Mr. Speaker, as many of my colleagues already indicated, this is a large and complex bill, and we believe that its individual components are too important for them to be considered as one part of an omnibus bill. I am pleased with the ruling of the Speaker.
There are three separate pieces of legislation to this bill. In part 1, the consumer privacy protection act would repeal and replace decades-old measures concerning personal information protection. In part 2, the personal information and data protection tribunal act would strike a tribunal to administer penalties for violations of the CPPA. In part 3, the artificial intelligence and data act is brand new to the bill and sets up a framework for design and use of AI in Canada, which is almost entirely unregulated.
Long before the widespread use of the Internet, our Supreme Court was clear that privacy is at the heart of liberty in a modern state. The government should be taking every opportunity possible to enshrine privacy in our laws as essential to the exercise of our rights and freedoms in Canada. As Daniel Therrien stated in the Toronto Star earlier this month, “democracies must adopt robust solutions anchored in values, not laws that pretend to protect citizens but preserve the conditions that created the digital Wild West.”
The value of privacy should anchor the bill. Instead, the bill fails right out of the gate. The preamble states:
the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada
Placing this value in the preamble of the bill where it has no teeth raises distrust rather than confidence that the government truly respects Canadians' privacy rights. The CPPA would require organizations, companies or government departments affected by the bill to develop their own codes of practice for the protection of personal information. While these codes must be approved and certified by the Privacy Commissioner, one can only imagine the variation of protection that would result. This requirement would add significant red tape and would be yet another onerous task borne on the backs of small and medium-sized businesses, which employ most Canadians. It would also create more work for the Privacy Commissioner in parsing through complicated codes created by larger, wealthier, powerful corporations, companies or government departments that have legal teams whose sole purpose is to find creative ways to perhaps game the system.
Although it would take more time and investment up front, the better option, in my mind, would be to create a standard code of practice that all entities have to follow. This could certainly be taken on as one of the first responsibilities of the expanded Office of the Privacy Commissioner in defining the universal code of practices, where confidence in the process would be greatest and where the greatest level of concern for individual privacy actually exists.
This bill states that personal information can be transferred without Canadians' consent for purposes ranging from research to analysis to business purposes, but it must be de-identified before this can take place. At first glance, this is a positive measure until it is compared with anonymization as an alternative. According to the bill, de-identify means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” That leaves much to be desired when compared to the anonymization of personal information. In the bill, anonymize means “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
Any attempt to identify individuals from de-identified information is prohibited, except in approved circumstances. While many of these approved circumstances relate to the ability of an entity to test the effectiveness of its de-identification system, the potential for abuse still exists. This bill would be improved by eliminating those chances for abuse. We should examine replacing de-identification with anonymization wherever possible.
In comparing Bill C-27 to the EU regulations, we see there are several ways in which the CPPA does not live up to what is widely considered to be the international gold standard of privacy protection, which is the European Union's 2016 General Data Protection Regulation, or GDPR. There is a glaring example of Bill C-27's inferior protections: The GDPR processes personal data in such a manner that it can no longer be attributed to a specific individual without the use of additional information kept separately, subject to technical and organizational measures. This is a security and privacy-by-design measure of the GDPR.
Regarding what Bill C-27 considers to be sensitive information, there is nothing to indicate what sensitive information actually entails. It is also limited in its application. Only the personal information of minors is considered to be sensitive. All information Canadians surrender to any entity should be considered sensitive. On the other hand, the GDPR possesses a particular regime for special categories of personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data and data concerning health, sex life and sexual orientation.
We are happy to see that consent is better defined in Bill C-27. However, exceptions for activities not requiring consent would remain in place. Some of them are so broad that an entity could interpret them as never requiring consent. These are loopholes that Canadians should not have to endure when they are required to check the box that they have read and accept terms before they are able to interact with a digital site.
For example, legitimate interests in a given situation may be used by companies to disregard consent. There is a danger that these interests will outweigh potential adverse effects on the individual. Attempting to define legitimate interests allows for too much interpretation, and interpretation is not something that lends itself to privacy laws. The use of personal information could also be exempt from consent if a reasonable person would expect the use of their information for business activities. There is no definition as to what a reasonable person is.
The bottom line is that there are far too many loopholes and vague terms. For the savvy, wealthy or well-lawyered, the potential for abuse exists. The GDPR, conversely, is unequivocal on consent. It must be freely given, specific, informed, unambiguous and in an intelligible and accessible form, and is only valid for specific purposes. Canada should have followed that example. Canadians cannot help but wonder why Bill C-27 does not.
Under the proposed CPPA, there is no minimum age for minor consent, nor is “minor” defined. In the EU, the GDPR sets out a minimum age for a minor's consent at 16 years of age. Member states also have the flexibility to allow for a lower age, provided the age is not below 13 years.
If a breach of personal information does take place, Bill C-27 would make Canada slower to respond than its international counterparts. This bill mandates that a notification be made to the Privacy Commissioner of any breach that creates a real risk of significant harm as soon as it is feasible. The individual affected would also need to be informed, but, again, as soon as feasible.
The GDPR sets out that a mandatory notification must be made to the supervisory authority without undue delay, or 72 hours after having become aware of the incident in certain circumstances. Prior to the introduction of this bill, Canada was lagging behind internationally, and it still is, even after. The GDPR is already six years old. That is six years of extra time during which the Liberals have failed to develop this legislation to meet the robust international standard.
In Bill C-27, the Privacy Commissioner would be empowered to investigate any certified organization for contravening the act. The commissioner has been rightly asking for increased powers and responsibilities for some time, and this goes beyond a mere recommendation to violators to stop their actions. The commissioner would be able to recommend greater penalties of no more than $20 million or 4% gross global revenue for a summary offence, and no more than $25 million or 5% gross global revenue for an indictable offence.
These penalties should add more bite to what the Privacy Commissioner can do and impact how Canadians’ personal information will ultimately be treated. The penalties would also apply to a greater number of provisions, such as actions that contravene the establishment and implementation of a privacy management program and failure to ensure equivalent protection for personal information transferred to a service provider.
However, these new powers for the Privacy Commissioner hit a dead end when taken in context with the second part of this bill, which establishes a tribunal. The personal information and data protection tribunal would consist of no more than six members, and only half of those members must have experience in information and privacy law. The Privacy Commissioner would have order-making authority and the ability to make recommendations to this tribunal regarding penalties. However, the tribunal would have the power to apply its own decision instead, which would be final and binding. Except for judicial review under the Federal Courts Act, the tribunal's decisions would not be subject to appeal or to review by any court. These are powers equivalent to a superior court of record.
The existence of this tribunal would dull the new teeth given to the Privacy Commissioner. While the commissioner could recommend that a penalty be levied for violations of the CPPA, it is the tribunal that would have the power to set the amount owed by these organizations.
The cost associated with striking this tribunal is also a concern. Despite the fact that its work would likely be limited to a handful of times per year to determine penalties, it would apparently require a full-time and permanent staff of 20. I am deeply concerned as the government also has a bad habit of striking advisory councils, or so-called arm's-length regulatory bodies, in advance of bills being debated and passed in the House, long before the ink on the legislation is dry.
My memory is drawn to when a bill was being debated in the House, and I inquired about the details of the proposed environmental council. I was told with great zeal that it had already been established, and the members had been appointed before the bill was even debated in the House.
Can the current Prime Minister tell us if this tribunal would be struck only after Parliament has dealt fully with this bill? Will the Liberals be transparent with Canadians on how the appointment process would be undertaken? Can they assure Canadians that a full-time and permanent staff of 20 has not already been determined? After seven years of Liberal power, the level of patronage in this place run deep.
Part 2, which is the personal information and data protection tribunal act, should be removed as it is a bureaucratic middleman with power that would conflict and create redundancy with the Privacy Commissioner's new powers. The new powers would mean little if they were not coupled with quick and effective consequences for violators. It would prolong decisions on fines and harm Canada's reputation of holding violators accountable.
It would also not align with our friends in the EU, U.K., New Zealand and Australia that do not use a tribunal system for issuing fines. It goes to show Canadians that when it comes to making big government needlessly bigger, the Liberals do it well.
The third and final part of this bill is the only entirely new component. The artificial intelligence and data act seeks to regulate an entity, artificial intelligence, that has not been regulated before in this country.
It would set standards for the creation and use of AI systems in Canada by both domestic and international entities. More specifically, international and interprovincial trade and commerce in artificial intelligence systems would be regulated through common requirements for the design and use of those systems.
It would prohibit certain conduct pertaining to AI systems that could lead to harmful results for individuals and their personal data. There is that mention of personal data. This is a massive undertaking, attempting to regulate something that, up to this point, has been almost entirely unregulated.
I also understand that consultations on this were only initiated in June. Logic would dictate that such a bill requires careful scrutiny and time to get it right.
Requiring record keeping and human oversight are positive developments. What we find difficulty with is getting a clear picture of what the final framework would look like, as the minister alone would be empowered to establish these regulations. The minister would be able to act independently of Parliament in making rulings and imposing fines. In an age of uncertainty and new horizons for our relationship with AI, this is unacceptable. Parliament, at the very least, and independent experts and watchdogs should be central to the creation and enforcement of these rules.
It appears that once again the government has chosen to simply tack on a crucial area of concern to Canadians to an already complicated bill, and it wishes to again entrust sweeping powers to a minister to act independently of parliamentary oversight.
My final thoughts today on Bill C-27 are as follows. The Conservatives are considering this bill through a reasoned approach, and appreciate that stakeholders who have been calling for this legislation for years are watching today's debate closely.
It is absolutely clear that modern-day protection for the personal information of Canadians is required. They must have the ability to access and control its collection, use, monitoring and disclosure, and the right to delete it or the right to vanish.
How can we ensure that data is protected through watertight regulations and strict fines for abuse while also realizing that not every business affected by this bill would have the resources of Walmart or Amazon? Small and medium-sized businesses should be shielded from onerous regulation that stifles their growth. This is not to say that business interests should weigh equally with personal privacy, but there is a balance to be had, and I believe the Liberals do not have it right here.
Furthermore, in a cynical attempt to move their legislative agenda forward, the Liberals have bundled changes to privacy laws with a first-of-its-kind framework for artificial intelligence that once again intends to govern through top-down regulation and not through legislation.
The Liberals should commit today to splitting this bill up to allow Canadians a clear view of its intended impact. With that commitment, the Conservatives will be looking to do the hard work at committee to improve the long-awaited but flawed elements of this legislation. Even in an age of convenience, the world in which we live grows even more complicated by the day. Canadians deserve privacy protection worthy of 2022 realities and beyond.