2016, according to a cyber-threat assessment, there have been 172 attacks on individual health care organizations with costs topping $160 million. Those are just the attacks that are known about. It causes one to wonder how many attacks have not even been discovered yet.
It gets worse. Despite the multiple data breaches, the protection on critical infrastructure plan has not been updated in this country since 2009, despite major technological advancements. I alluded earlier to the Manhattan project of data decryption and quantum computing, which we are seeing out of countries like China. They threaten to blow open all of our current encryption technologies. It shows us that the plan is even more critical.
Thank you, Madam Speaker.
I provided a brief overview of this issue because safeguards have already been implemented in over 30 countries. Our friends in the European Union have been taking the bull by the horns since 2016, and I think we should follow their example.
I applaud the introduction of this bill. It was about time. I would also like to talk about a few things that I look forward to studying as soon as possible at the Standing Committee on Access to Information, Privacy and Ethics.
It was proposed that the commissioner be given additional powers. This bill proves that this proposal was taken into account. The commissioner will be able to impose major penalties. Currently, as all those who grabbed the bull by the horns know full well, businesses are responsible for protecting personal information or face penalties, which vary from one country to another. This bill introduces a 3% penalty, which means businesses such as Facebook, a company worth several billion, could pay up to $10 million if they do not properly protect personal information.
I am also very happy with another part of this bill, which came up earlier, about consent to use and transfer our data. Businesses and organizations that have our data must always have our consent. That is crucial, and I am happy about it.
Once again, I congratulate the government on giving the commissioner the power to issue orders.
However, there is one thing I am very concerned about, and it has to do with organizations such as banks that are under federal jurisdiction. I think that if there is one organization that should lead by example and demonstrate that it is protecting data and working to prevent fraud, it should be the government.
The first time I read the bill, I did not see anything about the government fulfilling its obligations. My hon. colleague talked about this earlier. Many people in Laurentides—Labelle have told me they are worried about finding out at tax time that someone claimed CERB using their name. People have even told me they tested it. They applied, and their application was approved. These are people who are receiving employment insurance benefits.
There are also those who, upon opening their account, discovered that they were victims of fraud. These people have followed up and filed a complaint. Unfortunately, it takes a long time for them to hear back, and some people never hear back. I feel that this bill should also include a requirement to support those who have been victims of fraud and help them through the process.
Right now, it is about prevention and punishment. Let me explain prevention, which is very simple. Prevention is making sure all the necessary elements are in place to validate a person's identity.
However, this bill does not propose a complete reform of the ID authentication processes for individuals through organizations or the government.
Several countries have already taken action and instituted two ID authentication processes. The first involves confirming what the person knows. However, if an individual's personal information is known and their data are open, anyone can immediately commit fraud using their name.
The second involves confirming what the person has using various tools. Some apps already use text message authentication, for example. Sometimes the person has to place a call from their home. This is another important authentication process.
Several countries use other authentication processes based on even more personal information, such as voice recognition or fingerprints. Close attention will have to be paid to facial authentication to ensure that all rules are followed.
I look forward to taking part in the committee deliberations. I welcome this bill, but it needs to be amended properly.
Madam Speaker, since there are no other questions and comments, I believe that shows that my colleague was very clear. I will try to be clear as well. The bar is high, but I will try to meet it.
Generally speaking, as my colleague said, this bill represents a step forward and addresses several of the Privacy Commissioner of Canada's requests. Quebeckers were profoundly shocked by the Desjardins data breach. It was a very significant event. However, it was not the only one. Similar incidents occurred in 2017 and 2018, and there have probably been dozens more that we are not aware of. In fact, when a bank's data is stolen, the bank is required to inform the police and the Privacy Commissioner of Canada, but it is not required to inform the public or even its customers.
We like this bill because it sets out a series of principles relating to the collection and sharing of personal information by companies: free and informed consent for the collection and use of data; the ability to allow or deny the transfer of data to another company, such as between two financial institutions; the ability to withdraw consent or request that data be deleted; transparency about the use of algorithms that use personal data; and stricter criteria for the use of de-identified data. This bill also gives real powers to Canada's Privacy Commissioner, sets out significant penalties for non-compliance, and creates the personal information and data protection tribunal. All of that is great.
Unfortunately, the problem is that the bill omits one extremely important element, and that is protecting people's identity online to prevent fraud due to identity theft, especially during financial transactions. We know that Europe has brought in a whole suite of regulations to force financial institutions to verify a person's identity before authorizing a transaction. There is nothing like that in Canada, and this bill does not have anything of the kind either.
The federal government is not properly verifying individuals' identity before authorizing electronic transactions. We know that the challenge is to prevent data from being stolen and used to commit fraud. Having personal data stolen is unpleasant enough, so all measures must be taken to ensure that the data are not then used for fraud.
The debate in Ottawa over the massive data breach at Desjardins mainly revolved around social insurance numbers. We know that several people would like to change their social insurance numbers, but under the current system, they cannot do so unless they become a victim of fraud resulting from identity theft.
In addition, the federal government has received a number of requests to redesign the social insurance card to make it harder to counterfeit, similar to what Ottawa did with passports after the September 11, 2001, attacks, at the request of the United States.
These two requests are perfectly reasonable. The Bloc fully agrees and is asking Ottawa to follow up. However, that alone will not stop fraud.
The best way to prevent identity theft is to make sure that the person who is making the transaction is indeed who they claim to be. This goes without saying. There are three ways to verify a person's identity.
First, a person can be identified based on what they know, namely personal information such as their name, address or social insurance number. However, as cases of identity theft are on the rise, it is getting harder and harder to accurately identify someone. In other words, our private information is no longer private when everyone can find out almost everything about us. Fraudsters can simply use this information to create a fake ID, and they are set.
Second, a person can be identified based on what they have, such as their computer's IP address, which the institution can recognize if the transaction is being conducted from the person's home, or their cellphone, to which the institution can send a secret code via text message.
Third, a person can be identified based on who they are. The institution can use technologies that recognize a person's physical characteristics, such as their voice, their facial features, through the use of facial recognition, their digital fingerprints, which are increasingly being used by cellphones, or their handwritten signature.
Europe adopted regulations in 2016 requiring financial institutions to use at least two of these three ways to identify someone before authorizing a transaction. Banks in Canada are under no such obligation. If they believe that the control mechanisms will cost more than the losses they are currently incurring in fraud, they are better off doing nothing. The banks will not pay for controls that would be more costly than the fraud. That is simply profit-driven logic.
Many members have probably had the experience of having a store issue a credit card on the spot, based solely on the personal information we provide. We just have to give our phone number, address, and so on, and that is all it takes. This practice really opens the door to fraud, and it has to stop.
We believe that the banks must be forced to tackle fraud. That is the solution that we are advocating. We are going to propose possible approaches. As my colleague was saying, we are going to support the bill, but we will be bringing forward amendments. We will have concrete, constructive and coherent proposals when the time comes to study the bill in detail.
We will propose ways to combat identity theft, such as by drawing on the European regulations I was talking about, in order to force the banks to bring in robust processes to verify people’s identity before authorizing a financial transaction. We will also propose to increase fines in order to encourage banks to better protect their customers’ personal information. We will propose that banks be required to submit a detailed report, as part of their annual reporting, on the number of identity thefts and the resulting losses.
We will also propose a requirement to contact any person whose identity has been fraudulently used within the organization, regardless of whether an account was opened or not. As I said earlier, there is no such obligation in place and it must be brought in. There is also an obligation to cover the costs paid by victims to recover their identity. These costs must be covered by the banks, which are rolling in a lot more money than individuals and most of their customers.
There also need to be anonymous tip lines for employees who are aware of unreported identity theft, as well as protection for whistleblowers. There is currently a void when it comes to whistleblower protection, as in virtually all areas. I am getting a little off topic, but the House will have to deal with this issue as well.
Ottawa also has to look in its own backyard. Beyond the banks, the same anti-fraud controls need to be imposed on the federal government itself. Bill applies only to private businesses. It does not apply to the federal government. Currently, Ottawa’s online identity controls are clearly inadequate. Before authorizing a transaction, the government does not take all the necessary steps to ensure that a claimant is who they say they are.
Since last spring, there have been numerous cases of identity theft. These include Canada emergency response benefit claims made in other people’s names and tax refunds being redirected to other accounts. Some people will not find out that they have been victims of identity theft until they file their income tax returns. It has not yet happened yet, but it will soon. In a few months, many people will discover that they have been victims of fraud. Right now, they have no idea. This is absurd, and it is unacceptable.
Again this fall, thousands of taxpayers lost access to their Service Canada account, which prevented them from applying for employment insurance even though they lost their jobs because their region was going back into the red zone.
It is all well and good to introduce a bill on the management of personal data by private companies. I want to stress that we agree on this bill and that we will vote in favour of it. That part is settled.
However, Ottawa needs to clean up its own backyard as soon as possible and take immediate action to combat identity theft. We are saying yes to regulating private businesses, but we are also saying yes to regulating Ottawa and the banking industry.
Madam Speaker, I am pleased to participate from my office in this important debate on Canadian privacy. The bill would enact the consumer privacy protection act and the personal information and data protection tribunal act. It would also make consequential amendments to other acts. We are debating a fairly complicated subject, but one that has been warranted for many years.
The New Democrats have been calling for a modernization of our privacy laws and our consumer protection laws for about a decade. Most recently, our efforts have resulted in a digital bill of rights' discussion across Canada in which we have been at the forefront and have pushed hard to have some of these rights discussed, not only in the public forum but also in the chambers of Parliament.
We have witnessed the world move on. We have seen the Privacy Commissioner identify Canada as backwater when it comes to protecting privacy and the capabilities of the modern world. With COVID-19, we see further online activity among Canadians and further vulnerabilities for not only individuals but for our families, schools, businesses and even Parliament.
The New Democrats have a different position from other political parties. We believe that people's human rights are connected to their digital rights. People's online presence and the digital footprint they leave in the wake of the business they have to do is just as important as their physically enshrined rights as a human being.
When we look at what is taking place, even with COVID, and the ability of people to participate online, we have seen the failings of two decades of Liberals and Conservatives to connect Canadians, all the way from Maxime Bernier's program, launched as a Conservative minister, to most recently where we are struggling and scrambling to get Canadians connected.
One of the other things the New Democrats talk about is the affordability of participating in this democracy and not only with respect to one's participation on a regular social basis. As governments have moved more and more services away from brick and mortar to online, we have seen the exposure of Canadian privacy. We have seen that even within government resources, everything from social insurance numbers to other types of breaches that have taken place. We have seen this in the private sector as well.
Canada has often lagged in the private sector, not only in oversight but also in the punishment of those who take advantage of people in the new digital age. In our digital bill of rights, which we presented more than two years ago, we talked about not only personal data being protected, but also how people were being manipulated through the services provided online. For years and years our philosophy has been net neutrality. I will highlight a few new problems with the bill which could derail that type of philosophy and could stream Canadians to more vulnerabilities.
There are all kinds of examples of how Canadians have been abused. Whether it be Yahoo, Ticketmaster, Marriott or Equifax, the list goes on and on. Most recently, a heightened example of this, which created a lot of attention across the world, was Facebook and the outright manipulation of people's personal data. People were being used as pawns without even knowing what their rights were or being protected from that.
Again, Canada's laws do not allow our Privacy Commissioner to come down hard on some of these giants. Governments in the past have been too close with the web giants and have not allowed Canadians to have the proper recourse when data breaches have taken place.
The personal information and data production tribunal act being proposed by the government would create a number of potential false promises for accountability. It has a low threshold of involvement of those who would be appointed to the tribunal.
First, we have to get past the notion that these types of political appointments will be free and clear of all political and business-type leverages to select the tribunal. Second, we have to assume the tribunal can be fair, quick and just in its cases. Third, baked-in problems with regard to the role of the tribunal create some concerns. The first is that the tribunal could overturn the Privacy Commissioner in many respects and it would go to a judicial process, which could take years and years to settle cases that may no longer be relevant to Canadians.
There is also a low threshold for the inclusion of some of the appointments. There is no requirement for a Superior Court judge and only one judge is allowed in maybe a one-to-three-member panel or a one-to-six-member panel. These things need to be fixed.
Something I want to further explore is more powers for the Privacy Commissioner. The Privacy Commissioner has been very clear in asking for more resources and supports over the last number of years to deal with privacy breaches that have occurred and also to bring in more accountability. It is in our business interests, not only our interests as individuals, families and all of the institutions but in business interests, to have a clear process so the bad actors in this environment that are doing harm to Canadians and other businesses are not rewarded.
One thing I am most proud of accomplishing as a member of Parliament was ending the tax deductibility of corporate fines and penalties. That was about 15 years ago. In the past, if a business was caught doing something illegal, it was able to write off part of the government fine as a business-related expense. I was able to champion a change to that.
Businesses that were doing illegal activity and influencing competition were using it as a loss leader. They would essentially get millions of dollars in fines and penalties, everything from drug companies to those getting environmental fines and penalties, and they would apply for that money back at tax time. It was a way for them to undercut the competition that was doing the right thing. That is what I am concerned about with the tribunal. It would have the capability to influence market stability to some degree with regard to penalties and fines for the bad actors.
If it does not work right, if it is not seen as credible and if it does not flow the way it should, it can be an encouragement for some of those committing the breaches to be sloppy with personal information, disrespectful and also manipulative in taking information from Canadians, steering them to different purchases and activities, exposing them and then beating some of the competition. For some young entrepreneurs who have to go up against some of these established giants, it is very difficult for them to get a toehold.
A number of factors are in place, even in our general market economy, for young people and entrepreneurs to get busy and to compete. One most recently was in the retail sector. Businesses are being charged extra to get floor space in the real world. Amazon and other players have also used manipulative practices to steer consumers to particular products and services from preferred customers. That defeats our philosophy of net neutrality. It could also direct people and their families to making purchases or viewing activity with the time they have into different market conditions as opposed to exploring in a free and open Internet society.
Another thing is that Canadian federal political parties are exempt from oversight. We do not understand why the Liberals would allow this to take place. It should be clear and proper that their data and personal information be open and accountable in political parties as well. We will be looking at amendments to this activity because we strongly believe they should be accountable.
To bring faith and accountability to our democracy requires transparency. We have seen the sensationalism that has taken place in political advertising in the last number of campaigns and the favouritism that has been seen online. We have also seen the giant data assembly that has taken place which can manipulate voting and steer people to different discussion points.
The personal privacy information collected by political parties should also be clear. This way there will be more faith in the information that political parties get. More important, our democracy will be strengthened by privacy protection, not weakened or exempted with regard to the model being presented by the government right now.
We also want to be more technical and continue to have commercial activity defined under PIPEDA. This is more related to the business section aspect for fair and open transparency.
We want to deal with a particular issue in regard to algorithmic transparency. Algorithms can help direct purchasing and activity and can also manipulate someone. It will just get stronger because artificial intelligence is being introduced more and more into society in regard to all our products and services. This includes search engine searches, the types of purchases made with different corporations and a number of different activities that take place. It is important there be accountability and oversight for that.
A number of different things have been going on with regard to Canadians and their privacy. There is no doubt there will be more challenges with this bill. We want to go back to a number of different structures that take place with respect to this. Again, the New Democrats championed a digital bill of rights for many years. I want to highlight a few important things.
If we cannot have a fair, open and just society with regard to our digital footprint, we believe our democracy is threatened, our economy is threatened and, more important, investments into this country will be threatened. We will not have the same oversight that Europe or the United States have. That is very important to ensure that investment in Canada will take place.
It is important to note that if we are working toward things like access to telecommunication services all across Canada and we are investing in this, we need to think about the billions of dollars already spent on this, along with the additional money to be spent. We want this to be done right and proper, especially with COVID-19.
Over the years, as we have gone to more online services and invested in this, we have had opportunities. When we think about how we use this space for ourselves, whether it be commercial activity, entertainment or business, we sell off the spectrum. The spectrum is the infrastructure we can use. It is above us. It is the radio and capacity to move, most recently, the 5G network. We will see a spectrum auction.
In the past 20 years, $22 billion of revenue has come into the public coffers with spectrum auctions. We have seen a patchwork of activity take place all across the country.
I previously mentioned Maxime Bernier, with the Conservatives, and most recently the Liberals. Several plans have emerged that are more a hodgepodge of applications. It is one program after another that is sought out. They are also providing massive subsidizations for those markets, which costs billions of dollars. Even the CRTC has a fund.
I can list a series of them, but the point is that if we are going through all this trouble and investment to create a society space for our digital world and economy and we are heavily investing in this, then we need to do it right, especially with a geography like Canada, which is so large. This can be a challenge, but given our population size and the fact that we have dense populations along the border and other places, we can turn this into an advantage for business investment as well.
The New Democrats believe this is part of our human right with respect to how people are treated online. This includes accountability from companies with regard to cyberbullying, privacy protection, speeds and affordability. They are combined. If we do not have this type of approach as a philosophical one, we leave ourselves open to having more winners than losers. It would be no different than having lost education opportunities for people and a requirement for the government to come in and do the right thing, which is to make things more affordable.
I mentioned the concentration of our population. It is important we tie this into the bill as we finally expand to rural and remote locations, and the security and accountability for that information.
We have talked a lot about preserving different cultures and providing business opportunities for areas that have been weakened because of their geography or lack of connectivity to large populations, but if we do not put a rules-based system in place that allows them to compete fairly, then they will fall to the wayside. Specifically, we could have a number of opportunities for smaller businesses to evolve, some scale-ups to take place, communities that could actually have some empowerment in getting to new markets and keeping the community stronger and together, but if it is not done in a way to have online privacy protection and so that businesses can compete in a fair way, then it is going to be lost.
One of the concerns we have in general, not only with regards to ourselves as a country but also the rest of the world with some of the web giants, is the consolidation of services and how online services are used. In Canada, our competition has not been the strongest at some points, but there is an opportunity as we do this, which is why this legislation is so important.
With the spectrum auction coming up, New Democrats have argued that charging as much money as we can to the telcos coming in and then seeing how things go results in what we have right now: less competition and higher prices, and prices that, quite frankly, limit people's participation in the digital world. This is a concern that we have, and so we have suggested to turn the spectrum auction around, like many other countries have done, and use it as a way to connect at lower costs by putting out expectations, such as an RFP-type model. When the bidding comes in, we may get a little less money coming in the front door, but the expectations are going to be higher and the requirements to connect rural or remote communities will be there. The telcos will use it or lose it. That is one of the things we believe could be a real benefit to move along the different programs.
Basically, what we have now is a series of programs out there where communities almost have to go on bended knee to get access, to get support to actually lower the price points to make things more competitive and attractive. Our model would have a reverse role. The business community would already have the expectation that the spectrum is less, but the time frame to connect Canadians is high, with the expectation that they use it or lose it, for those things to happen relatively quickly. In fact, industry has indicated that the NDP plan could take place and connect Canada within four years: 98% in three years and the last little part in the last year, because it is more difficult in some locations.
This is important and critical, because this potential law would lay out the framework on how that activity takes place. It is one of the reasons we believe this tribunal is one of the more interesting curiosities, and there are other things to talk about regarding that. However, if we spend all of this money, time and public policy and then do not get it right, we would have a weak and irresponsible approach to oversight in making sure that Canada does not have problems with regards to this. It is already going to create a skew in the public policy laws that we have. I fear that the bill, in its current form, if it does not sharpen up on those points, would create a skewed market for some years to come.
Parliament most likely will not deal with this again any time soon. It has taken far too long to get to this point. We have to get this through a minority Parliament, we have to get it through the Senate and we have to get it signed off by the at the end of the day. That is going to take some time and commitment, which we have with the New Democrats. We want to improve the bill, we want to make sure that it is stronger, but if we do not get these points right, we are going to undermine things. This is why, when we think about how important this is with our current public policy and our resources, everybody out there has been concerned about COVID-19 and the effects upon the broadband and the experience for education, involvement and commitment.
To conclude, the difference for New Democrats is that we believe that our human rights and digital rights are enshrined just as our physical rights. As we move to this type of engagement, as we see hybrids take place within workplaces, schools and other types of activity, this bill is a step forward, but it needs to be strengthened, and we can be counted on to do that. It is our intent to make Parliament work, but, more importantly, to make sure that we have laws that are going to work to protect Canadians.
Mr. Speaker, I will be splitting my time with the member for .
We increasingly live our lives online and our laws need to reflect that reality. Privacy is a human right and it is inextricably connected to our personal autonomy.
The Council of Europe's Convention 108 states, “The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” The GDPR states, “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
The incredible scale of data collection can be a powerful force, both for good and bad, so we need strong privacy and digital rights and a strong regulator to enforce them.
There is much in our government's Bill , which is a serious reform of PIPEDA and certainly long overdue. I remember in June 2018, I introduced legislation simply to give the Privacy Commissioner new powers, which our privacy committee had twice unanimously recommended. We have come a long way since then with this substantive bill. OpenMedia said, “Bill C-11 is a big win for privacy in Canada.”
While I have heard some reflections from experts and certainly from some parliamentary colleagues already about how the bill can potentially be improved, or some open questions about what might need to be fixed, it is certainly deserving of our support at second reading. I look forward to working with colleagues across party lines to improve the legislation at committee where we can.
At this point, to work at committee across party lines something of a detour is required. I want to specifically commend my Conservative Party colleagues from and , my NDP colleague from and my Liberal colleague from . We worked very long and hard on privacy issues in the last Parliament. We helped found the International Grand Committee, comprised of over 10 countries, to discuss these issues. We hosted the second meeting of the IGC in Ottawa. We tabled the report “Towards Privacy by Design” in February of 2018.
When we as parliamentarians talk about committee work and often the overlooked nature of the committee work, we do not always see that committee work turn into legislation. In this instance we have.
We recommended stronger consent rules and we see stronger rules in Bill . We recommended algorithmic transparency and we see in Bill C-11 a commitment on transparency where systems are used to make predictions, recommendations or decisions about consumers. We recommended data portability and interoperability. We see those commitments in Bill C-11.
We see stronger powers for the Privacy Commissioner. I mentioned that need for a strong regulator, including order-making, auditing and the ability to levy fines. We see order-making powers. We see the ability to audit. We see a new tribunal, and while I understand some of the caution or questions members are raising in respect of this design, it is consistent with the competition commissioner and tribunal operations and worth looking at more seriously to see if it can be approved. However, through the tribunal, we see the ability to levy significant fines, in the magnitude of $10 million to a maximum of $25 million for more serious fines.
In terms of the course of that committee work, I want to reflect on a couple of stories about why this kind of legislation is so important and critical.
I think it was in the fall of 2017, when we were in the midst of the study on PIPEDA reform, that the member for , the former member for Skeena—Bulkley Valley, I believe I am getting that right, and I went down to Washington and met with other elected representatives there. We witnessed some of the hearings in relation to the Equifax breach, but we also met with Facebook officials. At that time, when a question was put by I think the member for as to what Facebook's views were on the potential new regulations, they said absolutely no new regulations were required in Canada due to the strong framework through PIPEDA and, if there were new rules, that might affect Facebook's willingness and interest in investing in Canada. Certainly, we have come a long way since those kinds of conversations and push-back by big tech companies against stronger privacy rules.
We saw that Mark Zuckerberg unfortunately did not attend before the IGC, though he said he would like to work with parliamentarians around the world, but we can certainly say that the days of self-regulation are over and asking for regulation. Here is that kind of regulation in Canada.
On consent, I have to tell one other story that happened at committee. Again, we had Facebook officials there. We were in the midst of going down the rabbit hole of the Cambridge Analytica scandal and the Canadian context of that third-party app, which had shared so much information. I think it was under 300 Canadians who had used the app, but thousands of Canadians had their information shared. I put to Facebook at the time, “How is it that on the basis of meaningful consent thousands of Canadians could have agreed that their friends share their information through this third-party app and then share it with Cambridge Analytica?” With a straight face somehow, a Facebook representative said to me that it was in their terms and conditions.
That speaks to the problematic nature of consent in the existing law and the lack of meaningful consent. Thankfully, our Privacy Commissioner, despite his current lack of meaningful powers, pursued that line of inquiry and found that Facebook violated our current laws and took the matter to court. We know that with stronger consent rules, there would have been no ability for a Facebook representative to say with a straight face that there was meaningful consent.
Plain language is important. I would go further, though, and say that as we think about consent, particularly in a consumer context, I think we ought to be more wary of privacy by default. We have to be more concerned about privacy by default. Where there is a reasonable expectation of the consumer that information is going to be shared and used in a particular way, then explicit consent, obviously, ought not need to be required, but where there are secondary uses, where there are uses beyond a reasonable expectation of that consumer then, certainly, we need explicit opt-in consent. It needs to be very clear to consumers how their information is to be used, if at all.
I want to emphasize the consumer context because it is a curiosity of privacy legislation and a curiosity of consumer protection legislation that when I purchase my phone I do not have to read the terms and conditions. There is no expectation by government that I read the terms and conditions, yet I am protected. There are implied warranties pursuant to consumer protection legislation. I do not need to read those terms and conditions in order for my rights to be protected as a consumer, yet there is an expectation when I download any app on my phone that I read the terms and conditions. That cannot be a tenable state of affairs if we want to protect consumers. We cannot expect consumers to read every term and condition, and every consumer contract in the course of downloading applications, and in the course of living their lives, as I said, increasingly online. Our laws need to reflect that reality.
There are obviously some straightforward fixes for this legislation. The membership of the tribunal should obviously have greater privacy expertise. I think that is a no-brainer. We do have to think more deeply through some of these consent rules and how we can strengthen them potentially further. I would like to see us go beyond algorithmic explainability to some kind of algorithmic accountability.
I know that others have mentioned political parties being left out. I do not know that political parties need to be subject to PIPEDA specifically, but they ought to be subject to privacy legislation. If there is no further effort under way by the government, then I think PIPEDA may well be the place to do that.
Lastly, I think we have to focus on children, in particular, when we look at consent rules and protecting kids on the Internet. Previously, I have written and spoken publicly about my support for our right to be forgotten, but I do think we have to be more focused on our rules and protection for kids as they grow up with the Internet and live their entire lives online.
I will close by simply saying that this is a big bill. This is second reading and, certainly, all of us ought to support this in principle. I look forward to working with experts and colleagues to strengthen the bill at committee and get into the details.
Mr. Speaker, I rise today to join my colleagues in speaking to the digital charter implementation act, 2020.
In today's ever-changing digital environment, Canadians have demanded better protection of their personal information. They have also demanded that organizations be held accountable for misusing their information. Stakeholders have told us that they want flexibility to innovate responsibly and want consistency with privacy rules everywhere else in other jurisdictions.
I am proud to say that the digital charter implementation act, which would enact the consumer privacy protection act, or CPPA, represents the most ambitious overhaul of Canada's private sector privacy regime since PIPEDA was first introduced, in 2000. CPPA would introduce significant changes to better protect the personal information of Canadians in the way they have been demanding, including, of course, with strong financial consequences for those who do not follow the law.
Prior to PIPEDA, in the 1990s, other countries around the globe introduced new laws to ensure that privacy was protected and that the opportunities afforded by e-commerce and the flow of information around the globe flourished. In particular, the EU introduced a privacy directive for its member countries to implement into their national laws.
Inspired by the EU law, Quebec introduced the first private sector privacy law in Canada in 1994. This was an important step forward, but it also raised the potential and, of course, the prospect for a patchwork of provincial privacy laws. With the prospect of multiple, possibly conflicting, rules and gaps in privacy protection that could harm Canadians, the federal government needed to act. Canada required a national privacy standard to ensure consumer confidence and regulatory certainty for businesses.
At the outset of the new millennium, PIPEDA was created to address the privacy concerns arising from a period of technological disruption fuelled by the rise of the Internet. It provided a framework with robust privacy protections and the flexibility to support the legitimate needs of businesses to use personal information. It also provided a mechanism by which the provincial private sector privacy laws could be considered substantially similar. This meant that where such a law is accorded that designation, PIPEDA does not apply to an organization's activities within a province.
In 2004, Alberta and British Columbia passed private sector privacy laws that are considered substantially similar, as is Quebec's law. A number of newer provincial health information laws have also passed, since 2005, that have been appropriately designated as substantially similar.
PIPEDA would continue, however, to apply to the federally regulated sector in a province and to any personal information collected, used or disclosed in the course of commercial activities across provincial borders. This provided a stable regulatory environment and flexibility for the provinces, and supported Canada's trade interests for many years.
However, today we are faced with a changed environment. Today, in many ways, history is repeating itself, but the risks have evolved. The role of digital technologies is considerably more central to our lives than it was 20 years ago. Just consider our experience in recent months with the pandemic. To harness all that the modern digital world has to offer, we clearly needed to modernize our federal private sector privacy law.
In a globally connected economy, our laws needed to be consistent with those of other jurisdictions. Internationally agreed privacy rules, such as the OECD privacy guidelines, first introduced in 1980, were updated in 2013. So too, I might add, more recently, was the APEC privacy framework. Indeed, privacy laws based on these international norms have been changing and advancing in Europe, Japan, South America and New Zealand.
What have these changes entailed? Core privacy principles have remained, though some have been expanded, such as accountability and breach reporting. New elements, such as enhancing rights of erasure and mobility rights, a greater emphasis on transparency, more certainty for businesses and consumers through codes certification and stronger consequences for non-compliance, have been the principal hallmarks of many of these evolving changes.
Closer to home, this summer, Quebec introduced amendments to its private sector privacy law, and B.C. recently conducted a study on its own laws. Ontario too is considering introducing a new private sector privacy law. Stakeholders have told us they are worried about the burden of multiple laws with different requirements. They demanded harmonization here at home.
There is a clear need for the progress and reforms included in the digital charter implementation act, 2020. If we do not act, there is a risk of further fragmentation of privacy rules across the country. We need to keep up with changing technology and business practices, and incorporate the best international practices, protocols and safeguards in our own domestic laws. We also need to set a common standard for privacy protection for the private sector across Canada.
Like the current PIPEDA, the new CPPA would be grounded in the federal trade and commerce powers. It recognizes the very importance of doing business on a national basis and in an economy that must work across provincial boundaries. Also, like PIPEDA, it would provide for a mechanism to recognize provincial laws that are substantially similar. These regulations would set out the criteria and process for such recognition or for reconsideration of it, and would continue to provide the provincial flexibility that has been important to PIPEDA's success. CPPA, like its predecessor, would maintain the Privacy Commissioner's ability to collaborate and co-operate with his or her provincial counterparts, an important tool to ensure consistency.
As the emphasized earlier today, the focus should always be on compliance. Some ask why we cannot have just one national law. The answer, of course, is that Canada is a federation; there is a division of powers. Indeed, the provinces provide important coverage that a national law cannot, under our Constitution.
I would be remiss if I did not also acknowledge the international context.
We live in an interconnected world. Data are constantly flowing across borders. In 2002, the European Commission recognized PIPEDA as providing adequate protection relative to EU law, allowing for the free flow of personal information between Canadian and European businesses. However, in 2018, a new EU regulation came into effect: the General Data Protection Regulation. It updated many of the existing requirements and added strong financial penalties for contraventions. The EU is currently reviewing its existing adequacy decisions, including the one applying to Canada.
That is why the government launched Canada's digital charter in 2019. Its 10 guiding principles offer a firm foundation on which to build an innovative and inclusive digital and data economy. The principles of ensuring interoperability, a level playing field, strong enforcement and real accountability are clearly reflected in the digital charter implementation act.
I want to thank members for their attention today, and I can assure them that our approach to privacy protection respects the privacy rights of Canadians. It is pragmatic, principled, meets our trading needs and provides a consistent, coherent framework that Canadians and stakeholders can rely on.
With Bill , we will continue to encourage trade and investment and grow an economy that extends across provincial and international borders alike.
Mr. Speaker, it is my honour to rise again today to address Bill . This bill, when printed, is nearly an inch thick. It is a monster bill for around here. It is a timely bill, as well. I am looking forward to delving into it. I have not had the opportunity to read through it in great detail to this point, but I want to speak to it.
This is a top-of-mind issue for many Canadians. One of the things I want to point out right off the top is that when someone is online and a virtual persona, if they think they are getting a free product, they are actually the product. That is the thing to remember and many folks do not seem to realize that. That is something I have not seen in this bill, which is important. I think it is missing from this bill, although this bill may not be seeking to address that specifically.
There could be some sort of public awareness campaign, much the same as we have done with cigarettes. In the past, the public was trained that if someone smoked cigarettes, they would get cancer. We could do this for online profiles and show the dangers and what is going on out there.
As well, the member for mentioned what is actually happening with our data. We think we are filling out a fun game or personality test, but we are actually giving away data. It can be harvested commercially to send advertisements and promote certain products.
We continue to see more invasion of our privacy. I do not know about other members, but the thing that jumped out at me, during my first cursory read of this bill, was the term “algorithm transparency”. That is something I am really fascinated by.
On the weekend, my friend was telling me that he took his phone, laid it on the table and he and his friends talked about white rabbits for three to four minutes. They just said the words “white rabbits” often. Then they opened up his phone, went to Facebook and the advertisements he was getting were about white rabbits. Our phones are listening to us and there are algorithms that are promoting certain things.
We can probably turn that feature off and mute the microphones on our phones all the time if we know how to do that, if we care enough about it or are concerned about that kind of thing. There is a joke that the Chinese are listening to us. It is just an assumption that is being made. I do not think there is actually somebody listening on the other end, but there is an algorithm that is obviously listening to what we are saying and trying push products toward us that we are interested in.
The white rabbit story is interesting. It is not necessarily something that would come up in day-to-day discussions. However, I know that if we connect to someone else's WiFi then suddenly we start getting different advertisements. My cousin has a CNC plasma cutting table for cutting metal. It is really cool, but what is interesting is that when I go to his house and connect to his WiFi, which is also connected to that CNC plasma table, I start getting advertisements for CNC cutting tables. That is wild and fascinating. The algorithm transparency piece is one of the most fascinating pieces of this law.
Sometimes on Facebook, we get ads. We can click on the “X” to get rid of the ad. When an ad comes up, one wonders why they are seeing it. If I could get an answer for that, that would be amazing.
I am interested in that. What is being fed into the system that is promoting this particular ad to me? That is something I am really interested in knowing. At this point, there seems to be no recourse whatsoever to know why these ads show up. In my virtual personality that lives out on the Internet and in the data collected on me, what recent actions in particular have I undertaken that have driven this particular ad into my feed? I am fascinated to see if we are going to be able to bring that transparency with this bill. I am not necessarily convinced we will be able to do it, but I am fascinated by it.
The other piece I do not think this bill addresses at all is the question of social media platforms or Internet platforms being message boards or publishers. This continues to be a sticking point. There have been committee hearings with the major social media platforms, and we have seen countries around the world seek to grapple with this issue. This is precisely what governments ought to be doing.
What it means to govern and to legislate is to come up with a system that balances the interests of all people in a way of our choosing. That is what it means to be in a democracy. That is what it means to be governed by ourselves, so to speak. In many cases we see effective lobbying efforts by organized groups, and in particular commercial interests, that do not necessarily allow the government to get that balance right.
We see in the news how we grapple to enable this. Some large social media platforms have amassed a wealth that exceeds that of many nations. Some of the largest nations in the world are able to compete with this, but many smaller nations do not have the resource capacity many of these large media companies do, so there is tension there. I compliment this bill in that it is attempting to have that discussion.
Do I trust the Liberals to get it right? No, typically not, but I commend them for bringing this forward and beginning the conversation. This is going to be a long conversation. Like I said before, this bill is an inch thick.
The member for just made a comment. I do not quite know what he said, but I am sure he was complimenting me on my speech. I thank him and appreciate that.
Around algorithmic transparency, the piece that is really important, and that I do not think this bill quite grasps, is whether platforms are curating content, publishing it or choosing winners and losers. The algorithmic transparency of that is a big concern for me, and I know it is a big concern for many people across the country. It is interesting this is a concern for people both on the right and the left. It is a concern for all the political parties. It is a concern for ideological differences, and in general for what is curated and what is deemed to be on the platform.
This is also a concern for the platforms themselves, in that one particular message that comes from a platform can then become part of a mob mentality. People could then really go after it.
There is no protection, necessarily, for platforms because there is ambiguity about whether they are responsible for messages on the message board and, if they are, whether they are liable as a newspaper would be. That is the major challenge.
While I am not convinced, at this point, that we will get algorithmic transparency in that sense, it is important to be able to tell people, “This is our algorithm, this is how messages get on the board. We are not responsible for the messages and, therefore, this is how the system works.” There is no human input. It is just a sophisticated method of getting messages in front of people that they want to see, that they think are interesting and that they find helpful.
For the most part, I would say we are getting that right. Where there is some concern is about political messaging. We have already seen that Facebook has worked hard on that, but there is always a spectrum, I would say, of political messaging. There is explicit party messaging, which is relatively easy to monitor and manage, but then there is political messaging that goes farther afield. When it is a random, individual Canadian doing political messaging, how is that managed? That is when it will be really important for us to get the algorithmic transparency piece right.
There is another thing I am interested in seeing and have not seen. Part of the government's rollout on this bill has been pushing freedom from hate and from violent extremism. That is important to me. The managing of the Internet and platforms around violent and degrading sexually explicit material has been something I have worked on in this place. It was in 2017 that the House unanimously passed a motion for the government to study the impacts of violent and degrading sexually explicit material.
This was something that had not been studied since 1985. I was not even born in 1985, so that tells us it was a long time ago. The member for is shaking his head at me. I am not sure what that belies about me or him, but it was a while back, before I was born and before the Internet existed.
A study on the impacts of violent and degrading sexually explicit material was done in 1985. I remember distinctly, in 1991, going to my uncle's house. He had gotten the Internet. I had heard about it and said I wanted to see the Internet, so he showed me where the phone line plugged into the wall. I asked if that was it and he said we should look at it. He turned his computer on. It had a giant monitor and a big tower beside his desk that hummed. Members may remember the sound coming through the speaker of dial-up Internet. I remember, for the first time ever, seeing the Internet. We went to dogpile.com, which was an early search engine. That was the beginning of the Internet for me, in 1991.
Here we are nearly 30 years later, and we are still grappling with how to manage this. It is a public information highway. There are public highways all over the country, and the government manages a licensing system for folks who get to use the public highways and roads. There is no controversy around that. It seems like an effective way to manage it. Given that it is tangible and we can see it in front of us, that is a manageable thing. In reality, we are dealing with the information highway. Up to this point, there has been very little direction on the role of the government in managing the expectations of Canadians.
Many parents who I have talked to are looking for tools they can use to protect their children online, and they are not satisfied with being told they should just be better parents. They say they want help from the Internet service providers. They want help from their government. They want the ability to have some recourse with these large platforms. I am interested to see that.
The government says the Internet should be free from hate and violent extremism. That is something that I support notionally. Video imaging is the area where I am most concerned. In the other direction, I am concerned about free speech, and particularly the use of words and typed messaging. That, I guess, is a little harder to manage. However, particularly with images and video content, I think there is a lot of room for the government to operate in, especially with the violent and extremely degrading sexually explicit material that we have seen since 2007.
Since then, we can chart the impacts of those on Canadian society on a number of different indicators, and they have gotten worse. We see this particularly with our children in terms of the loneliness index going up and the isolation index going up. All of these things are exacerbated by the COVID lockdowns.
These are all things that we need to ensure come into this. Freedom from hate and violent extremism is necessary, and we have to get that right. This is what governments are built for. This is what we need to do, and we have to get it right, so I am looking forward to continuing debate around that.
The last thing I want to point out, which I find to be a little interesting, and I am hoping for some answers on from the government side, is this bill, the procedure of the House and how this bill will roll out over time. I must say this bill was unceremoniously dumped on Parliament. I was not anticipating it. I have been working on these issues for a while, and it was not something that was clearly on my radar.
I had written to the around this issue, and I was wondering how he was going to manage it, because I do remember seeing in his mandate letter that he was to try to remove hate and violent extremism from Canada through the Internet. I had some ideas and concerns around that, so I had written to him about it. I did not receive any feedback back saying the bill is coming, so I was a little surprised that this bill came when it did.
The other thing that I am really looking for an answer on is why the rumour around here is that this bill will be going to the ethics committee. I am wondering why the bill is going to the ethics committee. This seems like a bill built for the industry committee. That is typically where this would be dealt with, so I am left wondering. The ethics committee is seized with a number of other issues, and I am wondering why this bill would be rumoured to be headed toward the ethics committee, when industry seems like the committee that would be more in tune with where we would like to go with this particular bill.
I am going to be continuing to monitor the debate around this bill. I am looking forward to having a robust debate. I know that, given the size of the bill, we will be discussing it for a while, whether in this place, in the other place or in the committee, as well as out there in the general public.
I know that this will be a hot topic of discussion. I look forward to continuing that debate, and I look forward to the questions.
Mr. Speaker, I would like to start by saying that I will be splitting my time with the member for Richmond Hill.
I am speaking here on the traditional unceded lands of the Algonquin people.
At the outset, I want to thank the and his team for bringing forward Bill , an act to enact the consumer privacy protection act, CPPA, and the personal information and data protection tribunal act. These are important aspects as we, as a country, address the issues of privacy in relation to the enormous amount of information that is constantly gathered, and exists about all of us.
We are in an age when with a cellphone we have more information at our disposal than several libraries put together. We are able to access personal information about virtually anyone who has a public profile, and certainly about anyone who has created a profile in one of the major platforms, whether it be Facebook, Twitter, Instagram, TikTok or LinkedIn, and the list goes on.
These have posed obvious questions for all of us as policy-makers or even as individual consumers in terms of how this information is used, how it is reproduced, copied and misused. We have seen the worst of it over the years in platforms like Facebook where information may have been reused over and over again.
At the centre of this legislation are three major aspects. First and foremost is consumer control over individuals' personal information that is out there.
Second, it is about innovation. I know the previous speaker spoke about the balancing act that we need in order to ensure free speech and privacy.
The third element is to make sure that innovation continues. Innovation is absolutely important for a country like Canada. I know many innovators in my community who have done exceptionally well. I have spoken about many of them here. The University of Toronto Scarborough campus has a hub in which many local innovators have come forward and have developed in my riding of Scarborough—Rouge Park.
Members may know of the company, Knowledgehook. It is a company founded by my good friend Travis Ratnam. The company was just given additional funding of $20 million to expand the program. It is a platform that allows students and teachers to work together to use AI, devise curriculum and make sure that the weaknesses of each student are highlighted to the teachers so that the teachers can respond.
In all of these new forms of technology, there are questions of privacy. We worry about the relationship between, for example, companies gathering data for the purpose of insurance, whether health, life, or auto insurance, and the data that sometimes is readily captured in our day-to-day use.
All of these issues have become pronounced during COVID. We see that education, for example, is now online for many students whose parents choose to have their kids study from home via the Internet; or for many post-secondary students who are studying virtually. I always go back to the University of Toronto Scarborough campus, which is located in my riding, but there is also Centennial College, where most of the students are learning virtually. These again have complicated the challenges for ensuring that privacy is maintained.
The digital charter that is before us does really allow for consumers to have control over their personal information, and it allows for innovation and a strong enforcement oversight. Sadly, the enforcement aspect has been quite weak in Canada over the years. We do not have adequate enforcement. In fact, technology itself is hard to enforce, whether in Canada or other parts of the world.
The enforcement mechanism that is built into this legislation is critically important for us to look at. It is what makes this legislation accessible to individuals who may have a complaint. The enforcement mechanism looks to have individuals appointed through the order in council process.
I want to speak about the way our government, since taking office in 2015, has managed to put together proper processes to appoint individuals to these important bodies, including judiciary and administrative tribunals, but also other bodies that make critical decisions.
We are focused on ensuring a merit-based system that ensures the individual is fully qualified to make decisions on a particular issue. For me, my work on the Standing Committee on Immigration and Refugees was a great learning experience. I saw first-hand how the IRB was transformed from a patronage-based appointment process to one that is merit-based. We see decisions coming out of the IRB that are fully reflective of the quality of candidates we put on those boards.
When we look at appointments, it is meritocracy, but also diversity. We note that in previous governments, judicial appointments have often been focused on men. In fact, in the last several years, we have now achieved gender parity. We are looking at enhancing that and we are working toward greater diversity among other groups in Canada, including people with disabilities. I believe the enforcement mechanism is critical and we have taken concrete steps in that regard.
To note, there are monetary penalties that this tribunal could issue. For example, there is a penalty of 3% of global revenue or $10 million for non-compliant organizations. For a company like Facebook, Google or one of the major outfits, 3% of their global revenues is significant. The maximum penalty is 5% of global revenue or $25 million for certain types of contraventions.
The government and the have brought forward a very important piece of legislation. It appears to have the support of all parties. I am particularly impressed with the data protection tribunal act that is built into this bill and the mechanisms that allow for individuals to access the type of redress that is required.
I look forward to questions from my friends opposite.
Mr. Speaker, I am pleased to rise today to speak about the digital charter implementation act, 2020. I want to talk specifically about the balanced approach to the compliance and enforcement set out in the consumer privacy protection act, also known as the CPPA.
Canadians have told us they want to see strong consequences for those who mishandle their personal information. Financial consequences can be an important tool in protecting Canadians’ privacy, but so is helping organizations comply with the law at the outset.
I am pleased to say that the CPPA takes a very balanced approach to compliance and enforcement. It would help companies get privacy right from the ground up, and takes a phased approach to enforcement to correct problems as soon as they are discovered. The CPPA would incentivize organizations to get their practices right from the start, and the Privacy Commissioner would have a prominent role in supporting these organizations.
Under the CPPA, businesses would be able to approach the Privacy Commissioner for a no-risk review of their privacy management program and help them comply with the law. The commissioner could also ask to review their business programs, without using what he finds in an enforcement action. This is a very important step in early correction of problems. Under the current privacy regime, companies subject to the law are already required to establish a privacy management program, which would be maintained in the CPPA.
Privacy management programs can cover a wide range of issues, such as how companies handle service providers or third parties that support their businesses, how they respond to security breaches, privacy risk assessments, mitigation measures undertaken, and so on.
However, what is new is enabling the Privacy Commissioner to have a look at these policies and practices outside of an investigation. This would provide a safe space in which the commissioner could provide advice and companies could quickly take action. At the same time, the commissioner would benefit from examples of the challenges organizations are facing and their needs in the privacy space.
We know Canadian companies, especially smaller ones and those starting out, will be very interested in these changes.
The CPPA would also recognize not all organizations are the same. Some deal with minimal amounts of personal information, and for others it is central to their business model. Therefore, the CPPA would allow organizations to develop their programs according to the volume and sensitivity of the personal information they handle, as well as a company’s revenues.
The Privacy Commissioner has had a long-standing role in undertaking research and publishing guidance. The has also long had the ability to ask the commissioner to conduct research on privacy issues. This ability would remain in the CPPA. However, the minister would now be able to ask the commissioner to conduct research into the implementation or operation of the act. This would help the government know how well the law is functioning.
The Privacy Commissioner has prepared a lot of guidance materials over the years. We support this vital role. We want to reinforce a long-standing practice of the Privacy Commissioner to consult with stakeholders in guidance development. This practice would now exist in law so that guidance can be informed by what is happening on the ground.
The Privacy Commissioner would also consult with government institutions where relevant. There may be times when government policy may be implicated, such as with trade policies or public health.
These past months have shown us how vital it is for federal organizations to have a unified response on our most pressing challenges. By legislating, we are providing certainty to Canadians that guidance has been discussed with those on the ground.
I have stated how the bill would ensure organizations build privacy considerations from the start. Working with organizations and giving guidance individually is a fundamental role of the Privacy Commissioner. We want to avoid any problems, but there will be organizations that do not get things right.
The law provides individuals with the right to challenge an organization’s compliance with the law, and it allows them to file complaints with the Privacy Commissioner. This is an important exercise of their privacy rights, and the Privacy Commissioner retains his ability to initiate a complaint investigation where there are reasonable grounds to do so. The CPPA would also encourage the resolution of problems as early in the process as possible, and the bill would provide for dispute resolution.
Compliance agreements, a new tool introduced under PIPEDA, would remain in the CPPA. Companies are encouraged to come to the table to work out an agreement with the commissioner, without resorting to more formal measures such as orders. If no resolution is possible under PIPEDA, the commissioner would make recommendations at the end of an investigation and the matter may go to court. The court would then start again, with a new proceeding, and maybe it would issue an order. Few cases have gone that route, however.
Under the CPPA, the commissioner would be able to issue orders as well. To ensure fairness, a new process, called an inquiry, internal to the Privacy Commissioner’s office, would be introduced prior to issuing orders. Once the inquiry is over, the commissioner would issue his findings and decisions and may make orders to an organization to change its practices to bring it into compliance.
The Privacy Commissioner may also recommend administrative monetary penalties, or AMPs, to a new tribunal for certain contraventions of the CPPA. The personal information and data protection tribunal would hear any appeals of the commissioner’s decision and, if required, would decide whether to issue an AMP and, if so, the amount.
In our consultations, many industry stakeholders expressed concern over AMPs, which have the potential to significantly affect an organization’s bottom line and even put smaller companies out of business altogether. By introducing an inquiry phase before issuing orders, and by separating the imposition of AMPs from the commissioner’s other responsibilities, the CPPA would support additional due diligence in decisions to impose AMPs.
We anticipate that some organizations will challenge the commissioner’s orders and recommendations. We do not wish to burden the courts. This is another reason for introducing a new tribunal. It is intended to be less formal than the court and ease access to justice for organizations and individuals. After the tribunal issues a decision, if an organization or individual wants to, they could proceed to federal court and request judicial review.
As my colleagues can see, overall this is a very balanced and phased approach. The CPPA would place strong emphasis on proactive compliance activities, such as reviews of the privacy management programs, guidance development and consultation. When there are possible contraventions, the goal is resolution. If that cannot be achieved, matters would become more formal. This graduated approach to enforcement is built on the foundations of fairness, transparency and meaningful opportunities on all sides to achieve compliance, which is what we know Canadians want.
Many have said that Canada’s private sector privacy law needs more teeth. The digital charter implementation act, 2020, would give it that, and it would do it in a way that organizations that want to do the right thing have the incentive to do so from the start.
I am thankful for the opportunity to speak about how this important bill works to address Canadians' concerns in a measured way.
Mr. Speaker, it is a great opportunity to rise today to speak to Bill .
We are surrounded by data that seems to be out of control, lost by corporations, sometimes stolen from governments. Data that we voluntarily give up about ourselves is being collected billions of bytes at a colossal rate. It has a tremendous impact on our privacy and what is being calculated or inferred about us in our daily lives, such if we have a good credit rating, or if we can buy a car or when we go for drinks with a colleague. All of this is very much apparent today, particularly during this health crisis when people are definitely at home and using the Internet to a greater extent.
Everything we do today has some impact on data. Whether we take an Uber or order a meal, that data is collected. Quite frankly, we need to ensure people's privacy is protected.
Why does privacy matter? It is a question that has arisen in the context of this global debate, made worse by this pandemic, where millions around the world have come to rely on computers to carry out a function for their very lives. When we hear arguments about Internet privacy. A lot of what we hear about this mass surveillance is that there is no real harm due to this large-scale invasion, that people have nothing to hide. Those engaging in bad acts have a reason to want to hide and care about their privacy.
This is presupposed on the assumption that there are good and bad people in the world. Bad people who plot to take down governments and plan public attacks are the people who have reason to care about their privacy. By contrast, there are good people, people who go to work, pay taxes, care for their children and use the Internet, not to plot civil destruction but to read the news and find recipes. These people are doing nothing wrong and have no reason to hide.
In a 2009 interview of the long-time CEO of Google, Eric Schmidt, when asked about the different ways his company was causing the invasion of privacy for hundreds of millions of people around the world, he said, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.” There are many issues with this statement, one being that this is the very Eric Schmidt who blocked his employees at Google from speaking with the online Internet magazine CNET after it published an article full of personal private information, which was obtained exclusively through Google search and Google products.
A few short decades of the Internet, once held as an unparalleled tool of democracy liberalization, have been converted into an unparalleled zone of mass indiscriminate collection. Enter 2018, when the EU has set the global standard for privacy regulation with the flagship general data protection regulations, known as GDPR, signalling to Canada that our 1990s era of the Personal Information Protection and Electronic Documents Act did not have the teeth to take on big tech.
Bill would bring in additional privacy regulations. Replacing PIPEDA with CCPA would provide an opportunity for greater detail within the law rather than just relying on the interpretations of the Privacy Commissioner. This is a good thing.
The structure will include a personal information and data protection tribunal that will play a key enforcement role by reviewing all commissioner decisions and issue penalties for non-compliance. There will be an expert tribunal composed of three to six members, but interestingly enough it says there may be only one expert, which may be a deficiency in the act.
What are these new privacy rights? One is data mobility. Subject to regulations, on the request of an individual, an organization must, as soon as feasible, disclose the personal information that is collected from an individual and to an organization designated by the individual. Data mobility is a fact of life and this is a good thing. What format that data will be transferred in will need to be discussed.
On algorithmic transparency, if the organization has used an automated decision process to make a prediction or recommendation, then the organization must, on the request of an individual, provide an explanation of the prediction, recommendation or decision and the personal information that was used to make the prediction. It seems like a reasonable intent and is something it should be able to do without giving up the code.
With respect to de-identification, the bill states:
An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified...
Then there is the new enforcement. The Privacy Commissioner of Canada will have the order-making power that will enable the office to order compliance with the law and recommend significant penalties.
I should mention I will be sharing my time with the member for .
In some cases, the recommended penalties are the highest in the G7, so they are significant. The expanded range of offences for contraventions of the law are a maximum fine of 5% for a global revenue of $25 million. There are administrative penalties as well.
One of the issues I see with this is that the legislation and penalties invoke fear, but there will be a question of whether there is adequate teeth for enforcement.
The law includes whistleblowing provisions that protect those who have disclosed alleged privacy non-compliance and a private right of action that will allow individuals to seek damages for loss or injury suffered through privacy violations.
There are new standards of consent. This has been a big issue for individuals. How many people have signed up to a site, with three pages of disclosure to which they are supposed to consent? I would argue that very few people will actually read that kind of detail. Therefore, there is an attempt within the legislation to use clear language and simplified consent. Given the depth of the legislation, that may be a difficult thing to achieve, but is a worthwhile goal.
Deceptive practices to obtain consent with false or misleading information renders the consent invalid and individuals can withdraw their consent at any time. There is the question of whether people are providing consent for multiple activities or just an individual activity. That should be clarified.
The realm of data is largely uncharted territory and we find ourselves asking the question of who owns our data. Our opinion is that people own their data and they should own their data.
The word “consent” is mentioned 108 times in the GDPR. In the first reading of Bill , it was mentioned 118 times. This sounds great. Who could possibly be against the consent of data? Challenging consent seems counterintuitive in the world of privacy because it is so linked to us and our autonomy. However, it is both impractical and undesirable and serves to explain why our privacy law is in such a sorry state. It is imperative the legislation is written with as little room for interpretation as possible.
There are some standards within that bill. It states:
An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2)...
Under that subsection, it states:
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
The issue is this. If that is subject to interpretation, we could have a pretty broad interpretation of what it says. Hopefully this act, with the regulations that follow, will clearly define what is in and what is out.
At the end of the day, if we are using services, many services are disrupting, shaping and helping our lives in ways we could not have possibly imagined mere decades ago. Whether we like it or not, it is big tech that has provided these realities for us and the government should, as with any other key stakeholder, create meaningful, effective and collaborative policy but require consultation. It is one thing to consult in front, but now that we have legislation, we need to ensure we get it right. We need to ensure that industry, particularly small businesses, remain competitive. The bill is being sent for review to the privacy and ethics committee. There is a strong argument that industry committee should have a look at this bill as well.
Therefore, proper consultation must happen. There is nothing wrong with doing that. I hope the government will ensure the bill is properly consulted on.