Bill C-29 (Historical)

Mr. Speaker, I would like to ask the minister a question. I want to read something from the bill. The bill permits organizations to collect, use and disclose information without the knowledge or consent of the individual if the personal information is contained in witness statements related to insurance claims, or was produced in employment or business, or to establish or terminate employment relationship. or required to communicate with next of kin, or disclosed to prevent, detect or suppress fraud or financial abuse and used to identify injured, ill or deceased persons; and finally, for policing services.

We will support the bill to send it to committee to make some changes. Would the hon. member be willing to support changes so we can properly identify lawful authority and policing services?

Mr. Speaker, we are seeking to create the appropriate balance between the rights of individuals to their privacy and also protect society in cases of fraud or crime or to help families of victims or themselves, if they are not capable of helping themselves. That is the balancing act we must play.

As I expressed in my remarks, we think we have achieved that balance, but we are always open to criticism and we are certainly open to constructive criticism. If they are ways we can improve the bill that do not do violence to the intentions of the bill, we would be all ears.

Mr. Speaker, I thank my colleague, the minister, for the work he does on behalf of all Canadians, protecting our personal privacy and ensuring that we are not going to have to share personal private information with the Government of Canada. These changes he is making through PIPEDA address the issues of personal information in the private sector.

I think Canadians are worried about their information. It was a few years ago where Home Sense or one of those companies had credit card information taken from its system. We have known of banks that have lost critical banking and customer information.

Today, with the new technology, photocopiers with hard drives remember digital information and make digital copies of this information.

With all these different forms of technology, whether it is e-commerce, or a customer walking in and doing a credit card transaction or it is photocopy of information on a hard drive, is the bill technology neutral and is will it do more to protect the private information of Canadians in this sense?

Mr. Speaker, I appreciate the member's remarks on this topic. The intention of the bill is to be technology neutral, as the hon. member has suggested. One of the strengthening clauses or improvements from the current legislation is designed to create an obligation on behalf of the private sector when there is a large breach of privacy, a legal obligation to in fact inform customers and inform the Government of Canada that there has been a major privacy breach.

Under the current rules, there is no such obligation. There might be a moral obligation, but there is no legal obligation to do so. We want to ensure that if there has been a large scale breach, there is an obligation to report that.

Mr. Speaker, the previous questioner seemed to be concerned about the privacy of Canadians. Yet we debated for several hours today Bill C-42, An Act to amend the Aeronautics Act. It would allow Canadian carriers to give private information on the PNR to the American security.

How does the minister reconcile this whole effort to update the privacy legislation of the country with Bill C-42, in which we will give information away to American entities without reciprocity? The Conservative government could have demanded the same treatment. The Americans have 2,000 flights a day flying over Canadian airspace. We have 100 flights flying over American airspace.

Surely the government could have said that if the U.S. demanded the information from it, the Canadian government would demand the same information on those 2,000 flights. Did the government do it? I do not believe so.

Mr. Speaker, I feel like I am in a bit of a time warp here. I believe this place was discussing that very bill awhile ago, so I will not rehash that. If the hon. member had a comment at that time, he could have put it on the record.

This deals with is the protection of personal information in the private sector context. We were talking about bank records and transactions, credit card information, all this type of personal information that is now available to private sources, which Canadians are willing to give to be part of the online universe and to be part of a modern economy.

However, at the same time, we have to ensure there are adequate protections that Canadians can reasonably rely on and have confidence in so they can take part in the normal transactions that we do nowadays online or with our banks, or with other private sector institutions. We need to have the faith that the system is designed, in most cases, to protect our privacy, unless there are extraordinary circumstances as outlined in the bill.

Mr. Speaker, the minister and other members of Parliament are always concerned about privacy issues. Has the government taken into account people or companies that might abuse the bill, if it passes, and are there any penalties for that?

Mr. Speaker, there are sanctions. It would not be much of a bill if there were no sanctions to ensure these rights are enforced appropriately. We have been working with the Privacy Commissioner to ensure that she is fully cognizant of this legislation. She has been an active interlocutor in the drafting of the bill to ensure it has teeth and to ensure it can actively do what it intends to do. This has been a most collaborative process with the Privacy Commissioner as well as with other deponents, including consumer rights groups, who have particular expertise in this area. Again, I believe we have the appropriate balance.

I would like to inform the House pursuant to Standing Order 38 that the question to be raised tonight at the time of adjournment is as follows: the hon. member for London—Fanshawe, Aboriginal Affairs.

Resuming debate, the hon. member for Eglinton—Lawrence.

Mr. Speaker, the closing comments by the minister, when he referred to bites, et cetera, reminded me of a statement made by our colleague from Montmorency yesterday. So much of the government legislation is sound bite legislation, “safeguarding Canadians' personal information act”. It almost as if we had a guard dog on site. The only problem is that the guard dog has a bark like a sheep dog and a bite like a chihuahua. When is the government going to get away from sound bite legislation and actually do something worthwhile?

The minister justifies it all by saying we have an Internet economy that is worth some $62.7 billion and so we will ensure we can grow that. The government is not going to do anything about that at all.

What is going to happen is companies that want to get on the Internet for the purposes of expanding their commerce are going to do so. They are not going to worry about whether the government wants to jaw-jaw its way into this. They are going to take a look at this legislation and say that the member from Montmorency is right, that those guys have a bite and a bark like a chihuahua.

This is especially so after the industry committee has made some recommendations to the minister. With the benefit of those recommendations, he still goes ahead and presents legislation that he himself acknowledges requires further study from the committee and make the kinds of suggestions to improve the bill that he knows he must put in place if this will be acceptable legislation.

All of us are desirous of maintaining our privacy, in keeping what is ours to ourselves, keeping our security safeguarded at all times, to ensure that anything that pertains to our person, our businesses, our interests is released only when we think it is appropriate for our sake, for our interest.

For the government to come forward and say that it will safeguard all of that, except in certain circumstances, does not make safeguarding personal privacy interests very secure. What it does is introduce exceptions to kinds of privacy and security that it claims to be support.

Its sound bite title is, like everything else the government does, smoke and mirrors, deception and manipulation.

One can easily applaud the fact that there are amendments to PIPEDA, the Personal Information Protection and Electronic Documents Act, and notice that there is nothing in that title that sounds like a sound bite that it is actually a factual issue, but the government decides to take this legislation and make it look like it has done something else with it. That might enhance its opportunities to sell itself as something proactive.

It took the government four and a half years to discover that 80% of businesses are on the Internet, that means they have a website, and that 88% of Canadians are Internet savvy, that means they can browse the net. All of these things do not a business make, but they are the fertile ground for businesses interested in making their commerce more time sensitive, more immediate and more global.

Bill C-29 amends PIPEDA to, among other things, permit the disclosure of personal information without the knowledge and consent of the individual who possesses that for certain purposes. Some of the purposes will make sense. It is a little bit like the Trojan horse that gives access to a treasure trove in somebody else's domain.

The first of these does sound as if it makes sense. Number one is for identifying an injured, ill or deceased individual, communicating with their next of kin. There are very few people who would say that is bad.

Second is for performing police services. There are no other qualifiers. There are a lot of people who want to know what that means.

Third is for preventing, detecting or suppressing fraud. Successfully or unsuccessfully? What is the intent? Which organization?

Fourth is for protecting victims of financial abuse. How so? By releasing their information?

Another series of amendments is to permit organizations, any organization, for certain purposes not specifically outlined, to collect, to use, to disclose without the knowledge and consent of the individual, his or her personal information, number one, contained in witness statements related to insurance claims. Whose commercial interests are we looking at there? Second is information produced by the individual in the course of his or her employment, business or profession. That is virtually anything. Everybody in this place is producing information literally on a minute-by-minute basis, but some organization is going to have access to that.

Members might say that in a great, open and transparent environment such as the Parliament of Canada, such as the House of Commons, anybody who is engaged in this ought to so admit. It is something that we might have asked the Minister of Defence, for example, who today talked about the complexity of the procurement process and military hardware acquisition as being a little too complicated for the simple-minded public that wants to find out whether it is transparent and whether it meets the test of value for money, as being a bit of an intrusion and just barely tolerable.

This is hardly accountability. It is hardly transparency and it certainly does not lead to the business of openness, but under PIPEDA, everybody else has to operate that way.

A third set would require organizations to report material breaches of security safeguards to the Privacy Commissioner and to notify certain individuals and organizations of breaches that create a real risk of significant harm. Somebody is going to make a judgment. I will come back to that in a moment.

As I go through this, I ask how we can safeguard Canadians' personal information. I am a consumer like everybody else in this House. As an individual and like many people in this House, excluding all those who serve the House, I am a legislator, and I do not believe that my personal information will be any safer, believe it or not, under the current drafting of Bill C-29.

The Government of Canada prepares a piece of legislation by which I, as a member of Parliament, as a consumer, as a private citizen, just like the Minister of Immigration, who is really listening to this, think that my information is easily protected by some of these measures that have gaping holes, in a legislation that did not exist before. It is going to need a lot of amendments in order for me to feel comfortable.

Why do I focus on me, Mr. Speaker? Just like you, we represent the general public and the general public expects us to feel what they feel, to see what they see, to experience what they live every day. There is not a Canadian out there who is not thinking, “Hold up. Is this legislation really designed to protect my privacy, or are they beginning to insinuate some sort of little loophole for others who are involved in business or whatever, to use to my disadvantage?” There are a lot of them out there already.

It is interesting that this legislation did not have this sound bite title that said, “We are going to go after all the crooks. We know they are out there but they are not being reported. We are going to build jails for them so that when we catch them, if we ever put police on the beat and if we ever sustain the court system enough that they will be able to process all of these accused and alleged criminals, we will actually be able to house them”.

That is not what this is about. If that is the kind of intention they have, I do not see that intention in the legislation. Primary in this kind of assessment relates to the requirement that I mentioned a moment ago to report a “material breach of security safeguards involving personal information under its control” to the Privacy Commissioner. That is what is going to happen. All of this is going to be reported to the Privacy Commissioner.

First, the threshold for determining that requirement for that disclosure is ambiguous. I noted that the minister did not make any effort to be specific to give us an indication of where the intent is. He did not give us any indication of the precision of the language. Not only is it ambiguous; it is confusing, quite frankly. As I said a moment ago, it has more holes in it than a retaining wall that has been breached by an invading army.

Second, there is no enforcement provision included in the bill to ensure that this will be done. When my colleague from Montmorency—Charlevoix—Haute-Côte-Nord says that the sound-bite legislation that the Conservatives put in place is a little bit like a chihuahua barking away and trying to bite, he is right. If there is no enforcement mechanism, what is the purpose of making all of these statements? Who are they playing for fools? Do they really think Canadians do not look, do not listen, do not watch, do not critique?

I took a look at what the bill states and under proposed section 10.1:

(1) An organization shall report to the Commissioner any material breach of security safeguards involving personal information under its control.

It does not tell us how it got there in the first place or whether the organization had the right to get it there. It goes on:

(2) The factors that are relevant to determining whether a breach of security safeguards is material include:

Here is a definition for them, and so when I say it is ambiguous, confusing, wide open, it says, first of all, the “sensitivity of personal information”. Who is the best judge of whether personal information is sufficiently sensitive? Is it going to be the organization? Is it going to be the Privacy Commissioner? Is it going to be the person about whom that information is rendered? The proposed section continues:

(b) The number of individuals whose personal information was involved...

This reminds me of days gone by when priests in a confessional were trying to explain to penitents the significance of lies. One of the penitents said, “Father bless me for I have sinned, but it is no big deal; I just told a lie”.

The priest did not know any other way to get the penitent to understand the severity of that lie and said, “I tell you what. Here is a pillow full of feathers. Go up to the top of the hill. It is rather windy right now. I want you to open that pillow.”

The penitent went to the top of the hill, opened the pillow full of feathers and, behold, the wind blew them all over the place.

The penitent went back to the confessional and said, “Father I did what you asked me to do”.

The priest said, “Good, go pick them all up”.

The penitent said, “I cannot do that. Those things have gone for miles and miles now”.

Members can understand what the priest said then. That is the gravity of personal information about which one spreads lies, but the bill does not say that the person about whom information is being supplied has any control over it. Somebody else is shaking that pillow at the top of the hill. The proposed section continues:

(c) An assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.

Yes, that will happen. Every organization is willing to beat its chest and say, “Mea culpa, mea culpa, mea maxima culpa”. It is not going to happen. Very few people did it in times when people spoke Latin, and now that English has replaced Latin as the lingua franca, there are even fewer people.

So who makes the determination? Mr. Speaker, I guess you are like me. If it were my personal information that was being breached, I would want to report it to the commissioner. Yet Bill C-29 leaves that decision up to the organization that is supposedly making the report if not, in fact, the breach.

Bill C-29 also states that under proposed subsection 10.2(1), “Unless otherwise prohibited by law,” and look at that loophole:

an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

As the hon. member for Elmwood—Transcona said a few moments ago, so now the Americans, under Bill C-42 that the House had discussed before, can ask any of our domestic airlines, our carriers, to give them every piece of information in their possession, including everything one can name from there on in, everything one has to lay bare when one goes to buy a plane ticket. Bill C-29 essentially says that organization can do all of that.

What is the definition of significant harm under proposed subsection 10.2(2)? It is:

For the purpose of subsection (1), “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Now one has to prove how significant that was. There are not very many people who are going to be better defenders of one's character and one's interest than oneself.

Real risk of significant harm and the factors that have to be included are those that are relevant to determining whether a breach of security safeguards creates real risk of significant harm to the individuals, and have to include the following. Listen to this. They have to include this:

(a) the sensitivity of the personal information involved in the breach;

Who is making the decision on the sensitivity? Somebody else.

It goes on:

(b) the probability that the personal information has been, is being or will be misused.

I am just thinking of Bill C-42. Any foreign state can ask of a Canadian carrier information that it will say is not going to be a problem and it is not going to do anything nasty with it, so the probability of that personal information being used or misused is practically nil, so it will take it all. Oh, good.

Again, while the conditions are defined, the interpretation is wide open and even includes variables that are impossible to determine. For example, how can an organization assess the probability that the personal information will be misused?

Most critical is that there is no enforcement and there are no penalties if the organization does not disclose a breach. This is untenable.

Other jurisdictions with similar laws have very high penalties for non-prompt disclosure. Let me see. I wonder where those other jurisdictions are.

Well, for example, right here in Canada, under the Alberta Personal Information Protection Act, PIPA, individuals and organizations can be fined up to $10,000 and $100,000 respectively for failing to notify the commissioner of a breach. There is an onus of responsibility. There is none in Bill C-29.

In Florida, which is just down the road, there are penalties of up to $500,000 for similar breaches. I mention Florida especially since our carriers are going to have to reveal everything to the Americans anyway; it is about a three-hour flight from Pearson Airport in Toronto. In Michigan, penalties run up to $750,000. Bill C-29 has no penalty. Why would these jurisdictions, including Alberta, have penalties and not the federal act that the government wants us to believe is the best thing since sliced bread?

Mr. Speaker, the minister made his speech with a lot of flourish and he answered a couple of questions. He talked about $62 billion in e-commerce in Canada. The question comes down to the nature of the government's role in e-commerce and government online.

We have seen a big change in the last five years, in comparison with the previous government. The Conservative government has no vision when it comes to e-commerce. It has no vision when it comes to government online programs and broadband development.

I would like to know how much money the government is collecting on a transactional basis. Under the old Liberal government, there were a number of e-government programs that provided services to the public. They were transactional, and they contributed to the general revenues.

I would like to know what the Conservatives have done in the last five years to expand e-government services to the people of Canada. How much of it is transactional?

Lots.

The minister says they have done lots, Mr. Speaker. I would like to know how much money is being brought in on a year over year basis from government online programs. What is the government's vision for the future?

It is fine for the government to address these matters piecemeal, with a bill on spam and a bill making changes to PIPEDA, but what is its vision on e-commerce, government online, and broadband issues? Governments like those in Australia and England have a vision for these areas.

Mr. Speaker, I find myself ill-equipped to defend the Conservative government. There was a time when I would defend the Government of Canada because it was a Liberal government that had a vision on governance and on providing a future for Canadians. It did not matter what part of the country they were in. For my colleague's information, he may wish to ask one of the government members sitting here listening to the debate.

He will know that one of the first things that the Conservative government did when it came to power was to put over to one side, first, the initiatives of its predecessor in delivering government services online, and second, all the initiatives designed to provide greater service to Canadians at a reduced cost. For example, all the initiatives associated with Service Canada were put on hold, even though the system had been up and running for a year, because the Conservatives needed to see whether there was efficiency in service.

In addition, the Conservatives cut back on all kinds of services associated with immigration. They needed to bring the number of applicants down, and the best way to do that was to reduce the services provided in posts abroad, so that fewer applications would be received. When fewer applications are received, less revenue is being generated.

As for the revenues the Conservative government has generated from an e-commerce perspective, or what it has done to develop e-governance and government online, I can only say that the short answer is nothing.

If the member does not believe me, he could go to the trouble of reading today's Auditor General's report. The Auditor General looked at a series of departments and said that over the last five years there has been a reduction in efficiencies and direction. A reduction was seen in the parameters that are put in place to manage efficiencies. Her department saw a reduction in accountability and an increase in waste.

If my colleague were to ask if there is a correlation between a having a vision and the wasting and squandering of opportunities, I would say there is. The government opposite has chosen the chihuahua approach to governance: to be a little pipsqueak and do nothing.