moved that Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, be read the second time and referred to a committee.
He said: Mr. Speaker, it is with great pleasure that I rise today to discuss Bill C-11, the digital charter implementation act, 2020.
As members know, data and digital transformation is completely changing the way we access information, buy goods and services, connect with each other and live in our communities and cities. This digital transformation has been accelerated by the pandemic, and we are seeing more Canadians moving their activities online. Canadians are using more digital services and sharing more data online than ever before. They want to know that their personal information will be safe and that they are protected.
Recently, the Privacy Commissioner surveyed Canadians and found that the vast majority of Canadians, 92% of them, are concerned about the protection of their privacy, so this is an important issue to many Canadians. That is one of the reasons why last year I launched the digital charter, a set of 10 principles that lay down the foundation that will allow us to build an innovative, digital economy that is inclusive, people-centric and built on trust.
The principles of Canada's digital charter give Canadians more control over their data while helping Canadian companies innovate, grow and create quality jobs for middle-class Canadians across the country.
I would like to take this opportunity to remind members that the principles of the digital charter were very clear, and they focused on control and consent. Canadians will have control over what data they are sharing and who is using their personal data and for what purposes, and will know that their privacy is protected. This is one of the key principles we laid out in the digital charter.
Transparency, portability and interoperability will enable Canadians to easily manage access to their personal data and to transfer it without undue burden.
Data and digital for good is another principle that was laid out in the digital charter. The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people at home and around the world. How can we harness data to solve problems?
Another key element was strong enforcement and real accountability. There will be clear, meaningful penalties for violations of the law and regulations that support these principles so that Canadians can rest assured that their privacy will be protected.
As members will see, the principles of the digital charter are firmly embedded in the legislation before us today. On top of this foundation sits three pillars: consumer control, responsible innovation and a strong enforcement and oversight mechanism.
Let me begin with outlining how Bill C-11 would give Canadians more control and greater transparency in the manner in which companies handle their information. It would do this by introducing important rules for consent, the right to delete information, data mobility and algorithmic transparency.
With regard to consent, Bill C-11 would enhance consumer control by requiring organizations to get meaningful consent from Canadians. This means individuals would get specific information in plain, simple language, not the 30-page legal document that no one reads. This, in turn, would allow individuals to make meaningful choices about the use of their personal information.
To make consent more meaningful and move away from lengthy agreements that, as I said, no one reads, we are introducing a new exception to consent for the collection and use of information for standard business activities that would be reasonably anticipated by individuals.
Here is an example in plain language. When a customer buys something from a company and gives that company their address, the company can give that address to a delivery company so the customer can get the product they paid for.
Under the law, that company would need to be transparent about how it uses personal information so that consumers are made aware of this and that the Office of the Privacy Commissioner can review these practices.
The second element I want to talk about is the right to delete information. Bill C-11 would allow Canadians to withdraw their consent and demand that data be deleted. When individuals no longer want to do business with an organization, that organization must stop using their information and must delete it permanently if it is asked by individuals. This would, for example, allow a Canadian to demand that a social media site delete their profile. It is very simple, but very powerful.
The next area the bill highlights is data mobility. To improve their control further, individuals would also have the right to direct and transfer their data and information from one organization or entity to another organization or entity in a very secure manner. Bill C-11 would do this by enabling regulations that establish frameworks for secure transfer and interoperability. This approach would support innovation in areas like open banking, where a common technical approach could allow Canadians to take advantage of the consumer-directed financial marketplace in a more secure way.
Another area the bill touches on, which was highlighted through extensive consultations, is algorithmic transparency. In the area of consumer control, Bill C-11 would improve transparency around the use of automated decision-making systems, such as algorithms and AI technologies, which are becoming more pervasive in the digital economy.
Under Bill C-11, organizations must be transparent that they are using automated systems to make significant decisions or predictions about someone. It would also give individuals the right to an explanation of a prediction or decision made by these systems: How is the data collected and how is the data used?
This is a brief summary of what is found in the first pillar of this legislation under more consumer control.
The second pillar of Bill C-11 is enabling responsible innovation.
The digital economy creates significant opportunities for Canadian businesses. Digital activity accounts for 4.8% of Canada's GDP, and when it comes to research and development in this country, no other private sector industry outperforms Canada's information and communications technology sector.
Investment and data has climbed as high as $40 billion. Across the economy, Canadian companies' data is worth as much as all other intangible assets, such as software, research and development, and mineral exploration rights combined. Therefore, we can see the potential of data not only today, but going forward.
Globally, we are seeing unprecedented growth in the technology sector, growth that is only going to pick up as artificial intelligence continues to grow and have a more meaningful impact in our lives. According to some estimates, AI is going to contribute an additional $13.7 trillion to the global economy by 2030.
The government also understands the importance of giving companies clear rules that enable them to innovate while still protecting Canadians' privacy.
Trust is the cornerstone of economic growth and innovation. When Canadians are assured that their data and privacy are safe and protected, it creates space for the kind of innovation that benefits everyone.
Our government believes that greater trust and certainty in the digital marketplace will empower small businesses and entrepreneurs to create news jobs and opportunities, expand their operations and better access the global marketplace.
It is also important to note that the new legislation would help small businesses prosper as well by ensuring that rules for data and privacy are fair, clear, enforced and flexible enough to meet the needs of smaller organizations.
One area that does that is the codes of practice and certification systems. To enable responsible innovation, Bill C-11 would create a framework to recognize the use of codes of practice and certification systems. This would help organizations both comply with the law and demonstrate their compliance, which, in turn, would support innovation and provide an important balance to a strengthened enforcement regime.
Organizations would be able to apply to the Privacy Commissioner to approve a code of practice outlining how the act's general requirements apply in a particular sector or activity. This would give businesses some certainty that if they are following the code they are in compliance.
I also want to highlight de-identified information. Bill C-11 would also clarify how organizations are to handle de-identified personal information. This would enable an important mechanism for both privacy protection and innovative uses of data, which would benefit many small businesses.
Lastly is data for good. In this area, it is important to note that under the second pillar of enabling responsible innovation, Bill C-11 would recognize an exception to consent for socially beneficial purposes in order to clearly allow organizations to support innovative data initiatives such as data trust, which is pursued by a range of public institutions, including hospitals, universities and libraries. There is so much potential with data trust because it can enable us to unlock some of the opportunities that exist to solve some problems across our society.
The next element I want to talk about is strong enforcement. Perhaps more importantly, the proposal would significantly strengthen the enforcement and oversight regime. This is critical.
With this proposal, we will have some of the toughest financial penalties in the world for violating our laws.
Currently, the Privacy Commissioner has little ability to enforce his recommendations on organizations that are non-compliant, other than seeking a hearing by the federal court. Under Bill C-11 this would change. The legislation would introduce a strengthened privacy regime that would be overseen by a more powerful Privacy Commissioner, with appropriate checks and balances in place.
The Office of the Privacy Commissioner would have broad order-making power, including the power to force an organization to stop collecting or using information and delete it. If the Office of the Privacy Commissioner found out that data was collected without appropriate consent, he would have the ability to do this.
As well, the Privacy Commissioner would make sure there is strong and meaningful consequences for organizations that do not comply with the law. The Privacy Commissioner would have the power to recommend administrative monetary penalties of up to $10 million, or 3% of global revenues, whichever is higher. The range of serious criminal offences would also be expanded, with a new maximum fine of up to $25 million, or 5% of global revenues, whichever is higher.
The legislation would introduce the new personal information and data protection tribunal, which would review appeals of the commissioner's orders and levy penalties.
This new administrative tribunal will help ensure procedural fairness in how the commissioner applies the new and enhanced enforcement powers. It will provide individuals and organizations with easier access to justice through a less formal mechanism for appealing decisions.
This enforcement regime would recognize that early compliance with the act remains critical and that is the key part. Early compliance will remain critical for the protection of Canadian privacy. We need to build on the commissioner's existing abilities to secure early resolution through compliance agreements. We want to make sure that Canadian companies actually comply with the legislation.
This new regime would see stronger collaboration between the Privacy Commissioner, stakeholders and implicated institutions, including federal organizations. When the commissioner is developing that guidance, it is important to have that level of collaboration. This will ensure there is a strong alignment between the law and how it is explained and enforced, and help avoid confusion for those trying to follow it. Again, this will provide further clarity.
To summarize, the third pillar of Bill C-11, strong enforcement and oversight, would introduce an escalating model that provides incentives for organizations to comply early. The focus is on compliance. Strong penalties will exist if they do not follow through. There will be a new tribunal to ensure the process will be fair, transparent and accessible for businesses of all sizes.
The three pillars of Bill C-11 work together to provide what Canadians need to engage in the digital economy: strong and enforceable protections for personal information, along with clear rules for businesses to follow as they innovate and deliver new products and services.
It is also important to note that the legislation would help protect the privacy of Canadians, while strengthening the ability of Canadian businesses to compete globally. This positions Canada to succeed internationally.
When PIPEDA was introduced in 2000, it was considered a global leader among data protection laws. In 2002, the European Commission found that PIPEDA provided adequate protection relative to EU law. The finding of adequacy gave us an international edge by allowing us to have free flow of data between Canadian and EU companies.
More recently in 2018, the EU brought into force its GDPR, the general data protection regulation. Since then, the EU has been reviewing Canada's adequacy against the GDPR. They have made it clear that we must reform our privacy regimes in order to maintain our advantage when it comes to this status. I believe the legislation would achieve GDPR adequacy while maintaining the made in Canada approach.
Lastly, I want to conclude by mentioning stakeholder reactions. This approach reflects years of public study, consultations and collaboration. It builds upon the fundamental work of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, as well as important deliberations in the other place.
I can tell members the legislation has gained support from a wide range of stakeholders. Goldy Hyder, the president and CEO of the Business Council of Canada, spoke positively about this. Michael Geist, who is well recognized in this area of expertise, said this is “Canada's Biggest Privacy Overhaul in Decades”. OpenMedia calls Bill C-11 “a big win for privacy in Canada.”
We know that Canadians will continue to use digital services that require the use of their personal data, and we know there is no turning back.
I will conclude with this last remark.
As the COVID-19 pandemic continues to increase our reliance on the digital economy, Bill C-11 will help Canadians embrace this new world, knowing that their personal information is protected and safe.