Charmaine Borg

Mr. Speaker, the Conservatives came to the committee study of this bill with their minds already made up. They said that we absolutely had to pass this bill in its current form without any changes, otherwise the process would take too long, especially with the upcoming election. Everyone in the House knows that we will be having an election soon, but the Conservatives had four years to do something.

The member even said in his speech that this bill was overdue and that it was needed. Of course this bill is long overdue, because the Conservatives waited four years before they introduced anything. Bill C-12 disappeared completely, and some reviews of PIPEDA simply fell through the cracks because the Conservatives did not act. They could have voted in favour of my bill, Bill C-475, and the legislation would already be amended.

Why did they adopt that attitude at the committee meetings? How can they justify such an undemocratic attitude towards this bill?

Mr. Speaker, I have a question as a follow-up to the question that my Conservative colleague asked the hon. member.

The R. v. Spencer ruling came down after this bill was studied in the Senate. What is more, Bill S-4 is based on models from British Columbia and Alberta. Some aspects from Quebec are included as well.

However, we saw that a report was tabled by the Legislative Assembly of British Columbia, the region my colleague represents, saying that in light of the ruling in Spencer, it would amend its personal information protection legislation, known as PIPA. If we are basing our legislation on a model that is changing, then I think we have a problem.

Why are we incapable of working together to see what repercussions the Supreme Court ruling might have on our laws, when other legislation, on which we are basing our bills, is in the process of changing?

Mr. Speaker, I thank my colleague for his question. He is right; this is a huge problem.

We heard the witnesses talk about problems, but from the very beginning, the Conservatives were not willing to give anyone the benefit of the doubt. They said that they would not change a single thing because they did not have time. There is always a way to speed things up. Where there is a will, there is a way.

I would like to emphasize another aspect of this issue. The Conservatives said that, since the Senate had already studied the bill, senators had already heard from all of the witnesses and studied the proposed changes. That is false.

Many of the witnesses who appeared during the study by elected members of the House of Commons had not testified during the Senate's study.

Furthermore, the Supreme Court's ruling in Spencer had not yet come down when the Senate was studying this bill. That is an important element to consider because it may have a direct impact on the way we treat personal information here in Canada. The Conservatives wanted to ignore all of that.

They said that the Senate studied it, but I am sorry: senators are neither elected nor accountable. I have a problem with that.

It would be better for us, the elected members who represent the ridings, to be able to make changes ourselves.

Mr. Speaker, we heard from a lot of witnesses. We could always hear from more, since the study of a bill can go on for a long time. We heard from professors, the Privacy Commissioner and many experts. Most of them pointed out the problems that could arise because the bill opens the door to sharing personal information without consent, without authorization and without even informing the person concerned. The bill is opening that door even wider. That concern was raised, but unfortunately, the proposed amendments were not accepted.

Some amendments were very reasonable. The Privacy Commissioner even made some suggestions, which were submitted in the form of amendments during the clause-by-clause study of the bill, but those amendments were rejected. We proposed implementing a system to at least ensure that when an organization shares personal information under exceptional circumstances, a public report is issued indicating how many times such information was requested and why it was requested so that we know and we at least have a little transparency when it comes to the sharing of personal information.

There have been cases of abuse. This government and government agencies made 1.2 million requests to Internet service providers. There were no explanations, which is extremely problematic. We want to fix this problem, but instead, the Conservatives decided to keep doing things their own way, without consultation and without including what witnesses told us in committee about this bill.

Mr. Speaker, we can learn quite a lot about protecting personal information from others. For example, Europe is bringing forward some very interesting ideas. However, are these the ideas that we want to include in our system or to consider for our Canadian system? We can consider them, but that does not necessarily mean that we will accept them in their present form. There are discussions under way about this. Unfortunately, we are not even able to have these discussions in this place because only the Conservatives' approach is the right one, and so it is that or nothing. That is really a problem.

We could also look to the provinces, especially British Columbia, Alberta and Quebec, which have good legislation and systems. In British Columbia and Ontario, the information and privacy commissioners have the ability to make orders following their investigations. Thus, there is already a precedent in Canada, within our own country, that we could use as a model.

I cannot understand why the bill before us does not include a clause to give the privacy commissioner the authority to issue orders. That is really ridiculous.

Mr. Speaker, I thank my colleague for the question.

Indeed, the way this bill was examined is very problematic. From what I remember, and someone will correct me if I am wrong, this is the only time a bill has been sent to committee for study before second reading. In such a situation, one might think there are changes to be made, otherwise why would we do that? Furthermore, this exceptional measure would allow the committee to put forward amendments that go further than the strict substance of the bill, and it is therefore a good opportunity.

We were not able to seize the opportunity, however, because the Conservatives came into the committee room saying that we should just accept the bill, otherwise there would be no changes at all to the Personal Information Protection and Electronic Documents Act, or PIPEDA.

Yes, we are running out of time. We understand that. However, the Conservatives had many opportunities to amend this legislation. They waited for years to review PIPEDA as they were supposed to do, given that under the existing legislation, the act is supposed to be reviewed every five years. We could have passed my bill, Bill C-475, which could have become law. Bill C-12 disappeared. In short, they had many opportunities.

Instead, they dragged their feet for years. When we were hearing evidence and during the study in committee, they said that time was running out and we had to accept the bill as is. Well, that is no way to operate, especially in a democracy like ours.

Mr. Speaker, unfortunately we will oppose Bill S-4 for the reasons I will provide in my speech.

What I am especially disappointed about is that we all voted in good faith for this bill to be studied in committee before second reading. We told ourselves that we could perhaps work together to improve the bill and eliminate the most problematic parts or ensure that it would truly protect Canadians in the digital age. Unfortunately, that did not happen, even though we know that there are more and more risks associated with protecting personal information online.

For more than four years, we have been in Parliament with the same government that rejects all our motions and refuses to work with us in committee. This time, I do not know why, but I had hoped that we could work together.

Usually, a bill is sent to committee before second reading because there are problems with the bill and we want to make changes. Perhaps we want to change something or make changes to PIPEDA that go beyond the immediate scope of the bill. We had hoped to work together. Unfortunately, that did not happen.

That is why I moved three motions today to remove the most problematic sections from this bill. These motions will be voted on together.

We heard over and over that these two sections—clauses 6 and 7—are extremely problematic. These clauses will make it easier to share people's personal information without their consent and without them even knowing that their personal information is being shared. The government is trying to broaden the scope of situations in which information can be shared without consent. That is extremely problematic.

Obviously, there are sometimes extreme circumstances that require personal information to be shared. Such situations exist. Everyone knows that. We take issue with the fact that there is no transparency. There is no mechanism in place to ensure that this information is shared only in exceptional and urgent circumstances. What is more, the threshold of reasonable suspicion is very low.

As a result, we voted against these clauses when the bill was examined in committee. Unfortunately, the Conservatives decided to go ahead with them anyway.

We even proposed amendments to improve these clauses by restricting the kind of situations in which information sharing can happen and creating a system that encourages transparency. There has to be an accountability or oversight mechanism to ensure that this information sharing only happens under exceptional circumstances. That is really not the case.

As I said, we proposed amendments to improve the bill because everyone in the House of Commons knows that protection of personal information is a big issue right now, one that is really important to our constituents.

I even give computer security courses to seniors in my community because they want to understand how to use new technology and they want to have a certain level of confidence when it comes to protecting their information and their identity.

Everyone agrees that this is an important issue and that we have to update PIPEDA to ensure that it can better address the threats present in the digital age in the 21st century.

Unfortunately, the Conservatives' approach was to put something on the table and refuse to accept any amendments or listen to what the witnesses had to say. They just forged ahead.

All of the parties proposed amendments, except for the Conservatives, of course, and all of the amendments were rejected. The NDP even proposed 18 separate amendments that were all rejected.

Most of all, I deplore the fact that from the beginning of the committee's examination of this bill before second reading, the Conservatives said they did not want to change anything. Why should we bother voting to send something to committee before second reading if, from the beginning, the Conservatives have already decided that they will not change anything? It makes no sense. It also demonstrates bad faith. We are supposed to examine bills with an open mind and a desire to improve them, correct their shortcomings and work together. That is what it means to live in a democracy.

The Conservatives even insulted some of the witnesses during the study in committee, telling them that they could choose to either vote for the bill in its current form or accept that there would be no changes to the Personal Information Protection and Electronic Documents Act before the next election. I understand we are having an election soon, but the Conservatives had plenty of opportunities to modernize the Personal Information Protection and Electronic Documents Act. There was Bill C-12, which simply disappeared because of prorogation. The bill that I introduced in the House contained very similar provisions to the ones found in Bill S-4, but the Conservatives voted against my bill.

These changes could have already been in the legislation. Unfortunately, the government suddenly says the timeframe is too tight and the only thing we can do is pass the bill as is despite all its problems and flaws. The government simply wants to pass the bill as is. I think the Conservatives are being disingenuous about this. To tell all the witnesses that the choice is between this bill and nothing is really insulting to them after they took the time to travel here to share their opinions and present their proposed changes.

Since the government rejected all the amendments and we did not manage to improve the bill, the NDP will have to vote against it even though we recognize that some provisions are a step forward, although they do not go as far as they should. Nonetheless, I cannot vote in favour of a bill that will create more opportunities for personal information to be shared without consent, without authorization, without the individual concerned being informed, and without a proper oversight mechanism. That is what this bill would do.

Clauses six and seven, which my motions would eliminate, will weaken the protection of privacy by allowing the sharing of personal information without the consent and authorization of the individual concerned. I already stated that the threshold was very low. I proposed raising the threshold so that the organization asks questions before sharing this information. The Conservatives refused. The Privacy Commissioner even raised concerns about this provision. He said that it could open the door to abuses, and that is what we found. This government made 1.2 million requests to Internet service providers to obtain personal information as a result of flaws in the Personal Information Protection and Electronic Documents Act. There have been actual abuses. As members of Parliament, we cannot consciously open the door to further abuses. However, that is exactly what clauses six and seven of this bill do.

I will now read what the Privacy Commissioner said at the February 17, 2015, meeting of the Standing Committee on Industry, Science and Technology:

Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

This is very problematic because according to its title, this bill is supposed to create the digital privacy act. I am sorry, but there is a problem when parts of the bill contradict its objective. You do not have to be a genius to understand that.

I would like to share a quote from Michael Geist, who also testified at the Standing Committee on Industry, Science and Technology on March 10, 2015:

...the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed....With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

He also took the opportunity to disagree with the process that the Conservatives put in place and the idea that we should pass this bill without amendment because we are out of time.

The warning mechanism for a data security breach proposed in the current bill is another problem. Many parliamentarians understand the need for such a mechanism. This was brought up in the committee on which I sit, the Standing Committee on Access to Information, Privacy and Ethics, while we were studying this bill.

As the Privacy Commissioner has said many times, we must require that organizations notify individuals when their data are compromised. In a number of cases, as with Target and Home Depot, the data of thousands of people have been compromised or lost completely. Since the people in question are not always informed, they are not in a position to protect the compromised data. That is a huge problem.

Bill S-4 fixes this problem but does not really go about it in the right way. The proposed model is much too subjective because it allows the organizations themselves to determine whether a data breach creates a real risk of significant harm to an individual. The organizations therefore have to police themselves. They also decide for themselves whether to inform, or not, the Privacy Commissioner and the individual affected of any data breaches that occur.

The model that I am proposing is more objective. I proposed it before when we were examining this bill in committee and when we were examining my private member's bill, Bill C-475, which could have been passed already had the Conservatives not voted against it. This model would give the Privacy Commissioner the power to determine whether a security breach is serious enough to inform the individual. Thus, it would not be up to the organizations to do it.

What is more, PIPEDA covers all organizations, from convenience stores to large digital technology corporations. Some organizations, such as convenience stores that have only a couple of employees, are unable to determine how serious a data breach is. It is therefore important to allow them to turn to an expert, namely the Privacy Commissioner.

I would like to read a quote from John Lawford, the executive director and general counsel for the Public Interest Advocacy Centre, who testified before the Standing Committee on Industry, Science and Technology on February 19, 2015. He said:

Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.

As he said, the proposed mechanism is much too subjective. It is unfortunate that the Conservatives refused to implement a more objective system.

This bill does not give the Privacy Commissioner the power to issue orders. The former privacy commissioner, Jennifer Stoddart, asked for that repeatedly. Provincial privacy commissioners also wanted it because they have that power.

All too often, organizations do not act on recommendations made following an investigation by the Privacy Commissioner. Big international companies do not think they need to comply because it is just Canada, but Canada's laws must be respected. When our laws and the Privacy Commissioner's recommendations are constantly ignored, we need to fix that problem.

We could give the Privacy Commissioner the power to issue orders, but there is nothing about that in the bill. Instead, it calls for compliance agreements, which do not go far enough and do not really motivate organizations to act on the recommendations because they are not orders. We wanted to fix this problem, but once again our proposal was rejected.

I would have liked them to adopt the model I proposed in Bill C-475. I suggested following the usual investigation procedures, after which the commissioner would issue orders and set a deadline for compliance. The parties would act in good faith. For example, if problems were not resolved within a year, the Federal Court would impose a fine.

This system would give organizations that comply with the law and the recommendations a chance, with no repercussions whatsoever. However, if we do not find a solution and do not encourage organizations to respect privacy, there will continue to be abuse, and the law and the Privacy Commissioner's recommendations will continue to be ignored.

Bill S-4 is a step in the right direction, but it does not go far enough. That is what I said throughout the entire study. As a matter of fact, some witnesses also said it was important to have a system that truly encourages privacy protection.

What is more, given that we studied this bill in committee before second reading, we had the opportunity to correct other problems with the Personal Information Protection and Electronic Documents Act, because we knew there were some flaws. Under what circumstances is it acceptable for the government to submit at least 1.2 million requests a year for personal information to Internet service providers? This is a serious problem, but nothing is being done about it.

I thought we could sit down as parliamentarians and come up with ways to put oversight and transparency mechanisms in place and even get rid of these flaws and abuses. This was a missed opportunity.

Recently, the Supreme Court established in Spencer what was reasonable and not with regard to privacy protection. Unfortunately, that ruling was not taken into consideration during the study in committee. The Personal Information Protection and Electronic Documents Act was not amended in order to make it consistent with the Supreme Court ruling. That needs to be done. The government needs to show some vision and correct these flaws to provide better protection of Canadians' privacy because that is what Canadians deserve.

moved:

Motion No. 4

That Bill S-4 be amended by deleting Clause 7.

moved:

Motion No. 1

That Bill S-4 be amended by deleting the long title.