Hansard
Consult the user guide
For assistance, please contact us
Consult the user guide
For assistance, please contact us
Add search criteria
Results: 1 - 10 of 10
View Marie-Hélène Gaudreau Profile
BQ (QC)
Madam Speaker, I am honoured to be the first in my party to speak, since this is a topic the Bloc Québécois has been looking at in response to a number of identity theft issues.
I want to take this opportunity to acknowledge my colleagues who have been with me from the beginning of the first session of the 43rd Parliament. We immediately started looking into the matter of privacy breaches and fraud. The Standing Committee on Industry, Science and Technology unanimously agreed to take into account the previous work done to study what action we should urgently take to prevent the kind of situation we are in now.
I salute my colleagues on the Standing Committee on Access to Information, Privacy and Ethics, and I also want to point out that I very much look forward to studying this bill in committee. We had already unanimously adopted a motion to study privacy matters, and today a bill has been introduced. We spent a long time in committee looking into conflicts of interest. I had 40 hours, during which it was difficult to vote on a motion in committee.
That being said, prorogation did not do us any good. If Parliament had not been prorogued, we would not be where we are today. We would already be at the forefront when it comes to protecting our people from fraud and identity theft. I know that this happened to some people who work for the House of Commons. This is a complex and troubling issue. As the Privacy Commissioner said, the accounts of no less than 30 million out of 37 million Canadians were affected.
I would like to tell everyone here and the people watching us at home that their personal information was used. We are talking about a privacy breach. What happens when our personal information is not protected? Obviously, the first thing that comes to mind is the possibility of fraud. The way things stand, fraudsters have quite the opportunity to use the personal information of others.
Madam Speaker, I am sorry. This is my first time without a written speech in front of me and I feel like I could keep talking for an hour. I would like to ask for the consent of the House to share my time with the member for Saint-Hyacinthe—Bagot.
View Marie-Hélène Gaudreau Profile
BQ (QC)
Thank you, Madam Speaker.
I provided a brief overview of this issue because safeguards have already been implemented in over 30 countries. Our friends in the European Union have been taking the bull by the horns since 2016, and I think we should follow their example.
I applaud the introduction of this bill. It was about time. I would also like to talk about a few things that I look forward to studying as soon as possible at the Standing Committee on Access to Information, Privacy and Ethics.
It was proposed that the commissioner be given additional powers. This bill proves that this proposal was taken into account. The commissioner will be able to impose major penalties. Currently, as all those who grabbed the bull by the horns know full well, businesses are responsible for protecting personal information or face penalties, which vary from one country to another. This bill introduces a 3% penalty, which means businesses such as Facebook, a company worth several billions, could pay up to $10 million if they do not properly protect personal information.
I am also very happy with another part of this bill, which came up earlier, about consent to use and transfer our data. Businesses and organizations that have our data must always have our consent. That is crucial, and I am happy about it.
Once again, I congratulate the government on giving the commissioner the power to issue orders.
However, there is one thing I am very concerned about, and it has to do with organizations such as banks that are under federal jurisdiction. I think that if there is one organization that should lead by example and demonstrate that it is protecting data and working to prevent fraud, it should be the government.
The first time I read the bill, I did not see anything about the government fulfilling its obligations. My hon. colleague talked about this earlier. Many people in Laurentides—Labelle have told me they are worried about finding out at tax time that someone claimed CERB using their name. People have even told me they tested it. They applied, and their application was approved. These are people who are receiving employment insurance benefits.
There are also those who, upon opening their account, discovered that they were victims of fraud. These people have followed up and filed a complaint. Unfortunately, it takes a long time for them to hear back, and some people never hear back. I feel that this bill should also include a requirement to support those who have been victims of fraud and help them through the process.
Right now, it is about prevention and punishment. Let me explain prevention, which is very simple. Prevention is making sure all the necessary elements are in place to validate a person's identity.
However, this bill does not propose a complete reform of the ID authentication processes for individuals through organizations or the government.
Several countries have already taken action and instituted two ID authentication processes. The first involves confirming what the person knows. However, if an individual's personal information is known and their data are open, anyone can immediately commit fraud using their name.
The second involves confirming what the person has using various tools. Some apps already use text message authentication, for example. Sometimes the person has to place a call from their home. This is another important authentication process.
Several countries use other authentication processes based on even more personal information, such as voice recognition or fingerprints. Close attention will have to be paid to facial authentication to ensure that all rules are followed.
I look forward to taking part in the committee deliberations. I welcome this bill, but it needs to be amended properly.
View Simon-Pierre Savard-Tremblay Profile
BQ (QC)
Madam Speaker, since there are no other questions and comments, I believe that shows that my colleague was very clear. I will try to be clear as well. The bar is high, but I will try to meet it.
Generally speaking, as my colleague said, this bill represents a step forward and addresses several of the Privacy Commissioner of Canada's requests. Quebeckers were profoundly shocked by the Desjardins data breach. It was a very significant event. However, it was not the only one. Similar incidents occurred in 2017 and 2018, and there have probably been dozens more that we are not aware of. In fact, when a bank's data is stolen, the bank is required to inform the police and the Privacy Commissioner of Canada, but it is not required to inform the public or even its customers.
We like this bill because it sets out a series of principles relating to the collection and sharing of personal information by companies: free and informed consent for the collection and use of data; the ability to allow or deny the transfer of data to another company, such as between two financial institutions; the ability to withdraw consent or request that data be deleted; transparency about the use of algorithms that use personal data; and stricter criteria for the use of de-identified data. This bill also gives real powers to Canada's Privacy Commissioner, sets out significant penalties for non-compliance, and creates the personal information and data protection tribunal. All of that is great.
Unfortunately, the problem is that the bill omits one extremely important element, and that is protecting people's identity online to prevent fraud due to identity theft, especially during financial transactions. We know that Europe has brought in a whole suite of regulations to force financial institutions to verify a person's identity before authorizing a transaction. There is nothing like that in Canada, and this bill does not have anything of the kind either.
The federal government is not properly verifying individuals' identity before authorizing electronic transactions. We know that the challenge is to prevent data from being stolen and used to commit fraud. Having personal data stolen is unpleasant enough, so all measures must be taken to ensure that the data are not then used for fraud.
The debate in Ottawa over the massive data breach at Desjardins mainly revolved around social insurance numbers. We know that several people would like to change their social insurance numbers, but under the current system, they cannot do so unless they become a victim of fraud resulting from identity theft.
In addition, the federal government has received a number of requests to redesign the social insurance card to make it harder to counterfeit, similar to what Ottawa did with passports after the September 11, 2001, attacks, at the request of the United States.
These two requests are perfectly reasonable. The Bloc fully agrees and is asking Ottawa to follow up. However, that alone will not stop fraud.
The best way to prevent identity theft is to make sure that the person who is making the transaction is indeed who they claim to be. This goes without saying. There are three ways to verify a person's identity.
First, a person can be identified based on what they know, namely personal information such as their name, address or social insurance number. However, as cases of identity theft are on the rise, it is getting harder and harder to accurately identify someone. In other words, our private information is no longer private when everyone can find out almost everything about us. Fraudsters can simply use this information to create a fake ID, and they are set.
Second, a person can be identified based on what they have, such as their computer's IP address, which the institution can recognize if the transaction is being conducted from the person's home, or their cell phone, to which the institution can send a secret code via text message.
Third, a person can be identified based on who they are. The institution can use technologies that recognize a person's physical characteristics, such as their voice, their facial features, through the use of facial recognition, their digital fingerprints, which are increasingly being used by cell phones, or their handwritten signature.
Europe adopted regulations in 2016 requiring financial institutions to use at least two of these three ways to identify someone before authorizing a transaction. Banks in Canada are under no such obligation. If they believe that the control mechanisms will cost more than the losses they are currently incurring in fraud, they are better off doing nothing. The banks will not pay for controls that would be more costly than the fraud. That is simply profit-driven logic.
Many members have probably had the experience of having a store issue a credit card on the spot, based solely on the personal information we provide. We just have to give our phone number, address, and so on, and that is all it takes. This practice really opens the door to fraud, and it has to stop.
We believe that the banks must be forced to tackle fraud. That is the solution that we are advocating. We are going to propose possible approaches. As my colleague was saying, we are going to support the bill, but we will be bringing forward amendments. We will have concrete, constructive and coherent proposals when the time comes to study the bill in detail.
We will propose ways to combat identity theft, such as by drawing on the European regulations I was talking about, in order to force the banks to bring in robust processes to verify people’s identity before authorizing a financial transaction. We will also propose to increase fines in order to encourage banks to better protect their customers’ personal information. We will propose that banks be required to submit a detailed report, as part of their annual reporting, on the number of identity thefts and the resulting losses.
We will also propose a requirement to contact any person whose identity has been fraudulently used within the organization, regardless of whether an account was opened or not. As I said earlier, there is no such obligation in place and it must be brought in. There is also an obligation to cover the costs paid by victims to recover their identity. These costs must be covered by the banks, which are rolling in a lot more money than individuals and most of their customers.
There also need to be anonymous tip lines for employees who are aware of unreported identity theft, as well as protection for whistleblowers. There is currently a void when it comes to whistleblower protection, as in virtually all areas. I am getting a little off topic, but the House will have to deal with this issue as well.
Ottawa also has to look in its own backyard. Beyond the banks, the same anti-fraud controls need to be imposed on the federal government itself. Bill C-11 applies only to private businesses. It does not apply to the federal government. Currently, Ottawa’s online identity controls are clearly inadequate. Before authorizing a transaction, the government does not take all the necessary steps to ensure that a claimant is who they say they are.
Since last spring, there have been numerous cases of identity theft. These include Canada emergency response benefit claims made in other people’s names and tax refunds being redirected to other accounts. Some people will not find out that they have been victims of identity theft until they file their income tax returns. It has not yet happened yet, but it will soon. In a few months, many people will discover that they have been victims of fraud. Right now, they have no idea. This is absurd, and it is unacceptable.
Again this fall, thousands of taxpayers lost access to their Service Canada account, which prevented them from applying for employment insurance even though they lost their jobs because their region was going back into the red zone.
It is all well and good to introduce a bill on the management of personal data by private companies. I want to stress that we agree on this bill and that we will vote in favour of it. That part is settled.
However, Ottawa needs to clean up its own backyard as soon as possible and take immediate action to combat identity theft. We are saying yes to regulating private businesses, but we are also saying yes to regulating Ottawa and the banking industry.
View Heather McPherson Profile
NDP (AB)
View Heather McPherson Profile
2020-11-24 11:41 [p.2299]
Madam Speaker, I would like to thank my colleague for his intervention today. It was very interesting.
Cybersecurity, of course, is a very important issue. As we know, in Canada there are too many victims of cybercrime each year. However, I feel it is not a problem that a privacy law would solve.
I am wondering if the member could speak a bit about why he is bringing forward a criminal law issue that would put more burden on Quebec and some of the other provincial jurisdictions at this time. I would like a few comments on that.
View Simon-Pierre Savard-Tremblay Profile
BQ (QC)
Madam Speaker, if I understood my colleague's question about criminal law, the bill in this current form suggests penalties for companies that break the law. That would involve criminal law.
If I understood the question properly, that is the response I have for my colleague.
View Joël Godin Profile
CPC (QC)
Madam Speaker, I would like to inform you that I will be sharing my time with the hon. member for Lethbridge.
Today we are discussing Bill C-11, an act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other acts, which received first reading in the House on November 17.
I am aware of the importance of the issue addressed in the bill. It is 2020. Who would have thought that, in 2020, we would have to come to grips with technology in such a hurry because of a pandemic?
Technology was already evolving at a fast pace, but I can say that we have had to increase our knowledge at great speed. If someone had asked me three months ago if I was comfortable with teleconferencing, I would have said no, but today it is an everyday occurrence. It is important to address this issue.
I would like to remind the House that I represent the fantastic riding of Portneuf—Jacques-Cartier in Quebec. In 2019, the personal data of 2.9 million Desjardins members were leaked. They were victims of identity theft. Their data were resold to people who wanted to use them to do business in the financial sector. Although the leak did not involve banking information, it still exposed the affected customers to identity theft.
On June 20, 2019, Desjardins revealed that the personal information of 40% of its members had been illegally shared outside the organization by an employee, who had since been fired, of course. On July 8, Quebec's Commission d'accès à l'information and the Office of the Privacy Commissioner of Canada announced that they were launching investigations. On July 15, Desjardins broadened its identity theft protection and offered protection to more than 4.2 million individual members and 300,000 corporate members. On November 1, it announced that all 4.2 million individual members had been affected by the data leak. About 173 of the 350,000 corporate members were also affected.
I will reveal that I am a Desjardins customer and that I was part of this group. Even before the pandemic, digital transactions were commonplace. The current context is speeding things up.
Today's bill comes from a good place, because we do need to keep up with the times, but will we be able to apply and enforce it? Are we not putting the cart before the horse? That is the problem with this bill.
Examples in my riding make me wonder. The government is trying to bring in legislation that would impose astronomical fines on non-compliant companies. The government is puffing out its chest, bragging that our country will be giving the biggest, juiciest, harshest and most lucrative fines, but will we be able to collect?
What do we want? We want to protect Canadians and provide them with the necessary tools. Would it not make more sense to invest in a service that gives these tools to our businesses, so they can help Canadians and consumers?
I have mixed feelings about this bill. It obviously comes from a good place, but are we taking the best possible measures to ensure solutions for the coming days, weeks and months? We need something concrete.
My constituents often tell me that I must find it hard to be a parliamentarian, because I am pragmatic. We need concrete solutions. The goal is laudable, but are we taking the right measures? I am not sure.
I hear from many businesses and citizens. They are still calling me to tell me they are having problems with Phoenix. They are federal employees who are having problems with their pay because of Phoenix. Phoenix is a problem that was never fixed. It has been around since the Liberal government's first term in 2015. It is now 2020, and nothing has been resolved.
I agree that we need to enact a law to protect personal information, but there may be other priorities. We are seeing it now with the Canada Revenue Agency. I have constituents calling my office to ask if I can help them, because the CRA is claiming it sent them money that they never received, which is a sign that they are victims of fraud and their identity has been stolen.
Should we be enacting a law to punish large companies when we cannot even solve the problem in our own backyard? I am aware of the importance of this bill, but I wonder whether we are taking the right measures.
I mentioned this earlier, but it is worth repeating: I am the member for Portneuf—Jacques-Cartier, which is in the province of Quebec. Quebec has a program to help people who have a baby: The mother or the father is entitled to parental leave.
Here is another example that boggles the mind. One of my constituents meets all of the EI eligibility criteria, but his claim is being reviewed because there seems to be some problem factoring in the parental leave he took in 2019 and the Canada child benefit claim he submitted during the pandemic interfered with processing his claim.
That only happens in Quebec. The Liberal government seems unaware of the existence of provincial programs, and its Canada-wide employment insurance system prevents it from fixing the problem. In this case, is it because it is a Quebecker? Is it because he is a father? I am asking because I want to stress the importance of finding concrete solutions to systems before we consider a bill that will punish big corporations.
I completely agree that those who are at fault should be held responsible, should accept the consequences and should pay if they break the law. I completely agree with my colleagues on that point. However, I wanted to show how bizarre this situation is, a situation that puzzles me.
Clearly, we need to reflect on this and update the legislation, but is the version being introduced today the best one? I think we need to send this bill to committee for further study and consultation with specialists and experts. We did actually notice that there is only one expert regarding the tribunal.
I do not pretend to be such an expert. I am not computer savvy and, as I said six months or a year ago, I was unaware of my skills and adaptability to technology. Many members here in Parliament have managed to learn quickly, at lightning speed.
That is why we need to think about this bill and, as I said in my speech, not put the cart before the horse. We need to do things right to make sure that the bill really meets Canadians' needs. At the end of the day, the goal is the same: to protect society's interests and ensure that Canadians are respected and protected. We are all working toward this goal.
I will now happily answer my colleagues' questions. On that note, let us be vigilant, because fraud is always lurking around the corner.
View Sébastien Lemire Profile
BQ (QC)
Madam Speaker, I am honoured to be sharing my time with the member for Terrebonne.
I am pleased to rise to speak to the fundamental issue of the protection of privacy.
Since March 2020, Quebec business owners have been hard hit by the negative economic impacts of the COVID-19 crisis, namely the lockdown, the closures, the health measures, the labour shortage and the drop in consumption.
SMEs in Quebec have received assistance in the form of tax credits from the Government of Quebec and the Government of Canada to help mitigate these negative economic impacts. Now more than ever, SMEs are struggling under a burden of debt and many of them may never recover. At this difficult time for Quebec's social and economic life, I am worried about Quebec's SMEs, and particularly the small business owners who do not have the time or money to get bogged down in a data protection program that, in some cases, will have to take into account a number of Quebec and Canada laws.
By amending the Privacy Act, the Government of Canada is creating a number of problems for Quebec's SMEs because of legislation adopted by two governments, the Government of Quebec and the Government of Canada. Depending on whether their economic activities extend beyond Quebec's borders, it is very likely that Quebec's SMEs will not know which law governs their data protection plan.
The new federal law proposed in Bill C-11 will have real teeth, which means that Quebec's SMEs are likely to suffer, unfortunately. I am scared to think how this bill will affect Quebec's SMEs.
The pandemic is forcing many retailers to shift to online sales, the kind of electronic commerce referred to in the bill. In his speech to the House this morning, the Minister of Industry acknowledged that the protection of personal information is essentially a provincial responsibility and a matter of civil law. He said his bill respects provincial jurisdiction, but a closer look at the text reveals that to be not quite the case.
It is true that Bill C-11 applies to all federally regulated businesses. However, businesses that are not federally regulated, which describes the vast majority of companies and virtually all SMEs, are not really excluded from the scope of the bill.
The minister can exclude them if the province has substantially similar legislation, as is the case in Quebec, but he cannot exclude them entirely. In fact, he can exclude them only “in respect of the collection, use or disclosure of personal information that occurs within that province”.
Imagine the mess: a Quebec SME will have to comply with the Quebec law if the information does not leave Quebec, but it will have to comply with the federal law if the information does leave Quebec. Information collected from one customer will be subject to two different laws.
Which law do Visa card payments fall under? Does it depends on which territory the Visa server is located in? This seems unenforceable to me. If a business is covered by the Quebec legislation on data protection, that should apply to all its activities, not just half of them, as it would under the bill as currently worded.
Furthermore, Quebec laws are also adapting to the reality. We must recognize that the federal government's bill represents a step forward, because the current legislation has no teeth. Under Bill C-11, a privacy commissioner could establish the specific practices to be adopted in accordance with the principles set out in the legislation. A privacy commissioner would have order-making powers to force organizations to comply with those principles.
Under Bill C-11, a citizen could file a complaint with a tribunal. The privacy tribunal will also be able to impose significant penalties of up to 3% of a multinational's global revenue for non-compliance. In short, the major difference between the law and the bill we are debating, is that the bill's mechanisms are more favourable to citizens when faced with an organization that misuses digital data.
This bill fails to address the important issue of online identity protection to prevent fraud through identity theft, especially when Canadians engage in financial transactions. Bill C-11 does nothing to ensure that financial institutions in Canada verify someone's identity before authorizing a transaction, which exposes Canadians to fraud. Even the federal government has failed to properly verify a person's identity before authorizing an electronic transaction.
I would like to share an unfortunate incident that happened to one of my constituents. This summer, a young man was a victim of identity theft and wound up having to defend his reputation to the Canada Revenue Agency and another financial institution. It was my own office manager who, while talking to a federal official on the phone, realized that fraud had taken place. My office manager took charge of the case and helped my young constituent navigate the unpleasant process that lasted weeks. There was a police investigation and all kinds of documentation. There were numerous discussions with a financial institution and government officials. He had to go to great lengths just to prove that a fraudster had stolen his identity and to defend his reputation to a financial institution and the Canada Revenue Agency.
It was weeks before this young man was able to access the Canada emergency student benefit he very much needed. That is not exactly the kind of introduction a young adult should have to dealing with banks and governments. This whole situation happened because the government did not take the time to verify the identity of the CERB applicant.
The government needs to set an example and take immediate action to combat identity theft. This is a serious problem. Bill C-11 contains some privacy mechanisms, but there is no mechanism to verify the identity of users or consumers to protect their personal information.
I remind members that private information falls under the umbrella of property and civil rights, which is a provincial jurisdiction, as set out in the Constitution. Quebec is in the process of modernizing its act. Unfortunately, it is difficult to assess right now how the federal act and the Quebec act will interface.
However, the Bloc Québécois foresees some problems, and we do not want these problems to affect small businesses in Quebec, which, I remind members, are struggling as a result of the economic issues associated with the COVID-19 crisis.
SMEs carry a heavy debt load at times. Any additional weight on the shoulders of Quebec entrepreneurs is becoming harder and harder to bear. Considering the potential administrative nightmare that could result from how the federal legislation intersects with the Quebec legislation, I would ask that Quebec SMEs be exempt from Bill C-11.
Simon Marchand, chief fraud prevention officer at Nuance Communications, is a certified fraud examiner, a certified administrator and an expert in biometrics and security. He appeared before the Standing Committee on Industry, Science and Technology on May 20. We were discussing fraud-related topics. He mentioned that in the context of COVID-19, telework was a risk factor. This is especially true when it comes to customer service.
All customer service agents who normally work in call centres now work from home, in an unsupervised environment. These agents have limited resources, but now have the opportunity to access sensitive consumer information, whether it is data on their assets or information that could be used by anyone to impersonate someone else.
A second factor is the socio-economic reality, which will no doubt put pressure on many households. When it comes to internal fraud, we know that pressure and opportunity are the two basic factors that drive an employee to go against their employer’s interests and commit fraud.
Some areas have seen a 600% increase in the number of phishing scams involving COVID-19; attachments, links to websites and other methods are being used to lure victims. Fraudsters will be able to get their hands on vast amounts of consumer information, which they will not use in the next few weeks. Rather, they will wait six to 18 months before opening up accounts, taking out financial products and acquiring products from telecommunications carriers. That is what this bill is all about. It provides a modicum of protection, which is a good thing.
In terms of accountability, Simon Marchand said:
I think, though, the focus should be on accountability and the responsibility companies have in relation to the information they use to deliver services.... it calls into question the bank’s responsibility, which is protecting that information.
The first benefit of accountability will be to give the government a clear picture of the situation. It will know exactly how many victims there are, and it will be able to direct measures accordingly to strengthen security, particularly in banks and telecommunications companies.
This will put a burden on businesses, which will have to file reports, but this burden is not unreasonable, since the data they have is already known. All they will have to do is provide them to lawmakers or to a government-supervised body that can present these data more broadly and anonymously so that members of Parliament can access that information and know exactly what is going on in Canada.
This is an important step, because if there is a leak, companies must tell individuals what information was exposed and the risk of harm from the leak. That is what the bill does, and it is absolutely fundamental, because that is a risk that we run.
In conclusion, the lack of accountability for federally regulated businesses is a problem with the current legislation. There is currently no overall picture of how many people are actually victimized by having their identity used once it has been stolen. I am therefore pleased that the federal government is taking greater responsibility and beginning to act by introducing this legislation.
View Gord Johns Profile
NDP (BC)
View Gord Johns Profile
2020-11-24 17:18 [p.2350]
Madam Speaker, we know identity theft is a crime. We saw what happened with LifeLabs; over 15 million people's data was stolen. An employee at Desjardins stole the personal data of four million people and affected 173,000 businesses.
We are not discussing the Criminal Code today, but maybe the member could talk about what changes he would propose in dealing with those issues to ensure there are steep penalties so that does not happen again.
View Sébastien Lemire Profile
BQ (QC)
Madam Speaker, I thank my colleague for his question, and I want to take this opportunity to talk about crisis management.
In my opinion, Desjardins' response is the gold standard. It acknowledged the thefts and sent a personal letter to its clients or, specifically, to the clients that had been affected. As a result, they were able to act very quickly.
There have been other situations. Equifax chose to cover up what happened to protect its reputation. The Bank of Montreal and CIBC did the same until the hackers themselves put a message online. There are dozens of similar examples.
Desjardins knows its clients. In all likelihood, it is other financial institutions, and not banks, that fall under federal jurisdiction. Once we identify the problem we can find a solution. The first solution is transparency.
View Michel Boudrias Profile
BQ (QC)
View Michel Boudrias Profile
2020-11-24 17:21 [p.2351]
Madam Speaker, it is a great pleasure to speak to Bill C-11 today.
This is an extremely important subject that concerns the security and protection of all citizens' personal information. As my colleague already clearly stated, over the past 10 years and during the current pandemic, there have been a multitude of phishing scams via telephone, the Internet and online shopping platforms, which are increasingly popular.
I believe that Bill C-11 is timely and will correct major problems that we have been seeing for some time in different areas. For example, there have been cases of bank fraud, notably at Desjardins, and the federal government has also been affected. I know that the bill does not apply to the federal government, but this issue remains a very serious concern.
Take, for example, a situation that has occurred in my riding of Terrebonne. For the past month or so, we have been seeing a whole host of complaints related to the Canada Revenue Agency, from people whose identities were stolen by fraudsters who claimed CERB cheques in their name. This shows that there is a gap at the government level, which is very interesting.
I understand that we need to look at what requirements should be established for banks and e-commerce, but I think that there may be some aspects of the bill that we could rework. We are only at debate at second reading for this bill, which means that the bill could be amended and improved to give it more teeth, make it more robust and ensure that it is more responsive to the various threats that could arise in the future. Since we are essentially talking about technology here, the new law should be able to adapt its mechanisms to the changes in technology that will occur in the coming years.
However, there are a number of troubling issues that the bill does not address. For instance, metadata is not included in the bill. I am not an IT expert, but metadata is something that we see regularly. For example, if we spend a few minutes on the Internet searching for a camp chair, it is not unusual to then see ads for various types of camping equipment.
That is worrisome because metadata can be used to target specific individuals. When a group of individuals is targeted, there is a risk of more targeted threats or cyber-attacks. That is why I think it would be a good idea to improve the bill by addressing the issue of metadata.
The federal government, and the Canada Revenue Agency in particular, has quite a lot of work to do on matters of identity theft. The CRA's mandate is to manage revenues on behalf of the Canadian government.
However, what happens in the case of computer fraud as a result of identity theft? In that case, it becomes more a matter of public safety and national security. In many cases, fraud and identity theft, particularly in the banking sector, are committed from abroad using fairly sophisticated electronic means.
Once again, I am not familiar with the mechanisms used to investigate these predominantly computer-based threats or to protect us from them.
I am also referring to the recent debate we had—and I do think this is related—on 5G networks in Canada, in terms of the technological means that will be deployed over the next few years to protect the IT infrastructure itself from all threats and foreign influences.
In some cases, the threat might involve political or public influence. In other cases, it could literally be individual hackers from around the world who use technology, including 5G networks, to circumvent security mechanisms and break into various systems to steal identities and the personal data of the various citizens that we are meant to protect.
It seems to me that the general intent behind Bill C-11 is a worthwhile one, crucial even, as I said in my opening remarks. However, we also need to tackle the technical side. I get the sense that some issues were not considered from all angles so as to ensure that the bill reinforces the back door as much as it does the front door.
Once again, protecting online identity is the most tenuous aspect, and we are trying to rectify that here. I am concerned about a number of aspects of the authentication mechanisms, because that is really what this is about. Currently, many banks, institutions and businesses use a variety of platforms to secure and protect the identity of online customers and consumers.
As a few minutes on the Internet will show, private online commerce companies use many different authentication platforms and mechanisms. It might be a good idea to consider using the bill to standardize those online transaction authentication mechanisms, but the government seems unwilling to do that in the current version of Bill C-11.
The government wants to have companies and financial institutions take on more of the control, responsibility and obligations of protecting personal information. The government should, however, set out some very specific measures in the bill to ensure that all companies can shoulder this responsibility. Not every company has the financial means to set up robust data protection mechanisms. I therefore think that the government needs to set some statutory requirements.
As my colleague from Abitibi—Témiscamingue pointed out earlier, a lot of small merchants and businesses do not have the financial means to improve or modernize their technology infrastructure. This issue may also need to be addressed in the comprehensive approach we are advocating today.
There is the whole issue of jurisdictions. Quebec's jurisdiction over civil law and consumer protection plays an extremely important role. We know that the laws are confined to the jurisdictions for which they were written. This is not just a Quebec and Canadian problem, but also an international one. By the way, I think it will be necessary for the government to define very clearly these famous control mechanisms and make solid political and governmental choices in connection with the new information technologies that will crop up here at home.
That is essentially where this will play out. We cannot give a foreign government control over telecommunications and computer infrastructure. It is extremely important. We are wading into another field, but to be able to protect our constituents we have to ensure that our infrastructure is not threatened by other countries or by foreign nationals, such as the hackers I mentioned earlier.
Then we have to find some form of standardization to help ensure that clients or consumers are protected during online transactions. Let's not forget the entire issue of metadata, which are a formidable tool for any bad actor wanting to target and attack groups that are more privileged or more vulnerable.
In conclusion, the federal government must ensure that Canadians can be guaranteed, in all circumstances, that a consistent international standard will be rigorously applied, and that it will be possible to efficiently identify any and all fraudsters. Identifying fraudsters has always been a problem, and the Canada Revenue Agency could speak at length about this in committee.
Results: 1 - 10 of 10

Export As: XML CSV RSS

For more data options, please see Open Data