Bill S-4 (Historical)

Now with Bill S-4, you are going to have more reporting, breach reporting, that will come from the private sector.

Just for those of us who are not well-informed of the protocol, just so we understand where the resources should be allocated, can you give us a very brief overview of the way a breach flows thorough the system once it is reported, so we know what components are involved in assessing that breach?

My understanding is that with Bill S-4 you'll be anticipating an increase in the number of investigations relating to the private sector. Is that right?

I have the honour to inform the House that when the House did attend His Excellency the Governor General in the Senate Chamber, His Excellency was pleased to give, in Her Majesty's name, the royal assent to the following bills:

Bill C-247, An Act to expand the mandate of Service Canada in respect of the death of a Canadian citizen or Canadian resident—Chapter 15.

Bill C-452, An Act to amend the Criminal Code (exploitation and trafficking in persons)—Chapter 16.

Bill C-591, An Act to amend the Canada Pension Plan and the Old Age Security Act (pension and benefits)—Chapter 17.

Bill S-3, An Act to amend the Coastal Fisheries Protection Act—Chapter 18.

Bill S-6, An Act to amend the Yukon Environmental and Socio-economic Assessment Act and the Nunavut Waters and Nunavut Surface Rights Tribunal Act—Chapter 19.

Bill C-51, An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts—Chapter 20.

Bill C-46, An Act to amend the National Energy Board Act and the Canada Oil and Gas Operations Act—Chapter 21.

Bill C-2, An Act to amend the Controlled Drugs and Substances Act,—Chapter 22.

Bill C-26, An Act to amend the Criminal Code, the Canada Evidence Act and the Sex Offender Information Registration Act, to enact the High Risk Child Sex Offender Database Act and to make consequential amendments to other Acts—Chapter 23.

Bill C-63, An Act to give effect to the Déline Final Self-Government Agreement and to make consequential and related amendments to other Acts—Chapter 24.

Bill C-66, An Act for granting to Her Majesty certain sums of money for the federal public administration for the financial year ending March 31, 2016—Chapter 25.

Bill C-67, An Act for granting to Her Majesty certain sums of money for the federal public administration for the financial year ending March 31, 2016—Chapter 26.

Bill C-42, An Act to amend the Firearms Act and the Criminal Code and to make a related amendment and a consequential amendment to other Acts—Chapter 27.

Bill C-555, An Act respecting the Marine Mammal Regulations (seal fishery observation licence)—Chapter 28.

Bill S-7, An Act to amend the Immigration and Refugee Protection Act, the Civil Marriage Act and the Criminal Code and to make consequential amendments to other Acts—Chapter 29.

Bill C-12, An Act to amend the Corrections and Conditional Release Act—Chapter 30.

Bill C-52, An Act to amend the Canada Transportation Act and the Railway Safety Act—Chapter 31.

Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act—Chapter 32.

Bill S-2, An Act to amend the Statutory Instruments Act and to make consequential amendments to the Statutory Instruments Regulations—Chapter 33.

Pursuant to an order made on Wednesday, June 17, the House will now proceed to the taking of the deferred recorded division on the amendment of the member for Victoria on the motion at third reading of Bill S-4.

Call in the members.

It being 6:30 p.m., pursuant to an order made earlier today, all questions necessary to dispose of the motion for third reading of Bill S-4 are deemed put and the recorded division is deemed to have been demanded and deferred until Thursday, June 18, at the expiry of the time provided for oral questions.

The hon. Parliamentary Secretary to the Minister of Public Works and Government Services.

Mr. Speaker, unfortunately, as lawmakers we know from experience that there will always be those who will break the rules. That is why Bill S-4 would make important improvements to PIPEDA's compliance framework. These changes would ensure the commissioner has the necessary tools to ensure organizations respect the law and protect the privacy of Canadians.

The digital privacy act would set out serious consequences for any organization that deliberately ignores its data breach obligations and intentionally attempts to cover up a data breach. Bill S-4 would make it an offence for any organization to deliberately fail to notify individuals, report to the commissioner, or keep the necessary records.

In these cases of deliberate wrongdoing, an organization could face fines of up to $100,000 per offence. I want to ensure this point is very clear. It would be a separate offence for every single person and organization that is deliberately not notified of a potentially harmful data breach, and each offence would be subject to a maximum $100,000 fine.

These changes are widely supported by stakeholders, as evidenced by witness testimony during the committee's review of the bill. Professor Michael Geist stated:

These disclosure requirements are long overdue as I think it creates incentives for organizations to better protect their information and allows Canadians to take action to avoid risks such as identity theft. There are aspects in this bill that are an improvement over the prior bills, Bill C-12 and Bill C-29, most notably the inclusion of actual penalties that are essential to create the necessary incentive for compliance.

At committee, the Canadian Internet Policy and Public Interest Clinic stated:

We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored...The fines currently in PIPEDA are designed as penalties for very overt offences.

The list continues. The Canadian Bankers Association stated:

We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

The Canadian Life and Health Insurance Association Inc. was also supportive. It stated that the bill takes a balanced approach to the responsibilities placed on business and organizations, but most importantly, it will protect the consumer of those businesses, and gives individuals the information they need to take corrective action when it is necessary.

The digital privacy act does indeed take a balanced approach, one that avoids the over-reporting of harmless incidents while ensuring that the commissioner has the necessary tools to oversee whether organizations are meeting their obligations under Bill S-4.

This balanced approach would also ensure that punishment is reserved for the most egregious offenders, those who knowingly and deliberately try to circumvent the law. Those organizations caught making a mistake in good faith would instead work with the Privacy Commissioner under the existing dispute resolution tools in the act.

Our government recognizes that many organizations already notify individuals of data breaches in a responsible manner.

Let me be very clear. The penalties in the digital privacy act would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.

The digital privacy act would encourage all organizations to play by the same rules. It would provide incentives to comply with the new data breach obligations, and also to implement appropriate data security practices to prevent breaches from happening in the first place.

By requiring organizations to keep records of their data breaches and by enforcing the requirements with stiff penalties, these amendments would increase the accountability of organizations to maintain good privacy practices and would provide the Privacy Commissioner with the tools he needs to enforce these protections.

I urge hon. members to join with me in supporting the bill.

Mr. Speaker, I will be sharing my time with the member for Kelowna—Lake Country. I appreciate the timeline on this.

I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act, which would make a number of important changes to strengthen Canada's private sector privacy law, the Personal Information Protection and Electronics Documents Act, or what is more commonly known as PIPEDA.

Data breaches are very concerning to Canadians. In fact, a recent survey conducted by the Office of the Privacy Commissioner in 2014 found that news of data breaches among several large retailers had made 80% of Canadians more reluctant to share their personal information with businesses. This is simply unacceptable. Canadians needs to know that when they choose to share their personal information with a business, it will be protected and kept confidential.

The proposals in Bill S-4 will amend PIPEDA to significantly strengthen the current law and ensure that the privacy of Canadians will be protected when it comes to the rules that companies must abide by when they collect, use or disclose personal information in the course of commercial activities. In the current legislation, there is no legal obligation for businesses and organizations to tell customers and clients when their personal information has been lost or stolen.

The digital privacy act would correct this by making important changes to PIPEDA and implement new data breach requirements for businesses. These changes would ensure that organizations would be taking appropriate steps to notify Canadians. The requirement for mandatory notification is welcome by many stakeholders, in particular the Privacy Commissioner of Canada. In his recent annual report to Parliament on PIPEDA, he stated:

—we welcome the proposed amendment to PIPEDA in Bill S-4, the Digital Privacy Act, which seeks to implement mandatory breach notification.

He went on to say:

Mandatory notification will also provide a clearer picture of the frequency and type of data breaches experienced by organizations.

Mandatory notification would better inform Canadians of situations in which their personal information has been compromised. It would also enable Canada to keep pace with other jurisdictions where similar measures have been enacted or are being considered.

As we have discussed many times, strong rules are meaningless if they are not backed up with strong compliance tools. Bill S-4 would give the Privacy Commissioner of Canada the necessary tools to hold companies accountable when it comes to the protection of the personal information of Canadians.

In addition to the notification provisions, Bill S-4 would also require organizations to keep a record of the event, regardless of whether a breach posed a risk of harm. These records would not only allow organizations to demonstrate due diligence in the risk assessment, but would also require companies to keep track of when their data security safeguards fail so they could determine whether they have a systemic problem that would need to be corrected. What is more, organizations will be required to provide these records to the commissioner upon request at any time.

This record-keeping requirement will give the Privacy Commissioner the appropriate tools to hold organizations accountable for their obligation to report serious data breaches. Once again, I would like to quote the Privacy Commissioner's 2014 annual report, where he stated:

—requiring organizations to keep and maintain a record of breaches, and provide us with such information upon request would be an important accountability mechanism. Our Office would be able to evaluate compliance with the notification provisions and assess how organizations are deciding whether—

Mr. Speaker, it is an honour to speak to Bill S-4, legislation which amends the Personal Information Protection and Electronic Documents Act.

As our lives are more and more immersed in a digital world, our understanding of digital privacy changes and our means of protecting digital privacy also needs to be updated. We use the Internet in so many ways. Our digital identity is now more a part of our identity when it comes to banking and commerce, our tax returns, government services, and our interactions with other people in society. Those are examples of how our identity is becoming more digital. In a world where crimes involving data theft, identity fraud and online stalking are on the rise, and we are becoming more worried about those, it is crucial to protect data to protect our identity.

Data is not simply information. In fact, as my colleague from Victoria very elegantly gave some examples, it is power. It is a doorway into the private lives of many. It is commercial power. The Liberal Party is deeply concerned that the government's commitment to safeguarding the personal information and privacy of Canadians is less than absolute.

Let me give another example which is not quite related to Bill S-4 but I think is important to mention just for the record. Members might know that since the elimination of the long form census, the government has been looking at linking different so-called administrative data sources in different parts of the government in order to reduce the burden of filling out the census. Indeed, some European countries do not have a census. They have deep links between different pieces of administrative data, and people have to report where they live every time they move. The Privacy Commissioner, whose testimony on Bill S-4 at committee was also quite important, has warned Canadians that we should be very wary of simply moving over to this European system, that there are serious privacy considerations which Canadians should look at and agree with before the government proceeds in that direction.

More and more, all of this information is becoming digital. As an example, although I think this is perhaps not the point at which we should be too concerned, in the 2016 census, the government is planning to automatically use income and benefit information from the Canada Revenue Agency. It can do this because everything is digitized. That information would be automatically tacked onto census information and any voluntary replies that Canadians provide to the national household survey, unless of course the election result in October is such that we do not have to go through that. I just wanted to bring that up for the record.

What I would like to talk about most is the process that happened at committee. We are at third reading now. We are trying to decide whether this is the best possible bill that this Parliament could pass.

Unfortunately, there are definitely concerns about whether the approach in Bill S-4 is too broad and whether there are unintended consequences. I will not go too deeply into them. In fact, my friend, the member for Victoria, has done a much better job than I ever could. Suffice it to say that Bill S-4 identifies situations where personal information can be disclosed without the knowledge or consent of an individual. It permits federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual. It permits organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions. Therefore, there is a danger, we believe, that Bill S-4 is too broad.

The problem is that at committee stage, there really was not sufficient examination of these details. There were 42 amendments proposed by the opposition parties. There was not substantive debate at committee. There were no explanations for why the government members opposed amendments that were based on the testimony of expert witnesses, such as the Canadian Bar Association, the Privacy Commissioner and the Insurance Bureau of Canada. There were 42 opposition amendments, all of them defeated rather quickly without a defence of that vote by the government side.

It has been brought up in debate by previous speakers about how committees have worked in this Parliament and how they could be changed in the next Parliament. I really do believe that a couple of simple steps would be a good start to reforming the committee system.

The first one would be to allow committee chairs to be chosen by a secret ballot in this House, just as the Speaker is chosen. My first encounter with this idea was in fact a motion from a Conservative backbencher, the member for Saskatoon—Humboldt. That would be a good measure to ensure that committee chairs are as independent as possible not only from the government, but from their own party leadership. That would be a step toward what we need to make committees really fulfill their role in Parliament, which is ultimately the role that all of us have, which is to hold the government to account.

The second thing which I think would be very useful in committee, and this reverts to past practice in this House, would be to forbid parliamentary secretaries and ministers from sitting as voting members of committees. That would be a good way to protect the independence of committees for the purpose of committees being able to do a better job of holding the government to account.

I believe that if committees had been working better, we would have at least had on the record somewhere the reasons for rejecting the 42 opposition amendments to Bill S-4. In fact, I also believe that if we really had independent committees, some of these amendments would have been adopted, and even in this majority Conservative Parliament, with those amendments we would have passed a better bill than it looks like we might be passing, given the majority on the Conservative side.

By way of conclusion, I just want to say that without a genuine, collaborative, detailed committee study, I believe that the committee has not held the government to account with regard to Bill S-4. Expert testimony has not been properly either taken into account or discounted with some evidence or some cogent argument. We have in Bill S-4 a bill in which there are potentially overly broad provisions and good reason in fact to believe there are overly broad provisions and unintended questions. That is why I will be voting against the bill at third reading.

Mr. Speaker, my colleague really put his finger on the problem, which is rather widespread and applies to other bills besides the one before us today.

For instance, following public pressure, the government unfortunately had to withdraw Bill C-30 from the order paper. However, there was also Bill C-51 and Bill C-13 on cybercrime. Now we are talking about Bill S-4, which completely destroys Canada's privacy protection regime. It waters down the criteria for obtaining warrants and, in some cases, even allows authorities to access the personal information of Canadians without a warrant.

I wonder whether the member could tell us just how troubled he is that this government says here in the House and elsewhere that it wants to protect Canadians, and yet it introduces a number of bills, like Bill C-51, Bill C-13 and Bill S-4, that put Canadians' privacy at risk.

Mr. Speaker, it is a pleasure to rise and speak to Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act, called PIPEDA. The bill has the rather misleading title of the digital privacy act.

I will be speaking against this bill for a number of reasons that have been articulated very well in past debates by the member for Terrebonne—Blainville, our digital issues critic. She has brought in a bill of her own. The government took parts of it and did not go as far as it needed to, to actually protect the digital privacy of Canadians.

I would like to, first, talk about why this is such an important bill. Second, I will talk about the history of getting it here. Last, I will talk about some of the critical problems with this bill and propose an amendment at the end of my remarks.

E-commerce is the backbone of the modern Canadian economy and it is only going to be more important going forward. Think of our children and their use of digital material.

My colleague, the member for Toronto—Danforth, made some comments about e-commerce and why this bill, which underscores legal protections for privacy and e-commerce, is so important. He said that the world's largest taxi company has no cars. It is the largest taxi company because it has personal information. It is called Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company because it owns personal information. The world's largest retailer has absolutely no inventory. He was referring to Alibaba in China.

As we move to what my colleague called the Internet of Things, by 2020, we will have 26 billion devices connected to the Internet. I hope that people appreciate that we are moving into an economy where we need to know the rules of the game and we need to know that our personal privacy in the private sector is protected. Business wants that certainty and consumers demand that what is left of their privacy be treated fairly by those private sector organizations that hold their information.

Canada is really in a unique position on the planet. We are halfway between the European Union, which has a very aggressive data protection regime, and the United States, which has sectoral legislation but not a comprehensive private sector law like PIPEDA, the bill that is before us in its amended form.

I say that we are halfway between those two regimes because, under PIPEDA, Canada has managed to create what is called a substantially similar regime to the European Union. That means that e-commerce companies in England, Ireland, France, and the 28 other countries that make up the EU can confidently share their personal information with Canadians because they know that they will have substantially similar protection. Canada achieved that. The United States does not have anything like that, so companies like Google and Facebook will often use Canada as a launching pad.

If we can make privacy protection sufficient in Canada, it will likely be sufficient for Europeans, who have had the most stringent requirements of privacy on the planet. It is important that we get this right.

It is amazing and very timely that we are having this debate at this time because on Monday of this week a clear signal was given by the Council of Ministers in the European Union that it is going to go for a regulation soon, not the directive that has been enforced for some time. After two years, all 28 countries will have to come up with an even more stringent regime.

That is why this bill is so problematic. It would not help small business, as I will describe, and it certainly would not give consumers the protection that the courts say that they are entitled to. I refer to the case of Spencer in 2014, where warrantless searches were said to be not on for Canadians, yet they seem to be just fine in this bill, which is odd. We need it get it right from a commercial point of view, as well.

I am indebted to Professor Michael Geist, who testified before the industry committee and the Senate, and who is so prolific and thoughtful in his analysis of private sector privacy legislation and other privacy regimes. He talks about how it is has taken us eight to nine years to get to this state.

I wanted to talk about this because the government's ineptitude in helping the e-commerce industry that I talked about and protecting the privacy of Canadians is on full display in the history of this bill.

The Conservatives tell us that it is urgent, that we must get on with it. Well, that is because they have dropped the ball, as I will describe in many ways. It has taken eight or nine years to get to this situation.

The Conservatives left an earlier version of a privacy bill sitting for two years in the House of Commons with no movement whatsoever and then it died at prorogation. How did that happen? In November 2006, the Standing Committee on Access to Information, Privacy and Ethics undertook its hearings on this reform. That was one year later than the five-year review process required by the act.

Just to back up, PIPEDA, the bill before us that is being amended, requires parliamentarians to review it after five years. They could not even get that deadline together.

In 2007, there was a report recommending certain things be done. Nothing seemed to happen. First reading was in 2010 for Bill C-29, the first PIPEDA reform. Second reading of the bill was in October. In September 2011 there was the first reading of Bill C-12, the second attempt to reform PIPEDA. That never got past second reading. It died when the government prorogued. Then another bill, this Bill S-4 was introduced in April 2014. This was the third try. Three strikes are lucky, I guess.

Here we are before Parliament with a bill that when it was in committee, the government said solemnly that it was urgent that we get on with it because it did not want to take a chance on any further delays and amendments. It is laughable the way the government treats the backbone of e-commerce, this privacy legislation. It has taken eight or nine years to get to where we are tonight. In the dying days of Parliament we are debating the legislation. It shows how important this must be to the government of the day.

In my riding, where we have a thriving e-commerce industry, with start-ups trying to develop apps and so forth, the bill is important and the government treats it with a history of neglect, which is the best way I can put the ineptitude I have described.

It is critical for small businesses, as I will describe, because they just do not have the wherewithal of large business to comply with some of the provisions of the legislation. I will come to that in a moment.

What does the bill do? Some of the things it does right is that it has finally agreed with endless Privacy Commissioner recommendations that there ought to be mandatory breach disclosure. If there has been a breach of data by a company, where it is sent to the wrong place and suddenly my personal information is found in the back of a taxi cab on a data stick, someone has to be told about it. That is pretty simple and obviously long overdue. That is a good thing to have in the bill.

Second, there are increased enforcement powers for the Privacy Commissioner, including the notion of compliance agreements that companies would enter into. This is a long-standing consumer protection approach that has now found its way into the bill.

According to experts, such as Mr. Lawford, testifying on behalf of the Public Interest Advocacy Centre, it would likely result in fewer reported breaches because it leaves the determination of whether a breach causes a real risk of significant harm entirely in the hands of the private sector companies.

Do the words “conflict of interest” seem to come up? They do and that obvious conflict of interest is fatal to the purpose of the bill. Why is a company going to want to blow the whistle on itself? It seems a bit odd and others have suggested, as has my colleague from Terrebonne—Blainville, in her Bill C-475, that it ought to be for the Privacy Commissioner, an independent officer of Parliament, to pass on that, not the industries themselves. That was the subject of much criticism in the industry committee, which studied Bill S-4.

That gives me a chance to talk about the attempt by the opposition to actually get meaningful debate in the industry committee. Since I got here, probably the most disappointing thing I have found is the government's utter indifference to any amendments unless they come from its side of the aisle.

There is an effort to have a real dialogue and to improve this and come up with a kind of unanimous support for something which is technical in nature, but the government said no to every single amendment, which, of course, in my experience is the way it does it every single time. I have been on two committees and I have not seen one amendment passed that anybody but the government proposes.

Trying to co-operate with the government to do something which is at the backbone of the new economy and it will not even talk to us. Apparently, that is how the government wants to do business. Fortunately, like so many Canadians, I hope that these are the dying days of a government with such arrogance and indifference to what Canadians want.

The efforts to try to fix this bill fell on deaf ears. My colleague, the digital critic from Terrebonne—Blainville, proposed that the Privacy Commissioner be the one who determined whether a data breach was significant enough to report, which makes sense, as opposed to the fox in the henhouse, where a company has to decided whether it is big or little.

That is not for banks to decide, whether they weigh their reputational risk that they might have versus consumers' rights. I know who could do that, an officer of Parliament. That would be the right person to do that. That is what my colleague suggested. The Conservatives propose putting the burden on companies.

Here is the problem with that, and not only the obvious conflict of interest but there are large companies, think banks, telecoms, companies of that size, that have departments that are responsible for privacy protection. More and more companies have what is called chief privacy officers to regulate this very technical area of the law.

They do a good job sometimes, but they often have this penchant that they obviously feel when they are trying to protect privacy, which is their job description, and not make a career-limiting move when information that is disclosed could cause harm, and the company would be angry with them and shoot the messenger. I have talked to CPOs in companies that tell me that the conflict is alive and well and I can understand that.

Small companies do not have these chief privacy officers, for example, to determine whether there is a significant breach or a significant risk of harm. They have no idea what to do. They want to co-operate, but they do not have the personnel or expertise to do it.

My colleague reasonably suggested that we give them a little help by letting them have access to the Privacy Commissioner's expertise and resources. Is that not a common sense provision? Is that not one that would help those small start-ups in the e-commerce industry that would really like the opportunity to do the right thing but do not have the budget to do it?

The economy in my community, the largest sector now, is not tourism or hospitality, it is high tech. The people who are producing the largest contribution to the Victoria economy are people who are just in this situation, wanting to understand the rules of the game in the new e-commerce, looking to the government to give them clarity, make it easy for them to do the right thing, so they can compete internationally, as they are doing so effectively, and to be onside with the European Union's incredibly stringent rules.

Guess what? They do not have a CPO, paid $150,000 a year or whatever, like the large banks would. The government has done nothing to assist them and they are angry about it. They do not understand why this so-called business-friendly government simply does not get it.

Some 18 amendments were proposed by the NDP and 18 amendments declined by the government of the day. We tried to work it out, but the government just wanted to jam it through. To add insult to injury, for the 97th time it used time allocation on a bill of a technical nature like this. I think the government is over 100 times now.

In the history of Parliament, has there ever been a government that has done this more often? I certainly do not know. I want to study it. I have a student looking at this because the arrogance and the anti-democratic behaviour of the government has to be exposed. The 97th time was for a bill on digital privacy. It is shocking and shameful that we are in this world today with this government.

The Supreme Court has told us that warrantless searches are wrong. They are unconstitutional. My colleague from Toronto—Danforth said we should send it to the court for a constitutional reference. We cannot have yet another loss in the Supreme Court. How many would that be? I have lost count. It is six or seven. How about having a reference to the Supreme Court of Canada?

The leader of the opposition asked for that today with respect to Bill C-51. The government, of course, would never do that. It just wants to go lose again in the Supreme Court.

The Spencer case in 2014 established that warrantless searches are a bad thing. How can the government then put these searches into Bill S-4, the bill before us, and pretend it is going to be constitutional? It is great work for lawyers. I have many friends who welcome the government's position because it is a make-work project for constitutional lawyers, but is it helping the Canadian taxpayers? Is it helping the e-commerce businesses, those little businesses from coast to coast that are struggling in this international economy? Do they have the clarity they need to go forward? Why do we have to waste our time with yet another Supreme Court loss by the government? It makes no sense.

Could the government have co-operated a little with people of good faith who wanted to make it better and solve this problem, as New Democrats tried to do in committee? One would think the government would welcome that, but it simply said no.

My next point is kind of a technical thing, but I want to raise it. We talked about breach notification, and I want to give an idea of how complicated this is for the little mom-and-pop or individual family businesses that are now arising in the economy. Clause 10, which would add section 10.1 to PIPEDA, talks about the kind of notification that is required when there is a breach. I want to give an idea of how complicated this can be and how lack of clarity means something.

Proposed subsection 10.1(5) says, “The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.”

Three times the word “prescribed” is mentioned, which means it will be prescribed by regulation to follow later. There would be regulations that would define the kinds of things that would have to be done to give notification of a breach. However, as an example, let us take a small business that is trying to do the right thing. When there is a breach, it wants to notify people immediately. What is it going to do? Until there are regulations, it is utterly meaningless.

I know the government will bring in regulations eventually. That is a good thing, and I am sure companies are looking forward to seeing them, but as they plan ahead in this incredibly dynamic sector, they do not have a clue, and neither do we. None of us can say what those prescribed requirements are, because “prescribed” means to follow later in regulations, regulations nowhere to be found. People will have to try to figure that out. People sitting in a little start-up in Victoria or St. John's or Toronto or Montreal will have to try understand how to work their way through this difficult bill.

It is a history of neglect. It is a history of failure to listen to the opposition, which wanted to work together to create this regime. It has a history of eight or nine years in coming to the dying days of Parliament, but we should not worry, because it is urgent now, according to the Minister of Industry.

New Democrats do not believe it.

Therefore, I move:

That the motion be amended by deleting all the words after the word “That” and substituting the following:

“this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it:

a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected;

b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies;

c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances;

d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and

e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”

Mr. Speaker, I would like to ask my colleague across the way another question about Bill S-4.

According to some experts, many parts of Bill S-4 are unconstitutional. Why, then, will the government not simply take out the parts that are unconstitutional, especially in light of the Spencer ruling?

I would like my colleague to comment on that.

Mr. Speaker, when we look at the process of Bill S-4, is it any wonder that Canadians look at Ottawa and come to the determination that Parliament is broken? There is a need for real change, and the Liberal Party of Canada will be advocating for that.

Let us look at this bill. We have legislation before us that has some serious flaws. We had the opportunity in committee stage to make some changes with amendments. The majority government, over the years, has made the determination that it does not matter what kind of amendment it is if it comes from the opposition benches. It is an automatic default that amendments are bad unless they are Conservative amendments.

Will the member not recognize that this bill is faulty in the sense that the many amendments that were brought forward, whether from the Liberal Party or other opposition members, did have some merit to them? Would he not acknowledge that fact?

Mr. Speaker, it is truly a pleasure for me to ask my colleague opposite a question on behalf of my constituents from Alfred-Pellan in Laval.

In the bills that the Conservatives introduce, the devil is often in the details. When examining the proposals set out in Bill S-4, I had some concerns that I would like to raise.

One of those concerns in particular reminds me of the nightmare of Bill C-51 and its lack of a proper oversight mechanism. Bill S-4 presents the same type of problem. It would allow greater access to personal information without a warrant and without provisions for an oversight mechanism.

In fact, I am wondering why the Conservative government is working so hard to allow snooping without a warrant and why it is creating bigger holes with bills such as Bill S-4.

Mr. Speaker, I want to thank my colleague for his description of the balanced approach we have taken, in contradiction to the NDP's heavy-handed approach. I would like him to comment on how Bill S-4 would amend PIPEDA to reduce red tape for normal business activities.

Mr. Speaker, I heard my colleague mention amendments. However, the Conservatives rejected one of our critical amendments that was supported by many witnesses. That is rather problematic. We wanted to work with the Conservatives, but as usual, they turned a deaf ear in committee and refused to work as a team.

Why did they once again refuse to accept our amendments, which would have corrected and improved the bill so that we could better protect Canadians? As it now stands, Bill S-4 is still quite flawed. For example, it leaves it up to the companies to enforce the regulations, which is unacceptable.

I would therefore like my colleague to explain why the Conservatives rejected our amendments.

Mr. Speaker, I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act.

Last year our government launched digital Canada 150, an ambitious plan for Canadians to take advantage of the opportunities of this digital age. It is a broad-based ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and to connect Canadians to each other. As the digital economy grows, individual Canadians must have confidence that their personal information will be protected. That is why under digital Canada 150, one of the five pillars is known as “protecting Canadians”.

The digital privacy act would provide important and long awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities while also setting guidelines for the collection, use and disclosure of personal information.

These rules are based on a set of principles developed jointly by government, industry groups and consumer representatives. The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, the amendments would clarify rules for businesses and reduce red tape.

These guidelines would ensure that vital information is available to Canadian businesses so that they have the necessary tools to thrive in a global economy. Balancing individual expectations for privacy and the need for businesses to access and use personal information in their day-to-day operations is important. Bill S-4 gets this right. It assures individuals that no matter the transaction, their personal information will continue to be protected under Canadian law.

The need to update the rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements. The bill before us does exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The Privacy Commissioner will also be notified.

An organization that deliberately covers up a data breach or intentionally fails to notify individuals and report to the commissioner could face significant fines as a result.

Let me now take a minute to point out some of the ways in which the bill before us creates an effective streamlined regime for reporting data breaches. The digital privacy act establishes a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach.

If a business determines that the data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and the Privacy Commissioner.

If the organization determines that the data breach does not pose a risk of significant harm, that is, its data security safeguards were compromised but it avoided a situation where the customers are exposed to a threat, like identity theft, fraud or humiliation, then that organization must keep a record of that breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, serves two purposes. First and most important, it requires companies to keep track of when their data security safeguards failed, so that they can determine whether or not they have a systemic problem that needs to be corrected.

An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individual affected may not be so lucky. Keeping track of these breaches will help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the Privacy Commissioner to hold organizations accountable for their obligations to report serious data breaches. At any time, the Privacy Commissioner may request companies to provide these records which will allow the commissioner to make sure that organizations are following the rules.

If companies choose to deliberately ignore these rules, the consequences as set out under the digital privacy act are serious. Bill S-4 would make it an offence to deliberately cover up a data breach or intentionally fail to notify individuals and report it to the commissioner.

In these cases, organizations could face a fine of up to $100,000 for every individual they fail to notify. These penalties represent one way that the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee:

I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill. Proposals such as the breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I have been discussing the data breach rules which are a very important element of the bill before us. I would like now to turn my attention to four ways that Bill S-4 would strengthen Canada's privacy rules.

First, the bill establishes strong consent requirements to protect vulnerable individuals online, particularly children. These enhanced consent provisions were introduced as a result of recommendations made by Parliament during the first statutory review of PIPEDA.

Under PIPEDA, organizations need to obtain an individual's consent to collect, use, or disclose their personal information. Under the bill before us, an individual's consent would not be considered valid unless the way the information will be used is clearly communicated in language appropriate to the target audience.

For example, some businesses operate online playgrounds or educational websites that target children and collect personal information of children that is used for marketing and other purposes. Bill S-4 requires that the language used to obtain consent must be such that a child could reasonably be expected to understand the nature, purpose and consequence of sharing his or her personal information. If the consent request is too complicated for the child to understand, the consent would not be valid.

Again, the Privacy Commissioner of Canada supports this amendment. He told the committee:

I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of various clientele from whom they are collecting information so that consent is as meaningful as possible.

Second, Bill S-4 seeks to harmonize federal laws with provincial privacy protection laws when it comes to a sharing of personal information without consent in narrow, limited circumstances.

PIPEDA already provides for a number of circumstances where personal information can be shared without consent when it is clearly in the public interest to do so. The amendments in Bill S-4 would add to this by allowing information to be shared in order to protect seniors and other vulnerable individuals from financial abuse or neglect, communicate with the family of an injured or deceased individual, or identify a victim of an accident or a natural disaster.

In his testimony before the standing committee, Mr. Marc-André Pigeon, director of financial sector policy at Credit Union Central of Canada expressed his strong support for Bill S-4 and the financial abuse amendment. He said:

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.

The third way that Bill S-4 would strengthen PIPEDA would be through changes that would support day-to-day business operations. The digital privacy act would remove unnecessary red tape for businesses by allowing for the collection, use and disclosure of personal information without consent in the context of specific legitimate business activities. For example, Bill S-4 would allow information to be more readily available in order to conduct due diligence in the context of mergers and acquisitions.

Similarly, the digital privacy act would allow businesses to share any type of business contact information in order to carry out normal business activities. It is simply ridiculous that PIPEDA allows an employee to share an office phone or fax number, but not an email address. Bill S-4 would fix this problem, a solution supported by the Retail Council of Canada. It told the committee:

—we support the clarification on the exclusion of business contact information...This section 4 clarification will better equip businesses to conduct their ongoing operations.

Finally, the digital privacy act would make existing compliance tools stronger and more effective. PIPEDA is enforced by the Privacy Commissioner of Canada who can turn to the Federal Court when an organization is found to break the rules. Bill S-4 would also give Canadians the option of taking an organization to Federal Court to order an organization to change its practices or to seek damages.

While the digital privacy act would keep those options open, it would also provide an alternative to court action such as voluntary compliance agreements. Under a compliance agreement, organizations would voluntarily commit to take action to comply with the law to avoid costly legal action. The agreements would be legally binding and would allow the commissioner to hold organizations accountable to follow through on their commitments to private privacy protection.

Again, the Privacy Commissioner expressed his strong support for this tool when he appeared before the standing committee. He said that the compliance agreement amendment was “very necessary” and “helpful for us to implement and apply”.

Canadian organizations care about their reputation and they know that sound privacy practices will have a lasting impact on the legitimacy of their brand. They also know that the reverse is true, that if their customers find out about shoddy privacy practices, their businesses will suffer. This is why the digital privacy act would give the Privacy Commissioner broader powers to name and shame a non-compliant organization to encourage it to take corrective action.

If either of these measures fail to provide the right incentives for businesses to fix their privacy problems, Bill S-4 would give the Privacy Commissioner more time to take them to court. Under the current law, the commissioner only has 45 days after he finishes the investigation to take the organization to court.

The Privacy Commissioner told the standing committee that it was simply not enough time, given the high complexity of issues with which his office dealt. Quite often, the Privacy Commissioner will work with organizations for several months, if not a year, to ensure they follow through on their commitments to fix any problems he has identified. The problem, of course, is that organizations can simply delay taking action for a couple of weeks, knowing that after 45 days, the commissioner will no longer have the option to take them to court. Bill S-4 would fix this problem and would provide the commissioner with a year to take an organization to court for non-compliance.

I have just outlined the five major provisions in Bill S-4, which include: new data breach rules; clear requirements when obtaining consent from individuals, including from minors; changes to support other public interest objectives, like fighting financial abuse; reducing the red tape for day-to-day operations; and new compliance tools for the Privacy Commissioner of Canada.

It is clear that Bill S-4 would deliver a balanced approach to protect the personal information of Canadians, while still allowing the information to be available to the growing, innovative digital economy.

Karl Littler, vice-president of Public Affairs at the Retail Council of Canada, summed it up best when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

We have it right with this digital privacy act. Both businesses and consumers have been empowered in this digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting personal information, and that is essential to conduct business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians. I urge hon. members to join me in supporting this bill.

moved that Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, be read the third time and passed.

Mr. Speaker, I saw that my friend the opposition House leader was out in the foyer of the House of Commons yesterday having a press conference at which he showcased the incredible productivity of the House of Commons during the 41st Parliament. Of course, these were actually Conservative initiatives he had on display, which were passed thanks to our diligent, hard-working, orderly, and productive approach to Parliament. However, I sincerely appreciate the New Democrats' efforts to associate themselves with the record of legislative achievement that our government has demonstrated.

Before getting to the business for the coming few days, I am sure that hon. members and Canadians will have noticed that we have been bringing forward a number of pieces of legislation in recent days, and we will continue to do so for the days to come.

These bills will give effect to important policy initiatives that the Conservative government believes are important for Canada's future. Together they form the beginning of a substantial four-year legislative agenda that our Conservative government will begin to tackle under the Prime Minister's leadership after being re-elected on October 19.

Thanks to the productive, hard-working, and orderly approach that I just spoke about, we have delivered real results on our legislative agenda. In fact, over 90% of the bills that were introduced by our Conservative government between the 2013 Speech from the Throne and the beginning of last month will become law before Parliament rises for the summer.

Now I will go on to the schedule for the coming days.

This afternoon we will continue debating Bill C-35, the justice for animals in service act, also known as Quanto's law, at third reading. I am optimistic that we can pass it later today so that the other place will have a chance to pass it this spring.

I also hope that we will have an opportunity to have some debate today on Bill S-2, the incorporation by reference in regulations bill.

Tomorrow, we will finish the report stage debate on Bill S-7, the Zero Tolerance for Barbaric Cultural Practices Act. Early and forced marriages, honour-based violence and polygamy should not be tolerated on Canadian soil, but unfortunately the opposition disagree and are striving to rob Bill S-7 of its entire content.

On Monday, we will consider Bill C-59, the Economic Action Plan 2015 Act, No. 1, at third reading. This bill will reduce taxes, deliver benefits to every Canadian family, encourage savings with enhanced tax free savings accounts, lower the tax rates for small businesses, introduce the home accessibility tax credit, expand compassionate leave provisions—and the list goes on.

Tuesday will see the House debate Bill S-7 at third reading.

On Wednesday, we will take up third reading of Bill S-4, Digital Privacy Act, which will provide new protections for Canadians when they surf the web and shop online.

On Thursday I will give priority to any legislation to be considered at the report or third reading stages. On that list will be Bill S-2, the incorporation by reference bill, which would help keep our laws up to date in response to emerging scientific and technical recommendations.

Bill C-50, the citizen voting act, will also be considered once it has been reported back from the procedure and House affairs committee. This legislation would play an important role in accommodating the decision of the Ontario Superior Court should we not have the benefit of the Ontario Court of Appeal's decision in time for this year's election.

Mr. Speaker, I am very happy to be in this place and to rise on behalf of the people of Okanagan—Coquihalla. I am also pleased to express my support for Bill S-4, the digital privacy act.

Bill S-4 provides a number of important updates to the Personal Information Protection and Electronic Documents Act. In my view, these updates are long overdue and will better protect Canadians, in particular consumers, seniors, and children, who could be more vulnerable to sharing personal information online.

I believe that most parents would agree that today's kids' use of the Internet and related digital technologies is unprecedented in our history. Today, children have access to everything online, from information for school projects to gaming, music, movies, and much more.

A wide variety of devices are used to engage in activities such as socializing or gaming with friends, and of course, sharing photos and videos on social media sites that can be viewed by people all over the world. A young teenager may have a picture or a self-made video viewed by tens of thousands of people. While that may be an exhilarating experience, I would also say that it could potentially be a dangerous one.

As we know, a survey conducted in 2013 found that 30% of grade 4 to grade 6 students had Facebook accounts. By grade 11, that increases to 95% of all students, and that is just Facebook. What about Twitter or Instagram or Snapchat?

Businesses are not naive to these trends. Online services can generate massive amounts of revenue. The action of collecting and analyzing personal information for marketing purposes is huge and increasingly valuable. This includes personal information taken from websites, apps, and search engines aimed at kids.

Do kids have any idea that their information is being gathered? Do parents? Is there a clear understanding of what happens to that information that is required to register and download or play a free online game?

Our government recognizes that the digital world offers benefits to children. We are also aware that the online community is often a reality in our day-to-day lives.

The skills kids develop by participating and navigating in online activities can create a significant advantage as they grow up and transition into the job market. Indeed, many high-school-aged kids today have as much, or more, online literacy than a technician would have had a decade ago. However, with growing participation in the online world come increased threats to privacy.

PIPEDA currently contains provisions that protect the personal information of children. As an example, businesses cannot obtain consent in a deceptive or misleading manner. The act also prevents companies from denying access to services on the basis of a refusal to share personal information.

The digital privacy act proposes an amendment to increase protection by creating new safeguards related to the collection, use, and disclosure of personal information. The bill would require that an organization ensure that users, as a group, were able to understand what happens to the information that is collected about them.

I would like to provide this place with a few examples of how the proposed amendment would work.

One example could be an educational website designed to help elementary school kids develop math skills. Under the proposed amendment, requests by that particular website to collect, use, or disclose personal information would need to be understandable by the average elementary school student. This would ensure that these requests used words and language that was appropriate for the website's target audience. Under the digital privacy act, it would not be reasonable to simply expect average elementary kids to understand what clicking the “I agree” box actually meant. If there was no clear understanding as to why the information was being collected, the company would not have valid consent.

As another example, in the case of a mobile app that allowed teenagers to create music recordings, that app would need to obtain the consent of these teens in a manner that would be different if the app were targeting adult users.

I am also aware that during the committee hearings on Bill S-4 , a number of witnesses shared their views on the proposed consent measures.

The Privacy Commissioner of Canada, when expressing his support for this amendment, stated the following:

it is a useful clarification of what consent is, and it has the potential of improving the situation for the issue of consent sought from children.... So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

The committee also heard from other expert witnesses who offered their support for the consent amendment. For example, the Retail Council of Canada stated its wholehearted support for this proposed amendment on valid consent, emphasizing in particular that, “a vulnerable population such as children should be protected”.

In addition, the Marketing Research and Intelligence Association, which represents the Canadian survey research industry, also wrote to the committee to share its views on Bill S-4. In its submission, it stated that the amendment “provides added clarity for organizations when they seek the valid consent of an individual when collecting, sharing and disclosing their personal information” and “that specifying the elements of valid consent will go a long way to protecting the most vulnerable Canadians, such as seniors and children”.

These are positive endorsements, and I believe they speak to the idea that children need and require extra protection when it comes to their online activities and the protection of their privacy.

In early May of this year, an international network of privacy commissioners, called the Global Privacy Enforcement Network, or GPEN, conducted a worldwide spot check on children's privacy protection. This privacy sweep, as it was called, looked at whether apps and websites worldwide inappropriately gathered information on children.

For some background, GPEN began conducting worldwide privacy sweeps in 2013. The first sweep focused on website privacy notices, and then in 2014, it focused on mobile apps. These sweeps have involved the active participation of Canada's own Privacy Commissioner. They have highlighted areas where privacy practices are lacking. Each time the sweeps have successfully resulted in concrete positive changes to a large number of apps and websites.

This year GPEN also looked at the types of information being collected from children and whether protective controls exist to limit that collection. This year's sweep also looked at whether these sites and applications take steps to make privacy policies understandable to kids, using things like simple language, large print, audio and animation, and whether parental involvement is encouraged.

The Privacy Commissioner of Canada had this to say about the children's privacy sweep:

Children are more connected than ever before and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or email address. This is about protecting children. I can’t think of anything more important than that.

I agree with the Privacy Commissioner.

This year's sweep was a privacy spot check that included 29 data protection authorities from 20 countries, including the Privacy Commissioner of Canada. I believe that many members of this House will look forward to the results of this groundbreaking privacy sweep when it is released in the fall. I expect the results will be of assistance to the Privacy Commissioner and the private sector in determining where changes need to be made to comply with the new enhanced consent requirements under the digital privacy act.

Earlier this year, our Privacy Commissioner also published a top 10 list for protecting children's privacy for organizations with services aimed at children and young people. These tips offered by the Privacy Commissioner emphasize that when it comes to children, the privacy protection bar needs to be set extremely high. I submit that this is why the Privacy Commissioner of Canada has publicly recognized that the amendment would enhance the concept of consent.

We have heard from the Privacy Commissioner and from privacy commissioners that this is an emerging field. I believe that the amendments made to PIPEDA will help protect our children and other vulnerable populations, like seniors. I would humbly ask all members in this place to give these provisions their due review and support.

Mr. Speaker, I thank my colleague from Nipissing—Timiskaming for his speech on Bill S-4.

I worked on Bill C-51, which thousands of Canadians opposed. They were worried that the bill would invade their privacy and violate their rights and freedoms. In the answer he just gave, my colleague said that this bill was not necessarily perfect but that we need to take action. I have a question for him.

Bill S-4, and also Bill C-13, would allow greater access to personal information without a warrant and without provisions for a proper oversight mechanism. This is reminiscent of the extremely distressing Bill C-51, which we studied not too long ago.

Why is the government working so hard to allow snooping without a warrant by creating bigger holes with Bill C-13 and Bill S-4?

Mr. Speaker, I am pleased to rise to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

Last year, our government launched digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a broad-based, ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and connect Canadians to each other.

As the digital economy grows, individual Canadians must have confidence that their personal information is being protected. That is why, under digital Canada 150, one of the five pillars is known as “protecting Canadians”. The digital privacy act would provide important and long-awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities, while also setting guidelines for the collection, use, and disclosure of personal information. These rules are based on a set of principles developed jointly by government, industry groups, and consumer representatives.

The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, amendments would clarify rules for businesses and reduce red tape. These guidelines would also ensure that vital information is available to Canadian businesses, so they have the necessary tools to thrive in the global digital economy.

Balancing the individual expectations for privacy and the needs of businesses to access and use personal information in their day-to-day operations is important, and Bill S-4 gets it right. It would ensure individuals that, no matter the transaction, their personal information would continue to be protected under Canadian law.

The need to update rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements.

The bill before us would do exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The privacy commissioner must also be notified. An organization that deliberately covers up a data breach, or intentionally fails to notify individuals and report to the commissioner, could face significant fines as a result.

Let me now take a minute and point out some of the ways in which the bill before us would create an effective and streamlined regime for reporting data breaches. The digital privacy act would establish a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach. If a business determines that a data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and to the privacy commissioner. If the organization determines that a data breach does not pose a risk of significant harm—that is, their data security safeguards were compromised but they avoided a situation where their customers are exposed to threats like identity theft, fraud, or humiliation—then that organization must keep a record of the breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, would serve two purposes. First and most important, it would require companies to keep track of when their data security safeguards fail, so that they can determine whether or not they have a systemic problem that needs to be corrected. An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individuals affected may not be so lucky. Keeping track of all breaches would help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the privacy commissioner to hold organizations accountable for their obligations to report serious data breaches.

At any time, the privacy commissioner might request companies to provide these records, which would allow him to make sure organizations are following the rules. If companies chose to deliberately ignore these rules, the consequences, as set out under the digital privacy act, would be serious.

Bill S-4 would make it an offence to deliberately cover up data breaches or intentionally fail to notify individuals and report to the commissioner. In these cases, organizations could face fines of up to $100,000 for every individual whom they fail to notify. These penalties represent just one way in which the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee that:

...I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm.... We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I think it is clear that Bill S-4 would deliver a balanced approach to protecting the personal information of Canadians, while still allowing for information to be available in a growing, innovative digital economy.

Mr. Karl Littler, vice-president, public affairs, Retail Council of Canada, summed it up best, when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

I think we have it right with the digital privacy act. Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting the personal information that is essential to the conduct of business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians.

I urge hon. colleagues to join me in supporting this bill.

Mr. Speaker, I am sure my colleague would, but I think we will keep the topic on Bill S-4 today.

Mr. Speaker, it is my pleasure to speak to Bill S-4, and I would like to do so by addressing three themes. The first will be how Bill S-4 reflects rather badly on our democratic process. The second theme will be that Bill S-4 is already hopelessly out of date. It is behind the technological times. The third theme is that there are worrisome features in Bill S-4 to the extent that it would inadequately protect privacy, even within the limits of what it is trying to do.

On that first theme of democracy, we should recall that a lot of what has subsequently come through the House in a series of different bills started with Bill C-30, which I always called the Internet surveillance bill. It got so panned by experts and civil society that the government tried to take it off of the table in the House by sending it to committee for study before second reading. It then disappeared, because the government knew that too much in there had attracted too much early attention from Canadians.

I mention that, because parts of it have begun to reappear in bits and pieces since Bill C-30 disappeared.

Bill S-4 uses one of the same techniques as Bill C-30 to try to take it away from public scrutiny. It is ironic that the method it would use is one that was recommended by the McGrath committee in 1982 or 1984, which is to make better use of committees by having them look at bills before the principle of the bill has been fixed, by having the government send the bill to committee before second reading. That is between first and second reading. It would allow committees to effectively look at the bill as a strong draft from the government, but for MPs, presumably from all parties, to try to improve and perfect the bill without being hamstrung in the way we are now in our committee study of bills by the principle having been fixed, as it gets fixed when we go to second reading for a bill in principle.

Bill S-4 did get sent to committee and, surprise, surprise, with the way that the government has operated since I have been here and since it got a majority in 2011, there were no amendments. The government rejected every amendment and presented no amendments itself. It was as if it had not heard anything that had convinced it of anything, despite all of the witnesses who had appeared and who, in very measured tones and with a very focused analysis, had indicated that there were ways, even within the limited confines of what the government was trying to do in the bill, that the bill could be improved. However, the government, through its MPs on that committee, decided that the bill was fine as-is.

Look at House of Commons Procedure and Practice, second edition, on page 742. It tells us what this procedure was intended to be when the McGrath report came down in 1982 or 1984. It was intended to be an empowering mechanism for the House in relation to government legislation. It was meant to create more of a partnership between MPs and the government. It says:

This empowers Members to examine the principle of a bill before second reading, and enables them to propose amendments to alter its scope.

In the end, this was a subterfuge. Who here is going to doubt that the reason it was sent to committee between first and second reading was to get it off of the agenda in the House, which can tend to lead to a bill receiving more public attention and producing the kind of civil society push back that we have seen meet the government's bills on and on for the last little while? It was a mechanism to reduce its visibility and to have it reappear just about now, with two weeks to go, when there is no steam, no energy, nothing left for civil society to get its mind around in terms of general resistance.

My colleagues have mentioned a problem with this bill, as with other bills that start in the Senate, which is a structural problem that will hopefully be dealt with after the next election by having the Senate put in its proper place. There is also something here, which is that there has been no acknowledgement by the government that this bill probably does conflict with the Spencer decision of 2014 in the Supreme Court of Canada.

This decision recognized the nature of the privacy interests in Internet users' data, including all the metadata that identifies various features of their existence on the Internet, and indicated that in a police context, warrants are needed in order to get access to that information.

PIPEDA, as amended by Bill S-4, would now allow private sector organizations, using the guise of fraud investigations, contractual breach investigations, et cetera, to request of any other private actor all that same information, and nothing is put in here by way of safeguards. It is as if the Spencer decision never came down.

We have had no opinion tabled anywhere from the Department of Justice, through the Minister of Justice, to say that under section 4.1 of the Department of Justice Act, the minister has assessed that Bill S-4 complies with the charter, even after the Spencer judgment. That is because the government never tables opinions and never takes charter arguments seriously.

The record is clear. Last year alone, something like a dozen judgments came from the courts, and 10 out of the 12 found that the government's legislation breached the charter or other principles of law.

The bottom line is that this bill is not a good story for democracy, but that again, I am sorry to say, is not a new story.

The second theme is that the bill has missed the boat.

This all started in 2007. That was when the PIPEDA review was mandatory under the statute, and very quickly a couple of different bills began to appear in the House. They just never got through the minority Parliament at all. Nothing really changed along the way. The government is still stuck back in whatever its thinking was around 2007.

Let me quote from the Library of Parliament's background paper on Canada's federal privacy laws. It says:

As advances in technology increase the ease with which information about individuals can be gathered, stored and searched, the need to protect the privacy of such information presents a rapidly evolving challenge for legislators.

That challenge has not been met. It is as if the government does not know how much of an information economy we have rapidly, almost exponentially, year by year, evolved into being.

How about these basic facts?

The world's largest taxi company right now has no cars. It is the largest taxi company because it has information. That is Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company by virtue of how it owns information.

The world's largest retailer has absolutely no inventory. That is Alibaba, in China.

This is the world we live in now, and there is nothing in the PIPEDA amendments, in Bill S-4, to indicate the government is at all aware of what it means to be living in this economy.

We should think about the so-called Internet of Things. According to recent research, by 2020, 26 billion devices will be connected to the Internet. That is roughly an average of something like three or four per person on earth. There is no evidence that this bill even comes close to understanding the privacy issues that arise from the fact that we are increasingly living in a connected world in which our phones will be reporting on our heart rates, our fridges will report on our eating habits and even order our groceries, self-driving cars will be out there on the roads, and thermostats and smart meters will monitor our every movement. There is nothing in the bill in that regard. All I would say is that amendments that are 10 years out of date are not exactly something to write home about.

The third theme is the inadequacies and the problems in the bill.

Let me just list them. They have been mentioned before.

First, the way in which the bill deals with giving consent on the web is inadequate after the Spencer case.

Second, the loophole that allows for private organizations to pass on information without any kind of safeguard system analogous to a warrant system, on the simple basis that they are investigating breaches of agreement or fraud or financial abuse, is a recipe for incursions into privacy.

Third, I would end by saying that the reportability standard whereby, if there is a breach of data, a company or holder of the data must tell the person whose data has been lost on the basis of a real risk of significant harm is a subjective standard that is assessed by the company. There is no real system to ensure that it does not become a mechanism for breaches to be hidden from public view and hidden, therefore, from accountability.

Mr. Speaker, Bill S-4 would better protect the privacy of Canadians by requiring organizations to inform Canadians when their personal information had been lost or stolen. Organizations would also be required to keep all records of data breaches and report significant breaches to the Privacy Commissioner of Canada. Organizations that deliberately covered up a data breach or intentionally fail to notify individuals and report to the commissioner could face up to $100,000 for every individual they have failed to inform.

The law being put into place would protect Canadians. It would force businesses to be expedient when they were dealing with the personal information of Canadians. I trust that businesses in our country will take this very seriously when they look at the penalties that are in place for any breach of privacy that might occur.

By keeping these records, if a complaint is laid, the Privacy Commissioner can go to the records at any time and if the breach has not been recorded or if there is any further breach, the maximum penalty can be applied.

Mr. Speaker, I am pleased to rise today to speak Bill S-4, the digital privacy act, which would significantly strengthen Canada's private sector privacy law.

In today's increasingly digital world, Canadians need to have confidence that their online transactions are secure and their privacy is protected. Unfortunately, data breaches, computer hacks, malware and other online threats are simply a reality of today's modern digital landscape. If Canadians do not trust that their private information is safe when it is in the hands of business, then they will not provide it. Without the free flow of information, our digital economy will stall. This is why strong, effective privacy laws that protect personal information are essential to building consumer trust and confidence. Canadian businesses need clear and balanced rules to follow so that their handling of personal information meets the expectations of Canadians.

The digital privacy act would provide important improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA. Canadians want control over their personal information and our privacy laws give them exactly that. PIPEDA requires businesses to obtain a person's consent before collecting his or her personal information and ensures that this information is used only for the stated purposes. PIPEDA also gives Canadians control over which type of information is collected about them, how it is used and with whom it is shared. PIPEDA holds businesses accountable for the private information they hold, requiring them to keep it safe and out of the hands of hackers or thieves.

Further, the law gives Canadians the right to access their information at any time to make sure that it is accurate while also giving the Privacy Commissioner strong tools to enforce compliance. Privacy is a major concern for Canadians and they want to know that their personal information is secure. Businesses that can offer that security have a clear competitive advantage.

If I have a choice between a company that does not make protecting my personal information a priority versus one that tells me exactly what information it is collecting and how it is protecting it, I am going to choose the business that offers me the most protection. Businesses that are clear about what they are doing with personal information and have appropriate safeguards in place to protect that information will have an advantage in the marketplace.

Thankfully, limiting the collection, use and disclosure of personal information, having appropriate safeguards and being open about privacy practices are all part of the founding principles of PIPEDA. PIPEDA applies to all private sector organizations operating in Canada. It came into force on January 1, 2001, and its framework has stood the test of time. It is based on a set of 10 internationally recognized principles called the fair information principles. These principles give individuals control over their personal information and the way it is managed in the private sector. They establish strong privacy rights for Canadians and real obligations for companies.

By requiring businesses to protect personal information, PIPEDA is not only protecting the privacy rights of Canadians but is helping contribute to a vibrant Canadian economy. These founding fair information principles for PIPEDA mean that the act is flexible and scalable and allows data to move seamlessly across borders, all of which are good for Canadian businesses. PIPEDA is a flexible piece of legislation. It is technology neutral, which means that it evolves and will apply to new technologies in businesses as they emerge. It applies to all categories of businesses, not just one sector. It also lets companies find innovative new ways of protecting privacy because it is not overly prescriptive.

As I said, PIPEDA is also scalable. It applies to organizations of all sizes in Canada. Whether a small business or a large multinational corporation is doing business in Canada, it is governed by PIPEDA. Having a foundation based on these internationally recognized principles, being flexible and scalable, all contribute to PIPEDA reducing unnecessary red tape for businesses while also maintaining and protecting the privacy rights of Canadians. This puts Canada at a strategic advantage globally.

PIPEDA's balance between these two approaches allows Canadian businesses to be competitive in different markets around the world. By not being overly burdensome, PIPEDA allows Canadian businesses to adapt to new technologies as they emerge, thus allowing them the opportunity to compete with international markets and increase their revenues. At the same time, because PIPEDA is not overly lenient, Canadians can feel secure that their personal information will be protected in their dealings with businesses in Canada. It is clear that privacy is important for businesses and our economy.

Clearly, PIPEDA supports business activities, while protecting the personal information of consumers. Bill S-4 takes Canada's privacy protection a step further and clarifies rules for businesses.

Our government recognizes that companies need to have access to and use personal information to conduct business activities. That is why Bill S-4 provides a clear set of guidelines for businesses when it comes to the collection, use and disclosure of the personal information of Canadians in the course of commercial activities. These activities can include undertaking a merger or acquisition, processing an insurance claim or simply share an employee's email address and fax number with another company.

Bill S-4 would maintain PIPEDA's balanced approach and would provide important clarifications for businesses to conduct themselves with confidence, while at the same time offering consumers the assurances they need that their information is being protected.

The digital privacy act would also provide for oversight and accountability to ensure that when safeguards failed, individuals would told about it and could take the appropriate measures to protect themselves.

The balanced approach found in PIPEDA and continued in Bill S-4 is an important element in establishing a growing trust and confidence in today's digital economy. Once again, it is that consumer trust and confidence that will help businesses and the economy to flourish. It is that trust and confidence that will help us to continue to build a digital Canada.

Thanks to PIPEDA and the improvements proposed in Bill S-4, Canadians can be confident that their privacy is being protected when they provide their personal information to businesses.

The digital privacy act proposes common sense changes that will reduce red tape for businesses, while also maintaining and protecting the privacy of Canadians. A clear set of rules for privacy protection allows businesses to focus on providing exceptional service to their clients, while simultaneously offering them an advantage in today's increasingly competitive worldwide marketplace.

I want to take this opportunity to urge all hon. members to join me in supporting the bill.

Mr. Speaker, the NDP is entirely supportive of the need to update our privacy laws, especially in the digital age, when we frequently share our private lives online. However, something about this bill really bothers me, which is why the NDP will not be supporting it.

Unfortunately, although the bill is called the digital privacy act, some of its measures actually work against privacy by opening the door to more sharing of personal information among organizations, on a voluntary basis, without the knowledge or consent of the individuals in question. The Privacy Commissioner even raised some concerns about this. This will really open the door to a lot of information sharing. Sometimes it will be for legitimate reasons, and sometimes not.

Why has the government not taken action in this regard? Why did it not include the amendments put forward by the Privacy Commissioner to ensure that this bill really does protect Canadians?

Mr. Speaker, I am pleased to have the opportunity to speak to Bill S-4, the digital privacy act. The bill would make significant improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

One aspect of the digital privacy act that has not received a lot of attention is how the bill would help reduce red tape for businesses. Reducing red tape for Canadian businesses saves money and helps encourage greater investment in our economy. I would like to focus my comments today on these important changes.

We must always bear in mind that strong privacy legislation is not just good for everyday Canadians; it is also good for businesses. In our rapidly evolving digital economy, personal information is becoming increasingly valuable, creating tremendous new opportunities for businesses to innovate and develop new products and services.

Canadians will not provide their private information to businesses if they do not trust that it will be protected. At the same time, if the rules are too cumbersome and complex for businesses to manage and show no clear benefit to consumer privacy, then companies will struggle to implement them. It is for these reasons that the digital privacy act proposes a number of common sense changes to help businesses protect privacy in a way that does not hinder their ability to conduct business.

All of these changes make sense. They were all identified by the Standing Committee on Access to Information, Privacy and Ethics when it conducted the first statutory review of PIPEDA back in 2006. Businesses have been waiting a long time for these changes, and it is important that we move now to implement them. I would like to briefly touch on each of these important changes.

The first changes are in relation to business transactions. Currently, if a company wants to examine personal information as part of its due diligence—for example, if a business is thinking of buying a magazine and would like to look at the list of current subscribers—it first needs to obtain the consent of each individual subscriber. This requirement not only presents a tremendous burden for the company but is also often impractical, given the confidential nature of most prospective business transactions.

Bill S-4 fixes this problem by creating an exception to the requirement for consent that would allow businesses to share information in this context. This must be done in such a way that the privacy interests of those involved are protected.

Under the digital privacy act, information could only be shared for the purpose of assessing the feasibility of the transaction. If the transaction did not proceed, the information would have to be destroyed or returned. If the transaction did proceed, then the individuals would have to be informed.

This amendment would implement a recommendation made by the standing committee during the first statutory review and is modelled after a similar exception that is currently in place in Alberta and British Columbia under their private sector privacy laws.

In addition, the amendment has widespread support among stakeholders. Ms. Éloise Gratton, a lawyer with the Borden Ladner Gervais law firm, appeared before the Standing Committee on Industry, Science and Technology. She said:

I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.

The next important amendment I would like to highlight is the change to how business contact information is dealt with under PIPEDA. Currently, certain types of business contact information are not defined as personal information. Specifically, a person's business title, address, and telephone number are not considered personal information and are therefore not regulated.

As was pointed out during the first statutory review of PIPEDA, this would present an obvious problem: only a few bits and pieces of information are considered to be business contact information under PIPEDA. A person's work email address or fax number or their LinkedIn account or a business Twitter handle are all considered personal information.

The digital privacy act would correct this problem by creating a technology-neutral definition of “business contact information”. It would do this by being inclusive of all types of communication points of contact, such as social media applications like Twitter and LinkedIn. With this change, a sales manager would now be allowed to share an employee's work email address with a client without having to get permission first. This would create a better balance between protecting privacy and allowing information to flow in a digital economy. At the same time, the act would continue to protect business contact information if it is used outside of a business context.

Another important amendment in the digital privacy act would be the clarification around the rules for when someone's personal information is included in their work product. An example would be when a garage mechanic signs off on a vehicle's inspection or a work estimate. The fact that the mechanic signs off on the estimate would mean that it now contains his personal information.

Currently, under PIPEDA, a business must obtain an individual's consent to use or share any work product he or she creates if it contains the individual's personal information. Again, this seems like a rather silly and unnecessary bit of red tape. Bill S-4 would fix this problem by ensuring that businesses can use their employees' work without getting the employees' consent.

Finally, the digital privacy act would ensure that insurance companies can use witness statements when assessing or processing any insurance claim. Witness statements provided to the police or other investigating authorities may contain personal information. For example, if I were to witness someone running a red light that results in a car accident, my statement to the police would include personal information. Currently, under PIPEDA, an insurance company processing any claims for the accident would need to get the consent of anyone named in my witness statement in order to use it. Such a requirement would create the potential for someone who breaks the law to use privacy as a shield to avoid responsibility for his or her actions.

The digital privacy act would fix this problem with an amendment that would enable an organization to obtain a witness statement without having to obtain the consent of an individual whose personal information is contained within it. However, this experience would only apply when the information is necessary to assess, process or settle an insurance claim.

In addition to strengthening privacy protection in Canada through measures like mandatory data breach reporting and stronger enforcement powers for the Privacy Commissioner, which had been discussed extensively in this place, the digital privacy act would also make a number of important changes that would cut red tape for Canadian businesses.

I hope hon. members will join with me in supporting a balanced and carefully considered bill that would dramatically improve Canada's privacy law.

Mr. Speaker, I am pleased to rise in the House today to speak to a bill, perhaps for the last time in this 41st Parliament. I would like to thank the interpreters, who have helped us so much these past four years, as well as the team of clerks and pages and everyone who supports our work every day.

In the digital age, privacy is extremely important. It often feels as though I have a clone that is wandering around computer networks with information on my life, my past, my present, my sexual orientation, my purchases, my consumption and my travels. All of these data are like a twin over which I have no control. That is a problem.

Unbeknownst to me, my twin goes from company to company, government agency to government agency. No one will inform me that an agency is using the information my clone carries to determine how it will approach and deal with me.

A number of distinguished analysts who testified obviously told us that this bill could be challenged by the Supreme Court. The court recently ruled that a warrant was required to access the personal information and IP addresses of customers of Internet service providers. It is therefore highly likely that a number of provisions in this bill will be challenged by the Supreme Court.

The Conservative government has a strange relationship with the Supreme Court. This will not be the first time that a bill has ended up before the Supreme Court. Under the Conservative government, we have gotten used to seeing bills that, according to experts and parliamentarians, violate our charters and our laws. These bills risk being challenged by the Supreme Court and, in fact, they are being challenged. The government has suffered many defeats, and yet again it is risking being put in its place.

Introducing these constitutionally weak bills is a real waste of time. How insulting it is to the intelligence of the members of this Parliament and the members of civil society who give their input on these issues. What contempt it shows for our institutions and the Canadian Constitution.

The Conservatives have botched the drafting of dozens of bills. Take Senate reform as an example. Everyone knew that that measure would be declared unconstitutional, because 50% of the population would have had to agree, but the government went ahead with the measure anyway.

As for the appointment of Justice Nadon, everyone said that it would not work. The appointment was challenged, and Justice Nadon was ineligible under the Supreme Court Act. The matter still had to go to court, but everyone knew how it would end. Once again, it was an insult to the intelligence of parliamentarians and the experts who were advising us.

Another example is the repatriation of Omar Khadr. Two Federal Court rulings and a Federal Court of Appeal ruling ordered his repatriation, but the government still took the matter to the Supreme Court. What happened? The Supreme Court of Canada upheld that young man's rights and even said that they had been violated since he was captured in 2002. The government's attitude puts it at odds with civil society, the opposition members and the Supreme Court.

We told the House that mandatory minimum sentences were not constitutional. The government pushed ahead anyway. What happened? The Supreme Court said that the opposition was right and that these sentences were not constitutional. The Federal Court of Appeal had come to the same conclusion, but the government did not listen to that court.

The government tried to close safe injection sites by passing a law. What happened? The Supreme Court found that the site in Vancouver could continue to operate without the risk of criminal prosecution. The government's refusal to grant an exemption to InSite violated the right to life guaranteed in the Canadian Charter of Rights and Freedoms. This once again showed the Conservative government's contempt for our institutions, the Canadian Constitution and the Canadian Charter of Rights and Freedoms.

The Conservative government also lost its case before the Supreme Court regarding the retroactive application of the Corrections and Conditional Release Act. It was not constitutional to do away with accelerated parole review. Those who challenged it were granted parole. The NDP told the House that the measure would not work and that it violated the Canadian Constitution and the Canadian Charter of Rights and Freedoms. The government did not listen. It went to the Supreme Court and lost once again.

Another case that the government lost before the Supreme Court is the case regarding the Canadian securities commission. We told them that setting up a Canada-wide commission would not work since that is an area of provincial jurisdiction. The government did not listen to us and said that it was going to set up the commission anyway. The government went to court and the Supreme Court told the government exactly what the opposition had told the House. What is more, the Supreme Court suggested that the government take a co-operative approach. This government has failed to co-operate with the provinces, as we have seen with the TFSAs in the latest budget. By 2080, that measure will cost the provinces $34 billion. Did the government discuss that with the provinces? Did it seek to co-operate with them? Not at all.

I am getting to my last and main point: Internet users' privacy. The issue is whether searching through people's personal information is lawful or not. I am reiterating this because the government has to understand that it cannot use any pretext whatsoever to search through people's personal information: the police need a warrant to obtain the name, address and telephone numbers associated with a subscriber's IP address. The Supreme Court has told the government that.

We are debating Bill S-4, which could still go to the Supreme Court. How do we know? We listen to the experts. Not all members claim to be experts in law, computer issues and general issues that apply to data management. People appeared before the different committees, in the Senate and the House of Commons, to explain why the current version of this bill is weak. We spoke about Michael Geist earlier. In his testimony, he said that although the government claimed that Canadians should not worry about this provision, this exception will let companies share personal information with other companies or organizations without the court's authorization. That is one of this bill's flaws. He added that the failure to require transparency, disclosure and accountability with respect to the communication of information without a warrant was a glaring omission in this bill.

This is not the first time that we have told the Conservatives that their laws are flawed. They are unconstitutional. Here again, provisions will be struck down by the court. Why not fix this now? Why waste time, money and energy in the Supreme Court just to be slapped on the wrist again? The Conservatives have been slapped on the wrist 10 times by the Supreme Court. They may want to continue. Perhaps systematically going against Canada's Constitution and the Canadian Charter of Rights and Freedoms is part of their political agenda. That seems to be the case. The Conservatives do not like the Canadian Charter of Rights and Freedoms, because in the case of the 10 laws that I mentioned, the Conservatives went against the charter.

Is there someone who can read it and interpret it properly? Why not listen to the opposition once in a while?

Mr. Speaker, I want to thank my hard-working colleague for the very thoughtful question. There is nothing more important than one's private information. There is some information people just do not want to share with other people. We have insisted on removing the provisions in Bill S-4 that would allow organizations to share personal information without Canadians' consent and without a warrant. We have also said that there are loopholes in this bill that need to be addressed. We tried to address them with amendments, but of course, we were ignored.

However, we are not the only ones who are saying that. Here is a quote from Michael Geist, who is a law professor at the University of Ottawa:

the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed.

He has also said:

While the government has claimed that this provision should not concern Canadians, the reality is that the broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval.

It is a lack of transparency, a lack of disclosure, and a lack of reporting requirements and believing that these companies can police themselves. Surely we have learned lessons from other situations. There are some glaring omissions in this bill, and they should be addressed.

As a matter of fact, Michael Geist even says, “[This bill] is both not well studied and ought to be fixed. Canadians deserve better”.

Mr. Speaker, I thank my colleague for her speech on defending privacy and people's personal information.

Through Bill S-4, the Conservatives are making a third attempt at talking about privacy protection, but they missed the mark yet again. As my colleague pointed out, the opposition parties, including the NDP, proposed a number of amendments, but the Conservatives categorically rejected them all.

Some of the amendments would have prevented companies from determining whether or not privacy has been breached and whether or not complaints should be addressed. We want a third party to take care of this in order to keep the process transparent and effective.

We are also calling for the Federal Court decision to be complied with so that information shared between companies is better protected and Canadians' personal information cannot be shared without their permission.

Bill S-4 does not do any of that. We are talking about a very serious breach of privacy. The current Privacy Commissioner raised some concerns about this. This bill still has a number of major flaws.

I would like my colleague to comment on that.

Mr. Speaker, it is my pleasure today to rise and speak to Bill S-4.

As my colleague mentioned a couple of minutes ago, I too have very serious concerns that here we are in a parliamentary democracy with elected MPs sent here by their constituents to do the work of Parliament, and Conservatives have brought forward a bill introduced by the unelected Senate. It sort of begs this question. What was the real agenda behind doing this? Was it to fast-track it? Was it to try to give the Senate some sense of credibility as it goes through some very difficult and challenging times?

Nevertheless, it is about process, and now that I have made my point, I also want to make the point that in Parliament, as my colleague across the way pointed out, there is a natural rhythm as to how bills are introduced in the House and debated. The government, in its wisdom, first took a Senate bill instead of spending the time, of which it has a lot, to bring forward its own bill. It took a Senate bill and, even before second reading, basically declared that it was not willing to accept any amendments, which really makes one wonder what the purpose has been behind a lot of legislation.

Now I know that my colleagues across the way have an allergy to evidence, science, and data and do not really like listening to all the expert witnesses that are flown in to appear before committees. The interesting thing is that even before they heard from those witnesses, they started to make comments such that they did not want to accept any amendments because if they did, the bill would have to go back to the Senate. It does not seem to me to be a good reason to bring forward legislation that is poorly thought out.

I am not saying it is not needed. It is.

As a matter of fact, my esteemed colleague from Terrebonne—Blainville introduced Bill C-475, which would have actually addressed many of the concerns that Canadians want addressed. That is an example of a well-thought-out bill that would not overreach but would actually do the job that is needed, which is to modernize our code of conduct around personal information. With the advent of electronic and digital media, we absolutely need some changes.

Getting back to the bill, once again, it is a process that is flawed. Experts came forward and gave testimony. I sometimes wonder, if the government's mind is already made up that it is not going to accept any amendments, what the purpose is of flying in experts to present their testimony. To me, that is the highest sign of disrespect. It basically says the government has already made up its mind, but just to make witnesses feel better, it will hear from them. That is really bad form.

Here is something else. The NDP put forward 18 amendments, well thought out and researched, supported by the evidence that was presented and by experts; and other people presented 14 other amendments. True to their commitment or the bizarre statement before the bill got debated, there were zero amendments accepted by my colleagues across the way. So much for committees working with consensus.

I have often heard ministers from the other side of the House say they have to rush things through the House because at committee stage experts will be heard and that is when we get to have the really meaty debates. I have never bought that, and evidence bears out that it is not how committees work. Despite hearing expert witnesses and hearing from the opposition, the Conservative government accepted zero amendments, and that says a lot about the process.

Now the bill is back in the House, and we are debating it, but once again, there is time allocation. The government could have moved on the bill over the last number of years, but it chose not to. Here we are in the last three weeks, when suddenly the Conservatives have rediscovered that they had better do something. After all, it is election time. They are now moving time allocation to prevent the Canadian public from knowing what is really in the bill. One way to do that is to limit and shut down debate, which seems to be a very common move by the government.

Here are some facts and figures. The Conservatives made 1.2 million requests to telecommunication companies to obtain Canadians' personal information in just one year. Some 70% of Canadians feel less protected today than they did 10 years ago. With this bill, they have reason to feel even more concerned and worried, because now there are all kinds of loopholes in the bill whereby their information can be shared way beyond the person they give it to.

Some 97% of Canadians say they would like organizations to let them know when breaches of personal information occur. That is reasonable, but if companies are giving away data themselves, I personally see that as a breach, because they have breached my trust, because I gave the data to them. We have some concerns around that as well. Some 80% of Canadians say they would like the stiffest possible penalties to protect their personal information, and 91% of respondents—not 51%, not 41%, not 21%, but 91%—are very or extremely concerned about the protection of privacy. It seems to me that the government should be paying some attention to what Canadians are feeling and their fears.

There was also a Supreme Court ruling, on June 13, 2014, pertaining to the sharing of personal information. The Supreme Court stipulated that subscriber data, including name, address, email address, phone number, ID address, et cetera, cannot be disclosed to a third party without a warrant. In light of this decision, the constitutionality of certain provisions in Bill S-4 is questionable.

I am sitting here thinking that a government that really wanted to do due prudence would actually pay attention to the fact that the Supreme Court had made a ruling. Despite that ruling, we did not see any amendments from the Conservatives, nor were they willing to accept any of ours, which really lets me know that to pander to their friends, they are willing to sell out Canadians, they are willing to ignore the Supreme Court ruling, and they are burdening hard-working taxpayers with future challenges in the courts, because that is where this will certainly end up.

The NDP believes that Canada needs a mandatory data loss or data breach reporting mechanism based on objective criteria. We are not the only ones who are saying that. Witness after witness said that we need the Privacy Commissioner to have some powers over this.

Huge companies get our data through nefarious means, some of them very innocent, like when we pay bills with a credit card. They not only get what we paid and where we bought something but all that micro-targeting information can now be moved on to other companies when a company deems fit. To me, that is just not acceptable.

I would urge my colleagues across the way to not ignore Canadians or the Supreme Court ruling. Let us make sure that we address the deficiencies in this bill.

Mr. Speaker, I am less interested in the speech that my colleague was given to read into the House of Commons today and more interested in hearing his views about the fact that the bill is labelled “S-4”, which means it did not originate in the House of Commons; it originated in the Senate.

In my view—and I would like the view of the member for Elmwood—Transcona, to see if he agrees with me—senators have no legitimate right to introduce legislation. No one elected them to be legislators. In fact, they are appointed, usually because they were good fundraisers on behalf of their party. They were hacks and flacks and fundraisers, and they get rewarded with this lifetime sinecure in the other place.

For God's sake, how did we ever get to the point where we are debating legislation that they have developed? How have we slipped to this, in the status of our parliamentary democracy, that it is the House of Commons' job, that the elected representatives, the duly, democratically elected representatives in the House of Commons, have to end up debating legislation that was put together by a bunch of unelected, undemocratic, and under indictment half the time, senators?

Does he agree with me that there is something fundamentally wrong with this picture? Will he stand up on behalf of his elected colleagues in the House of Commons and say the bill has no legitimate right to be in the House of Commons, never mind the points he was making about its relative merits?

Mr. Speaker, I am pleased to rise in my place today to express support for Bill S-4, the digital privacy act, which was first introduced in April of last year. The digital privacy act would make important changes to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, to better protect the privacy of Canadians.

I would like to spend my time highlighting the measures in Bill S-4 that are designed to better safeguard the privacy of minors and protect vulnerable members of our society. In our modern digital economy, it is absolutely critical that we make sure our children have safe and secure access to online resources.

Being digitally literate is no longer merely nice to have; it is now a necessary prerequisite for young Canadians, whether to be successful in school or to find their first job. In fact, a recent survey revealed that in 2013, 99% of Canadian students were able to access the Internet outside of school.

While there are many benefits to being digitally connected, going online can also expose our children to risks. As we have unfortunately seen, young people can become targets of online intimidation and abuse. Our government has acted to protect our children from cyberbullying and other similar threats through Bill C-13, the Protecting Canadians from Online Crime Act. This bill, which came into force on March 9, 2015, ensures that all Canadians can freely access the Internet without fear of victimization.

Bill C-13 protects children and adolescents from online predators and exploitation. Provisions of the bill permit and empower the courts to penalize those who harass, intimidate, exploit, or threaten others online or through telecommunication devices. In other words, Bill C-13 serves to counter cyberbullying in Canada.

The Government of Canada takes cyberbullying very seriously and supports a no-tolerance framework. In January 2014, our government launched the anti-cyberbullying national awareness campaign called Stop Hating Online, which raises awareness of the impact of cyberbullying and how this behaviour amounts to criminal activity.

We have also taken further steps to protect children from online predators. Our government has invested $14.2 million a year through the national strategy for the protection of children from sexual exploitation on the Internet. In addition to Bill C-13, our government has implemented other concrete measures to keep young Canadians safe online and in their communities. Such measures include increasing the maximum penalties for luring a child online, strengthening the sentencing and monitoring of dangerous offenders, and strengthening the sex offender registry, to name only a few. All of these initiatives align with our government's commitment to stand up and protect Canadians.

Bill C-13 was introduced to provide a safe and secure environment for Canadians online, and the digital privacy act seeks to accomplish this as well. In this rapidly growing digital world, we must be aware that going online can expose vulnerable Canadians to privacy risks. For example, minors can be subject to aggressive marketing tactics or can have their personal data collected and shared without them truly understanding what is being done and the potential long-term privacy consequences.

To address this concern, the digital privacy act includes an amendment to clarify requirements for the collection, use, and disclosure of personal information. Specifically, the bill clarifies that when a company is seeking permission to collect, use, or disclose personal information from a group of individuals, such as children, it must take the necessary steps to ensure that, as a group, these individuals are able to understand what would happen to their personal information. In practice, this means that the organization's request for information must be presented in a clear and concise manner and must be appropriate for and easily understood by the target audience. This includes making sure the wording and language used in the request are age-appropriate.

Let me take a minute to give an example explaining to the members of the House how this would work. Let us say that an online service designed for children wishes to gather information about who visits their site. In order to seek consent, the company would be required to design and present its request to collect, use, and disclose information using language that a child could reasonably be expected to understand. If a child could not be expected to understand what the website seeks to do with their information, the child's consent would not be valid. As a result, consent from a parent would need to be sought.

The Privacy Commissioner expressed his strong support for this amendment when appearing before the standing committee. This is what the Privacy Commissioner said:

I think with the clarification that Bill S-4 provides, it is a useful clarification of what consent is, and it has the potential of improving the situation for the issue of consent sought from children....

There are additional amendments in Bill S-4 that are also designed to better protect the interests of other vulnerable individuals. I would like to bring to the attention of hon. members two particular amendments that would allow information to be more easily shared in emergency situations.

The first of these amendments would allow organizations to share personal information in order to contact a family member of an injured, ill, or deceased individual. The importance of this amendment was well summarized by the representative of the Canadian Pharmacists Association in her appearance before the standing committee when she said:

Pharmacists, as well as any health care provider, may find themselves in the difficult situation of having to deal with patients who may be severely ill, unconscious, or incapacitated for any number of reasons. In such circumstances it may be imperative for the pharmacist or other health professional to immediately contact family members or next of kin to inform them of the patient's condition, or to seek valuable information on the patients' medical history. But seeking permission or consent to contact those individuals in advance may simply not be reasonable nor in some cases possible. This clause would provide pharmacists and other health care providers with the comfort and knowledge that in the case of a severe health emergency they will not be in contravention of PIPEDA for acting in the best interests of their patients by contacting next of kin or authorized representatives.

The second of these amendments would allow information to be shared in situations such as accidents or disasters, in order to assist in the identification of injured, ill, or deceased individuals. For example, this would allow dentists to provide an individual's dental records to authorities in order to identify victims of a natural disaster.

These two amendments are clearly in the public's interest and are long overdue.

The government is committed to protecting the privacy of Canadians. The digital privacy act would take necessary actions to protect the most vulnerable members of our society, including children.

Mr. Speaker, it is my pleasure to be here today to express my strong support for Bill S-4, the digital privacy act. This bill would make significant and long-overdue improvements to Canada's Personal Information Protection and Electronic Documents Act, or PIPEDA.

One question that has been asked repeatedly by members opposite is why the government is not amending PIPEDA in response to the Supreme Court of Canada's decision in Canada v. Spencer. They claim they cannot support the digital privacy act because the bill fails to act on this decision. Those are very strong words and it is clear that the opposition parties have not done their homework before speaking on this matter.

The answer to their question is quite simple. The government is not proposing amendments to PIPEDA in response to the Spencer decision because the Supreme Court confirmed that PIPEDA does not give the police any search and seizure powers. In fact, the whole purpose of the law is to increase the protection of Canadians' personal information.

Given the questions that have been raised around the Spencer decision, it is important that I take time today to clear up some of the misinformation. My hon. colleagues opposite do not need to take my word for it. They can always take the time to read paragraphs 71 and 73 of the decision themselves. The Spencer decision deals with a child pornography investigation carried out by the Saskatoon police department. As part of the ongoing investigation, police identified the IP address of a computer that was being used to access and distribute child pornography.

It is important to understand that the police were able to obtain the IP address simply by going online and interacting with the child pornographer, because computers make their IP addresses public whenever they engage in a file-sharing activity. With this IP address in hand, the police then asked the Internet service provider to voluntarily provide account information for the subscriber assigned to the IP address. The account information included the subscriber's name and mailing address. The police asked for the service provider's co-operation on the good faith belief that the subscriber did not have a reasonable expectation of privacy with respect to his or her basic account information, which is the individual's name and address.

With this information in hand, the police obtained a warrant to search the suspect's house, at which time a computer was seized and found to contain child pornography. Mr. Spencer was charged and convicted of possession of child pornography. Mr. Spencer appealed his conviction on the grounds that he had a reasonable expectation of privacy with respect to the account information obtained by the police. In other words, he argued that the police were required to obtain a warrant before getting his basic subscriber account information from his Internet service provider to make sure that his charter rights were respected.

In its decision, the Supreme Court found that Canadians in general have a reasonable expectation of privacy with respect to their Internet browsing habits and history. This is because the sites we visit and the online activities we engage in can reveal “intimate biographical details” about ourselves, details that we may wish to keep private. Because linking an IP address with a specific account holder enables the police to learn about and observe an individual's Internet habits, the court found in the specific circumstances of the Spencer case that the police should have obtained a warrant from a judge to collect Mr. Spencer's account information.

It is, however, important to note that because the police were acting in good faith, believing that Mr. Spencer did not have a reasonable expectation of privacy in his account information, the court did not exclude the evidence obtained by the police and Mr. Spencer's conviction was upheld.

These are the facts. It is difficult to see how this decision means that PIPEDA, the digital privacy act or Bill S-4 in some way violates the charter rights of Canadians, as the members opposite have asserted at every opportunity. This is blatantly false.

As I stated at the outset of my remarks, the Supreme Court confirmed that PIPEDA does not create any search and seizure powers for law enforcement. Nothing in the law compels companies to provide personal information to law enforcement and the digital privacy act would not change that fact.

Justice Cromwell stated in his decision, “In short, I agree with the Ontario Court of Appeal...on this point that neither...the Criminal Code, nor PIPEDA creates any police search and seizure powers”.

He said, “PIPEDA is a statute whose purpose” as set out in section 3 “is to increase the protection of personal information”. Justice Cromwell further clarified that there are clear restrictions that PIPEDA places on disclosures by private businesses to law enforcement agencies. He stated that even in child pornography cases, the circumstances “cannot override the clear statutory language of...PIPEDA, which permits disclosure only if a request is made by a government institution with 'lawful authority' to request the disclosure”.

This fact clearly demonstrates that PIPEDA prohibits unlawful disclosure unless the requirements of the law are met, including that the government institution demonstrates the necessary authority to obtain, not just simply to ask, for the information.

In addition to a warrant or court order, what might this lawful authority to obtain information include? Justice Cromwell stated:

“Lawful authority” may include several things. It may refer to the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy. It may refer to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law.

Justice Cromwell clearly noted that issues of disclosure and lawful authority arose in this case simply because the investigation was begun by police. This is simply not the case for private organizations. In his Supreme Court decision, Justice Cromwell wrote that, “...entirely different considerations may apply where an ISP itself detects illegal activity and of its own motion wishes to report this activity to the police”.

To summarize, this is what the Supreme Court said about PIPEDA in the Spencer decision.

PIPEDA does not provide law enforcement with any “search and seizure powers”.

Consistent with the charter, PIPEDA permits businesses to disclose personal information to law enforcement without consent in only the following circumstances: law enforcement have a warrant or a similar court order; the information is required to address an emergency, such as information that is needed to stop a crime in progress that threatens someone's life; the law enforcement agency is acting pursuant to a specific law that gives it the authority to obtain private information without a warrant; in response to a routine inquiry by law enforcement regarding information for which there is no reasonable expectation of privacy; or the organization, on its own initiative, provides the information to police to report a crime.

Clearly, the Supreme Court did not find any part of PIPEDA unconstitutional.

I hope that with this clarification, all hon. members will join us in supporting the digital privacy act Bill S-4, the digital privacy act, in ensuring that Canadians' personal information is protected.

Mr. Speaker, I rise in the House today on behalf of my constituents from Surrey North to speak on Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act. I rise today because I oppose the bill in its current form.

Members from three parties proposed amendments to the bill so that it would stay within constitutional boundaries. However, the Conservatives rejected every single one of those amendments, even the amendments that were drafted according to the comments and suggestions from the witnesses.

As the official opposition, it is essential that we carefully review the legislation and voice dissenting opinions in order to ensure that each bill is thoroughly examined. In this case, as in most cases that I have experienced in the past four years, it is evident that the Conservatives are determined to push through their own agenda on their own timeline.

I feel strongly that it is important for Canadians to know that their privacy is being protected, especially in the digital age that we live in. However, just because the Conservatives have not conducted the mandatory five-year review of the Personal Information Protection and Electronic Documents Act, PIPEDA, does not mean that we should rush through an unbalanced bill.

I feel very strongly that the bill before us was not well studied and needs to be fixed before it is passed through the House. In fact, the Conservatives did not support or submit any amendments to the bill because they did not think that would allow enough time to pass the bill before the election. This sounds politically expedient to me. Canadians deserve better than what the Conservatives are giving them.

The issues surrounding online privacy and safety are not new problems. Rather, they are existing problems that have become increasingly harder to protect against as technology continues to advance. Therefore, given the changing nature of the problem, it is important that the legislation that we create also evolves.

I am glad that after so many years of inaction, we are finally considering legislation to address online privacy issues. My colleague, the member for Terrebonne—Blainville, tried to take action to protect Canadians' privacy back in 2012 with Bill C-475. Unfortunately, that bill, which was stricter and more effective than the bill before us although very similar to it, was voted down by the Conservatives.

The Conservatives have become very good at pretending they know how to do their jobs and protect Canadians. They are actually able to stand up in this House and lie through their teeth in saying that this is a balanced bill, and they believe that.

Online privacy and security breaches have the potential to significantly harm an individual. Protecting these rights is important for all Canadians so that we do not put anyone potentially in harm's way.

Some Canadians may feel that the bill does not affect them in their daily lives, but I can assure them that Bill S-4 would affect every single Canadian.

One part of the bill that I am very concerned about pertains to the sharing of our personal information. The bill contains a provision that would make it easier for companies to share our information without our knowledge or consent, without a warrant, and with zero oversight. It is troubling to me that there is no mechanism in place for oversight.

Do the Conservatives remember the ruling in Regina v. Spencer? I do. In this decision, the Supreme Court of Canada ruled that Canadians have a reasonable expectation of privacy online. More specifically, the Supreme Court stipulated that spyware data cannot be disclosed to a third party without a warrant.

In light of this decision, it is questionable whether certain provisions in Bill S-4 are even constitutional. There are limits on what the government can do, but the Conservatives seem to have forgotten that.

We are demanding that every clause pertaining to the warrantless disclosure of information be withdrawn out of respect for the Supreme Court ruling and the privacy of Canadians.

There is no doubt that the Conservatives have a dark past when it comes to protecting personal information, and this bill would only add to that darkness. The lack of oversight and the allowance of warrantless disclosure has led to 1.2 million secret requests from Conservative government agencies for personal information from telecommunications companies in one year alone. Under the current Prime Minister, staggering numbers like this show that something needs to change, and it starts with this bill.

The Conservatives' hesitation to accept amendments to this bill makes me question whose interests they are truly protecting. Are they protecting the interests of Canadians, who deserve to trust that their personal information will be protected, or are the Conservatives protecting their own self-serving interests?

We would like to see this bill contain a mandatory data loss or data breach reporting mechanism. However, the bill in its current form would most likely result in fewer breaches being reported. It would be up to the organization that suffered the breach to determine if the breach posed a real and significant risk of harm. Companies want to save their reputation and money, so why would they inconvenience themselves by reporting a potentially embarrassing breach of privacy that could cause consumers to lose trust in them when they could just hide it instead?

There would be no incentive to report a breach and no advantage to doing so. This is a conflict of interest that would deprive Canadians of the information that they need to make informed choices about which companies they decide to share their personal information with.

Furthermore, because of the Conservatives' inaction, PIPEDA, which is supposed to be updated every five years, is falling far behind international standards. Since the first statutory review in 2007, subsequent attempts to amend PIPEDA have died on the order paper. After this long wait to update PIPEDA, the bill would simply not go far enough to protect Canadians in this digital era. We as Canadians are getting the message that the government does not take the protection of personal information seriously.

I, along with my fellow NDP members, truly do not ask for much when it comes to this bill. We have long called for the modernization of Canadian privacy laws. They are not up to date. Instead of making it easy for companies to share our information, the government should put deterrent penalties put in place that would require or encourage these private companies to respect and follow Canadian laws. Following that, we insist that the provisions in Bill S-4 to allow organizations to share personal information without consent or a warrant be removed and that the loopholes in PIPEDA, which do the same thing, be closed.

The point of the Constitution and the Canadian Charter of Rights and Freedoms is to protect the very rights and freedoms contained within them. Warrantless access to our subscriber data and personal information most definitely poses a risk to Canadian privacy.

Modernizing the laws that govern the protection of personal protection is an important issue in the digital age. However, ramming through a bill that has huge holes, such as this bill, is not a fix that can make up for years of inaction by the current government. I urge the Conservatives to accept the amendments to this bill so that we can work collaboratively to ensure that all Canadians can trust that their personal information is being protected to the best of the government's ability.

One of the other things that was very troubling was seeing time allocation moved for the 97th time. Time allocation basically puts closure on this bill. It does not allow for all of the members to bring the views of their constituents into the House, which is one of our primary jobs.

This is the 97th time the Conservatives have done it and I can assure you, Mr. Speaker, they are not going to get the chance after October 19, because Canadians are tired. They have seen democracy and the workings of democracy crumble. These guys are going to be out.

Mr. Speaker, on June 2, 2014, the Supreme Court of Canada handed down an important decision about sharing personal information.

In their decision, the Supreme Court justices stated that information about customers, including their names, addresses, email addresses, phone numbers and IP addresses, could not be shared with a third party without a warrant.

In light of that decision, does the member believe that some of the provisions in Bill S-4 might not be constitutional?

Mr. Speaker, as I mentioned in my speech, the changes in this bill affect private investigations, which, as the bill defines, are investigations carried out by a private sector organization, not a government authority.

With regard to the Supreme Court decision, the Supreme Court itself noted that PIPEDA does not create any search and seizure powers for law enforcement; instead, it allows companies to provide information to police should they choose to do so when—and here is the kicker—the police are legally able to obtain the information, meaning through normal warranting procedures.

The court has clearly stated that this is only when police have a warrant, are acting in exigent circumstances, are acting under an authority granted to them in law, or are obtaining information for which there is no reasonable expectation of privacy.

The Supreme Court decision itself clarifies how PIPEDA works, and it does not mean how the act or Bill S-4 needs to change.

I hope that my colleague will inform himself. I know he is well informed on this bill. He certainly knows the ramifications of the Supreme Court ruling in this regard. I hope that he would actually provide the correct information to his constituents and to folks abroad about this. Indeed, as the member for Terrebonne—Blainville said on April 8, 2014, “We have been pushing for these measures and I'm happy to see them introduced.”

This is something that supports all Canadians and is a common sense measure to help strengthen our legal system.

Mr. Speaker, I am pleased to rise to speak on behalf of Bill S-4, the digital privacy act, which is referred to the House by the Standing Committee on Industry, Science and Technology.

When Parliament first enacted the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA, in 2001, it recognized there were certain limited circumstances in which an individual's right to privacy must be balanced with other fundamental rights and public interest.

One such interest is the need for investigations into breaches of agreements, contraventions of law and for fraud prevention, which in certain circumstances must be conducted by the private sector.

Examples of these are common. They include investigations into professional misconduct by self-regulating professional associations, like the provincial colleges of physicians and surgeons, as well as the law societies. Another example is cross-sector investigations to detect crime and prevent fraud, such as the work done by the Bank Crime Prevention Centre and Investigation Office of the Canadian Bankers Association and the investigative services division of the Insurance Bureau of Canada.

It is not difficult to see that there is a real public interest in ensuring that these organizations have the ability to investigate. In order to do so, they must be able to obtain personal information that is protected under PIPEDA.

The Privacy Commissioner told the committee:

I totally agree that there needs to be provision in PIPEDA allowing organizations to address the issue of fraud or breaches of agreements that they may face.

The need for such a provision is also recognized within the legal community. The committee heard from Eloise Gratton, leading privacy officer and partner at the law firm of Borden Ladner Gervais and a professor of law at the University of Montreal. Ms. Gratton spoke of her own experience as counsel to private organizations conducting investigations into wrongdoing. She said:

The bottom line is that I agree that we need to have a provision authorizing the disclosure of personal information without consent to address these types of situations.

To enable this type of information sharing, PIPEDA currently has a regime that allows organizations to disclose an individual's personal information in order to conduct certain types of investigation.

As it stands right now under the current law, investigators who want to access personal information must be listed as an investigative body in the regulations. This involves coming forward with an application to the government and if the federal cabinet decides that the application is warranted, the organization is added to the list.

This is an extremely burdensome process for organizations. During the first parliamentary review of the act in 2007, the Standing Committee on Access to Information, Privacy and Ethics recommended that this system be scrapped and replaced with a different set of rules based on those that had been in place for a decade in Alberta and British Columbia. The bill would implement this recommendation.

A number of witnesses who came forward at the committee to express support for the importance of the changes within the bill expressed many positive sentiments in this regard.

The Life and Health Insurance Association of Canada told the committee that these amendments would help the industry's effort to detect, deter and minimize insurance fraud, which is stated to be extremely costly to the industry. A witness from the association explained to committee members that there was a current gap in PIPEDA to which he said:

[It] restricts the ability of organizations to disclose information without consent...for the purpose of conducting an investigation into a breach of an agreement or of a law of Canada.

The Central Credit Union of Canada also testified that it supported the proposed exception for consent for fraud prevention. In the words of the Central Credit Union witness it would:

—reduce the administrative burden associated with some of the activities of...my organization's Credit Union Office for Crime Prevention and Investigation.

Finally, the Insurance Bureau of Canada also spoke to the importance of the proposed amendments for the investigation and prevention of automobile fraud. According to Insurance Bureau statistics, automobile fraud cost the Ontario economy an estimated $1.6 billion in 2014 alone.

The witnesses from the Insurance Bureau explained in detail to the committee how Bill S-4 would make an insurance crime easier to detect and prevent as a result of the changes our government was making, and this is great news. However, I should note that during the committee's review of the bill, some concerns were expressed about the potential for misuse of such an exception to consent or resulting in the over-sharing of personal information, as my colleagues opposite have noted today.

However, the bill would protect against this aspect. Organizations can only make use of the exception to consent when a four-part test is met.

First, the disclosure must be made to another private organization, not to the government or to law enforcement. Disclosure to government authorities must follow a different set of rules, for example, when police must obtain a warrant to get private information.

Second, the exception to consent is only available if the information is being shared for the purpose of conducting an investigation into a breach of Canadian law or a breach of an agreement, such as a contract, and it must be reasonable. This means that an average Canadian must be able to see the merit of disclosing the information in question for the purposes of an investigation.

Third, the investigation has to be legitimate. It must pertain to a contravention of law or a breach of agreement that has occurred, is occurring or is imminent. Information cannot simply be disclosed because an agreement might be broken.

Finally, it must be reasonable to believe that seeking the consent of the individual in question to disclose the information would compromise the investigation, for example, by allowing them to destroy or alter evidence.

The intention of this four-part test is to allow legitimate investigations that are in the public interest to take place in a manner that is being balanced with an individual's right to privacy.

My colleagues have brought up the issue of copyright trolling. Certain concerns have been raised that copyright lawyers could abuse the amendment to target Canadian consumers. Let me be clear. This type of activity is not an investigation. Nor is it fraud prevention. Under no circumstances do we believe this proposed amendment provides a backdoor that could be used for trolling, due to these tests. PIPEDA has always provided a legal certainty with respect to the rights of legitimate private sector investigations. Bill S-4 maintains that legal certainty.

I also want to touch on a couple of comments that have been made in light of the bill.

First is the definition of “significant breach”. There has been some doubt as to what this means. As set out in the bill, a significant breach is a breach that poses a real risk of significant harm based on the sensitivity of the personal information involved in the breach, the probability that the personal information has been, is being, or will be misused and any other factor prescribed in the regulations.

The definition of “significant harm” was also brought up. It is defined in Bill S-4 as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record or damaged or lost property.

There was also some doubt about “private investigation”. It is defined as an investigation carried out by private sector organizations, therefore, not a government authority into an alleged contravention of a Canadian law, or an alleged breach of agreement.

Since we are getting to the end of this session of Parliament, should I not have an opportunity to rise again in debate in the next few weeks, I would like to thank all of my constituents in Calgary Centre—North for the privilege of allowing me to serve them in the last four years, as well as my volunteer team and certainly, in a moment of non-partisanship, my colleagues across the aisle and in the House who every day travel away from their families to spend time in the honour of public service. This is not a job. This is service. Certainly, when we all rise here in debate to discuss these issues, we might be passionate opponents one way or the other but we all do it to build a better Canada.

It is a wonderful position to be in to rise to support bills like this, which are common sense measures to make Canada a better place, to support better legislation, better privacy, better access to information and strengthening Canadian laws. These are the things with which we as parliamentarians are often seized.

It is always a great pleasure to speak in this place and it is a great pleasure to be here as a parliamentarian.

Mr. Speaker, I am pleased today to speak to the very important Bill S-4. It concerns the sharing of personal information in the digital age. It deals mainly with the way in which we legislate against companies responsible for the loss or sharing of information. We know this is a very sensitive issue because we are in the digital age where more and more personal information is found online. We think first of banking information, and also of information that sometimes seems not that important, but that is nevertheless part of peoples' private lives. It is information that we share on social networks, such as photos.

This covers all kinds of of complex issues, such as copyright, that we have addressed in the House since the last election, and the dissemination of information pertaining to national security. We had an important debate on this issue during the debate on Bill C-51. We learned that information technology companies, or startups, had concerns about some of the bill's provisions.

Of course, we are all familiar with the infamous story of Bill C-30, where the minister of public safety and emergency preparedness at the time told us that we stood either with the government or with child pornographers. This example shows just how big an issue we are dealing with and the Conservatives' poor record in this regard.

First, I would like to mention something very important and very simple: the obligation to review the privacy legislation every five years. Obviously, this is very important given how quickly technology changes. Unfortunately, such a review has not been implemented. A number of bills were introduced in this regard, but they died on the order paper when the Prime Minister prorogued Parliament. There was, of course, Bill C-30, which is a whole other story, and there was also the bill introduced by my colleague from Terrebonne—Blainville. That bill, which the government refused to support, sought to implement a robust privacy review process, give more power to the Privacy Commissioner and have clearer legislative provisions.

Bill S-4 includes similar provisions. However, they do not go far enough and there are still worrisome loopholes. One of the grey areas that I am particularly concerned about has to do with organizations, such as banks, that could share private information. These organizations are required to report a loss of personal information to the Privacy Commissioner only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. That may seem clear, but when it comes to legislative measures, we can see that there is a lot of leeway in how this provision of the bill is worded. The company could decide that no one's privacy was really violated and that there was no risk of harm to the individual and simply not report the privacy breach.

One of the flaws in this bill is the requirement for a court warrant, which my colleague from Terrebonne—Blainville brought up earlier and which she included in her bill. The Supreme Court recently ruled that any invasion of privacy by the government and any request that the government makes to a private company that is in possession of our information require a mandate. There is no such requirement in this bill, which is extremely worrisome. That is why I made the link earlier to Bill C-51 and the debate on Bill C-30, which did not end up taking place because we managed to get the government to back down. The government seems to be on the wrong track and does not seem to take privacy seriously.

Its record is a great example of that. How many times does the House need to hear criticisms about mismanagement at the Canada Revenue Agency, for example, during question period or at every possible opportunity, whether it is when bills are introduced and petitions are presented or at press conferences?

This department is in possession of the most sensitive information on Canadians, such as their social insurance numbers and their tax information. The department has been the victim of data breaches, and the government does not seem to be taking any responsibility. That makes it hard for us to trust that the government will require private companies to comply with high privacy standards when it is not capable of doing so itself. This situation is extremely worrisome.

We know that this is a complex issue because more and more things are done online. As far as matters of national security are concerned, we know that as legislators we have work to do. We wanted to propose amendments to ensure that this bill went further and complied with the Supreme Court decision. Like a number of witnesses in committee, we question the constitutionality of this bill in its current form.

If I am not mistaken, the 18 amendments the NDP proposed were all rejected. True to form, the Conservatives did not listen to any of the testimony or pay any regard to the amendments proposed by all the parties. The amendments proposed by the NDP were all based on what the public had to say and on the very hard work of my colleague from Terrebonne—Blainville, who was trying to get suitable provisions for 2015, not 2000. Technology changes and so does our reality, and we have to adjust accordingly.

In this context, there are a number of troubling aspects. First, this bill was introduced in the Senate, which, naturally, we criticize every chance we get. The Minister of Industry made an announcement about how he wants to proceed in the digital age, but instead of introducing this bill in the House himself, he introduced it in the Senate. That is one problem.

The second problem is that the Conservatives wanted to skip second reading and send the bill straight to committee. That is not a bad idea in and of itself. The NDP has asked for the same in order to study certain extremely complex files.

For example, we asked to take this approach for Bill C-23, which we called the “electoral deform” bill. Since the government wanted to go straight to committee, we thought it was willing to accept amendments and listen to witnesses, but that did not happen.

The third problem concerns another of the government's bad habits: the honour of the 97th time allocation motion was bestowed on Bill S-4 in order to limit debate. Unfortunately, at this rate, the Conservatives will have moved 100 such motions by the time the election is held. To be blunt, that is pretty shabby.

Although it is important to protect Canadians' privacy and to do what it takes, in 2015, to implement an approach appropriate for the digital age, recent Supreme Court decisions have cast doubt on the constitutionality of this bill.

This bill does not go far enough, and since the government wants to limit debate and does not accept the amendments and the work done in committee, we cannot and will not support this bill. I am very pleased to rise in the House to say that.

Thank you, Mr. Chair.

I would like to support my colleague's motion to increase the funding for those three commissioners. When they testified last week, they told us they were making as many cuts as possible, but that they have run up against a wall. Their current funding no longer enables them to fulfill their mandate.

The Office of the Information Commissioner even went through a crisis. At the end of last fiscal year, the commissioner made an urgent request for a funding increase. She had only 0.2% of her budget left. She was worried, not about her office, but about Canadians' right of access to information. I repeat that the right is quasi-constitutional. By failing to allocate our commissioners the funding that enables them to continue to operate and do everything their mandate requires, we are letting Canadians down. That is the key issue.

The Privacy Commissioner, who has been assigned new responsibilities, told us that he was managing for now, but that he could not get through another fiscal year after the implementation of Bills S-4 and C-51. Many bills directly affect his activities. He will be asked to carry out more and more tasks with less and less funding, and that's unreasonable. He said that he could not go on much longer with the current funding. The Lobbying Commissioner also said that it was becoming increasingly difficult for him to deliver on his mandate with the funding he receives.

In closing, I would like to say that the commissioners are there to implement an accountability system, so that someone oversees our actions as parliamentarians, and those of lobbyists, and to ensure that regulations and acts are being complied with. Their actions are being limited when they are not given an opportunity to carry out their activities properly. It's as if we were saying to those tasked with overseeing us that we no longer want their oversight. It is really disgraceful.

I would really like us to give serious consideration to this motion and not to cast it aside as we have others. As my colleague said, I think it would be good for the future Parliament to provide the commissioners with the funding they need to deliver on their mandate properly.

Thank you.

Mr. Speaker, when it comes to reducing taxes everyone knows these are Conservative ideas and Conservative proposals. In fact, when we reduced the GST from 7% to 6% to 5%, saving Canadians billions of dollars, the NDP voted against that measure to benefit Canadians. Therefore, we know who is delivering on lower taxes for Canadians.

This afternoon we will start the report stage of Bill S-7, the zero tolerance for barbaric cultural practices act. Needless to say, I am disappointed to see on today’s notice paper some 17 report stage amendments, which, all told, would eviscerate the content of the bill. From these proposals, the opposition are clearly signalling that they do not support this Conservative government’s efforts to send a strong message to those in Canada, and those who wish to come to Canada, that we will not tolerate cultural traditions that deprive individuals of their human rights. Early and forced marriages, “honour”-based violence, and polygamy will not be tolerated on Canadian soil, so Conservatives will be voting against all of these opposition amendments.

Tomorrow, we will resume the third reading debate on Bill C-42, the common sense firearms licensing act. I am optimistic we can pass the bill soon so the Senate will have adequate time to consider these reductions in red tape, which regular, law-abiding Canadian hunters, farmers and outdoor enthusiasts face.

Monday shall be the sixth allotted day. The New Democrats will provide a motion for the House to debate when we come back from a weekend in our constituencies.

We will complete the report and second reading stages of Bill S-4, the digital privacy act, on Tuesday. Earlier today, the House heard my colleague, the Minister of Industry, explain the importance of this key legislation.

Wednesday, we will see the House return to the report stage of Bill S-6, the Yukon and Nunavut regulatory improvement act. This legislation is clearly both needed and wanted north of 60. Bill S-6 would modernize regulatory regimes up north and ensure they are consistent with those in the rest of Canada, while protecting the environment and strengthening northern governance.

Next Thursday, June 4, will be the seventh allotted day, when the House will again debate a topic of the New Democrats' choosing.

Finally, for the benefit of those committees studying the supplementary estimates, I am currently eyeing Monday, June 8 as the final allotted day of the supply cycle. I will, however, confirm that designation at this time next week.

Mr. Speaker, I certainly appreciate the comments the minister has made. I will just use my time to ask a substantive question about the piece of legislation.

When I sat on the ethics and privacy committee for a number of years, we did have substantive debates about these kinds of issues. We have had previous versions of this legislation, which has come forward in previous sessions of this Parliament.

I am very glad to see the government moving forward in getting the bill passed. It has already been through the Senate and is now here in the House. We have the opportunity to have this debate and get this legislation passed in a timely fashion.

As a parent, something that concerns me is the amount of time my children spend online and the lack of rules and regulations in some instances that we know are there, some of the risks and some of the issues that are online, and the lack of clarity and the lack of standardization. We know full well some of the issues that pertain to that.

I am wondering if the minister could speak to how Bill S-4 actually improves the online world insofar as protecting young people, vulnerable people, and especially children.

Mr. Speaker, I would like to correct some of the false information the minister has spread. First, he said that we had enough time to debate Bill S-4 on Canadians' privacy. Unfortunately, we had just one day to debate this very complex bill that Canadians consider controversial. We have unfortunately not had enough time to study this bill thoroughly in the House.

In his speech he showed contempt for the official opposition. He is wrong: all of the recommendations were proposed by the official opposition. This is not how our Parliament should work. He also mentioned the Information Commissioner. There has been a flagrant lack of respect for the Information Commissioner during this Parliament.

Not only did the government not accept any of the recommendations that the Information Commissioner made during the study of Bill S-4, it also prevented the Information Commissioner from testifying before the committee during the study of Bill C-51, a bill that, as we all know, is even more controversial than Bill S-4.

This is the 97th time they have invoked closure in the House of Commons. That is not something to be proud of. The government keeps breaking records when it comes to gag orders in the House.

Mr. Speaker, I completely disagree. That is what we did with Bill S-4. We had a very respectful and serious debate. We spoke about this bill in depth and talked about the implications of a bill as complex as this one.

In the debate in the House and in committee, and outside the House of Commons, we have had respectful exchanges with the government's partners that are affected by this bill, such as lawyers, representatives of the private sector and the Privacy Commissioner. We carried out analyses, we took part in debate, and presentations were made to the government. We made decisions after truly listening to the people who had concerns about the status quo.

We listened to them and that is why the chamber of commerce, former privacy commissioner Chantal Bernier and Daniel Therrien support this bill. I have a long list of people who support the bill. A large group of Canadians pointed out that our government listened. We did our analyses, we did our homework and we came up with a balanced bill that not only meets the interests of our commercial and electronic future and Canadians' needs, but also meets the government's need to have a really effective bill on Canadians' privacy.

That is what we did. There was debate here, in the House, at committees and outside the House of Commons, before we introduced the bill and while it was before the House. We continue to follow an approach that is democratic and effective, as part of a process that truly achieves results.

Mr. Speaker, as the Speaker and a member of the House of Commons, you are well aware that this is always a very important discussion to have at the beginning of each Parliament.

In the future, it will be very important for every one of us to discuss the serious nature of our work in the House of Commons and the way that we are all going to participate in debate that is respectful to our constituents. We need to have that conversation not just here in the House, as an institution, but also within our political parties.

That discussion will be even more important when the number of seats in the House of Commons goes from 308 to 338 this fall. This is always a topic of discussion within the parties, particularly with regard to the House of Commons.

In my opinion, our government is very serious about meeting the needs of Canadian taxpayers and having effective and respectful debates about the content of our bills. That is what we have done with Bill S-4.

Mr. Speaker, the fact remains that half the legislative process in the Parliament of Canada is conducted in the Senate. I know that the NDP wants to abolish the Senate. However, the Supreme Court says that that is impossible, so the NDP's policy is clearly pointless. Bill S-4 did originate in the Senate, but that is because we wanted an efficient approach to the process in order to ensure that both houses of Parliament would have the time needed to do their homework and act responsibly with regard to a bill as complex as this one. That is why we took this approach.

Certainly, in legislation as important as this, the personal information protection and electronic documents act reform, Bill S-4, which is quite technical, it is important that we have a thorough process. It is mandated that Parliament do this review and, as Minister of Industry, it is my responsibility.

I know the industry committee did a thorough study of this. We had all kinds of views that were incorporated prior to us tabling legislation, during the legislative process and deliberation at the committee stage. It happened on the Senate side as well. This legislation is something of which I am quite proud. It is very important for our country. Reporting of data breaches, accountability, the implication of support of the Privacy Commissioner with regard to data breaches, the penalties that are in place for firms that do not inform people about data breaches that take place, all are important. This would be a big step forward for Canada.

Again, it was arrived at after a great deal of consultation, in a non-partisan way, to draw in ideas. We arrived at legislation that would strike an effective balance. When the legislation is adopted and moves forward, the country will be very well-served.

Mr. Speaker, I find it interesting that the Minister of Industry is talking about a Parliament that will have 338 members. It is difficult enough to speak with 308 members in the House. I am not looking forward to what will happen when there are 338 members. My colleague should not be proud in the least about a 97th time allocation motion, a gag order to prevent members from speaking, in this case at all stages. This 97th time allocation motion is really one of a kind.

We are hearing that the committee's work was short-circuited and that no proposals were accepted. The exercise of democracy is at stake on the eve of an election campaign that is going to be pretty tough for the government, according to what we are hearing on the ground.

Is he not concerned about how the government is curbing democracy in our country and not just because Bill S-4, as important as it may be, is a Senate rather than a government bill?

Mr. Speaker, I know this is a very well-articulated and long-standing concern of the leader of the Green Party on this matter.

With regard to Bill S-4, the time in the House is precious. I personally have the view that I would like to see Parliament sit later into the evenings. Parliament is going to go from a 308-seat House to a 338-seat House, so affording more members of Parliament the opportunity to speak on more bills is an admirable goal. I would hope the Standing Orders in the next Parliament might reflect that.

If we look at other jurisdictions, for example, the U.S. Congress sits very late into the evening, but it also has an approach where it has fixed times for debate of specific bills. It allots to all political parties specific speaking slots and it is done a very different way. Perhaps this conversation needs to be had, given that the House will grow in size by 30 seats this coming fall.

There are other ways in which the government could accommodate, in a meaningful way, people's views on government legislation.

With regard to Bill S-4, which is a technical bill, as well as with the Copyright Modernization Act and other legislation that I have had the responsibility to steer through the House, I suspect the opposition parties would concede that we have tried to approach this in a pretty non-ideological, non-partisan way to draw in opinion from the private sector, from academics and from those who are interested in digital policy and privacy policy to arrive at legislation that would be as effective as possible and would move the country forward in a significant way.

Mr. Speaker, I rise on a point of order and would appreciate your guidance on this, but it is a question of relevance. I understand that the government House leader can at any point rise to put forward such a motion as the one to put time allocation, yet again, on another government bill. However, I find it to be offensive to the principles of examining Bill S-3 to then, in the pretense of speaking to Bill S-3, which is an important piece of legislation to ratify global action on our fisheries, slide into a completely different matter.

On the point of relevance, I think the hon. government House leader should not have pretended to be speaking about Bill S-3 in order to put time allocation on Bill S-4.

Mr. Speaker, I must advise that an agreement could not be reached under the provisions of Standing Orders 78(1) or 78(2) concerning the proceedings at the report stage and second reading stages and the third reading stage of Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act.

Pursuant to the provisions of Standing Order 78(3), I give notice that a minister of the Crown will propose, at a future sitting, motions to allot a specific number of days or hours for the consideration and disposal of the proceedings at the said stages of the said bill.

That's great. We are looking forward to it. I think Canadians are also looking forward to seeing a bit more transparency around requests for sharing personal information.

In response to Mr. Simms' questions, budgetary constraints were briefly discussed. Your office will eventually have to deal with the implementation of Bill C-51. There is also Bill S-4, whereby your advisory role with companies will increase. Under the legislation, companies are also asked to report privacy breaches to you.

I understand that you are not asking for additional resources today, but that you will eventually. What are your concerns should you fail to obtain more resources?

I assume it's always good to have as many forums as possible.

I would now like to briefly discuss Bill S-4, which will soon become law. We examined it in committee at second reading. You testified at those meetings. You proposed a few amendments, including to clauses 6 and 7 of the bill. However, those proposals were not accepted, and no changes have been made to the original version of the bill.

Are you worried about the repercussions that may have?

Mr. Speaker, the committee heard many witnesses. They provided views and testimony from both sides of the spectrum.

It is important to note, as per my colleague's question, that the digital privacy act would require organizations to tell Canadians if their personal information has been lost or stolen. As well, heavy fines of up to $100,000 would be imposed on companies that deliberately break the rules. The legislation would place strict limits on the type of personal information companies can disclose; establish new rules to protect the privacy of vulnerable Canadians, particularly children, as I just discussed; provide provisions to protect seniors from financial abuse, something we have spoken about extensively this afternoon; include measures to allow the use of information to help find missing children; and give the Privacy Commissioner of Canada more power to enforce the law and help hold offenders to account.

Bill S-4 meets those objectives more than adequately.

Mr. Speaker, I am pleased to speak to Bill S-4, the digital privacy act, which was recently reviewed by the Standing Committee on Industry, Science and Technology.

Bill S-4 introduces a number of important improvements to the Personal Information Protection and Electronic Documents Act that will increase the level of privacy protection for Canadians.

PIPEDA is privacy legislation that has been in place for more than a decade now. Under the law, organizations are expected to apply stronger protection in situations that are privacy-sensitive. As an overriding rule, businesses must limit what they do when it comes to the collection, use, and disclosure of personal information to activities that one would consider reasonable and appropriate in the circumstances.

Not all individuals have the same capacity to understand what is reasonable and appropriate, nor can they necessarily appreciate the immediate or long-term consequences of providing information about themselves to a commercial enterprise. This is particularly true of minors. The range of online activities today's kids engage in is astounding. They take part in multi-player games with people from all over the world. They explore virtual worlds. They join chat rooms and post comments, photos, and videos about themselves and their friends.

Today's kids have grown up with the Internet and digital technologies. Social networks, gaming consoles, and smart phones have always been a part of their lives. When kids interact with their friends and when they play games, more often than not it is through technology.

According to a survey conducted in 2013, more than 30% of grades 4 to 6 students have Facebook accounts. By grade 11, 95% of students have such an account.

Digital technology offers tremendous benefits to children's education, development, and social lives. In today's digital economy, children must be able to safety and securely use network technologies and access the online world if they are to develop the skills they will later need to find jobs in the digital marketplace.

What children may not be aware of is that the information they share in the context of online play or learning can actually have unintended consequences. Online personal information has become an enormous source of revenue for companies. Kids are able to play online games, download and use apps, and talk to their friends at no cost because companies offering these services generate revenue by harvesting and using personal information for profiling and marketing purposes.

This government does not wish to prevent today's youth from fully realizing the benefits of the digital world. The skills they develop through these many online activities will provide them with significant advantages when they enter the job market as young adults. This government fundamentally believes that digital literacy and skills are at the core of what is needed for individuals to succeed in today's digital economy.

However, with an increased online presence comes added risk. Strong protections for children's online privacy are needed.

PIPEDA already contains defences that safeguard the personal information of minors. For example, the act prohibits organizations from using deceptive means to obtain consent. Most importantly, it requires companies to limit the purposes for which they collect, use, or disclose personal information to reasons that individuals would consider reasonable and appropriate in the circumstances.

Bill S-4 enhances these protections by clearly setting out requirements that organizations must meet when obtaining consent. These new provisions will have a positive impact, especially when it comes to the protection and the privacy of children.

The new measure will require organizations to clearly explain why they are collecting information, what they will do with it once they have it, and what the consequences of providing it will be.

What is more, they must provide this explanation in a way that can be understood by the audience they are targeting with their product or service. This means that any business targeting children must pay very close attention.

The amendments in Bill S-4 mean from a legal perspective that when a company is seeking permission to collect, use, or disclose personal information from a group of individuals such as children, it must take steps to ensure that these individuals are able to fully understand what would happen to that information.

In practice, this would mean that the organization's request for information can be easily understood by the target audience. This includes making sure that the wording and language used in the request are age-appropriate. For example, a video game designed and marketed to preteens would clearly need to take a different approach to obtaining the consent of players to collect personal information than a video game marketed to adults.

We heard from a number of witnesses during the committee's consideration of the bill, and the majority were supportive of our government's proposed amendments in Bill S-4 to enhance consent.

The Privacy Commissioner of Canada repeatedly expressed his support for the amendment. This is what the Privacy Commissioner told the committee:

Consent is a big part of PIPEDA, and I think it's useful to have this clarification of what actually is consent. We obviously know that it is a huge challenge for organizations to properly advise individuals of the reasons they collect information and they use it, so any tool that enhances, that provides an incentive for organizations to be clearer, and to take into account the context of the individual or consumer I think helps Canadians.

The commissioner further emphasized:

So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

Privacy information must be clear to the user. The privacy policy should be specific to whatever service the child is using and not be a one-fits-all privacy policy.

The standing committee also heard support for this amendment from a number of other witnesses, including from business. For example, the Marketing Research Intelligence Association, a national self-regulatory body that represents Canada's survey research industry, wrote in a submission to the committee that it fully supports the enhanced consent requirements of the bill.

The association noted in particular that the amendment provides “added clarity for organizations when they seek the valid consent of an individual” when collecting, sharing, and disclosing their personal information. It went on to say:

We believe that specifying the elements of valid consent will go a long way to protecting the most vulnerable Canadians, such as seniors and children.

Our government has already taken significant action when it comes to protecting children online. We have made important progress to shield our children from online intimidation, cyberbullying, and other similar threats and abuse through amendments to the Criminal Code of Canada that were passed under the Protecting Canadians from Online Crime Act.

The amendments put forward under the digital privacy act build on those actions taken to address cyberbullying and represent additional real and tangible measures to protect Canadians and their families from online threats.

PIPEDA has been in force since 2001. Concerns about the protection of children's online privacy were raised with Parliament in 2007 during the first statutory review of this act. There was general consensus among witnesses that children warrant extra privacy protection, given their particular vulnerability to deceptive and privacy-invasive practices. Indeed, at the conclusion of its review of the act, Parliament recommended that the government examine the issue of consent by minors to determine if PIPEDA should be amended.

Our government heard stakeholder concerns and is responding to the recommendations of committee by introducing enhanced protection for the privacy of minors that is now before the House. This is an important amendment, and along with all other measures in this bill, it should be passed quickly.

The digital privacy act takes real and tangible steps to protect society's most vulnerable individuals. I hope hon. members will join me in supporting this bill so that these new protections can come into force quickly.

Mr. Speaker, why is my hon. colleague across the way opposed to the position of the Privacy Commissioner? The Privacy Commissioner came to committee. The fact is that almost every witness agreed. Some did not agree with Bill S-4, and as we have heard, there were diverse opinions. However, the vast majority supported the changes that Bill S-4 presented, and the Privacy Commissioner was part of those.

Why does the NDP ideology get in the way of recommendations from the committee and the Privacy Commissioner?

Mr. Speaker, I am pleased to speak about a topic as important as privacy protection.

We need to amend the Personal Information Protection and Electronic Documents Act to bring it in line with the reality of the digital era. The bill seeks to impose new requirements for the collection, use and disclosure of personal information by a company or organization.

What really bothers me about this bill is the provision that would allow organizations to share personal information without a warrant—yes, I did say without a warrant—and without the consent of the individual concerned. That is a major problem.

Even though this bill is called the digital privacy act, it contains a provision that could really interfere with the protection of privacy. I find that deeply contradictory.

Once again, this Conservative government has proven that it spends more time coming up with grandiose titles than working on content. It is also extremely important to point out that between the drafting of this bill and today's debate, the Supreme Court ruled that information such as the data that Internet service providers have on users and clients—IP addresses, email addresses, names, telephone numbers, and so on—is considered personal information and cannot be obtained without a warrant. I am not the one saying that. It was a Supreme Court ruling.

I have some serious concerns about the constitutionality of this provision. The government must comply with the Supreme Court's ruling and remove all the provisions enabling the disclosure of personal information without a warrant.

During the study in committee, a number of witnesses expressed concerns about this very provision. For example, the Privacy Commissioner said the following in a submission:

Allowing such disclosures to prevent potential fraud may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud.

We want to protect privacy, but it is questionable to allow access to personal information without a warrant, without consent, without any kind of judicial oversight and without transparency. The Conservatives have a poor record when it comes to protecting privacy, and Bill S-4 will not erase the past.

In one year alone, government agencies secretly made at least 1.2 million requests to telecommunications companies for personal information, without a warrant or proper oversight. Why did they ask for this information? We do not know.

The government should have taken advantage of Bill S-4 to close the loopholes in PIPEDA that allow this kind of information transfer without legal oversight, consent or transparency.

There is another provision in the bill that made my jaw drop. This bill would require companies to declare a data loss or breach if and only if it is reasonable to believe that the breach creates a real risk of harm. In other words, it is up to the company itself to determine whether or not it should notify the authorities in the event of data loss. That is crazy.

This measure will actually give companies less incentive to report data breaches by leaving it up to the company whose data were breached to decide whether the breach creates a real risk of significant harm to an individual.

This blatant conflict of interest is what really kills the purpose of this bill because a company will see no benefit to reporting a data breach and every benefit to hiding it. Deciding that a breach is benign will save the company money, damage to its reputation and inconvenience

It will also help the company avoid being put under the microscope by the Office of the Privacy Commissioner of Canada for an audit or investigation. It will create a culture of non-reporting because the commissioner would be nothing more than an observer.

In conclusion, the Conservatives say that their bill is balanced, but we can do much better. We are increasingly aware of the harm that data breaches can cause, so we cannot create a bill that will barely be useful.

We need a bill that will do an excellent job of giving Canadians better protection from data breaches. This bill has not been looked at carefully enough, and we need to fix it. Canadians deserve better.

Mr. Speaker, in committee, one of the issues that was discussed at length is elder financial abuse. I would like to ask the member how Bill S-4 would work to combat this serious problem in our society today.

Mr. Speaker, my Conservative colleague spoke about corporate accountability with regard to privacy protection. However, she knows full well that Bill S-4 allows those same businesses to decide for themselves whether or not they will address the complaints people make regarding the use and sharing of their personal information without their knowledge, without consultation and without a warrant.

Many witnesses told the committee that there is a problem with transparency in this bill and that it creates a conflict of interest because the company at fault is the one that decides whether or not the complaint will be addressed. This bill does not provide greater protection for consumers and Canadians. On the contrary, it opens the door to abuse. Many people and experts told the committee that the bill is seriously flawed.

I am wondering how the member opposite can say that this bill is going to protect children when it is flawed. Even the Privacy Commissioner said that the bill does not have the power to really protect Canadians.

Mr. Speaker, as the member of Parliament for Renfrew—Nipissing—Pembroke, it is my pleasure to rise in my place and express strong support for Bill S-4, the digital privacy act. This legislation would make important updates to the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

I take issues of privacy very seriously, just as do the people in my riding, like teachers, parents, and grandparents. The number one concern that is expressed to me by individuals is their right to privacy and their right to be protected from the misuse of private information. When it comes to the Internet, while it has brought many improvements to the lives of Canadians, the concern always is what happens to the information that is collected from the Internet on individuals and how it may be used.

Under the current law, companies must seek permission from an individual to collect personal information and may only use this information for legitimate business purposes that had been identified prior to collection. Businesses are required to protect this information when it is in their possession, and they cannot share it with anyone, except in the case of very narrow, limited circumstances. The digital privacy act would build on these protection policies and would add new requirements by which companies must abide.

For example, the bill would require companies to inform Canadians if their personal information has been lost or stolen and if they have been put at risk as a result. It would also clarify the rules around obtaining individuals' consent to collect their personal information, clarifications that would ensure children and other vulnerable groups would be protected when they go online.

The recent high-profile criminal court case in Ontario of a hand-picked senior Liberal provincial deputy minister being convicted of charges related to the heinous crime of pedophilia using the Internet demonstrates how dangerous a place the Internet is for children and the continual need to try to stay one step ahead of the bad guys. The fact that an individual could occupy such a senior position for years as deputy minister of education and a senior advisor to the Liberal premier of Ontario, and apparently do so undiscovered until uncovered by an international crime investigation, is shocking. Convicted pedophile Ben Levin was photographed happily campaigning with the leader of the third party in this place undetected, apparently, or otherwise. This demonstrates why we must always keep up our guard, particularly when children are involved. The Internet is a dangerous place for children.

My constituents in Renfrew—Nipissing—Pembroke know that, when children are involved, I will always err on the side of caution. As we have discussed many times before, strong rules are meaningless if they are not backed up with strong compliance tools. I would like to focus my comments in this critical area.

Let me begin by explaining how PIPEDA currently works with respect to compliance. The act is enforced by the privacy commissioner, who has the ability to investigate complaints and the power to launch investigations in the event that he feels an organization is in violation of the law. PIPEDA gives the commissioner broad investigative powers, which allow him to enter premises, compel the production of information and gather evidence. It is a criminal offence to obstruct the commissioner in the process of an investigation. However, for the most part, the commissioner acts as an ombudsman, using a range of dispute resolution tools to address any violations of the act he discovers in the course of an investigation. At the conclusion of an investigation, the commissioner issues a report outlining any violations of the act, a list of recommendations, and an assessment on whether corrective action needs to be taken moving forward.

PIPEDA's compliance regime has, for the most part, been successful in resolving issues brought to the commissioner's attention. Most organizations in Canada are good corporate citizens, and when the commissioner identifies that they are in violation of the law, they move quickly to correct their practices.

Unfortunately, as a lawmaker, I know from experience that there will always be those who try to skirt the rules. That is why Bill S-4 would make some important improvements to PIPEDA's compliance framework. These changes would make sure the commissioner has the necessary tools to ensure organizations respect the law and the privacy rights of Canadian citizens.

First, Bill S-4 would increase the amount of time available to take an organization to court. Currently, an application to the Federal Court has to be made within 45 days after the commissioner issues the report of findings. In their testimony to the standing committee, officials from the Office of the Privacy Commissioner explained why this period needs to be increased. They stated:

As we've experienced in practice, 45 days is a very short time period to resolve some of the highly complex technological issues or broader accountability issues that organizations quite rightly need time to rectify.... We...follow up with them several months, if not a year, afterwards to ensure they did follow through on the recommendations they said they would undertake to do.

To address this issue, Bill S-4 would increase the time in which an organization could be taken to court from 45 days to 1 year. As the Privacy Commissioner pointed out to members of the standing committee, organizations are often given up to a year to implement recommendations. This amendment would enable the commissioner to enforce compliance in court if a company fails to take the necessary action.

The second important change brought forward by Bill S-4 would give the privacy commissioner the authority to enter into binding compliance agreements with organizations. A compliance agreement is a regulatory tool that provides an alternative to taking an organization to court if it was found to be in violation of PIPEDA. Compliance agreements are voluntary but binding agreements. They are agreements between an organization and the commissioner. These agreements benefit both sides. From the organization's perspective, it gets certainty and clarity. From the commissioner's perspective, these agreements increase the accountability of the organization to become compliant with the law. Currently, commitments made by an organization to implement the commissioner's recommendation are non-binding. Compliance agreements, however, would make these commitments binding and enforceable by a court.

The inclusion of compliance agreements in the digital privacy act was supported by a broad range of stakeholders during committee hearings on the bill. The Privacy Commissioner himself stated that there are two main amendments that are very necessary and would be helpful for us to implement and apply. The first amendment he was referring to was about mandatory data breach reporting. The second was about compliance agreements. Similarly, Mr. Tamir Israel, from the Canadian Internet Policy and Public Interest Clinic, stated, “We're particularly pleased to see the inclusion of compliance agreements and an extended appeal period...”.

Finally, Bill S-4 would give the commissioner more power to name and shame, or to publicly disclose information when organizations are not co-operating. Under the current act, the commissioner can only publicly reveal information about the way in which an organization handles personal information. However, the commissioner cannot, for example, disclose that an organization is not co-operating with an audit or is otherwise acting in bad faith. For many organizations, the threat of having their lack of action made public would be an effective tool to hold them accountable and encourage them to comply with the law; and the proposed amendment could be used, for example, against foreign-based companies that are otherwise beyond the reach of Canadian courts.

Mr. Speaker, I would like to ask a question.

Bill S-4 has several flaws with respect to the protection of personal information. For one thing, it would lead to a reduction in the number of complaints and reports of breaches because the complaints made would be managed by the companies themselves. It would be up to the companies that receive the complaints to determine if they are serious enough to be addressed.

John Lawford, the executive director and general counsel of the Public Interest Advocacy Centre, says that this will incentivize not reporting data breaches by leaving it up to the organization to determine whether the breach creates a real risk. That is a real conflict of interest.

I am wondering what the member for Winnipeg North thinks about that. Was the committee told that the fact that this bill reportedly protects privacy when it actually does the opposite is a serious concern?

Mr. Speaker, I thank the member for York West for allowing me the opportunity to share a few thoughts on Bill S-4.

I am used to the member talking very passionately on a wide variety of issues, particularly regarding our seniors. She is a very strong advocate for our pension programs and so forth. It is also very nice to see that she takes the same sort of attitude in wanting to hold the government accountable on an issue that is important to seniors and all Canadians, which is the digital privacy laws, especially since the Internet and the use of it has exploded over the last decade or so.

When we get advancements in technology and witness it first hand, to the degree in which we have, one would expect the government to have an interest in wanting to ensure we stay on top of the issues related to those advancements. However, the government has not done that.

In fact, it is interesting that we are today debating Bill S-4, which is an important issue. If we were to consult our constituents, I think we would hear genuine concern with respect to the type of information that is on the Internet and just how easy it is for a breach of that security, ultimately causing a great deal of harm to individuals. In a macro situation, it could have a severe impact on the economy.

However, we have an important issue in which the Prime Minister has made the determination that he wants to give the bill that final push as we start to wind down after four years of inaction on the file. Now the Prime Minister, with four and a half weeks of sitting days left, wants to rush the bill through the process and pass into law.

As has been pointed out, we had a different situation in the process with Bill S-4. Not only did it come through the Senate, but it was also stopped before second reading and sent to committee for review. From what I understand, that is very rarely done. The reason it is done is to accommodate significant potential changes to the legislation. That tells me the government, the minister responsible for bringing this legislation before us today, understood there were issues related to the legislation that needed to be dealt with before it completed second reading. I am convinced it was the reason the government took the initiative to take the bill out of the normal process and bring it to a committee first.

I suspect the Independent members, the Liberals and the New Democrats believed the government would be open to amendments. That was kind of the impression that was given to us. However, something happened between the decision to bring the bill to committee and have it voted on in committee with respect to the amendments. This is where the Prime Minister's Office interjected.

Through his office, we found that the Prime Minister was not interested in amendments, because all that would do would prolong the amount of debate, possibly, by having it go back to the Senate. He was more interested in being able to make the statement that the Conservatives had made some changes to the law, even though the legislation was flawed.

I want to focus some attention on the fact that we have very important consumer-type legislation related to something about which Canadians in all regions of our country are concerned, and that is the issue of privacy and protecting it.

The amount of purchasing and other items taking place economically on the Internet is increasing every year. The government wants to try to score a political point by saying it is trying to address the issue. In reality, nothing could be further from the truth. If it were really important to the government, I would suggest that Conservatives would likely have brought it in before the last month or two of this session and that the Prime Minister's Office would have allowed for amendments at the committee stage. Why would Conservatives oppose amendments that would improve the legislation? Unless maybe the government did not want the opposition to support the legislation. There is a lot of merit to that. We have seen that in other pieces of legislation: bring in an idea, give it a label, tell Canadians they are concerned about something, but then leave serious flaws in the legislation to try to maybe get the opposition party offside. Who knows?

What I do know is that there are many deficiencies within the legislation, as has been pointed out by the Liberal Party critic or others, at committee. There are serious flaws in the legislation and there were, I believe, 40-plus amendments that were being proposed. Not one of those amendments passed. The government cannot say that it was political parties that were doing the posturing on it. Many of the amendments, including amendments brought forward by the Liberal Party, were taken from experts at committee who made presentations, some credible organizations, government agencies of sorts that came before the committee.

The government made the decision that it was not going to accept any amendments. What surprises me is that if the Prime Minister's Office had been more clear with the minister responsible for the legislation, the bill could have gone through the normal process. The normal process is not that much better. Ever since the Conservative/Reform government received a majority it had a different attitude in terms of how democracy works here inside the chamber.

I have heard about many pieces of legislation, not only this one, where opposition parties or individual members of Parliament would bring forward amendments and the government consistently said “no” and defeated amendments. The government makes a mockery of the system by not allowing members from all sides of the House to move amendments that would improve the legislation.

Subscriber data requests are very important. People are concerned about that. We know that there are victims who need to be warned when there are breaches of security. Personal identity theft is very real. It is happening far too often. The amount of fraud out there continues to grow and is becoming a serious problem.

We need to protect the privacy of Canadians, and this bill would not go anywhere near far enough to address the many concerns that were brought up, whether at committee or by individual members.

The issues are important. The government has dropped the ball. I would suggest that if the Conservatives really wanted to make a difference, they would allow amendments to pass. In essence, that would provide assurance to Canadians that the government truly does care and that it is more than Conservative spin that it is interested in, but there is no sign of that, unfortunately.

Mr. Speaker, let me use the telecommunications companies as an example. There were thousands of times that telecommunications companies were giving access to personal information; that is our information and the information of many others.

My privacy and that of other Canadians needs to be protected. It should not be randomly given out because somebody asks for it. On anything to do with fraud, Canadians should be aware that their credit cards have been compromised. Individuals should be notified of that fact so they can monitor it themselves, not just assume that the credit card company will be on alert to protect their interests. Far too often the consumers are not notified of those kinds of things.

Again, on the issue of committee, my colleague has been here for quite a long time. He is knows how parliamentary committees are supposed to work, and have always worked. When the government came into power, it decided it was not interested in committee work anymore. It did what it had to do to fill in time to go through the basic process.

Bill S-4 came in through the Senate. The bill should have come in through the House, and had the proper work done through a member of Parliament or minister. That is a proper way to deal with legislation. However, bringing it in through the Senate is the back door way of getting things done, and the government has used that approach several times to get through what it wants done.

Mr. Speaker, I am pleased to have an opportunity to speak to Bill S-4. I will be sharing my time with the fabulous member for Winnipeg North.

I am pleased that we are discussing this bill, but again, unfortunately, it is the same Conservative divisive policy of “You are either with us or you are against us.” Members from all sides wanted to see some improvements to Bill S-4, but unfortunately the bill came from the Senate, and any changes were going to disrupt the process of trying to get legislation through very quickly, which is typical, of course, of the government's plan. I can only say that I was disappointed and that I have to stand and say that I have recommended that the Liberal Party vote against Bill S-4.

It is legislation that could have given our digital privacy laws the shot in the arm they so desperately need, and Liberals would have welcomed it if we had had the opportunity to make it better. That was certainly the intention from the Liberal Party's perspective.

As Canadians are increasingly turning to online commerce, education, banking, recreation, and communication platforms, our laws must keep pace in order to protect all of us. Sadly, the government has a wilful ignorance and reckless disregard for reason on such matters, and Bill S-4 proves it again very clearly.

Information oversight and management are not areas that the government has excelled in, so forgive me if my confidence is shaken a bit. I simply cannot accept without proof the government's word that it is actually protecting consumers' interests.

Of course, the way the government looks at personal information protection and privacy has already been subject to a Supreme Court ruling, and once again the court gave the government another failing grade.

This should come as no surprise to anybody who is paying attention to politics in Canada right now. We all remember when the government lost a hard drive that held the social insurance numbers, medical records, birthdates, education levels, and occupations of 5,000 Canadians. In addition, we remember when the interim privacy commissioner revealed that telecommunication companies receive an average of 1.2 million requests from federal enforcement bodies for private customer information every year. That is approximately 3,300 requests every single day for Canadians' personal information.

Perhaps I should also mention the headline that appeared in The Hill Times this week. It warned that Canada's access to information regime is slipping into—guess what—irrelevance. The article went on to reveal that the Centre for Law and Democracy ranks our ATI regime 56th out of 89 countries. I repeat, we are 56th out of 89 countries. We are really way up there, are we not?

The article also said that in September 2014, Canadian Journalists for Free Expression noted that ATI “is severely failing to meet its minimum requirements, let alone adequately serve the population’s needs.”

While I understand that access to information laws are different from digital privacy laws, these examples all point to a government that does not understand information management, yet refuses to seriously consult or listen to the experts on the matter who came before committee. The government stubbornly refused to listen to experts such as Professor Michael Geist and many others who appeared, including lawyers and professors, who said it was a good piece of legislation but that it could be better.

The intent, certainly on the Liberal side, was to try to make it better, but as everyone here knows, Bill S-4 was referred to the committee after first reading, as my colleague mentioned.

This is typically done for procedural reasons, and because it more readily allows for substantive amendments, the referral traditionally indicates the government's willingness to compromise. It was really very unusual for the government to do this, but it was very welcome. We thought that maybe the government had seen the light and that together we could improve this important piece of legislation, so we gladly supported it after first reading. We were preparing to move amendments, work together with the government, and make it a good, strong bill. It was on this implied promise that the Liberal caucus was prepared to support Bill S-4.

Committee members heard from several experts, including the privacy commissioner, IBC, the Canadian Bar Association, Professor Michael Geist and so many more. We took their counsel to heart in those four meetings.

After the hearings concluded, over 42 substantive amendments were presented in good faith, most taken directly from expert testimony. Those 42 amendments came from the three opposition parties in the House.

Let me give an example. I introduced an amendment that was specifically proposed by several witnesses and contributed to the committee study, including the Insurance Bureau of Canada. The amendment dealt with the reporting threshold for privacy breaches. My amendment would have required the reporting of any unlawful breach of personal information security so long as the said breach presented a significant threat of harm to an individual. That same amendment also clarified what a company needed to do to remedy the breach, including a requirement to warn victims that their information was lost. That sounds pretty basic. If my credit card was compromised or my personal information was lost, I would want to know that.

However, the government was unmoved. In just one short meeting, government members defeated every one of those 42 amendments without any explanation or defence. Some of them were out of date already by the time other ones had been defeated. There was no explanation or no big defence. It was simply the silent majority on the other side of the House voted them all down, just like they do all the time at all committees.

Despite warnings of overly broad, cumbersome and nebulous provisions within Bill S-4, the Conservatives took less than three minutes each to consider, discount and defeat everything that the experts had warned us about. As a result, Bill S-4 remains flawed. It has never been fully considered and should not be accepted or passed without a true and unbiased evaluation.

To be clear, there are positive elements to Bill S-4. For example, the legislation grants the Privacy Commissioner the ability to enter into enforceable compliance agreements with companies that have likely breached the act. This provides a regulatory remedy for certain actions and is a positive development. Public Safety Canada said that the bill would help to protect the security and privacy of Canadians by limiting the number of police and security officials who could request subscriber data and applying new requirements for recording, reporting and auditing those requests.

These may be good things, but several independent and credible sources outside of government expressed their concerns with Bill S-4. For example, many warned that metadata could be used to track specific individuals on the Internet and when in the wrong hands, that tracking could represent a serious threat to personal privacy. Bill S-4 utilizes a similar approach, and this is an issue of tremendous concern for those of us on this side of the House.

I want to ensure that law enforcement officials have the information they need to keep us all safe, but a blank cheque approach is inappropriate and promises limited success. We could do better if the government would just listen to the experts and then work with the opposition.

In broad strokes, Bill S-4 represents a shift in the way we deal with digital privacy. Privacy laws have traditionally outlined the rules and procedures needed to protect information and personal data, but in this case the legislation sets up circumstances under which that material could be released.

In a world where crimes involving personal data theft, identity fraud and online stalking are on the rise, protecting data is crucial. Data is not just information; it is a commodity. It is power and it is a back door into our private lives. The Liberals are deeply concerned that the government's commitment to safeguarding personal information and privacy of Canadians is less than absolute with Bill S-4.

Whether driven by Conservative ignorance or intent, Canada is clearly on the cusp of a paradigm shift with respect to privacy laws, and the Liberals are worried about the consequences of Conservative insolence.

Mr. Speaker, surely the member would recognize that Bill S-4 was put in a unique situation in that it went to committee before it received second reading, thereby creating what turned out to be a false expectation that the government was open to making changes. In reality, all the amendments brought forward were defeated. It was almost like a normal routine of other pieces of legislation that have just gone through the normal process at second reading.

My question to the member is this: why did he feel it was important to isolate this piece of legislation by bringing it to committee before it completed second reading and then sending it to committee stage? Why change the normal procedure, given that the government had no intention of making amendments?

Mr. Speaker, I thank my colleague for his presentation today on this important legislation. I would like to ask him, with regard to Bill S-4, if he could elaborate on how our government is working to protect and help vulnerable Canadians, especially children.

Mr. Speaker, I am pleased to be here today to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

As consumers, we are all aware that, in the digital world we live in today, our personal information has become increasingly more accessible. People and organizations exchange huge amounts of information over the course of the day, whether it be through email, Internet browsing, or financial transactions. Digital networks have fast become the most efficient and convenient method of communication for Canadians.

Our government takes the protection of this personal information very seriously. We recognize the importance of having strong privacy protections in place to ensure that organizations are properly safeguarding the personal information of individuals across this country. Bill S-4 would implement changes to the Personal Information Protection and Electronic Documents Act, known as PIPEDA. These modifications would ensure that organizations are taking the appropriate steps to address the handling and protection of information in today's digital era. This bill, entitled the digital privacy act, sets out specific rules that businesses and organizations must follow when personal information they hold is lost, stolen, or accessed, either for malicious purposes or as the result of an accident.

As we have seen in the past year, data breaches continue to present themselves as a major challenge to the privacy and security of information. Breaches can happen in any number of different ways and to any type of organization. Digital information can be stolen through sophisticated cyberattacks or through simple software vulnerabilities that are made public.

Take the Heartbleed incident, for example. According to Symantec, this software glitch that was exposed in 2014 left approximately 0.5 million trusted websites at risk of a serious data breach. Financial information and sensitive customer data can also be left vulnerable in the event of a data breach. Unfortunately, this is a familiar topic for Canadians in today's digital age. Take, for example, last September when Home Depot announced that a data breach by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud.

Research shows that the majority of today's data breaches are conducted with malicious intent. The Symantec Internet threat report states that nearly half of all breaches are caused by outside attacks and that these attacks are becoming increasingly sophisticated. Canadians are concerned about this. A recent nationwide survey on Canadian attitudes around data breaches concluded that this issue is creating significant public anxiety. The survey found that 79% of Canadians are worried about being a victim of a data breach. Data breaches are a top-of-mind issue for Canadians. This is not surprising, given the importance of the Internet in the day-to-day lives of Canadians.

Organizations should also be concerned about data breaches, given how expensive these incidents can be to businesses. It is estimated that the cost to combat and recover from data breaches worldwide last year was approximately $364 billion. Business owners need to know that consumer demand for responsiveness to data breaches is increasing. A nationwide survey highlighted that Canadians assume that companies will take immediate action in the event that personal information is lost or mishandled.

That is not all Canadians expect. The same study concluded that over half of all respondents want companies to do the following: provide clear information and instructions on how individuals can protect themselves; and provide them with free credit monitoring for a certain period of time in the event that a breach occurs.

With the digital privacy act, our government is responding to the needs and concerns of Canadians. First, companies would be required to put in place strong security measures to prevent data breaches. Second, companies would be required to respond to a breach if and when it does occur or risk facing a strong penalty. With the changes we have proposed in the digital privacy act, if a company has its computer systems hacked and believes personal information has been stolen, or if that information has been lost inadvertently, the company would need to take a number of steps.

The company would be required to assess the risk resulting from the breach, and if it determines that the incident poses risk of harm, it would need to notify the affected individuals and file a report with the Privacy Commissioner of Canada. On the subject of mandatory breach reporting, the Privacy Commissioner has stated that:

Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.

An organization would also have to keep a record of the event, regardless of whether a breach poses an obvious risk of harm. These records would not only allow organizations to demonstrate due diligence in their risk assessment, but they would also require companies to keep track of when their data security safeguards fail. This would help businesses determine whether or not they have a systemic problem that needs to be corrected.

What is more, organizations would be required to provide these records to the privacy commissioner at any time, upon request.

This record-keeping requirement would provide a mechanism for the commissioner to hold organizations accountable for their obligation to report serious data breaches.

Here is what the Privacy Commissioner had to say on record keeping:

I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted.

To provide an appropriate incentive to implement these measures, we believe that there should be serious consequences for intentionally ignoring them or attempting to cover up a data breach. Bill S-4 would make such deliberate acts a serious offence, punishable with fines of up to $100,000 per offence.

These changes are widely supported by stakeholders, as is evidenced by witness testimony during the committee's review of the bill.

The Canadian Internet Policy and Public Interest Clinic said that:

...we're very grateful to see this notification obligation coming into force. It's much delayed and needed.

The Canadian Bankers Association also came out in favour, stating that:

The banking industry supports the requirements in the Digital Privacy Act for organizations to notify individuals about a breach of their personal information where there is a real risk of significant harm.... We also support the Commissioner’s new oversight powers to ensure organizations comply with these new provisions.

Finally, the Canadian Pharmacists Association also expressed its support, saying:

For pharmacists who access a significant amount of sensitive information related to the medication and health of their patients every day, a breach or disclosure of this information has the potential to put the patient at risk.... As a result, CPhA believes that...reporting this breach to the individual concerned and the Privacy Commissioner are reasonable steps to take in order to mitigate any risk that may occur.

It's also reasonable for the organization in question to maintain proper records of these occurrences....

While there was broad-based support for the bill among stakeholders, the committee did hear some concerns about certain elements. One issue on which the committee heard different views is the threshold for reporting data breaches to the commissioner. Some stakeholders felt that the threshold is too high and that more breaches should be reported. Others thought the threshold is too low and that only material breaches should be reported to the commissioner.

The digital privacy act would take a balanced approach, one that avoids over-reporting of harmless incidents and yet allows the commissioner to oversee how organizations are meeting their obligations. The Privacy Commissioner agreed, telling the committee:

I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals.

Some stakeholders also expressed concern that the obligation to keep records of all data breaches is burdensome. However, the Privacy Commissioner, again, believes that the digital privacy act would get it right, telling the committee:

Requiring organizations to keep a record of breaches and provide a copy to my Office upon request will give my Office an important oversight function with respect to how organizations are complying with the requirement to notify.

Record-keeping can be done in a way that would minimize burden while still allowing businesses to demonstrate that they are conducting the proper risk assessments. The government would need to enact regulations to elaborate on what these records would need to look like and how long companies would need to hold on to them.

As a result, consultations during the regulatory development process would allow for further discussion, with stakeholder input, on this important issue.

Finally, some have questioned the need for fines in this area. The government recognizes that many organizations already notify individuals of data breaches in a responsible manner. However, we know from experience that there will always be those who try to break the rules.

The penalties in the digital privacy act would target those organizations that wilfully and knowingly disregard their obligations under the law or, worse, cover up a breach. These fines would not apply to organizations that make a mistake in good faith.

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa told the committee that:

We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored.... The fines currently in PIPEDA are designed as penalties for very overt offences.

Bill S-4 would encourage all organizations to play by the same rules and implement adequate controls and safeguards around the personal information they hold.

Furthermore, I encourage the House to oppose the motion put forward by the Green Party to delete clause 10 of Bill S-4. This would remove the new requirements for organizations to notify individuals who have been put at risk if their personal information is lost or stolen. The amendment ignores the advice of numerous privacy advocates including the Privacy Commissioner of Canada.

On several occasions, the commissioner has recommended that PIPEDA be amended to require mandatory data breach reporting. The digital privacy act would act on this recommendation, and the commissioner has expressed strong support for the approach taken in Bill S-4. The Privacy Commissioner and the majority of witnesses who appeared before the standing committee agreed that Bill S-4 is a significant improvement to PIPEDA and a necessary step in ensuring Canadians' personal information is safeguarded.

I think the Canadian Life and Health Insurance Association said it best in its witness testimony. It said that Bill S-4 takes a balanced approach to the responsibilities placed on business and organizations, but most importantly, it would protect the consumers of those businesses and give individuals the information they need to take corrective action when necessary.

Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4 would strengthen these rules and increase the protection of Canadians' personal information. In summary, the digital privacy act would balance the privacy needs of Canadians and the ability of businesses to access and use personal information in their day-to-day operations. It would do this in a way that avoids over-reporting of harmless incidents while making it clear to businesses what their legal obligations are.

I hope we can count on the opposition's support and quickly pass the digital privacy act into law.

Mr. Speaker, I agree with my colleague.

With Bill S-4, the government missed out on an opportunity to introduce a system that is in line with the Supreme Court decision in R. v. Spencer.

It is too bad, because this really could have been possible with the amendments brought forward by the opposition parties. Every party here brought forward amendments that would have worked. However, the government decided to reject all of them.

Mr. Speaker, I have a question as a follow-up to the question that my Conservative colleague asked the hon. member.

The R. v. Spencer ruling came down after this bill was studied in the Senate. What is more, Bill S-4 is based on models from British Columbia and Alberta. Some aspects from Quebec are included as well.

However, we saw that a report was tabled by the Legislative Assembly of British Columbia, the region my colleague represents, saying that in light of the ruling in Spencer, it would amend its personal information protection legislation, known as PIPA. If we are basing our legislation on a model that is changing, then I think we have a problem.

Why are we incapable of working together to see what repercussions the Supreme Court ruling might have on our laws, when other legislation, on which we are basing our bills, is in the process of changing?

Mr. Speaker, first, I hasten to correct my friend. I have never spoken in this place, or in any serious location, with anything but respect and love for my colleagues.

My second point runs to the testimony provided by Professor Michael Geist that Bill S-4 runs contrary to the spirit of the Spencer decision and that, in fact, by allowing the disclosures to be made with upfront Internet service providers from telecom companies and so on without having the notification to the holder of the information, in his words:

The provision opening the door to massive expansion of warrantless, non-notified, voluntary disclosures should be removed....

Mr. Speaker, I want to start by expressing my sincere thanks to my colleague from Terrebonne—Blainville, who just delivered a very important speech. She worked very hard on her own bill on this topic, and I think her bill should have been passed. In my opinion, her bill was far superior to Bill S-4.

I share the sentiments of the hon. member for Winnipeg North. He, like the member for Terrebonne—Blainville, said that all the opposition parties thought that in light of the work that went into the current bill and all the others, such as Bill C-12, the government might make the effort to take a collaborative approach with the other parties. Unfortunately, that was not the case.

Here we are, looking at Bill S-4, a bill that comes to us after, as we have heard from other members, a convoluted process, a bill that died on the order paper, a superior private member's bill that failed when the Conservatives did not support it. It is an effort to bring up to date the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA.

This is, of course, a very significant area of citizen and consumer concern. PIPEDA was passed in 2000, and a lot has changed in the world of digital information, privacy concerns, and information held by Internet providers, banks, and a great number of organizations to which Canadians trust their private information online.

Bill S-4 should have been an attempt, and may in fact have been an attempt that failed, to adequately balance the privacy rights of Canadians and the important facilitation of commerce in Canada. That would certainly be the expectation.

The larger context around which the bill comes to us is one in which we have had some rather spectacular accidental breaches of the privacy of Canadians through the release, through various errors, human errors, of health information, consumer information, and banking information because of breaches in the system.

One would have thought, especially in the specific context of the last year, that in drafting the bill, the government would have been very cognizant of the decision of the Supreme Court of Canada in June 2014 in the Spencer decision. That was a decision written by Mr. Justice Tom Cromwell, one of my former friends and professors from my time at Dalhousie Law School, a brilliant legal mind and someone who has, within the Supreme Court of Canada, written a number of critical and important decisions. The Spencer decision is one of them.

The Supreme Court of Canada, in Spencer, came down very clearly on the side of the privacy rights of Canadians. Mr. Justice Tom Cromwell wrote in his decision:

...the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information....

He went on to note that users would never really know when their information was forming some sort of pattern that resulted in a review, and users, consumers, would not know when their information might be becoming accessed. However, in entering into agreements with ISP providers, the Supreme Court of Canada, through Mr. Justice Cromwell, noted that there is a “reasonable expectation of privacy in subscriber information”.

There is no denying that Bill S-4 would do some things that are fairly universally approved of by those who are leading critics in this area. The Privacy Commissioner for the Government of Canada, and of course, the Privacy Commissioner is an officer of Parliament, saw a number of significant improvements.

The Privacy Commissioner started his review by turning his attention to the purpose of PIPEDA in the beginning, back in the year 2000, noting:

The purpose...is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Given the fast-changing world of digital communications, with the Internet, the cloud, and all the various ways in which we now store information online, fortunately Parliament saw fit in the year 2000 to include a five-year mandatory review of PIPEDA so that we could keep up with the ways in which technology moves so rapidly.

Generally speaking, some of what is being done here has met with universal support. The risk-based approach that would allow organizations to assess each incident on a case-by-case basis was supported by the Privacy Commissioner, at least. The Privacy Commissioner would have an opportunity to enter into compliance agreements, but while the Privacy Commissioner found this acceptable, numerous other commentators did not. They did not feel it went far enough or actually protect privacy information adequately.

The things that met universal approval I will list briefly. The improvements in Bill S-4 include the additional qualification and clarification of what is meant by the standard of consent, the extension of a deadline to take cases to the Federal Court, and of course, the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings. These were things the Privacy Commissioner liked.

Leading critics include, and my friend from Terrebonne—Blainville has already pointed to one of the leading critics in this area, Professor Michael Geist, advisers, and a very exceptional group of lawyers who now work a lot on information privacy law at the Public Interest Advocacy Centre, where, in the 1980s, I was also associate general counsel. However, in those days, believe me, we did not have open files on Internet data and privacy, because we were mostly dealing with trying to advocate in areas of technology that now seem very outdated. In any case, the Public Interest Advocacy Centre has stayed on top of the technology.

We had from the Canadian Bar Association, the Public Interest Advocacy Centre, Professor Michael Geist, and of course, members of opposition parties a rich group of substantive and helpful amendments that would have led to universal support for this bill at that moment. Unfortunately, those amendments were all rejected.

I want to look at three aspects in the time I have left this afternoon: compliance agreements, the expansion of voluntary disclosure, and transparency reporting.

Compliance agreements are a source of concern. The way in which they are drafted in Bill S-4 would have been acceptable had they been strengthened and had penalties or had an order-making power been available to the Privacy Commissioner, but they have none of those things. The Canadian Bar Association brief made this point about it:

Our principal concern is that while entering into such an agreement with the Privacy Commissioner stays any court enforcement by the Commissioner, it does not have any effect on any affected individual’s right to go to court against the organization for the same matter under investigation. This omission means that there is a much lower incentive for organizations to enter into such agreements. Also, it is not consistent with the regime in other similar schemes.

Despite recommendations to improve this, no improvements were made.

Second, the expansion of voluntary disclosure is probably for me the most significant failure of Bill S-4 and is quite inexplicable in that it runs directly counter to the Spencer decision I referenced earlier. This needed to have much more rigour to ensure that there was no warrantless access. This is the key issue. The task force should have come down harder for privacy rights.

Last, in transparency reporting, there should have been reforms to require organizations to publicly report on the number of disclosures they make without knowledge or consent and without a judicial warrant.

This information should have been disclosed on a regular basis for transparency, and organizations should have been required to notify affected individuals within a reasonable time of any accidental disclosure.

With that, I regretfully conclude that Bill S-4 does not meet the standard this Parliament should expect of an update to PIPEDA.

Mr. Speaker, I would like to thank my colleague from Terrebonne—Blainville for her work on this issue, which she knows a lot about.

We know that the Conservative government introduced Bill S-4 as a way to protect consumers. It is trying to sell the bill as a bill for consumers. However, consumer advocacy groups, lawyers, professors and even the Privacy Commissioner have indicated that there are problems with the bill, such as the provision on voluntary disclosure.

Can my colleague comment on the lack of balance in this bill?

Mr. Speaker, I appreciate the comments made by the member, but I do want to express some concerns as to the manner in which Bill S-4 was brought into the House.

The member made reference at the beginning of her comments about how she was optimistic at the beginning. I think there was a shared sense of optimism that we had the bill go on a different routine. As opposed to completion of second reading and then go to committee, we wanted the committee to provide some feedback so that we could look at making some more significant changes.

There were a number of presentations made. A number of amendments were brought forward. At the end of the day, the government showed no sympathy in terms of accepting what witnesses were telling the committee, nor amendments that were being brought forward, whether from the Liberal Party or others. Given the importance of information, in particular online banking and things of this nature, and the issue of privacy, we have really lost an opportunity to make some positive contributions through changes to the legislation.

I would ask the member to reinforce what she started off her speech with: the importance of the government recognizing a sense of co-operation that was there at the beginning and not responding well, which has ultimately led to a great deal of opposition to the bill we are now being asked to vote on.

Mr. Speaker, unfortunately we will oppose Bill S-4 for the reasons I will provide in my speech.

What I am especially disappointed about is that we all voted in good faith for this bill to be studied in committee before second reading. We told ourselves that we could perhaps work together to improve the bill and eliminate the most problematic parts or ensure that it would truly protect Canadians in the digital age. Unfortunately, that did not happen, even though we know that there are more and more risks associated with protecting personal information online.

For more than four years, we have been in Parliament with the same government that rejects all our motions and refuses to work with us in committee. This time, I do not know why, but I had hoped that we could work together.

Usually, a bill is sent to committee before second reading because there are problems with the bill and we want to make changes. Perhaps we want to change something or make changes to PIPEDA that go beyond the immediate scope of the bill. We had hoped to work together. Unfortunately, that did not happen.

That is why I moved three motions today to remove the most problematic sections from this bill. These motions will be voted on together.

We heard over and over that these two sections—clauses 6 and 7—are extremely problematic. These clauses will make it easier to share people's personal information without their consent and without them even knowing that their personal information is being shared. The government is trying to broaden the scope of situations in which information can be shared without consent. That is extremely problematic.

Obviously, there are sometimes extreme circumstances that require personal information to be shared. Such situations exist. Everyone knows that. We take issue with the fact that there is no transparency. There is no mechanism in place to ensure that this information is shared only in exceptional and urgent circumstances. What is more, the threshold of reasonable suspicion is very low.

As a result, we voted against these clauses when the bill was examined in committee. Unfortunately, the Conservatives decided to go ahead with them anyway.

We even proposed amendments to improve these clauses by restricting the kind of situations in which information sharing can happen and creating a system that encourages transparency. There has to be an accountability or oversight mechanism to ensure that this information sharing only happens under exceptional circumstances. That is really not the case.

As I said, we proposed amendments to improve the bill because everyone in the House of Commons knows that protection of personal information is a big issue right now, one that is really important to our constituents.

I even give computer security courses to seniors in my community because they want to understand how to use new technology and they want to have a certain level of confidence when it comes to protecting their information and their identity.

Everyone agrees that this is an important issue and that we have to update PIPEDA to ensure that it can better address the threats present in the digital age in the 21st century.

Unfortunately, the Conservatives' approach was to put something on the table and refuse to accept any amendments or listen to what the witnesses had to say. They just forged ahead.

All of the parties proposed amendments, except for the Conservatives, of course, and all of the amendments were rejected. The NDP even proposed 18 separate amendments that were all rejected.

Most of all, I deplore the fact that from the beginning of the committee's examination of this bill before second reading, the Conservatives said they did not want to change anything. Why should we bother voting to send something to committee before second reading if, from the beginning, the Conservatives have already decided that they will not change anything? It makes no sense. It also demonstrates bad faith. We are supposed to examine bills with an open mind and a desire to improve them, correct their shortcomings and work together. That is what it means to live in a democracy.

The Conservatives even insulted some of the witnesses during the study in committee, telling them that they could choose to either vote for the bill in its current form or accept that there would be no changes to the Personal Information Protection and Electronic Documents Act before the next election. I understand we are having an election soon, but the Conservatives had plenty of opportunities to modernize the Personal Information Protection and Electronic Documents Act. There was Bill C-12, which simply disappeared because of prorogation. The bill that I introduced in the House contained very similar provisions to the ones found in Bill S-4, but the Conservatives voted against my bill.

These changes could have already been in the legislation. Unfortunately, the government suddenly says the timeframe is too tight and the only thing we can do is pass the bill as is despite all its problems and flaws. The government simply wants to pass the bill as is. I think the Conservatives are being disingenuous about this. To tell all the witnesses that the choice is between this bill and nothing is really insulting to them after they took the time to travel here to share their opinions and present their proposed changes.

Since the government rejected all the amendments and we did not manage to improve the bill, the NDP will have to vote against it even though we recognize that some provisions are a step forward, although they do not go as far as they should. Nonetheless, I cannot vote in favour of a bill that will create more opportunities for personal information to be shared without consent, without authorization, without the individual concerned being informed, and without a proper oversight mechanism. That is what this bill would do.

Clauses six and seven, which my motions would eliminate, will weaken the protection of privacy by allowing the sharing of personal information without the consent and authorization of the individual concerned. I already stated that the threshold was very low. I proposed raising the threshold so that the organization asks questions before sharing this information. The Conservatives refused. The Privacy Commissioner even raised concerns about this provision. He said that it could open the door to abuses, and that is what we found. This government made 1.2 million requests to Internet service providers to obtain personal information as a result of flaws in the Personal Information Protection and Electronic Documents Act. There have been actual abuses. As members of Parliament, we cannot consciously open the door to further abuses. However, that is exactly what clauses six and seven of this bill do.

I will now read what the Privacy Commissioner said at the February 17, 2015, meeting of the Standing Committee on Industry, Science and Technology:

Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

This is very problematic because according to its title, this bill is supposed to create the digital privacy act. I am sorry, but there is a problem when parts of the bill contradict its objective. You do not have to be a genius to understand that.

I would like to share a quote from Michael Geist, who also testified at the Standing Committee on Industry, Science and Technology on March 10, 2015:

...the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed....With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

He also took the opportunity to disagree with the process that the Conservatives put in place and the idea that we should pass this bill without amendment because we are out of time.

The warning mechanism for a data security breach proposed in the current bill is another problem. Many parliamentarians understand the need for such a mechanism. This was brought up in the committee on which I sit, the Standing Committee on Access to Information, Privacy and Ethics, while we were studying this bill.

As the Privacy Commissioner has said many times, we must require that organizations notify individuals when their data are compromised. In a number of cases, as with Target and Home Depot, the data of thousands of people have been compromised or lost completely. Since the people in question are not always informed, they are not in a position to protect the compromised data. That is a huge problem.

Bill S-4 fixes this problem but does not really go about it in the right way. The proposed model is much too subjective because it allows the organizations themselves to determine whether a data breach creates a real risk of significant harm to an individual. The organizations therefore have to police themselves. They also decide for themselves whether to inform, or not, the Privacy Commissioner and the individual affected of any data breaches that occur.

The model that I am proposing is more objective. I proposed it before when we were examining this bill in committee and when we were examining my private member's bill, Bill C-475, which could have been passed already had the Conservatives not voted against it. This model would give the Privacy Commissioner the power to determine whether a security breach is serious enough to inform the individual. Thus, it would not be up to the organizations to do it.

What is more, PIPEDA covers all organizations, from convenience stores to large digital technology corporations. Some organizations, such as convenience stores that have only a couple of employees, are unable to determine how serious a data breach is. It is therefore important to allow them to turn to an expert, namely the Privacy Commissioner.

I would like to read a quote from John Lawford, the executive director and general counsel for the Public Interest Advocacy Centre, who testified before the Standing Committee on Industry, Science and Technology on February 19, 2015. He said:

Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.

As he said, the proposed mechanism is much too subjective. It is unfortunate that the Conservatives refused to implement a more objective system.

This bill does not give the Privacy Commissioner the power to issue orders. The former privacy commissioner, Jennifer Stoddart, asked for that repeatedly. Provincial privacy commissioners also wanted it because they have that power.

All too often, organizations do not act on recommendations made following an investigation by the Privacy Commissioner. Big international companies do not think they need to comply because it is just Canada, but Canada's laws must be respected. When our laws and the Privacy Commissioner's recommendations are constantly ignored, we need to fix that problem.

We could give the Privacy Commissioner the power to issue orders, but there is nothing about that in the bill. Instead, it calls for compliance agreements, which do not go far enough and do not really motivate organizations to act on the recommendations because they are not orders. We wanted to fix this problem, but once again our proposal was rejected.

I would have liked them to adopt the model I proposed in Bill C-475. I suggested following the usual investigation procedures, after which the commissioner would issue orders and set a deadline for compliance. The parties would act in good faith. For example, if problems were not resolved within a year, the Federal Court would impose a fine.

This system would give organizations that comply with the law and the recommendations a chance, with no repercussions whatsoever. However, if we do not find a solution and do not encourage organizations to respect privacy, there will continue to be abuse, and the law and the Privacy Commissioner's recommendations will continue to be ignored.

Bill S-4 is a step in the right direction, but it does not go far enough. That is what I said throughout the entire study. As a matter of fact, some witnesses also said it was important to have a system that truly encourages privacy protection.

What is more, given that we studied this bill in committee before second reading, we had the opportunity to correct other problems with the Personal Information Protection and Electronic Documents Act, because we knew there were some flaws. Under what circumstances is it acceptable for the government to submit at least 1.2 million requests a year for personal information to Internet service providers? This is a serious problem, but nothing is being done about it.

I thought we could sit down as parliamentarians and come up with ways to put oversight and transparency mechanisms in place and even get rid of these flaws and abuses. This was a missed opportunity.

Recently, the Supreme Court established in Spencer what was reasonable and not with regard to privacy protection. Unfortunately, that ruling was not taken into consideration during the study in committee. The Personal Information Protection and Electronic Documents Act was not amended in order to make it consistent with the Supreme Court ruling. That needs to be done. The government needs to show some vision and correct these flaws to provide better protection of Canadians' privacy because that is what Canadians deserve.

There are five motions in amendment sitting on the notice paper for the report stage of Bill S-4. Motions Nos. 1 to 5 will be grouped for debate and voted upon according to the voting pattern available at the table.

Mr. Speaker, I agree with the hon. member so far as his first statement is concerned, that this has been a good week for Canadians.

It has been, because today the House of Commons voted on a ways and means motion and introduced a budget bill that would reduce the small business tax rate from 9% to 7%, although the NDP voted against that this morning, and it brought in a family tax cut to bring fairness to families, except the NDP and the Liberals voted against that.

We also introduced, of course, expanded flexibility for seniors on their RRIFs and increased room for all Canadians on tax-free savings accounts. Unfortunately, the Liberals and NDP voted against it, but that does not matter, because we delivered, and Canadians will get to enjoy the benefits of that because of the vote we had today in this House.

It has indeed been a good week for all Canadians, certainly those who care about and want lower taxes.

After this statement, we will debate Bill C-52, the Safe and Accountable Rail Act, at report stage and third reading. This bill strengthens Canada’s rail safety system, and I understand that all parties are interested in seeing this bill move forward quickly.

As I announced in the House yesterday, tomorrow shall be the third allotted day. Monday will be the fourth allotted day. Additionally, I am designating Monday as the day, pursuant to Standing Order 66(2), when we will conclude the debate on the eighth report of the Standing Committee on Finance.

On Tuesday morning, we will continue the debate on Bill C-52.

After question period today, we will consider Bill S-4, the digital privacy act, at report stage and second reading. This legislation would provide new protections for Canadians when they surf the web and shop online. These changes to protect Canadians' personal information are key elements of Digital Canada 150, our government's plan for Canada's digital future.

Starting on Wednesday, and for the remainder of next week, we will debate Bill C-59, economic action plan 2015 act, No. 1, which was introduced earlier today, as I already referenced.

This critical economic legislation would reduce taxes, including many of those I already spoke about, and deliver benefits to every Canadian family through the family tax cut; our enhancements to the universal child care benefit; encouraging savings with enhanced tax-free savings accounts; lowering the tax rates for small businesses; introducing the home accessibility tax credit, a very important improvement for seniors to help them stay in their homes for longer; and expanding compassionate leave provisions; and the list goes on and on.

As the hon. member said, it has been a very good week for Canadians, even though he opposes all of those measures.

Regrettably, the Liberal leader, earlier this week, announced that he would raise taxes for middle-class Canadians by replacing that very same family tax cut with a family tax hike, and despite this Liberal tax, the Liberal leader is discovering that budgets do not balance themselves. He has a $2 billion hole in his plan. Canada cannot afford that kind of reckless, high-tax, deficit-building approach.

In voting against our tax cuts for families set out in the ways and means motion the House adopted—

Mr. Speaker, I thank the hon. opposition House leader for his question.

This afternoon we will continue debating economic action plan 2015, our Conservative government's balanced budget, low-tax plan for jobs, growth and security.

He was referring to it and its impact on future generations, and that is where this budget is perhaps at its best, because it delivers long-term prosperity.

With the tax-free savings account, it will provide benefit for generations to come. It helps families save for their children's university education. We have put an additional element in the budget to allow greater flexibility with student loans with calculation of income.

In fact, it is future generations who stand to benefit the most. The most important element from which they benefit, something they would never see under an NDP government, is a balanced budget. That means they will not be paying the freight for generations that came before them for high-spending debt plans that we see from the opposition parties. That is the most important long-term benefit for future generations, so we are very proud of the budget in this regard. Of course, we have been hearing from my colleagues this week that it is a prudent and principled plan that will see Canadians more prosperous, more secure, and everyone confident in Canada's place in the world for some time to come.

While we are focused on creating jobs and putting money back in the pockets of hard-working Canadians, the opposition parties have both confirmed that they want to see higher spending and higher taxes on middle-class families, high taxes on middle-class seniors, high taxes on middle-class consumers. In fact, any tax they can raise, they will probably take a shot at it when they get the chance.

The budget debate will continue on Tuesday and Wednesday of next week.

While I am talking about the budget, I cannot help but note that, when pressed Tuesday night for some detailed insight into the Liberals' economic vision for Canada—something we have been waiting for since the hon. member for Papineau became the Liberal leader two years ago—that member told reporters that he would keep it secret from Canadians for yet more weeks—or months—to come.

I am going to give him an opportunity next week to be courageous and share an actual proposal with Canadians—something beyond the view that budgets balance themselves. Therefore, Monday shall be the second allotted day.

Meanwhile, we will start the report stage debate on Bill C-51, the Anti-terrorism Act, 2015, tomorrow. Through this legislation, the government is taking additional action, in line with measures taken by our allies, to ensure our law enforcement and national security agencies can counter those who advocate terrorism, prevent terrorist travel and the efforts of those who seek to use Canada as a recruiting ground, and disrupt planned attacks on Canadian soil.

Next Thursday, after we have concluded the budget debate, we will consider report stage and second reading of Bill S-4, the digital privacy act. This legislation aims to protect better and empower consumers, clarify and streamline rules for business, and enable effective investigations by law enforcement and security agencies.

In anticipation that Bill C-46, the pipeline safety act, will be reported back from committee soon, we will start report stage, and hopefully third reading, after question period that day.

We will round out next week with the debate on Bill C-50, the citizen voting act, at second reading, on Friday.

Mr. Speaker, I have the honour to present, in both official languages, the sixth report of the Standing Committee on Industry, Science and Technology in relation to Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act. The committee has studied the bill and has decided to report the bill back to the House without amendment.

This amendment reverts back to the proposed language for notifying the Privacy Commissioner about security breaches, which is found in the previous PIPEDA reform bills C-12 and C-29, but it is stronger and clearer. Why? It creates a mandatory security breach disclosure requirement at the federal level, and that is long overdue. Geist at the Senate said that Bill S-4 establishes the same standard of “a real risk of significant harm” for both notifying the commissioner and the individuals, but also said this is very puzzling. It means that there is no notification for systemic security problems within an organization. This is very likely to result in significant under-reporting of breaches. Our amendment creates incentives for organizations to better protect that information and allows Canadians to take action to avoid risks including identity theft.

Thank you, Mr. Chair.

In testimony on Bill S-4 we heard a lot of different opinions on the implementation of a notice mechanism for data breaches. This is a contentious point. In fact I examined this at length when drafting my bill. I am referring here to Bill C-475 which was unfortunately defeated because of the Conservative Party.

Through this amendment, I want to propose a more objective threshold. Indeed, I would like the Privacy Commissioner of Canada to be responsible for assessing the prejudice the person whose data has been lost, breached, and so on could suffer.

This legislation does not only apply to large businesses, but also to small ones. However, small enterprises do not necessarily have the necessary means to determine if the data breach is serious. These businesses could turn to the Privacy Commissioner of Canada. He knows these issues and is in a position to determine whether the data breach justifies notifying the person.

Moreover, this amendment would allow the Privacy Commissioner of Canada to order organizations to inform the persons concerned. This would also force organizations to notify people and would give the commissioner a little more power. Indeed, he could ensure that the privacy of individuals dealing with the organizations is respected.

I think this threshold is more objective, that it would afford better privacy protection, and that it would reduce the burden on small businesses.

Thank you.

Mr. Chair, these amendments deal with deleting the lines regarding new warrantless disclosure provisions that go from company to company. As they're drafted in Bill S-4, companies will be able to share the general public's information without our knowledge or consent. Privacy experts are most concerned about this aspect of Bill S-4.

There has been a surge of recent cases of what some people call “copyright trolling”; in other words, companies sending extensive legal letters to customers threatening huge fines for downloading movies that people have never heard of.

As it stands, Bill S-4 would allow involved service providers to offer this information to anyone without the consent of the individual. Therefore, we feel that warrantless, non-notified voluntary disclosures should be removed from the bill.

Thank you, Mr. Chair.

As you know, these three paragraphs in amendment deal with sharing information related to insurance claims. Our amendment is based on recommendations from the Privacy Commissioner.

Bill S-4 contains three separate provisions allowing an organization to collect, use, or disclose witness statements without consent at the request of the insurance industry. We have not been presented with any information or evidence demonstrating that the absence of these provisions has created any problem for the industry. We introduce these amendments in the hope of limiting the potential for fishing expeditions, to put it bluntly.

Thank you, Mr. Chair.

Following the testimony we have heard, and several revelations in the media, parliamentarians and society realized that, unfortunately, there are far too many cases where the exceptions in the PIPEDA are used in far too broad and vague a way. There is no transparency regarding the exceptions that permit the sharing of personal information without consent and without a warrant.

I think that today we have to broaden our study and not only examine Bill S-4 and PIPEDA. That is what we must do when we study a bill at second reading.

That said, I move that section 7 of PIPEDA be repealed, so as to correct the flaws in this law that allow for the sharing of personal information without consent and without warrants.

Good morning, colleagues.

Good morning, everyone.

Welcome to the 40th meeting of the Standing Committee on Industry, Science and Technology. Today we're considering Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.

We are pleased to have three experts here, officials from the Department of Industry. Lawrence Hanson is the assistant deputy minister for science and innovation. Christopher Padfield is the director general of the digital policy branch, and John Clare is the director of the privacy and data protection policy directorate.

Thank you very much for joining us, gentlemen, and for being here for questions.

Colleagues, we have, as you can see piled in front of you, quite a number of proposed amendments to the bill. I was saying to my fine officials beside me that a chair never does this enough to get really slick at it, so we'll proceed, with your patience, through the bill. The officials have kindly batched the amendments together.

Unless I have some specific instruction from you, colleagues, on how to proceed, I'll just begin with the first clauses that have no amendments, then we'll move to the clauses that have amendments, and proceed in that way.

Is that fine for everyone?

Thank you, Mr. Chair.

I'm in the same position I was last week, when many of the questions I would have had were already answered.

I was struck by listening to the testimony today. You go through so many of the different areas that we've talked about, and we've heard witnesses say one thing to one extent and then different witnesses at a different time have said something completely on the other side of an issue and suggested that we move in a different direction.

I remember one witness in a previous meeting talking about the importance of getting this right, and I noticed that phrasing was in the Credit Union's opening statement saying that in this case they thought Bill S-4 does get it right, or gets a lot of things right.

On consent, for example, we've heard arguments that we should go in one direction or another. We've heard that with breaches: people saying it goes too far; people saying it doesn't go far enough. On information sharing now we're hearing the same thing.

Ms. Gratton, in your comments it was interesting, because I think your opening statement captured that balance, and the question of balance that we're trying to strike. It sounds like you think the legislation needs to go forward—you said that in questioning—but at the same time you have some questions. They're not necessarily declarative statements that this is what's going to happen down the road, but you asked whether we can find ways to avoid “over-disclosing”.

As this legislation hopefully passes and moves forward, what you are going to be watching for over the next few years in terms of the execution of this? We've heard, for example, on that issue, that in Alberta and B.C. there haven't been issues with that. Someone said that it's different circumstances with the federal legislation.

Thank you, Chair.

Thank you to the witnesses.

I'd first like to provide a brief history of how we are where we are, and then ask for general comment from each of you on whether you support Bill S-4 going ahead or not going ahead. Then I will have some specific questions.

PIPEDA was passed in 2000. It came into force in 2001 to 2004, I believe. We can make changes to legislation in Parliament by legislation or by regulation. If it is by regulation, you regulate changes to existing legislation. It is also very common, and often required, that legislation be reviewed every five years. PIPEDA was reviewed in 2006-07, and some of you were involved in making recommendations as witnesses or by presenting submissions. The responsibility of the government is to listen to those and try to create a balance. Any legislative change is not going to get support from everyone for everything, because there are opposing ideas. But in general, I think, our government has reached that balance, and most of the witnesses from whom we have heard want Bill S-4 to go ahead.

We are about eight weeks away from this Parliament ending, and you may be the last group of witnesses that we hear from before we start dealing with the bill and working as a committee to see if we have any amendments. If there are amendments to this bill, given that there are only eight weeks left, it would be just about impossible, in my opinion, for Bill S-4 to move ahead, because it would then have to go back to the Senate.

I think I have heard general support for the bill going ahead.

Mr. Bundus, I think you said you don't want to stop it with these amendments; you want it to move forward.

I think, sir, you noted that changes could be made by regulation, which they can, if there are additional changes that need to be made.

Perhaps you could make a quick comment: do you support Bill S-4 moving ahead as it is now, or do you not support it moving ahead?

Maybe I could start with the Credit Union Central of Canada.

Thank you very much, Mr. Chair.

To all of our witnesses, thank you for taking the time to come out and to help us deal with an important piece of legislation.

I think we could talk to the Insurance Bureau an awful lot more. What other changes would you like to see in Bill S-4 that would ultimately help you in your quest to have the tools you need to deal with the kind of insurance fraud that's going on—related to Bill S-4? You mention in your brief about having other issues other than the ones that you mentioned today.

I am anxious to know how you track these fraudsters who come into the system. In your opening remarks, you talked about organized crime, different body shop organizations, and other types of groups that come into this. There has to be a way of tracking this.

Does Bill S-4 give you the tools to do what you need to do in order to start to address some of these issues?

Thank you, Mr. Chair.

Welcome to our witnesses. Thank you for appearing today.

I'd like to begin with Mr. Pigeon and Mr. Martin on the credit union side.

You spoke about elder abuse and fraud. You suggested, in your opening comments, that we're doing some things right with Bill S-4. I wonder if you could expand on it. You say in here that the measure could be refined, however, by making it possible to disclose suspected abuse to a member of the individual's family, and that research has shown that often, in the case of elder abuse, the next of kin is the abuser. You also talk about CUSOURCE as a training program, or you've taken some of your solutions and are applying them to day-to-day operations.

I wonder if you could talk about Bill S-4 and how this is making it more feasible to track elder abuse. What are you doing through CUSOURCE to make it work?

Thank you very much.

Ms. Gratton, do you think that the compliance agreements as proposed in Bill S-4 are sufficient to really encourage businesses to respect people's personal information?

Thank you.

Mr. Bundus or Mr. Dubin, I would put the same question to you.

In your testimony at the Senate on Bill S-4, you said that you preferred the breach notification mechanism model that is used in Alberta. Do you still feel that way? If so, can you explain why?

Thank you very much.

I also have a question concerning the breach notification mechanism proposed in Bill S-4. In your opinion, could this model adequately protect people's personal information?

Thank you.

I thank the witnesses for their presentation.

My first question is for Ms. Gratton.

In your presentation, you spoke of the need to change the mode of consent. Do you have some concrete proposals on what we could do? This could be done through an amendment to Bill S-4, or an amendment to the Personal Information Protection and Electronic Documents Act, PIPEDA, so as to change the method of consent to bring it more into line with what you have described.

Thank you, Mr. Chairman.

First of all, to the Insurance Bureau of Canada, as a designated investigative body, IBC's investigative services division can already share information to investigate contraventions of the law. Why are the proposed changes to this framework in Bill S-4 necessary?

Good morning, ladies and gentlemen. Bonjour à tous.

Welcome to the 39th Meeting of the Standing Committee on Industry, Science and Technology.

Again we have witnesses here in regard to Bill S-4.

From Borden Ladner Gervais, we have Éloïse Gratton. Welcome.

From the Canadian Life and Health Insurance Association, we have Frank Zinatelli, vice-president and general counsel; and Anny Duval.

From the Credit Union Central of Canada, we have Marc-André Pigeon, director of financial sector policy; and Rob Martin, senior policy adviser.

From the Insurance Bureau of Canada, there is Randy J. Bundus, senior vice-president, legal and general counsel; Madalina Murariu, acting manager, federal affairs; and Richard Dubin, vice-president, investigative services.

We will begin with the opening statements in order.

I think you've been advised that you have five to six minutes for your opening statements.

Madame Gratton, please begin.

I would like to get back to bill S-4. As we know, this bill would give the Privacy Commissioner new powers to conclude compliance agreements with organizations. However, given that there will likely be insufficient resources at the Office of the Commissioner, do you not think that he may be overwhelmed by the task, and that every breach that occurs will be submitted to him?

M. Levin, could you answer that question, please?

Thank you very much.

I would also like to raise the issue of consent, which is I think of concern to all of us. The fact that there are 10-page forms that people cannot read is indeed very worrisome. Bill S-4 at least sets the stage for limiting the circumstances in which consent could be considered valid. This is in clause 5 of the bill. Several witnesses made different comments on that clause.

Mr. Levin, Mr. Brown and Ms. Romanko, since you spoke of the most vulnerable populations, I would like to ask you whether in your opinion this clause is appropriate as it stands, or whether it should be amended. If so, what would you propose?

Thank you, Mr. Chair.

I thank the witnesses very much for being here today.

My first question is for Mr. Levin.

I had the opportunity of hearing your testimony at the Standing Committee on Access to Information, Privacy and Ethics. You said that businesses had to be motivated to protect people's personal information.

In my opinion, Bill S-4 is an improvement, but it does not go far enough to encourage companies like Google and Facebook to properly protect individuals' personal information. You mentioned briefly that you were in favour of compliance agreements, but you added that they should confer more powers.

Could you provide some further explanations on that?

Could we possibly do it with amendments to Bill S-4?

Thank you very much, Mr. Chair.

Welcome, and thank you for sharing some of your time and your insights into this issue.

Professor Levin, the penalties we're talking about go from $10,000 and up for people who don't report.

There seems to be such an easy way to have breaches of people's privacy today. Constantly, everywhere you go, you're being asked to tick a box that says “I agree”. A piece of software that I looked at yesterday had seven pages. Now I'm not going to read those seven pages—I'm just being blunt—and I don't think anybody else is who's not some high-tech person who has a specific reason that they're looking at that. However, in order to have access to that particular program, I scrolled through the seven pages and clicked “I agree”. I tend to think that's what a lot of people do.

Could you comment on that? I mean the object with Bill S-4 is to make privacy legislation better and strengthen people's confidence in it. I think that's what we all want to do.

We have nine weeks of work here, including the constituency weeks, and a lot of work to do before this Parliament wraps up.

Is it important that we pass Bill S-4 within this Parliament, or do you think we should be waiting? Will we leave people vulnerable if we don't pass S-4?

Thank you, Chair.

Thank you, witnesses, for being here.

I want to focus my questioning on how the digital industry has so dramatically changed since PIPEDA first became law in 2000. I believe that things have changed dramatically since it came into effect. It actually came into force from 2001 to 2004, over three years. Then, as is normal, there was a judicial review, a parliamentary review, and that started in 2006-07. I think some of you have been involved with that and have provided submissions or have testified.

Bill S-4 contains I think important updates that relate to what we saw when it was established in 2000. In regard to what's being proposed now in Bill S-4, the world has changed. Technology has changed dramatically. That includes the number of people who are using digital technologies for emails, banking, and so on.

We've heard from you. We've created Bill S-4. It provides important updates to current private sector privacy laws that will help protect consumers with regard to their personal information, whether it's been stolen or lost.

There is currently no legal requirement for a business to inform consumers when there has been a data security breach. A business could be hacked and decide right now not to inform customers, but the changes in Bill S-4 will compel businesses to report when hacked and will impose fines of up to $100,000 per individual if the business fails to notify the customer.

It also provides some very important focus on protecting the vulnerable, both the youth and our seniors.

Ms. Romanko, you touched on that, as did Mr. Brown, and that's the focus of your organizations.

The Bankers Association was one of the many that really supported Bill S-4. They applauded the amendments in the bill that will allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse. I think you touched also on the abuse that may be coming from family members. The banks would now have the discretion in regard to how to deal with these serious situations and protect the vulnerable. That does not exist now.

We also heard from the Privacy Commissioner about the tools necessary for the commissioner to do their job. There was not adequate time for them to be able to act. Now, with the changes in Bill S-4, that would change.

If you could, just touch on how things have changed and on these changes that have been now incorporated in Bill S-4 to update PIPEDA.

Ms. Romanko.

Thank you.

I want to ask you about information sharing by companies in a prospective business transaction, which would be allowed under Bill S-4 without the knowledge or consent of an individual. Do we need this clause and does it strike the right balance around privacy and the need for businesses to have certain information?

Thank you.

I want to ask you about breach notification. The threshold is pretty high, it's “a real risk of significant harm”. Do you think that is the right threshold? We've had some witnesses suggesting a two-step system where the Privacy Commissioner is informed of all breaches and then there is a decision about when an individual is notified about a breach. Do you think that the way it is structured now under Bill S-4 it's leaving these decisions to industry itself? Is that the right approach?

I have a question for Mr. McLinton and Mr. Littler.

Bill S-4 provides for a mechanism to notify individuals of security breaches. You appear to support that. The model proposed under Bill S-4 will require organizations to, themselves, determine whether the breach creates a risk of significant harm to the individual or not. Do you think it would be easy for your members to make that assessment? Do you expect to receive some support to ensure you are properly complying with the bill's provisions?

We received a letter from the privacy commissioner indicating that Bill S-4 was based somewhat on B.C.'s model. That is what it was supposed to look like, but suggestions changed in light of the report. I think that calls into question the provisions in Bill S-4. Would you agree with that? Do you think we should find a way to bring the bill in line with the report recommendations as well, in order to achieve that alignment between the acts?

I will go back to the banking association. Financial institutions also provide insurance coverage for loans. What aspects of PIPEDA or Bill S-4 prevent the banking system from accessing the metadata or medical information on an insurance applicant under that same umbrella with the banks? The reason I ask is, the bank lender knowing a client's medical information could prejudice the lender. What you had stated previously is that you'd like to have more sharing of information to prevent a crime. How does the customer know that this barrier will not be crossed?

Thank you very much.

Ms. Sali, I'm going to read a comment made by your executive director. I'm going to read the quote in English as I don't have it in French. It reads as follows:

...this legislation, while welcome, does almost nothing to tackle the serious problem of ongoing government surveillance against law-abiding Canadians.

Since we are studying the bill before second reading, we have the ability to propose amendments to PIPEDA that don't necessarily appear in Bill S-4. I see that as a golden opportunity. Unfortunately, the government seems convinced that the bill is going to pass as is, regardless of the amendments suggested by all the witnesses. That's truly unfortunate.

In light of your executive director's comments, do you think the committee could improve certain aspects of the bill?

—and when there is an opportunity for somebody to report, you want to know that the report is going to fall on ears that are able to listen and respond.

Going over to the Retail Council, I'd like to refer to your opening comments on consent in Bill S-4. In this paragraph you say, “We note that the bill contains a provision specifying that 'Consent is not valid unless how the information will be used is clearly communicated in language appropriate to the target audience.'”

Could you expand on that and talk to how that is going to benefit your membership?

Bill S-4 provides that ability for you.

I think it's important, because this is an area we all know is growing—

Thank you, Chair.

Welcome to our witnesses.

I'd like to begin with the Canadian Bankers Association. Feel free to determine who answers.

In your opening comments you talked about financial abuse, specifically of our most vulnerable. In your comments you said that PIPEDA limited you in much of what you would report when you saw a potential senior abuse or elder fraud, something going on that was inappropriate.

My understanding of Bill S-4 is that much of the remedy for this is now in place. I wonder whether you could talk to what works and what doesn't work to assist you so that your members can support and improve the situation of those most vulnerable clients.

Would Bill S-4 improve protection for seniors and vulnerable groups?

You are generally in favour of Bill S-4 moving forward. Is that correct?

Thank you, Mr. Chair.

Thank you to the witnesses.

My focus and my questions will be on dealing with privacy issues and moving forward.

As you know, PIPEDA became law in 2000. It came into force over 2001 to 2004 and there is a statutory review on most federal legislation and that statutory review took place, I believe, in 2006 or 2008. My question is going to be focusing on whether we should continue to discuss potential amendments to this or we should move forward and get general consensus on Bill S-4 and move it forward. Or do we not move forward on Bill S-4 and ask the next parliament to deal with this.

As we heard from you, Mr. Chair, you're recommending that we start clause by clause on the 31st, because what we've heard, in submissions and from the witnesses, is that there's general support for Bill S-4, from the public and from the witnesses. There are some suggested amendments but some of these changes can be done by regulation following the amendments and passage of Bill S-4 if it does happen. We have a very short window to pass it in this parliament. If we don't, it will be the next parliament and we've already been at work on this almost a year.

That's going to be the focus of my question. Do we move forward or are you suggesting that we not move forward?

I'm going to first go to the Canadian Bankers Association. You were quite involved in the judicial review. You appeared before the committee to express a general support for PIPEDA and then you made a number of recommended changes that are in Bill S-4. Could you highlight some of those changes that you are happy with that are included in Bill S-4?

Thank you.

We heard that the federal bill S-4 is based on the Alberta and B.C. bills, but it's our understanding that B.C. recently conducted a review of PIPA, its provincial legislation, based on the Spencer decision at the Supreme Court. We heard from Vincent Gogolek at our last meeting from the BC Freedom of Information and Privacy Association. He said that what happened was the scope of PIPA, the B.C. law, was narrowed. Now the minister, Minister Moore, feels that Bill S-4, this current bill, is in compliance with Spencer. You seem to have a different point of view. Can you clarify that?

Thank you.

Bill S-4 includes new provisions that will assist organizations in preventing and combatting fraud. How will these provisions further assist and facilitate these activities? This is directed to the banking association.

I think the other thing is, there are many things that are hidden in there such as marketing use of your data, etc., that you're signing off on, which is not necessarily something you want to do.

My next question is to the Retail Council of Canada.

You have stated that support to risk-based approach to data breach notification on individuals.... Would you say that Bill S-4 sets appropriate thresholds for notification for individuals?

Thank you, Chair.

Thank you, witnesses, for being here.

My first question is to Ms. Sali.

Do you think that Bill S-4's new provisions on valid consent will strengthen the protection of children's online personal information, in fact, anybody's information? A lot of the time the consent that you're actually looking for is so complex that I don't know anybody who has actually read through it all.

Would you like to comment on that?

So the new provision in Bill S-4 really just makes the new legislation consistent with the old. Is that correct?

Thank you, Mr. Chair.

I found it interesting to listen to all of the testimony first before getting a chance to talk.

Ms. Lawson and Mr. Geist both made similar statements. I wrote down that Ms. Lawson said, “We should be getting it right” and Mr. Geist that “We have to get it right”.

Interestingly, of course, I think that when we have these hearings, “right” means “the way you want it”. Ultimately, there have been other witnesses who have come before committee and said very different things. If the definition of “getting it right” means, for example, agreeing with those who said that consent provisions go too far, which we heard in the previous meeting, I don't imagine you would think it means we're getting it right.

Someone said that our data breach reporting regime is too onerous. If we decided that was the direction to go in, I'm quite certain that neither of you would say that this is “getting it right”. When anyone uses this term, I always hearken back to our hearings on anti-spam and copyright and even UBB. People's definitions of getting it right are very different. As in those cases, we're left to try to find the balance between very different, competing positions, and I think the case with this bill is no different.

Taking a look at three of the areas that have come up, I find it interesting....

Ms. Lawson, I'm going to come to you first and deal with section 20. You mentioned you had some concern with that section, I think around the confidentiality provision written into Bill S-4.

What you are saying is interesting.

Let's come back to Quebec. Quebec legislation relating to the protection of digital privacy sets out exceptions that allow a business to gather or disclose any personal information without the consent of the individual concerned, but these exceptions are very limited and include, for example, situations involving a criminal investigation.

Do you think Bill S-4 could be inspired by what has been done in Quebec?

Thank you very much, Mr. Chair.

Mr. Geist, thank you for being here today.

During a Senate committee meeting, you gave the example of California, which requires the disclosure of any security breach related to unencrypted personal information when there are reasonable grounds to believe that the information was acquired by an unauthorized person.

Could you give us a concrete example to explain the impact that a similar definition might have on the application of Bill S-4?

You said there are positive aspects of the measures in Bill S-4.

I have one other question for you, Ms. Lawson. You talked about the fines today and the fines contained in Bill S-4as the costs of doing business, and you said they're not a serious enough disincentive to any kind of privacy breach.

What do other jurisdictions have? What would be a serious disincentive that would really encourage the private sector to ensure that it is maximizing privacy protection?

Okay, super, thank you.

I do want to reiterate the point, through you, Mr. Chair, that the point of view that is being expressed by the witnesses here today, and the concerns that they're expressing about Bill S-4 were in fact offered to the Senate committee, but those changes that were recommended were not reflected in the bill that we see before us today. I'm assuming that's what we're being advised of here.

I think the witnesses are raising serious concerns and the Privacy Commissioner, himself, raised concerns about the scope of this bill.

Ms. Lawson, I want to start with you and ask you specifically about the subjective model proposed here for companies determining if there's been a mandatory data breach, disclosure on that. Can you advise us of your interpretation of what could happen with what's being offered in Bill S-4, and how you would recommend tightening up that provision?

Okay.

Chair, I think it would have been very helpful if these points had been made at both the Senate and the House.

My question relates to a presentation made by the commissioner. The commissioner made a presentation not quite a year ago, in June of last year, before the Senate committee as they were dealing with Bill S-4, and then appeared before this committee on February 17.

I just want to read the summary of the commissioner. The commissioner does have new tools and greater flexibility to enforce PIPEDA. The commissioner said:

Overall, the introduction of Bill S-4 is a positive development for privacy protection in Canada. PIPEDA was written in the 20th century. It is more than a decade old. From a privacy perspective, the world has changed dramatically during this relatively short time. Passing Bill S-4 with a few adjustments will strengthen PIPEDA and help the Office of the Privacy Commissioner better protect Canadians while addressing the emerging privacy issues of the 21st century.

Also unable to be with us today, Chair, is the Insurance Bureau of Canada. They provided a submission to the Senate when this was dealt with last year and they've communicated their support for aspects of the bill, particularly the fraud prevention measures.

Generally, the committee has heard support for this, and it's important that we provide the protection Canadians want. Bill S-4 does that.

Do any of the witnesses here today have a critique of the commissioner's perspective in supporting Bill S-4 going ahead?

Thank you, Chair.

Thank you to the witnesses here today.

I think each of the witnesses is aware that there have been hearings back to 2006, which I think Mr. Geist referred to.

PIPEDA was written in the 20th century. It's over a decade old and it needs to be improved. This is what Bill S-4 attempts to do.

Also, it is almost impossible to get unanimous support for any piece of legislation, so I think there has been a lot of energy that's gone into improving PIPEDA. Canadians want companies to tell them if their personal information has been lost or stolen and if they've been put at risk. I think that consent needs to be appropriate, particularly for target groups like children.

Dr. Geist, you've been involved with providing input to the Senate. You were involved in the hearings back in 2006.

My question is for Mr. Gogolek. When the Senate dealt with this at committee a year ago—not quite a year ago, but when the hearings at the committee in the Senate were beginning on Bill S-4, did you appear as a witness? As you're aware, any legislative changes have to be supported in both Houses, and Bill S-4 began in the Senate and is now in the House of Commons. Were you a witness when this was dealt with at the Senate?

Thank you.

That's the area that I am most concerned about. Every time we pick up our BlackBerry or whatever gadgets we have, I agree that we don't read it. I would suggest that very few people read any of that. It's just an automatic check. It's a nuisance, and we just agree to it—until we find out that we have no protection, or very little protection. I think that's what we are trying to do here: to look at how to protect the consumer.

I attended a conference on cybersecurity yesterday. Certainly the issues that were raised there about security, whether you're talking about the Internet and so on, somehow make Bill S-4 look like it's still nowhere near what it should be, or the kind of legislation we need to be putting forward to better protect Canadians. I think it's unrealistic, frankly, to think that with this legislation companies are going to be reporting all of these breaches and so on. I think they'll ignore it. I think a $100,000 penalty is insufficient for a significant breach, based on the kinds of things we're learning through this process.

Certainly, Dr. Geist, your comments about transparency and disclosure would go toward improving it, as far as the real risk that consumers are facing is concerned, before they get into things like identity theft and violation of their basic rights. I don't want all my information shared with every Tom, Dick, and Harry who wants it. If we are going along with Bill S-4—and, from my party's perspective, I'm not sure that we are, but at least we're trying to make some improvements—what else would you suggest we need to put in here to make it stronger and more enforceable? I would ask that of all three, given my timelines here.

Thank you very much. I have one last question for you.

We are studying this bill before second reading, which is a rather unique situation. For me, this means that we have an opportunity to really improve the bill and make important amendments in order to properly protect the privacy of Canadians. We also have the opportunity to go beyond Bill S-4. We can adequately amend PIPEDA to properly protect Canadians.

Do you think that, in the wake of the Spencer decision, we should amend the provisions of PIPEDA that relate to the disclosure of information without consent? Should we go that far? Do you think it's necessary to do this? Should we take this opportunity?

My question is for all of the witnesses.

Thank you very much.

Mr. Gogolek, I would like go back to the Personal Information Protection and Electronic Documents Act, or PIPEDA.

You were actively involved in assessing this legislation following the Spencer decision. I read with great interest the report that was produced and that recommends amending the legislation to improve the framework for disclosing information without consent and without warrant.

Obviously, we do not want to establish 10 different privacy protection regimes in Canada. We want to ensure in some way that it is comprehensive.

If we are in the process of amending an act that Bill S-4 is supposed to resemble, should we not be proactive and amend the bill so that it corresponds to the new act?

Thank you very much, Mr. Chair.

I would like to thank all of our witnesses for being here today. You all have some very interesting points of view.

My first question relates to the Spencer decision.

Mr. Geist, you have already testified before the Senate, but the decision had not yet been made. So I would like to hear your opinion on the decision and its possible repercussions on Bill S-4.

When the minister appeared, he seemed to think that no changes to Bill S-4 and the PIPEDA were required. I would appreciate hearing the other witnesses comments on this, if they have any.

Good morning, ladies and gentlemen. Bonjour à tous.

Welcome to the 36th meeting of the Standing Committee on Industry, Science and Technology. We are studying Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.

We have before us today, from the BC Freedom of Information and Privacy Association, Vincent Gogolek, the executive director.

We were going to have the Insurance Bureau of Canada here, but they're stuck on the tarmac in Toronto in a plane that was not able to go. They're trying to get on another plane, but of course they're not going to be able to make it to the meeting. We have already rescheduled them by phone for another meeting.

We also have before us Michael Geist, Canada research chair in Internet and e-commerce law at the University of Ottawa. He is testifying as an individual.

By teleconference we have Philippa Lawson, barrister and solicitor. She's coming to us from Whitehorse in Yukon.

Can you hear us okay, Ms. Lawson?

Thank you very much, Mr. Chair.

Mr. Lawford, you're not happy with where Bill S-4 is.

Thank you.

My second question is for Mr. Israel and Mr. Lawford.

In terms of the compliance agreements, we know that one of the objectives of the bill is to ensure that organizations are really taking PIPEDA seriously, which is unfortunately not always the case right now.

Do you think the compliance agreements proposed in Bill S-4 are sufficient to really encourage organizations to comply with Canadian law?

Because our time is so tight here, I'm just going to go to all three of you, in a sense, and ask this question. Are we better off with Bill S-4 as is, than prior to Bill S-4, than we are currently, in a sense? If we pass Bill S-4 as it is, are we better off with our privacy legislation than we were before?

Do you mind if I clarify my question? What is the problem that this change in Bill S-4 is trying to fix?

Thank you, Mr. Chair.

In terms of the issue that has been of concern to this committee about warrantless disclosures and the concern, for example, that the recent Supreme Court decision may require amendments to Bill S-4 as it currently stands, how has business been handling this concept of warrantless disclosure and the sharing of information without the knowledge of the individuals up until now? I presume it hasn't specifically been permitted. Has that been a problem? In other words, has it been business saying the issue of not requiring consent is a problem we need to address?

Good. I appreciate that clarification.

The commissioner said PIPEDA is written in a general language to allow flexibility so if there was contradiction, a breach, and inadequate reporting, if there's a complaint lodged, then it would go through the Privacy Commissioner. He or she would look at it, and at this point he has 45 days to take an action. S-4 is suggesting that change to a year.

Would you agree with that proposed change?

The reason I ask is I'm a member of a very active chamber in Langley, and I did not hear this come up, so I was surprised that the position was opposing S-4.

Maybe you want to clarify that.

Legislation can begin in either the House of Commons or the Senate, so S-4, because of the “S” in front of the number instead of a “C”, indicates it began in the Senate.

Mr. Smith, is there a reason that the Canadian Chamber of Commerce did not make a submission in the Senate?

Thank you to the witnesses.

The Canadian Chamber of Commerce and the Canadian Marketing Association, did either or both of your organizations make submissions to the Senate hearings in dealing with S-4?

Thank you, Mr. Chair.

Bill S-4 can force private sector organizations to report any losses or breaches of personal information. The test proposed for this mandatory reporting is subjective since it enables the organizations themselves to determine whether it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

In your view, can we ask organizations to determine themselves what constitutes significant harm? Would that assessment not be too subjective? What do you think about that?

Thank you very much, Mr. Chair.

Welcome to our guests.

The whole intent is on how we better ensure through Bill S-4 that Canadians are protected and that the appropriate law enforcement and so on have the tools they need to do their jobs. I think that's what everybody wants to see happen. Whether Bill S-4 accomplishes that or not is fully questionable.

Mr. Smith, you mentioned the issue of network information security in particular . Would you elaborate a bit more on that?

I'd like to pursue the questions of Mr. Warawa around consent, because it is a topic that is certainly addressed in Bill S-4, and it's a very important topic that most people truly don't understand in an era of rapidly changing technology.

I discovered to my surprise that I ended up owning one of these TVs. It's a good thing I never get to watch it, but it apparently has the potential to be allowing someone to listen in. It would be pretty boring, but....

I wanted to ask you specifically about children. You did mention the consent of children. We're going to be hearing from the Chamber of Commerce, and they have said in their submission that your office has not been hampered in its efforts to protect children through ensuring valid consent; therefore, a specific valid consent amendment is not needed. What's your view on that? We'll ask this question also to the chamber, but do you believe that a specific valid consent amendment for children is needed?

Very well.

Bill S-4 could force private sector organizations to report any losses or breaches of personal information. However, unlike what is set out in Bill C-12, the test proposed for this mandatory reporting is subjective since it enables the organizations themselves to determine, and I quote:

if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

In your view, is that test reasonable?

Thank you, Mr. Chair.

When Minister Moore appeared before this committee a few days ago, I asked him whether the office would have sufficient resources and funds to accept the new and major responsibility that will follow once Bill S-4 is passed. He said that you had the resources you need for that.

Is that really the case?

The combination of C-13 and S-4, the impact of both of those pieces of legislation will be fairly significant, from what I understand.

Do you have any additional concerns over what you have mentioned specific to S-4 once those two are combined?

We're glad to have you here.

I have a couple of questions.

How are Canadians going to be better off with Bill S-4? We know certainly some of them...front level, but I'm concerned with some of the other possible breaches and your ability as a department to pursue them.

Good morning, ladies and gentlemen.

Welcome to the 34th meeting of the Standing Committee on Industry, Science and Technology where pursuant to the order of reference of Monday, October 20, 2014, Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act, is what our study is right now.

We are grateful to have before us the Privacy Commissioner of Canada, Daniel Therrien. With him are Patricia Kosseim and Carman Baggaley.

We have a second panel at noon, colleagues, so we will begin with the Privacy Commissioner's testimony and then our rounds of questions.

Mr. Commissioner.

Thank you, Mr. Chair.

Again, I want to emphasize that I think there are many provisions in this bill that Canadians are looking for and feel are long overdue, and they are happy to see. I think it's unfortunate that there are some other provisions in this bill that are creating a lot of concern. Canadians are very concerned about their digital privacy, which is why this bill is being brought in. Yet, the area of warrantless disclosure is one that has been highlighted. It was highlighted at the Senate committee. While there may be absolutely legitimate areas where it makes sense to have warrantless disclosure, it's the lack of oversight that's troubling here.

I just want to cite quickly a couple of pieces of testimony on Bill S-4. First of all, Peter Murphy, who is a partner at a Canadian law firm, Gowling Lafleur Henderson, says again there are some welcome changes in Bill S-4. But he also goes on to comment in particular on the provisions allowing for disclosure of personal information without consent between organizations in support of investigations and breaches of law agreements or fraud cases of financial abuse, and I'm quoting:

This change would seem to permit fishing expeditions by companies seeking to sue individuals. For example, copyright holders would have grounds to freely obtain lists of internet addresses of individuals to find and sue internet downloaders. This seems to be a significant invasion of privacy if reasonable controls are not added to the proposed wording.

Michael Geist, who is a law professor here at the University of Ottawa, is an expert on digital matters, and he says:

Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).

So, my question is, why is there not greater accountability, greater oversight, to ensure that this provision, if you do believe it is necessary, is not abused?

Thank you, Mr. Chair.

I'd like to pick up on the part of Bill S-4 that concerns the transfer of information between the organizations.

I'd like to first say I think it's very commendable to have a bill that seeks to protect the elderly and young people when they are sharing information online. But I am troubled by the total lack of oversight when it comes to public institutions sharing information among one another, including law enforcement agencies. The information is being shared without the individual's consent or any monitoring. There is an absence of any civil liability in that regard.

Don't you think the bill should be amended to address that? The Privacy Commissioner is involved, especially when it's a matter of security, but in other cases, as I just pointed out, the information is being shared without any oversight.

Bill S-4 would require organizations in the private sector to report any loss or breach of personal information. But the criterion on which that mandatory reporting is based is subjective. In fact, the bill allows organizations to determine, themselves, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Why didn't the government choose a more objective criterion as the basis for that determination, such as the one proposed in Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), which was introduced by my colleague?

Yes, I'm going to continue.

Bill S-4 would give the Privacy Commissioner additional powers to enter into compliance agreements with organizations. In light of the fact that the date of the budget has been postponed numerous times—it won't be before April—has the government committed additional financial and human resources to the commissioner so that he can fulfill his new functions?

You have been in power for nearly 10 years and you are preparing a new budget. Can you assure us that the commissioner will have sufficient financial and human resources to do the job properly?

It can be reviewed at any time. This committee can choose its own business. You can review it the day after, if you like. The committee can do whatever it wants. But as my deputy points out, this is the third time we've taken a run at this legislation and updating PIPEDA, so there is some urgency.

I was in opposition for two terms and I understand the nature of chastising governments for reasons real and imagined. That's fine, but one of the reasons we took the approach, why it is Bill S-4, and why we tabled it in the Senate first, is that this committee had a very full agenda. Parliament itself had a very full agenda, with a number of high-profile and complex pieces of legislation through the fall session of Parliament, and we wanted to get going on this. We wanted to get forward traction.

Of course, our legislative process requires it to have the support and consent of both houses of our bicameral legislature. We wanted to get it passed and moving forward, keeping in mind that we do have a campaign coming up this fall and House time is precious and limited. We reversed the process for that reason: because we do want this legislation to get passed and we do want it to go forward.

We see it as essential for a number of reasons, including taking full advantage of the digital economy and protecting Canadians online. There is I think a growing anxiety and an expectation amongst Canadians that the government do all it can in order to protect the privacy of Canadians online, not only in terms of the Privacy Act and citizen engagement with the Government of Canada in ensuring that their privacy is protected when they provide their information to the government, but also when they are doing so in the private sector.

It has now passed the Senate after consideration and deliberation, and there are a number of amendments that were debated at committee. This committee of course can fill its schedule and consider this legislation as it wishes, but it certainly is my desire that the bill move forward and be adopted so that we can protect Canadians and give Canadians the confidence they deserve.

Thank you, Minister.

Chair, we will be discussing this in great detail. We'll be calling a number of witnesses. The reality is that in our calendar we have about 15 meetings in the rest of this Parliament. If it's not passed, forwarded to the House and then passed, this will not be going ahead in this Parliament. I believe it's needed. I believe we've heard—and the Senate heard—that this reaches the balance.

Minister, just to reconfirm, there is a review built into Bill S-4. This will be reviewed in five years to see if it's effective and if there are any problems with it. Is that correct?

Thank you, Chair.

Thank you, Minister, for being here.

I think it's very important that we protect the rights and the personal information of Canadian consumers. We realize, with regard to the digital economy and how it's evolved so dramatically over the last few years, that it's important that we address the concerns we hear from Canadians.

With respect, Chair, I hear from the NDP that we should maybe amend what has come to us from the Senate.

Minister, if we were to delay and amend, would Bill S-4 then have to go back to the Senate to get passed? My concern is that this is needed, Canadians want this, and a vast majority of Canadians want this passed, and if we amend it, what's the chance of it passing in this Parliament? It's needed.

That's a good question.

It's not always easy to figure out. Hence the importance of making sure that, whenever you give your credit card number to a supplier online, you have to read all the fine print, so to speak, because, at the end of the day, you are giving an organization your legitimate consent to share your personal information.

It's vital that, when using technology, consumers be extremely careful with their personal information. For that reason, Bill S-4 has a provision meant to protect young people, because they are the most vulnerable to these kinds of violations.

It's challenging for a government to put in place laws and regulations to protect people in their online communications. We believe this legislation gives the commissioner the powers needed to protect Canadians.

It's an ongoing debate in society and the media, not to mention within families. Whenever a breach of personal information occurs, we have to try to understand what went wrong and adopt new measures to protect individuals.

That's a good question.

In our view, Bill S-4 clearly defines the obligations organizations and businesses are under in that regard. Once the bill comes into force, if any organizations have questions or need clarification, they can certainly speak to the people in my department or contact the Office of the Privacy Commissioner of Canada.

We introduced this bill to address the need to balance the rights of Canadians and the right to privacy. As I said in answer to Mr. Lake's question, we need to make sure that we are not creating barriers for organizations and businesses wishing to fully participate in the digital economy.

Thank you, Mr. Chair.

Good morning to you, to the minister and his officials, and to all my colleagues around the table.

We are talking about Bill S-4. In today's technological environment, it is indeed important to bring forward measures like these, but it is also important to make sure that personal information is well-protected.

Let's get right into it and look at new section 7(3)(d)(i), which deals with exceptions to consent requirements. It says that the information can be disclosed if the organization "has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed".

How can an organization determine the relevance of the information it is sharing to a federal or provincial contravention, all the while protecting individuals' rights?

Thank you.

Minister, you said that Bill S-4 did not violate the Constitution and that the Supreme Court's decision in the Spencer case did not apply to the provisions in the bill.

Did I understand you correctly?

Was any research done in that regard, further to the Spencer decision?

Thank you very much, Mr. Chairman, and I appreciate the opportunity to come back, as you said, with my officials to talk about Bill S-4, the digital privacy act, which for me is a very important piece of legislation for a number of reasons: the context of the legislation in terms of Canada's digital policy moving forward but also our responsibility as a government, as a Parliament, to update our privacy legislation to protect Canadians.

But before I do that, I gather there were some changes in the committee membership, so I want to congratulate those of you who have been tasked to come onto this committee. As you know, the Department of Industry...and therefore your oversight of our activities, your advice, and constructive criticism, are of course an important part of our parliamentary function. To those of you who are on the committee, I look forward to working with you over the coming months as we move forward on pieces of legislation like this one here.

Thank you, Mr. Chair, for inviting me to appear before the committee today to discuss an important bill, the Digital Privacy Act, which is intended to better protect Canadians' personal information online.

You know, our government is focused on the mandate that we were given by Canadians back in 2011, to create jobs, focus on a growing Canadian economy and, as Minister of Industry, to move forward with an effective digital policy for Canada.

Also, we know that any government's plan that is centrally focused on the economy must of course have a robust engagement to strengthen Canada's digital economy. That's why last year I unveiled Digital Canada 150, our government's plan that sets clear goals for a connected and competitive Canada. It will help Canadians participate and succeed in our digital economy. One of the key pillars under Digital Canada 150 is the need to protect privacy.

The digital privacy act is an essential part of that goal. Our government understands that a strong digital economy requires strong protections for Canadians when they surf the web and when they shop online. The digital privacy act will modernize Canada's private sector privacy law by introducing important new protections for Canadians online. It sets clear rules for how personal information can be collected, used, and disclosed. It requires organizations to tell Canadians if their personal information has been lost or stolen and imposes heavy fines on companies that deliberately break the rules. It gives the Privacy Commissioner of Canada more power to enforce the law and to hold offenders to account. The bottom line is that it delivers a balanced approach to protect the personal information of Canadians, while still allowing information sharing to stop illegal activity when it occurs.

These are much-needed changes to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or more commonly known as PIPEDA. PIPEDA “sets out the ground rules for how private sector organizations...collect, use or disclose information in the course of commercial activities” across Canada. This should not be confused with the Privacy Act, which deals with how the Government of Canada handles the personal information of Canadians.

Let me share with the committee four areas where the digital privacy act will significantly improve PIPEDA.

First...data breaches. Unfortunately, this is an all-too-familiar topic for Canadians in our digital age.

It may surprise the committee members to learn that, under the current legislation, businesses are not obligated to notify Canadians of security breaches involving data under their control.

In other words, if a company's data is compromised and a hacker gets a hold of your credit card number, the company is not under any obligation to notify you. That's a serious problem.

Last December, for example, Target revealed that a data breach had compromised millions of its customers' credit and debit card information. In September, Home Depot announced that a data breach perpetrated by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud. On October 10, Kmart disclosed, in the United States, that almost all of its 1,200 stores throughout the States had been attacked by hackers, putting credit card and debit card details of customers potentially in jeopardy. Later in October, Staples announced a suspected breach of its customers' credit card and debit card information as well.

Canadian online consumers need stronger laws to protect them from similar fraud here. The digital privacy act will make it mandatory for an organization to tell individuals if their personal information has been lost or stolen and whether or not it puts them at any risk.

Under the Digital Privacy Act, organizations will be required to notify individuals whose personal information has been lost or stolen and let them know whether they are at risk of harm as a result.

Companies will have to inform Canadians of the steps they must take in order to protect themselves, such as changing their credit card PIN or email password. These are crucial safeguards to protect Canadians, and yet they are not currently in place.

The digital privacy act has been praised by consumer rights groups and those in the retail industry for its balance. The Marketing Research and Intelligence Association has said that they support the mandatory breach notification requirements that are in the bill. The Canadian Marketing Association has said that they support the changes to breach provisions.

The digital privacy act will make it mandatory that organizations also report these potentially harmful breaches to the Privacy Commissioner. When there's a privacy breach, not only is the individual informed by law; the Privacy Commissioner is also informed by law. In fact it will be mandatory for all organizations to keep records of all data breaches as well. If the Privacy Commissioner makes a request for these records, they must be handed over. Once law, organizations that deliberately cover up privacy breaches and destroy records will face fines of up to $100,000 for every person or client that they intentionally fail to notify.

The Office of the Privacy Commissioner of Canada is on the record as supporting these amendments as being in the best interest of Canadians. In addition, in my home province, the B.C. privacy commissioner has also recommended to their provincial government that they adopt the same approach that we have taken in Bill S-4.

Second, our digital privacy act clarifies the rules around obtaining consent to protect vulnerable Canadians online, particularly children and seniors, when companies ask to collect and use their personal information. For example, when the owner of a website for children wants to gather information about visitors to the site, the owner will need to use language that a child could reasonably be expected to understand. If the child can't be expected to understand how the information will be used, the child's consent would not be deemed valid. The owner would need to get consent from a child's parent.